In any business, errors in processing may occur. Whether processes are manual or automated, there is potential for errors. The best way to prevent errors is to create processes to prevent the error from occurring or to create processes to detect the error after it occurs.
Also, in any business, fraud is unfortunately, often a possibility, with or without employees, as fraud may occur internally or externally. The best way to prevent fraud, is to develop processes that create controls that do not allow the fraud to occur. In addition, a business will often need processes that detect fraud.
The processes in total that prevent errors or fraud or that detect errors or fraud, are often called internal controls and are the responsibility of the entire company, including the owner(s), employees and vendors.
The most important aspect of internal controls is culture and values. If a company’s culture respects and values integrity and honesty, the culture will permeate throughout the organization and will carry to its selection and working environment with vendors as well.
The next aspect is training. Employees and vendors must be trained on the company policies, proper procedures and the code of conduct. Again, it goes back to the culture.
As mentioned above, there are two types of internal controls – preventative and detective. Preventative controls include segregation of duties, authorization, the physical control over assets and processes to prevent errors or irregularities. Detective controls include reconciliations, variance analysis and inventory count.
All internal controls should be designed to ensure authorization, completeness, accuracy, validity, physical safeguards and security, error handling and the segregation of duties. In addition, it is very important to consider risk and cost when designing and implementing internal control processes. For example, it does not make sense for a company to hire a full time employee just so a process has proper segregation of duties. The risk of fraud or error occurring may be substantially less than the cost of hiring an employee.
EXAMPLE – Here is an example of actual processes that were present at a company that had minimal internal controls and how fraud might have occurred.
A company with over 100 employees billed 5 nursing homes for each hour that the aides worked with the elderly. In addition, the company paid the 100 employees with weekly paychecks. There are only 2 employees (Anne and Bob) handling the payroll, billing processes and cash application at the back office. It is a small operation and Anne processed payroll for all employees, while both Anne and Bob entered hours worked for the 100 employees. Anne also performed the billing for 1 nursing home, while Bob handled the 4 other nursing home billing processes. Anne and Bob also processed the customer’s cash application.
In this true scenario, there are multiple areas for fraud to occur. Remember, internal controls are best implemented when the PREVENT errors or fraud from being able to occur.
In this case, Anne entered the employee information into the payroll system. In addition, she entered the hours to be paid to the employee. Anne could enter and pay fictitious employees. There were no controls set up to review additions or changes to the payroll system.
A second possibility in this scenario is the potential for unauthorized invoice adjustments which might occur when the cash was being applied.
The controls developed and implemented in this situation are both preventative and detective and include the limited segregation of duties (billing versus cash application) and to review changes made to the payroll system.
No system is perfect, nor will the potential for collusion be removed. However, a system of internal controls when implemented properly will provide management with reasonable assurance that the potential for errors and or fraud have been minimized.