Many people have asked me whether internal controls monitoring is sufficient to unearth suspicious transactions, abuse of processes or frauds. Do you really need another fraud investigation exercise?
The two exercises have different objectives and perspectives and answer different needs: for example, whether we need to prevent or detect, examine historical or current data, take a predictive or presumptive approach, bring in concurrent or forensic audit, and so on.
To answer this question, my take on this is as follows:
Continuous monitoring of internal controls of an organization focuses on
- Determining sufficiency and deficiency of internal controls on structured business data such as financial accounting, human resources, payroll, treasury operations, etc.
- Following a systematic, repetitive approach for testing the effectiveness and efficiency of controls.
- Getting periodic self-assessments and certifications for organizational level assertions.
- Scanning data after business transactions are performed or committed, thus mostly providing a detective mechanism.
- Notifying responsible persons of internal control failures on an exception basis, generally according to the materiality concept.
Fraud investigation, on the other hand, is more than just monitoring business controls in an organization.
- Investigations of suspicious transactions can be far-reaching in terms of timeframe. While internal controls monitoring usually covers the current quarter, half year or year, a forensic investigation may require going back several years to assess the patterns adopted by the fraudster and quantify the damage caused.
- In order to crunch high data volume, one may need to adopt some technology or computer-aided tool for enabling data mining, analysis, simulation, predictive analytics, complex business rules, etc. for determining trends and patterns.
- Performing fraud detection or screening of transactions as a preventative measure, before the business transaction is completed, is a must in some scenarios: for example, screening high-volume payments, credit card approvals or blocking, and bank ATM network validations.
- External sources of information and unstructured data (emails, phone calls, whistle-blower tips), when combined with internal business transactions, may point to the failure of multiple controls leading to abuse of power or processes, bribery, corruption, or misappropriation of cash or assets.
- Individual controls may be very effective, but a combination of controls may tell a different story. For example:
  - Controls in the purchase process may be effective, but the purchase officer may be colluding with a preferred vendor or with another employee.
  - Multi-level approval workflows may be working fine, but invoices or contracts may be split to bypass approval levels and push through business transactions that violate company policies and favour outside parties.
  - Administrators authorized to maintain master data may make an occasional flip-flop change to a payee's name to direct a payment to themselves, which goes unnoticed.
  - Work on holidays or late shifts, combined with suspicious write-offs (say of inventory or consumables), may cover up thefts from warehouses, plants, etc.
  - Leakage of financial or competitive information, either overtly or covertly, sharing of passwords, succumbing to social engineering attacks, undeclared conflicts of interest, etc.
- Fraud investigation also needs to be flexible enough to add more factors to the analysis or change the thresholds and parameters in the logic for determining exceptions.
- Fraud investigation usually starts off by examining existing internal controls and can throw up new insights into deficiencies in internal controls that need to be strengthened. There is a two-way benefit for the groups involved in testing controls and in fraud investigation.
- Where a fraudster is involved, human behaviour and psychology, and the observation and interpretation thereof, play a large part in concluding the investigation. The user identity needs to be pseudonymized, and business operations must go on unaffected until the case is closed.
- Upon conclusion, the case may lead to criminal proceedings that require the gathering and submission of evidence in a court of law. Fraud examiners need a basic understanding of the various laws and legal provisions that apply to the specific case under investigation.
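To make the "combination of controls" point concrete, here is an added example (not code from the original post) that screens constructed purchase and master-data records for three of the patterns described above: invoices split to stay under an approval threshold, a flip-flop change to a payee's bank details that is reverted after a payment goes out, and postings on weekends or outside working hours. The thresholds and windows are parameters, reflecting the point that investigation logic must be easy to retune; vendor codes, employee ids, amounts and dates are all hypothetical.

```python
"""Rule-based screening of constructed purchase records for combined-control
patterns. Added example; all vendors, employees, amounts and dates are made up."""
from collections import defaultdict
from datetime import datetime

# Constructed invoice postings: vendor, approving employee, amount, posting time.
INVOICES = [
    {"id": "INV-1", "vendor": "V100", "approver": "E7", "amount": 9800, "posted": "2024-03-04T10:15"},
    {"id": "INV-2", "vendor": "V100", "approver": "E7", "amount": 9700, "posted": "2024-03-05T11:05"},
    {"id": "INV-3", "vendor": "V100", "approver": "E7", "amount": 9900, "posted": "2024-03-06T09:40"},
    {"id": "INV-4", "vendor": "V200", "approver": "E3", "amount": 25000, "posted": "2024-03-09T23:30"},
    {"id": "INV-5", "vendor": "V300", "approver": "E3", "amount": 1200, "posted": "2024-03-07T14:00"},
]

# Constructed vendor master-data change log (who changed which field, from what to what, when).
MASTER_CHANGES = [
    {"vendor": "V200", "field": "bank_account", "old": "ACCT-A", "new": "ACCT-B", "by": "ADM1", "when": "2024-03-08T17:55"},
    {"vendor": "V200", "field": "bank_account", "old": "ACCT-B", "new": "ACCT-A", "by": "ADM1", "when": "2024-03-11T08:05"},
    {"vendor": "V300", "field": "phone", "old": "555-0100", "new": "555-0199", "by": "ADM2", "when": "2024-03-05T12:00"},
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")


def split_invoices(invoices, threshold=10_000, window_days=7, min_count=3):
    """Flag runs of invoices from one vendor under one approver that each stay below
    the approval threshold but together exceed it within a short window."""
    alerts = []
    by_pair = defaultdict(list)
    for inv in invoices:
        if inv["amount"] < threshold:  # only sub-threshold invoices can be 'split'
            by_pair[(inv["vendor"], inv["approver"])].append(inv)
    for (vendor, approver), items in by_pair.items():
        items.sort(key=lambda i: _ts(i["posted"]))
        for start in range(len(items)):
            run = [items[start]]
            for nxt in items[start + 1:]:
                if (_ts(nxt["posted"]) - _ts(run[0]["posted"])).days <= window_days:
                    run.append(nxt)
            if len(run) >= min_count and sum(i["amount"] for i in run) >= threshold:
                alerts.append({"rule": "split_invoice", "vendor": vendor, "approver": approver,
                               "invoices": [i["id"] for i in run]})
                break  # one alert per vendor/approver pair is enough for triage
    return alerts


def flip_flop_changes(changes, invoices, revert_days=7):
    """Flag a master-data field changed and then reverted to its prior value within
    revert_days, listing any payment to that vendor posted between the two changes."""
    alerts = []
    by_field = defaultdict(list)
    for ch in changes:
        by_field[(ch["vendor"], ch["field"])].append(ch)
    for (vendor, field), items in by_field.items():
        items.sort(key=lambda c: _ts(c["when"]))
        for first, second in zip(items, items[1:]):
            reverted = second["new"] == first["old"]
            quick = (_ts(second["when"]) - _ts(first["when"])).days <= revert_days
            if reverted and quick:
                between = [i["id"] for i in invoices if i["vendor"] == vendor
                           and _ts(first["when"]) <= _ts(i["posted"]) <= _ts(second["when"])]
                alerts.append({"rule": "flip_flop_master_data", "vendor": vendor, "field": field,
                               "changed_by": second["by"], "payments_in_window": between})
    return alerts


def off_hours_postings(invoices, start_hour=8, end_hour=19):
    """Flag postings made on a weekend or outside the configured working hours."""
    alerts = []
    for inv in invoices:
        t = _ts(inv["posted"])
        weekend = t.weekday() >= 5
        outside = not (start_hour <= t.hour < end_hour)
        if weekend or outside:
            alerts.append({"rule": "off_hours_posting", "vendor": inv["vendor"],
                           "invoice": inv["id"], "weekend": weekend, "outside_hours": outside})
    return alerts


def screen(invoices, changes, split=None, flip_flop=None, off_hours=None):
    """Run all rules; each keyword argument overrides that rule's thresholds."""
    return (split_invoices(invoices, **(split or {}))
            + flip_flop_changes(changes, invoices, **(flip_flop or {}))
            + off_hours_postings(invoices, **(off_hours or {})))


def vendors_with_multiple_signals(alerts):
    """Vendors hit by two or more different rules: individually explainable
    exceptions that together deserve an investigator's attention."""
    rules = defaultdict(set)
    for alert in alerts:
        rules[alert["vendor"]].add(alert["rule"])
    return sorted(v for v, r in rules.items() if len(r) >= 2)


if __name__ == "__main__":
    for alert in screen(INVOICES, MASTER_CHANGES):
        print(alert)
    print("vendors with multiple signals:", vendors_with_multiple_signals(screen(INVOICES, MASTER_CHANGES)))
```

On the constructed data, vendor V100 trips only the split-invoice rule, while V200 trips both the flip-flop rule (the bank account was reverted two days after INV-4 was paid) and the off-hours rule (INV-4 was posted late on a Saturday), so `vendors_with_multiple_signals` singles out V200. Raising `min_count` or shrinking `revert_days` changes the result without touching the rule code, which is the flexibility the post asks for.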
In summary, internal controls monitoring and fraud investigation are like two arms, with the outputs of each providing useful inputs to the other.
I would rate fraud investigation or forensic audit as a wider and broader platform than internal controls monitoring, going by the objectives of the exercise and the challenges presented by the sheer volume of data (external and internal) to be analyzed.