by John Hanson
The most common means by which organizations can impact a person’s opportunity to commit fraud or deviate from company policies/procedures is through internal controls. Such controls may include segregation of duties, approvals, authority levels/restrictions, physical access, etc. Organizations must balance the degree/level of controls with their associated risks and costs, such that the ideal system of controls intended to prevent fraud and/or policy deviations is more an aspiration than a realization.
In performing a compliance risk assessment, the internal control system(s) should be understood and assessed. The degree to which internal controls reduce a person’s opportunity to commit fraud or violate company policies affects the associated compliance risk. Compliance officers might consider speaking with internal audit, IT, finance and other departments as part of assessing the controls in place.
For example, many organizations have policies that address gift giving/receiving by employees. In some instances, those organizations may have a significant degree of risk should such policies be violated (e.g. government contractors). If the system of controls related to the approval and reimbursement of employee expenses is strong, the associated risk of non-compliance might be reduced.
Perhaps even more important, internal controls are only as good as their application and adherence. For example, having a dedicated “vendor file master” (someone who sets up vendors and maintains the vendor file, but cannot approve invoices, issue payments, etc.) is a very effective means of preventing many common fraud schemes in accounts payable; however, if the vendor file master doesn’t adhere to the procedures in place surrounding the setup and maintenance of the vendor file, the control fails. Interviews of those in such “gatekeeper” roles should include questions that probe the effectiveness of such controls (see “The Compliance Interview – Six Helpful Questions” for interview question suggestions).
Also factoring into the Fraud Triangle’s “opportunity” is a person’s knowledge, authority and experience. Who is more likely to effect a greater fraud or more impactful compliance deviation, a chief financial officer or a line-level salesperson? A new employee or one who has been in a certain role for many years? Clearly, those with more knowledge, authority and experience can commit larger frauds and take better steps to conceal them. In assessing the internal controls in place, the compliance officer should identify such persons and pay particular attention to the internal controls relevant to them.
Consideration and incorporation of the Fraud Triangle’s “opportunity” factor can help a compliance officer both identify and prioritize compliance risks. Audits and other techniques can then be accordingly planned to continuously monitor and report on such risks.
John “The Fraud Guy” Hanson is the founder and executive director of Artifice Forensic Financial Services LLC. He has over 20 years of fraud investigations, forensic accounting, and corporate compliance/ethics and audit experience. John has applied his extensive experience in these areas across a wide array of areas and industries, frequently assisting counsel, government agencies and companies with internal corporate investigations and other sensitive matters arising from alleged fraud or misconduct.