Strengthening Internal Controls to reduce fraud: A Pragmatic Approach

A holistic study on trends of weak internal controls and their impact on fraud losses with possible solutions
considering optimal costs of compliance.

Background

Cost is a single and most significant inhibitor of sacrifices in creation, maintenance and monitoring of
Internal Controls. As an entity goes up the risk ladder, potential threat of asset losses also goes up. In
aviation industry there is a point called “coffin corner”. Basically coffin corner is a point beyond which
there is no possibility of an aircraft to gain any thrust and goes in to a stall with negligible chance of
recovery (see fig. 1). We can derive a coffin corner for risk and costs as well with slight modification (see
fig. 2). Just as an aircraft comes to a spiraling stall and crashes when it reaches the coffin corner, so does
and entity spirals into uncontrollable conditions when risks and costs become too high that optimization
of either of them is no longer a practical possibility.

Figure 1 – Coffin Corner (Aviation) Figure 2 – Coffin Corner (Risks)

The small trapezium shaped window is the safest and optimal risk-cost point where an entity should be
working at. Here the costs are not too high in comparison with benefits and entity wide goals and
objectives are modest enough to keep risks at optimal level. Going down the trapezium, inefficiency of
controls will sink the entity and going too high will result in uncontrollable situations where nothing will
really work anymore.

The objective of the study is to find ways, most importantly, practical ways to keep an entity within that
trapezium of comfort while discussing current trends.
How bad is it now?

The very purpose and objective of any management is to safe guard its assets while improving the wealth
of the organization. Risk assessment is aimed at protecting assets, optimization of internal control costs
are aimed at improving the wealth of organization. Recent surveys by ACFE have disclosed staggering
trends which revealed how inefficient internal controls are in fighting fraud. Fraud is the single largest
cost of asset losses by far.

This figure depicts the

primary internal control
weakness that result in
Fraud. While 30% is due to
lack of internal controls,
19% is due to lapse in
internal controls. Equally
staggering 18% is due to
lack of management
oversight.

It is also important to
observe that Lack of
reporting mechanisms
consist less than 1% chance
for fraud losses. This goes to
prove that while reporting
mechanisms are on par with
effective mechanism,
efficiency of the very
controls are in challenge.
The situation needs to be
handled cautiously.

Presence of internal controls were found to be effective enough to reduce the occurrence of fraud by at
least 12% on an average. However, mere presence of controls is not the inhibiting factor for reduction in
occurrences of fraud. We need to observe how costly are those controls and how are entities assessing
their control requirements.
Identify, Estimate & Implement – The optimal methodology

In the identification stage, identify all the possible threats due to lack, lapse and not reviewing the internal
controls and list of suggested internal controls to fight those threats. Assume that all those controls are
in place and functioning but resulted in a magnificent control failure. Assess the damages of the losses
and calibrate those losses and jot down the reasons for failure.

In the estimation stage, estimate the cost of implementing the revised controls and classify them
according to level of risk; High, Medium and Low. Invest in controlling high risks, withdraw from medium
risk threats by refining the controls and slowly phase out low risk processes by combining those processes
i.e., reduce redundancy.

In the implementation stage, put the refined controls in place and keep monitoring them consistently and
update the values from stage of Identification and re-iterate the steps.

To understand this, let us take a process and test it with the above methodology.

Risk Master Inc., is a company engaged in manufacture of electronic circuit boards under JIT policy. As the
inventory is ordered and refilled in real time, there is need for company to maintain cash and bank
balances at higher levels than companies operating in same line of business but do not follow JIT policy.
While implementing JIT is an assessed operational control to reduce the inventory holding costs and
improve efficiency of production, the inconvenience of that control is to hold high levels of cash balances.

We can identify the following risks of handling cash.

1. Theft of cash from the drawer.

2. Insufficiency of cash balance delaying the inventory refuel.
3. Loss of interest due to maintaining more than required cash.

To reduce the losses due to above threats, the company has implemented following controls:

1. Installation of CC Cameras at the cash desk to prevent theft of cash.

2. Maintaining 1.5 times of required cash balance to avoid insufficiency of cash balance.
3. Clearing the surplus cash balance on a daily basis and investing them in short term investments
to benefit from interest savings.

The internal audit team sat down and assumed that these controls are in place and it has failed with
following instances.

1. An unidentified perpetrator stole an amount of Rs. 2 lacs from the cash drawer wearing a
macabre.
2. During January, 2019 due to sudden increase in orders, the company required rapid inventory
refuel and since the cash balance was not readily available, the company lost orders valuing Rs. 2
Crores.
3. The average cash balance required on normal production days was only Rs. 75 lacs which is only
50% of the estimated 1.5 times of cash balance requirement which resulted in a loss of interest
on remaining 50% idle cash balances.
Upon brain-storming the reasons, the internal audit team has come to the following conclusions:

1. Installation of CC Camera was not an effective anti-fraud control as it was a reactive control and
not proactive one, meaning it could not prevent the theft from materializing due to under-
estimation of perpetrators’ modus operandi. As a result the amount invested in purchasing the
CC Cameras and maintenance of the same was not fruitful and did not gave anticipated returns.
2. While implementing the JIT methodology, the company should have thought the possible threat
of over demand of inventory and should have thought about alternative ways to procure
inventory. There is a policy lapse here.
3. The production team and finance team did not estimate the cash requirement properly. This is
due to inefficiency of the management in placing trained people while budgeting the
requirements.

The internal audit team has now estimated the losses and costs associated to develop and place controls
to avoid these risks as follows:

Risk Estimation Risk Level Action Strategy Benefit

Theft of Cash At least two Invest in A safe will act
incidents are purchasing a safe as a physical
estimated based with physical locks deterrence
on past trends High Invest and custody of the and will
with a maximum locks be with a reduce the
loss of 5 lacs. specific person instances of
who is responsible theft and will
= 2 instances * 5 for safe guarding work as an
lacs = 10 lacs the same. anti-fraud
control.
Insufficient Loss of business Find alternative Will avoid the
Cash Balance maximized at Rs. suppliers who can need for
1 crores and Medium Withdraw deliver inventory maintaining
placing cash on credit and heavy cash
profit margin at engage them. balance and
2%, the loss is 2 threat of such
lacs. balance being
insufficient.
Loss of With the average Since the Avoid the
Interest cash balance at alternative process by
Rs. 1.5 crores, suppliers are limiting cash
considering 7% found and balance to
return on Low Avoid engaged, there is other
investment per no need to requirements.
year, the average maintain cash for
daily loss is JIT
restricted to Rs. implementation.
0.86 lacs per This control now
month. became
redundant.
Alternatively, to prevent cash thefts, without investing the amounts to buy a safe, the daily cash balances
can be withdrawn and deposited in the bank. This will however result in an inconvenience and will result
the control on insufficient cash balance transferred to high risk category. This means that all permutations
and combinations considered, an optimal solution exists only when the planning fallacy is considered
while assessing the strength of controls.

Conslusion

Going back to the concept of coffin corner, too much risk of maintaining high cash balance and investing
heavily will result in more opportunities for fraudsters to steal i.e. to say when the risk of theft and cost
of investment reaches the level of coffin corner, nothing much can be done to control those risks. This is
the very reason why the methodology should be regularly followed in several iterations continuously to
monitor the effectiveness and efficiency. It is noteworthy to say that COSO also built and developed its
2017 ERM framework in the same lines.