The Association of Certified Fraud Examiners estimates that fraud costs organizations, on average, 5% of their annual revenue. Globally, that’s more than $4.5 trillion lost each year. This is a huge problem for all manner of organizations, and strong corporate governance is a critical ingredient in managing that fraud risk.
Corporate governance, or simply “governance,” refers to the way an organization manages accountability, fairness, and transparency in its relationship with its stakeholders. And although the concept may seem like something that only applies to large or publicly traded organizations, that is not correct. Strong corporate governance is necessary for managing fraud risk at organizations of any size.
The Board of Directors drives governance, but the duty also extends to management and other stakeholders. Put another way, corporate governance is a team effort, led by the Board of Directors, with varying degrees of responsibility assigned to different levels of the organization.
While day-to-day accounting and financial decisions are primarily the responsibility of management, the Board must build the framework in which management operates by establishing policies that prevent and detect errors and fraud. This article addresses four important ways that the Board can directly help to mitigate fraud risk in its organization:
- Performing a Risk Assessment
- Managing and Monitoring the Control Environment
- Establishing and Monitoring Internal Controls
- Establishing and Enforcing Solid Governance Policies and Procedures
Performing a Risk Assessment
Any fraud mitigation strategy should begin with a risk assessment. It is the most important part of the process, and it should be performed periodically to reassess the risks and recalibrate as needed.
Risk assessments are typically accomplished through a brainstorming session that considers the types of risks the organization is susceptible to – both from a financial standpoint and an operational one. The results of a risk assessment will inform the types of internal controls that should be implemented, as well as the policies and procedures that need to be developed.
Managing and Monitoring the Control Environment
The Control Environment is a broad term used to describe the bedrock of an effective internal control system, and it revolves around the concept of “tone at the top.”
“Tone at the top” refers to the ethical expectations and environment set by the leaders of an organization. The Board and management are responsible for establishing the accepted moral principles of the organization, and must “walk the walk” when it comes to modeling the expected ethical behavior. A consistent tone from the Board and senior management helps develop a common understanding of the values, business drivers, and expected behavior of employees and partners of the organization.
The Control Environment can be summarized by the following five principles, as defined in the Internal Control – Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO):
- The organization must demonstrate a commitment to integrity and ethical values (e.g. “tone at the top”).
- The Board of Directors must demonstrate independence from management and exercise oversight of the development and performance of internal controls.
- Management must establish, with Board oversight, the structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of organizational objectives.
- The organization must demonstrate a commitment to attract, develop, and retain competent individuals in alignment with organizational objectives.
- The organization must hold individuals accountable for their internal control responsibilities in the pursuit of organizational objectives.
These principles provide a solid set of guidelines when considering an organization’s Control Environment.
Establishing and Monitoring Internal Controls
Responsibility for internal controls flows from the Board of Directors down to the CEO, then to senior management, and finally to line management. All levels are responsible for internal control, but it is the Board that sets the priority of controls and ensures they are in place and operating effectively. The Board of Directors must have sufficient independence from management to carry out these duties appropriately and consistently.
Internal controls provide a built-in safety mechanism for the different processes in the financial cycle. There are two main types of internal controls:
- preventive, which aim to decrease the chance of errors and fraud before they occur, and
- detective (or “downstream controls”), which are designed to find errors or problems after the transaction has occurred.
Three of the most important internal controls that every organization should implement are:
Separation of Duties:
Proper separation of duties prohibits assigning the same person to maintain custody of assets, perform the related record keeping, and authorize the related transactions. For example, you would not want the employee with access to your check stock to also be responsible for entering payment data into the accounting system. No single person should have control over the whole cash process. This is an example of a preventive control.
In small organizations, maintaining this separation can be challenging, which is why it is important to implement downstream detective controls such as reconciliation and review.
Reconciliation and Review:
Reconciliations should be reviewed by someone outside of the cash process, and ideally that reviewer receives the bank statement directly from the bank rather than from the person who prepares the reconciliation. Even if your organization is very small, the two items that should always be reviewed on a monthly basis are the bank statements/reconciliations and payroll registers. Other important items to review are cancelled check copies, subledger reconciliations, and the vendor master file. These are examples of detective controls.
Ensure Security of Assets:
One of the easiest ways for fraud to occur is when a person intent on defrauding the organization has direct access to company assets; this includes access to cash (including check stock) and inventory. All cash and cash equivalents stored on-premises should be kept in a locked safe that is accessible only by one or two key people. As you may have guessed, this is an example of a preventive control.
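The separation-of-duties and reconciliation controls described above can both be checked mechanically, which is how larger organizations enforce them across hundreds of users and thousands of transactions. The script below is an added illustration and is not from the original article or from Clark Nuber: the user names, process names, check numbers and amounts are constructed sample data. The preventive check generalizes the article's check-stock example to any combination of the custody / record-keeping / authorization duties on the same process, and the detective check performs the bank-to-ledger reconciliation, flagging disbursements that cleared the bank but were never recorded, ledger entries that never cleared, and amounts that differ.

```python
"""Separation-of-duties (preventive) and bank reconciliation (detective) checks.

Added example with constructed sample data; not part of the original article.
"""
from collections import defaultdict

# The three duties the article says must never sit with one person for the
# same process: custody of the asset, the related record keeping, and
# authorization of the related transactions.
INCOMPATIBLE_DUTIES = {"custody", "record_keeping", "authorization"}


def sod_violations(assignments):
    """Preventive control.

    assignments: iterable of (user, process, duty) tuples.
    Returns a sorted list of (user, process, duties) for every user who holds
    two or more of the incompatible duties on the same process. Duties outside
    the triad (e.g. 'review') are ignored because holding them alongside one
    other duty is not a conflict.
    """
    held = defaultdict(set)
    for user, process, duty in assignments:
        if duty in INCOMPATIBLE_DUTIES:
            held[(user, process)].add(duty)
    return sorted(
        (user, process, tuple(sorted(duties)))
        for (user, process), duties in held.items()
        if len(duties) >= 2
    )


def reconcile(bank_lines, ledger_entries):
    """Detective control: match bank statement lines to ledger entries by
    reference number (check number) and report three kinds of exception:

      'unrecorded'      cleared the bank but was never entered in the ledger
      'not_cleared'     in the ledger but never reached the bank (possibly fictitious)
      'amount_mismatch' same reference, different amount (possibly an altered check)

    Amounts are integers in cents to avoid floating-point comparison issues.
    Returns a list of (kind, ref, bank_amount, ledger_amount) ordered by ref.
    """
    bank = {line["ref"]: line["amount"] for line in bank_lines}
    ledger = {entry["ref"]: entry["amount"] for entry in ledger_entries}
    exceptions = []
    for ref in sorted(set(bank) | set(ledger)):
        if ref not in ledger:
            exceptions.append(("unrecorded", ref, bank[ref], None))
        elif ref not in bank:
            exceptions.append(("not_cleared", ref, None, ledger[ref]))
        elif bank[ref] != ledger[ref]:
            exceptions.append(("amount_mismatch", ref, bank[ref], ledger[ref]))
    return exceptions


# Constructed sample data: hypothetical users, processes and check numbers.
ASSIGNMENTS = [
    ("alice", "cash_disbursements", "custody"),         # holds the check stock
    ("alice", "cash_disbursements", "record_keeping"),  # also enters payments -> conflict
    ("bob", "cash_disbursements", "authorization"),     # approves payments only
    ("carol", "payroll", "record_keeping"),
    ("carol", "payroll", "review"),                     # review is not one of the triad
]

BANK_LINES = [  # what cleared the bank this month (cents)
    {"ref": "1001", "amount": 50000},
    {"ref": "1002", "amount": 120000},   # never recorded in the ledger
    {"ref": "1003", "amount": 35000},    # ledger says 30000
]

LEDGER_ENTRIES = [  # what the bookkeeper recorded (cents)
    {"ref": "1001", "amount": 50000},
    {"ref": "1003", "amount": 30000},
    {"ref": "1004", "amount": 8000},     # never cleared the bank
]


if __name__ == "__main__":
    for violation in sod_violations(ASSIGNMENTS):
        print("SoD violation:", violation)
    for exception in reconcile(BANK_LINES, LEDGER_ENTRIES):
        print("Reconciliation exception:", exception)
```

Run against the sample data, the preventive check flags alice for combining custody and record keeping on cash disbursements, and the detective check reports check 1002 as unrecorded, check 1003 as an amount mismatch, and check 1004 as not cleared. In practice the assignments would be pulled from the accounting system's role configuration and the two transaction lists from the bank export and the general ledger, and the exception report would go to the independent reviewer the article describes.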
Establishing and Enforcing Solid Policies and Procedures
Policies and procedures provide consistency and accountability over finances and operations. Creating corporate governance policies and procedures for your business can help you improve operating efficiency, prevent fraud, reduce errors, decrease your legal exposure, and increase profits. Three important governance policies to consider in the mitigation of fraud risk are:
Conflict of Interest Policy:
A conflict of interest policy protects an organization’s interest when entering into a transaction or arrangement that might benefit the private interest of one of its officers or directors.
Code of Ethics & Conduct Policy:
A code of ethics refers generally to the values of an organization. A code of conduct policy provides guidance for how to act in certain situations.
Whistleblower Policy:
A whistleblower policy encourages staff to come forward with credible information on illegal practices or violations of adopted policies of the organization; specifies that the organization will protect the individual from retaliation; and identifies the staff, board members, or outside parties to whom such information can be reported.
The responsibility of corporate governance extends to multiple levels of the organization, but it is ultimately overseen and managed by the Board of Directors. Inadequate corporate governance increases the risk of fraud, which can lead to not only the loss of profits, but also corruption and a tarnished image. Performing a risk assessment, monitoring the control environment, establishing effective internal controls, and developing protective policies and procedures are the keys to reducing fraud risk.
If you have any questions regarding fraud controls and establishing strong corporate governance, contact a Clark Nuber advisor.
© Clark Nuber PS, 2020. All Rights Reserved