“If you perceive that there are four possible ways in which something can go wrong, and circumvent these, then a fifth way, unprepared for, will promptly develop.” That is Murphy’s Law, and unfortunately it applies to internal control environments everywhere. Even when the audit testing has found no exceptions and the financials have been signed, sealed, and delivered, there are situations that should prompt renewed investigation.
In the ongoing struggle to be more productive and ultimately more profitable, companies refocus their priorities and assign new reporting structures. This can have a profound effect on the day-to-day activities that support the control environment.
A multi-national company experienced such a control breakdown. Monthly budget reports were programmed to print each month and were distributed through inter-office mail. This was a basic detective control designed to spot unapproved spending or errors in bookkeeping, and it fit nicely in the SOX control plan. During interviews after the most recent reorganization however it was discovered that many of the managers never received a budget report, while others received them in inter-office mail on a random basis. No one knew who was responsible for distributing the reports, and there was confusion about the department structure.
Another threat to a smooth running control environment is downsizing. People who find that they must “do more with less” often find creative ways to be more productive. Sharing passwords to access systems that were not previously needed is common, as is informal delegation of responsibilities. One case involved a supervisor reassigning roles in an accounts payable department, unwittingly destroying the structure that had been designed to protect against conflict of interest and fraud.
When employees are under increasing pressure to meet deadlines or objectives, controls may be circumvented. A payroll clerk decided to over-ride a system control designed to ensure supervisor approval because it enabled her to be more efficient. Inventory controls are also commonly avoided to expedite customer service or production quotas when the stakes are high.
The controls that are compromised are often related to basic process and procedure issues that are not always apparent. Management should keep controls in mind as they deal with changing environments. Auditors must look below the surface to ensure that the procedures designed to support controls are firmly in place.
This post was contributed by Janet Hintz, a Director with Vonya Global. Janet is a seasoned advisor, focused on helping her clients find alternatives that align financial and operational objectives, increase productivity, and strengthen internal control. If you would like to contact or connect with Janet directly you can find her profile on LinkedIn: https://www.linkedin.com/in/janethintz.