Conference Speaker: Sorry, But Trust Is Not an Internal Control
Eleanor Hume
"One day someone in the accounting department got really bold and wrote themselves a check for $108,000. ... This wasn't the first time, but it was the first time it was big enough to notice. And then the guy disappeared," she said.
Organizations should also note certain high-risk areas. The most common types of fraud, she said, include accounts payable and credit cards; corruption and conflicts of interest; and payroll. She said organizations, given these risk areas, should note unexplained increases in payroll and other expenses, which requires regularly checking financial information to identify trends. Similarly, unexplained disbursements could be another sign of trouble, especially if bank reconciliations aren't happening on a regular basis.
The main way to protect against these sorts of frauds, she said, is "the good old segregation of duties." People in the accounting office, she said, should not be the only ones looking at the bank statements. Systems should be locked down when not in use, passwords should not be shared among groups of people, and there should be a way to ensure that there's a verifiable audit trail for all transactions. The board should also take direct involvement through enforcing meeting schedules, ensuring timely financial information is reviewed, creating and monitoring budgets, and having an audit committee and executive sessions.
Organizations should also note certain high-risk areas. The most common types of fraud, she said, include accounts payable and credit cards; corruption and conflicts of interest; and payroll. She said organizations, given these risk areas, should note unexplained increases in payroll and other expenses, which requires regularly checking financial information to identify trends. Similarly, unexplained disbursements could be another sign of trouble, especially if bank reconciliations aren't happening on a regular basis.
The main way to protect against these sorts of frauds, she said, is "the good old segregation of duties." People in the accounting office, she said, should not be the only ones looking at the bank statements. Systems should be locked down when not in use, passwords should not be shared among groups of people, and there should be a way to ensure that there's a verifiable audit trail for all transactions. The board should also take direct involvement through enforcing meeting schedules, ensuring timely financial information is reviewed, creating and monitoring budgets, and having an audit committee and executive sessions.
Undergirding all these things, she said, should be a skeptical attitude.
"Attitude truly matters. Auditors are taught from the beginning to have a professional healthy skepticism. We also have to assume everyone is actually capable of stealing. That's a hard thing to think about, so to put it a little nicer, 'We trust you, but we still have to verify,'" she said.
"Attitude truly matters. Auditors are taught from the beginning to have a professional healthy skepticism. We also have to assume everyone is actually capable of stealing. That's a hard thing to think about, so to put it a little nicer, 'We trust you, but we still have to verify,'" she said.