Developing Controls Designed to Reduce the Risk of Misappropriation of Assets

One of the objectives of any legitimate organization is to safeguard its assets. Once valuable assets have been identified, controls need to be implemented to reduce their exposure to misappropriation, misuse or loss. The need for suitable physical controls to prevent loss or misuse of organizational assets was highlighted just this past week when a fire district vehicle was stolen and crashed in eastern Suffolk County, NY.

Keep in mind that controls can be either detective or preventative. An example of a preventative control would be keeping a district vehicle locked in a garage. A detective control would be having a GPS on the vehicle that alerts you when it has been moved.

Preventive controls are designed to keep fraud or misuse from occurring. Some practical examples of preventive controls related to finance include locking up unused checks, having someone independent of the accounts receivable function open the mail and prepare deposits, using pre-numbered receipts, setting appropriate authorization limits for single signature checks, and utilizing a capital budget plan for fixed asset purchases.

Detective controls are designed to detect loss or misappropriation soon after it has taken place. A detective control procedure would be to have someone independent of the recordkeeping function reconcile checking accounts within a reasonable number of days of receipt, or to have another employee open and review the bank statement prior to reconciliation. Another common detective control is the periodic, independent review of the vendors included on the accounts payable master list, ensuring that only valid, authorized vendors have been added.

The following are examples of the types of policies and procedures that may be used to prevent or detect misappropriations of assets:

  • Analytical reviews
  • Independent checks
  • Segregation of functions and duties
  • Access limitation and authorization controls

Analytical Reviews

Analytical reviews are comparisons of current financial reports to other information. For example, a commissioner or director might compare employee earnings to year-to-date budgets or prior year data. Large variances might indicate abuses of overtime or fictitious employees being included on the payroll. Such was the case in a recent Office of the New York State Comptroller audit of the MTA. State auditors alleged an abuse of overtime by certain employees; in response, the MTA is implementing biometric finger readers for employees to clock in and out (a preventative control).

Independent Checks

Independent checks validate another’s work. Independent checks may be accomplished in many ways, such as:

Second check: An employee’s work might be re-performed or tested by a supervisor or Board Member.

Computer validation: Computers may test the employee’s work. For example, the computer may compare purchase order information with the amounts invoiced. It may report or refuse to process a transaction or entry with exceptions.

Mandatory employee vacation or rotation: Concealing or perpetuating fraudulent activity often requires continual attention by the fraudster. To deter this type of abuse, some organizations require mandatory vacations. While the employee is on vacation, their duties are to be performed by others with similar competencies. This makes a fraud more difficult to conceal. The same control objective can be met by periodically rotating employees’ duties.

Audits: Periodic independent audits of the books and records can help detect fraud, and the auditor’s presence acts as a deterrent, discouraging dishonest employees from attempting to commit fraud.

Segregation of Duties

Segregation of duties is a hallmark of sound internal controls. It is one of the most effective controls to prevent, or to detect in a timely fashion, misappropriations of assets. Areas that lack adequate separation of duties often provide opportunity for fraud. Whenever possible, incompatible duties should be performed by different employees or a Board member. For example, the responsibility for authorizing transactions, recording transactions, and maintaining custody of assets should be assigned to different people.

Access and Authorization Controls

These controls are designed to ensure that only appropriate employees can enter into transactions or have access to organization assets, documents, and records. Examples of these types of controls include:

  • Password protection of computer files.
  • Authorization limits on purchase orders and check signing.
  • Dual custody of cash receipts or cash on hand.
  • Physical safeguards on assets susceptible to theft (for example, cash, credit cards, fuel).
  • Physical controls over organization documents and records (such as maintaining offsite storage of critical records).

Effective authorization and access controls reduce opportunities to commit and conceal fraud. It is hard to steal assets that you do not have access to, and fraudsters can’t alter documents or records without access to those items.

Monitor Risks and the Control Systems in Place

We encourage all of our clients to take the time to conduct ongoing assessments of the risks facing your organization and the preventative and detective internal controls you have in place to effectively minimize or mitigate these risks. Following a routine such as this will help to ensure that you have reasonable and appropriate controls in place to mitigate the risk of incurring a significant loss. If you would like more information on conducting an internal control self-assessment, or you would like assistance performing an assessment of the controls you have in place, please feel free to contact Robert Craig at rcraig@cfmllp.com or (631) 360-1400 Extension 303.