How Strong Are Your Internal Controls? – Rea CPA

How Strong Are Your Internal Controls?

Is Your Organization A Victim Of Occupational Fraud?

How do you monitor what’s going on in your organization’s back office? The truth is, there are a lot of owners and managers out there who “trust” that everything is on the up-and-up when, in fact, fraudulent activity is taking place right under their noses? Unfortunately, no matter how much you may like, respect and trust a person, there is no denying that in the end: “Trust Is Not An Internal Control.”

So, what internal controls have you put in place to protect your business, nonprofit or government entity? And, as a follow-up question for those who have implemented an internal controls strategy, what are you doing to monitor the strength of your existing efforts?


Read Also: When The Suspect Works For You

What Are Internal Controls?

Internal controls are methods an entity implements to protect and ensure it has control over daily accounting procedures and that these procedures are being followed. The primary purpose of your organization’s internal controls is to help to safeguard assets against possible fraud and corruption.

Time and time again internal controls have been shown to be an excellent preventative measure against fraudulent acts. Organizations that have an internal controls strategy in place are statistically less likely to be victims of fraud.

According to the Association of Certified Fraud Examiners’ (ACFE) 2018 Report to the Nations on Occupational Fraud and Abuse, which is the largest and most comprehensive study of occupational fraud, internal control weaknesses were responsible for nearly half of all frauds committed and, when analyzed, organizations with anti-fraud controls in place enjoyed lower fraud losses and quicker detection. Additionally, the report found that organizations that regularly monitored and audited their back-office functions and a significant reduction in fraud loss and duration. However, only 37 percent of victim organizations actually had internal controls in place.

Other interesting statistics include:

  • Industries with the highest proportion of corruption cases were energy (53%), manufacturing (51%), and government and public administration (50%).
  • Fraud is especially devastating to small businesses as they reportedly lose almost twice as much per scheme to occupational fraud. This is because these organizations tend to have fewer resources to prevent, and to recover, from fraud. Moreover, studies show that, in small businesses, 42 percent of frauds are caused by a lack of internal controls.
  • Of those who responded to the survey, 30 percent of respondents said they believed a simple lack of controls was the main factor that allowed fraud to occur within their organization.
  • Overall, 77 percent of occupational frauds examined in the ACFE’s study came from only eight departments (in order according to risk: high to low): accounting, operations, sales, executive/upper management, customer service, administrative support, finance, and purchasing.
  • Most fraudsters (85 percent) displayed at least one behavioral red flag and half of these cases exhibited multiple red flags. The most common behavioral red flags are:
    • Living beyond their means
    • Financial difficulty
    • Unusually close association with vendor/customer
    • Control issues, unwillingness to share duties
    • Divorce/family problems
    • “Wheeler-dealer” attitude

This report is really an interesting read and includes a lot of great insight. I encourage you to check it out.


Check out this video about fraud, internal controls and employee hotlines.

Do You Need (Better) Internal Controls?

The first thing to remember as you are contemplating whether your organization needs to put internal controls in place (or whether you need to better improve, monitor and manage your existing internal controls) is that a strategy rooted in trust is completely insufficient. Next, ask yourself the following key questions to gain greater insight into your level of risk:

  • Are you requiring dual signatures on purchase orders and requisitions?
  • Have you ever thought about the receiving report or invoice?
  • Have you included segregation of duties into your internal controls?

Read on to discover what your answers say about the security of your organization while gaining insight that can help you improve your internal controls.

You Can’t Afford To Do Nothing

If you’re struggling with implementing and maintaining segregation of duties in your back office, don’t worry. You’re not alone. However, if one person has the sole authority to approve all forms of purchasing and receiving, you should be concerned.

Imagine the many ways fraud could occur if, for example, your maintenance supervisor was responsible for filling out the requisition for the approval of cleaning supplies. Then, after the approval process, this same maintenance supervisor goes on to fill out the purchase order and signs it. Finally, once the purchase is received and the purchase order is processed, this same individual is responsible for marking the items as received on the invoice or signing the receiving report. In this scenario, how would you even know if the cleaning supplies arrived or cost what they reportedly cost? What’s to stop your company’s assets from walking out the door?


Read Also: Business Owners Can’t Do It All

Segregation of duties is one of the easiest and most effective internal control procedures an organization can establish, many leaders have a hard time putting this strategy into place.

All too often we see failure in the segregation of duties involving the approval process for requesting goods and the approval of receiving the goods. And the risk spans every department. Just think of all the areas that could be at risk because you don’t have multiple pairs of eyes on the situation.

  • Is the employee that performs the accounts payable or payroll functions, the same employee that performs and approves the bank reconciliations?
  • Is the same person who collects the game ticket sales the same person who reconciles the ticket receipts to the stubs and deposits the money?
  • Is the person responsible for ordering and dispersing new technology, such as laptops, phones, tablets, etc., the same person responsible for ordering and receiving the deliveries?

Implementing a procedure where a separate employee signs the receiving report essentially strengthens your company’s controls and reduces items that could be stolen. If you need help getting started or if you have more questions about occupational fraud and how you can prevent yourself from becoming a victim organization, email Rea & Associates to speak with one of our certified fraud examiners today.

By Ashley Starr, CFE, MSA (New Philadelphia office)

Looking for more tips to help you protect your business? Check out these resources:

Are Your Suppliers Meeting Your Demand?

Six Policies & Procedures All Government Entities Should Implement, Update

Is Your Business Ready For An Audit?


Sign up to receive regular tips and insight from Rea & Associates!