Combating Fraud

We've all heard of the major accounting scandals where fraud was perpetrated by a rogue few who created financial statements that did not accurately portray the company's true financial condition. But do you know how companies can reduce their financial, operational and compliance risks associated with improprieties and general mistakes? These safeguards, called internal controls, are essential; therefore, let's take a look at ways to implement them into your organization.

What is an Internal Control?

Understanding the meaning of internai control is the first step to improving and securing your business environment by using standards developed by the Committee of Sponsoring Organization (COSO). This organization provides practical, broadly accepted criteria for establishing internal control and evaluating its effectiveness. In 1992, COSO published, Internal Control Integrated Framework, which changed the way internal control was viewed, and has established a common definition of internal control. This definition is now the standard recognized by the accounting profession.

COSO defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

* Effectiveness and efficiency of operations;

* Reliability of financial reporting;

* Compliance with applicable laws and regulations."

How Can Internal Controls Help Your Organization?

Internal controls can be designed to help an organization in the following ways:

* Ensure the quality of financial reporting;

* Achieve performance and profitability targets as well as prevent a loss of resources;

* Comply with laws and regulations, avoiding damage to reputation or other consequences;

* Prevent theft or inappropriate use of assets.

Factors and Legislation Affecting Internal Controls

Knowing the factors and legislation that gave internal controls instant precedence in the workforce is imperative for understanding their significance. Of course, the well known accounting scandals have played a big part in the heightened attention companies, regulators, and the public are placing on internal controls today.

The Sarbanes-Oxley Act requires public companies and their auditors to comply with a number of new requirements. This includes requirements to enhance corporate governance and financial transparency and includes a requirement for officers to certify as to the effectiveness of their company's internal control regarding financial reporting. Sarbanes-Oxley and other regulatory requirements have driven organizations to spend unprecedented amounts of time evaluating and putting in place more effective internal controls.

While the legal and regulatory drivers are important factors, many leading companies have, for many years, focused on putting in place and maintaining an effective internal control structure because of the business benefits. Internal controls are intended to help organizations achieve their objectives while managing their risks. And as organizations grow and become more complex, the sophistication and strength of the control environment must grow in order to help the organization continue to reach its goals and objectives.

Understanding and Identifying Risk in Your Organization

An internal control initiative must start by defining what the organization is trying to control. Three common high-level objectives to consider are:

* Effectiveness and efficiency of operations;

* Reliability of financial reporting;

* Compliance with applicable laws and regulations.

Once you determine your focus, you must then drill down to understand what, specifically, your organization is trying to accomplish and what risks must be controlled. For example, a financial reporting objective of a payroll process could be to ensure valid employees are appropriately paid. The existence of ghost employees or unearned pay may be risks that could prevent the achievement of the objective. Once the above problem is understood, the organization considers how it might prevent those risks from occurring. Then you begin to identify, design and implement internal controls into your organization.

Approaches to Managing Risk

Once you understand and are able to identify the risks in your organization, the next step is to manage and mitigate those risks. First, consider the optimal response to identified risks. It is imperative you understand the level of risk by determining the likelihood of occurrence and subsequent impact of the risk.

Next, consider different options for responding to the risk and the costs and benefits associated with the response. Organizations may address risks through:

* Avoidance - not doing what you were going to do;

* Reduction - putting in place internal controls;

* Sharing - purchase of insurance;

* Acceptance - not doing anything to reduce the risk level.

Overall risk needs to be viewed and evaluated at an enterprise level to ensure efforts are focused on addressing the risks that are most significant to the organization as a whole. Then it's time for the organization to design and put in place its internal controls. COSO identifies the following broad categories of internal control as the components of an effective internal control program: