I want to believe that the first person to have ever locked the door to his room perhaps is the first victim of larceny. Experience, they say is the best teacher. Locking and opening the door at certain times is a form of control to regulate access to an area. Controls exist in every facet of our lives and that controls are part of human life.
It comes in different forms and shapes depending the scope of the potential risk at stake. In recent time, banks have become copiously loud on the concept of Know Your Customer (KYC) and customer update all in bid to monitor possible involvement of customers in money laundering, terrorist financing and the proliferation of weapons of mass destruction. This is in no doubt a step in good direction but more needs to be done.
This is because every bank serves two categories of customers thus internal customers and external customers. The external customer refers to the general public to whom KYC is directed and the internal customers are the employees of the bank. Comparatively, whiles banks deploy policies and procedures that seek to ensure strict Know Your Customer (external customer), same cannot be said about Know Your Employee (KYE) thus the internal customers. Know Your Employee has become an area of concern in banking operation because of the rising trends in employee fraud activities in the industry that have made headlines in news.
The plethora of publications by several media houses on incidence of bank employee fraud have the potential of gradually eroding the trust customers have in the banking sector. Employee fraud, no doubt cast serious slur on the internal controls of banks. This brings me to the core of this article; internal control in our financial institutions. Banks have collapsed, depositors’ funds have suffered and assets have been lost because of lax internal controls.
A recent report by the Bank of Ghana titled “THE 2019 BANKING INDUSTRY FRAUD REPORT” indicated that a total of 2,295 cases of fraud representing a 5.4 per cent increase in cases reported in 2018. In 2019, the industry reported a total fraud value of approximately GH¢115.52 million. Approximately 28.96 per cent (i.e.GH¢33.44 million) of this amount was reported as losses and 71.04 per cent (i.e. GH¢82.06million) was unsuccessful or recovered. The reported total loss value is made up of GH¢10.35million and remaining balance of GH¢23.09million (as at the end of December 2019).
The reported added that similar to the year 2018, in 2019, suppression of cash and deposits accounted for the largest portion (77 percent) of the total number of fraud cases reported to the Bank of Ghana. It is important to stress that about 94 per cent of the fraud cases reported as suppression of cash and deposits were perpetrated by staff (either contract or permanent) of the financial institutions. The alarming rate of involvement of bank staff in the perpetration of fraud in the banking sector, calls for significant reforms in the engagement, remuneration and disengagement processes of employees and contractual staff of financial institutions.
INTERNAL CONTROL AND THE PURPOSE IT SERVES
Internal controls are processes put into place by management to help an organization operate efficiently and effectively at the same time prevent and reduce all manner of risks to the lowest ebb. Internal Control refers to all policies, processes and procedures that require operation and administration to be carried out in a specified way in order to prevent or mitigate adverse outcomes or risk. Managers often think of internal controls as the purview and responsibility of accountants and auditors. The fact is that management at all levels of an organization is responsible for ensuring that internal controls are set up, followed, and reviewed regularly.
The purposes of internal controls are to:
- Protect assets through prevention of fraud
- Ensure that records are accurate;
- Promote operational efficiency;
- Prevent abuse of power;
- Achieve organizational mission and goals; and
- Ensure compliance with policies, rules, regulations, and laws.
COMPONENTS OF INTERNAL CONTROL
For internal control systems of any organisation to achieve the effectiveness it desires, certain precepts must be acknowledged and adopted by that organisations.
Control Environment: The control environment is the culture, values, and expectations that organizations put into place. A sound control environment is the foundation for all other components of internal control. The basic elements of the control environment include:
- Integrity and ethical values;
- Leadership view point and operating cycle;
- The commitment to competence and not mere personalities.
- The manner in which management assigns authority and responsibility, organization and development of its employees.
Risk Assessment: In the past, risk management focused exclusively on financial dangers. Enterprise Risk Management (ERM) looks at the entirety of an organization and everything that could affect it. This involves management’s identification of areas of high risk and implementation of controls to detect errors or fraud that potentially result in material misstatements. Examples include:
- Unrecorded revenue or expense transactions;
- Ghost employees on payroll;
- Payments to fictitious vendors; and
- Confirmation of inventory.
Control Activities: Control activities are the policies and procedures put in place to run operations, accomplish goals, and prevent fraud. Control activities occur within the internal control system. Internal controls are developed and implemented to prevent or mitigate any risks identified. These are actually the specific policies, procedures, and processes designed to meet the bank’s objectives. Examples include:
- Approval and authorization
- Reporting (Whistle Blowing)
- Physical security of assets; and
- Electronic data security.
Information and Communication: Communications are essential for every organization. They rely on quality of information and effectiveness of dissemination. This area focuses on the systems and reports that help ensure that management directives to bank employees are carried out effectively.
Monitoring: Establishing controls is not enough. Once they are in place, managers need to verify the effectiveness of the controls. This involves assessing the quality and effectiveness of the bank’s internal control over time. Monitoring can be an internal or external activity by management, employees, or outside parties. Monitoring can involve the following:
- Assessing the design and operation of controls;
- Assessing the compliance with policies and procedures; and
- Providing for implementation of corrective action plans.
Implementing the 5 Key Internal Controls Themes
Key 1. Establish a Control Environment
Ways to establish and nourish the environment are:
- Set “tone at the top” by implementing and promoting ethical standards, integrity, and accountability policies;
- Establish structure, organizational responsibilities, and reporting chains;
- Hire competent and trustworthy staff members and provide necessary training for them;
- Emphasize that compliance with laws and regulations is of high priority to senior management of the organization;
- Establish your intent to hold people accountable for their responsibilities.
Key 2. Conduct Risk Assessments
- Leadership should oversee a risk management process and ways to accomplish this are:
- Identify the risks to operations and performance of each function through brainstorming with staff that handle these schedule;
- Learn about emerging risks through employee and industry experts etc.;
- Rate and rank the risks, and discuss controls or other actions needed to eliminate or reduce the risk;
- Develop corrective actions and assign someone to be in charge of implementing each.
Key 3. Implement Control Activities
Basic internal control methods are:
- Establish responsibility; Assign each task to specific staff and establish chain of command and avoid conflict of interest.
- Implement separation of duties; Don’t make one employee responsible for all parts of a process. Use compensating controls, such as additional monitoring or secondary sign-offs, when separation is not possible.
- Restrict Access; Don’t provide access to systems, information, assets, etc. unless needed.
- Create policies and procedures; Implement written instructions with directives to follow them. Assure controls cover all areas of compliance. Assure controls cover security of assets and technology.
Key 4. Implement Information and Communication Systems
Use the following suggestions to guide your information and communication protocols:
- Establish relevant and reliable information systems to track operations, goal progress, and compliance;
- Broadly distribute information throughout the organization to ensure that critical information is delivered to the right staff in a timely way. Ask staff members what information they need but are not getting;
- Establish separate lines of communication, such as fraud and ethics hotlines, for confidential information. Inform employees of these separate reporting lines, how they operate, and how reports are handled;
- Establish both outgoing and incoming lines of communication with external entities. Stay aware of external events that could pose a risk.
Key 5. Monitor Internal Controls
Ways to accomplish this include:
- Establish a system of quality control over all processes such as supervisory reviews, approvals, and automated exception checks;
- Conduct routine reviews of actual performance compared to goals and budgets;
- Conduct separate management reviews of a function to determine whether it is working as intended, or controls need to be redesigned.
- Arrange for external audits and be responsive to findings;
- Track all corrective actions, and ensure that they are implemented and working as intended;
- Use monitoring to tie corrective actions back to improvements in Control
THE RESPONSIBILITY OF INTERNAL CONTROLS
Senior Management sets the “tone at the top” that affects integrity, ethics and other factors of a positive control environment and implementation. In effect, everyone in an organization has a responsibility for internal control. No employee must be left out of the processes that surround internal control i.e. bottom-up, top-down, side to side of the organisational structure etc.
The Chartered Institute of Public Finance and Accountancy (CIPFA), United Kingdom, defines fraud as “Any intentional false representation, including failure to declare information or abuse of position that is carried out to make gain, cause loss or expose another to the risk of loss”. Fraud essentially involves using deception to dishonestly make a personal gain for oneself and/or create a loss for another. In recent years, corporate financial accounting scandals no longer become unexpected news of the day. Many studies have discussed fraud-related issues, and the general view is that fraud prevention should be the main focus. It is less expensive and more effective to prevent fraud from happening than to detect it after the occurrence. Usually, by the time the fraud is discovered, the money or item is unrecoverable or the chance to recover the full amount of the loss is very slim. Furthermore, it is costly and time consuming to investigate frauds especially involving large-scale multinational operations. However, if the focus is on fraud prevention all the monetary losses, time and effort to reconstruct fraudulent transactions, track down the perpetrator, and reclaim missing funds or item can be saved.
ESSENTIALS OF FRAND
A common model that brings together a number of these aspects is the Fraud Triangle. In 1950, Donald Cressey, a criminologist, started the study of fraud by arguing that there must be a reason behind everything people do. Questions such as why people commit fraud led him to focus his research on what drives people to violate trust? This model is built on the premise that fraud is likely to result from a combination of three factors: Pressure/Motivation, Opportunity and Rationalisation.
Pressure/Motivation: In simple terms, pressure/motivation to commit fraud is typically based on either greed or need. Other causes include problems from debts, gambling, extravagant lifestyle, addictive problems, status gaining, personal failures, employer-employee relationship etc. Many people are faced with the opportunity to commit fraud, and only a minority of the greedy and needy do so. Personality and temperament, including how frightened people are about the consequences of taking risks, play a role. Some people with good objective principles can fall into bad company and develop tastes for the fast life, which tempts them to fraud. Others are tempted only when faced with ruin anyway.
Opportunity: In terms of opportunity, fraud is more likely in institutions where there is a weak internal control system, poor security over company property, little fear of exposure and likelihood of no detection, or unclear policies with regard to acceptable behaviour. In practice, some employees are totally honest, some are totally dishonest, but that many are swayed by opportunity. Research has shown that in most cases fraud has festered when there is a breach in controls.
Rationalisation: Many people obey the law because they believe in it and/or they are afraid of being shamed or rejected by people they care about if they are caught. However, some people may be able to rationalise fraudulent actions as:
- Necessary – especially when done for the business.
- Harmless – because the victim is large enough to absorb the impact.
- Justified – because ‘the victim deserved it’ or ‘because I was mistreated.
Diagram source: https://forensiq.ca/compensation-fraud-in-canada/
Fraud detection is a multifaceted activity. Occupational fraud can be detected through a number of different method including continuous timely audits, whistle blowing, real time and post activity monitoring, and spot checks.
Different types of fraudster
Fraudsters usually fall into one of three categories:
- Pre-planned fraudsters, who start out from the beginning intending to commit fraud. These can be short-term players, like many who use stolen ATM cards or false identification card; or can be longer-term, like bankruptcy fraudsters and those who execute complex money laundering schemes and scams.
- Intermediate fraudsters, who start off honest but turn to fraud when times get hard or when life events, such as irritation at being passed over for promotion or the need to pay for health care for a family member, status gaining.
- Slippery-slope fraudsters, who simply carry on trading even when, objectively, they are not in a position to pay their debts. This can apply to ordinary traders or to major business people.
Even strong controls do not always work. As organisations implement controls, it is worth noting that all of the control systems are dependent upon people. The effectiveness of internal controls is directly proportional to employees’ willingness and commitment to adhere to them. The working conditions and remuneration of employees must be reviewed and aligned with industry players to avert the temptation of “pressure, opportunity and rationalisation” the fraud process. Integrity of employees (permanent and contract) of financial institutions must be given proper scrutiny before and during their appointment under the principles of Know Your Employee (KYE) and reviews must be done periodically. Again, some operational processes and procedures must be automated to an appreciable level to minimise human interventions.
The author is a Researcher, a Governance and an Operational Risk Expert in banking. He has worked over a decade in various capacities in the banking industry. For enquiries on this article kindly contact the author through email: [email protected]