The current economic environment and financial pressures to improve margins and earnings performance are challenging many financial institutions, causing them to downsize, employ newer technologies, or offer new products and services in attempts to maintain a competitive edge. As a result, there is the potential that the internal control environment may not always evolve in kind. Failure to maintain an internal control environment commensurate with the size and activities of an institution can open Pandora's Box and create issues, including opportunity for fraud.
This article will provide the characteristics of an effective internal control program and expectations from the examiner's perspective, detail some examples of fraudulent activity and outline potential trends, and discuss how to avoid or limit the likelihood of a fraud event (if possible). In addition, the various responsibilities of the board of directors and senior management will be defined.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has defined internal control as a process, which should be developed by the directorate and senior management to provide reasonable assurance regarding the effectiveness and efficiency of an institution's operations, the reliability of financial reporting, and compliance with applicable laws and regulations. According to COSO, the following five components can help to create an effective internal control system:
A financial institution's internal control environment assessment falls under the Management and Risk Management components of a bank examination or bank holding company inspection. Examiners expect that board members and senior management understand their institution's activities and associated level of risk. During an examination or inspection, examiner activities include the following:
The board and senior management are responsible for monitoring all significant risk, controls, and the high-risk areas associated with new products, such as electronic banking, stored value cards, remote deposit capture, and ACH. In addition, the board is ultimately responsible for compliance with new laws and regulations; therefore, the board must ensure that the audit function consistently meets legal, regulatory, and supervisory requirements. Moreover, the board must make certain that the audit function monitors and tests the reliability and effectiveness of both the institution's internal controls and its financial statements. Lastly, the independence of the audit function is vital to the overall effectiveness of every audit program.
Some would argue that not all fraudulent activity is the result of broken controls. However, there is no doubt that a broken control environment is conducive to fraudulent activity. Even more importantly, fraud can eventually cost an institution enormously in terms of viability and reputation, in addition to any direct financial impact.
Adrian Stern, CPA, Cr.FA, suggests that some effective tools in the battle against fraud include having strong internal controls, performing audits of records, and analyzing key financial trends. Clear policies and zero tolerance toward fraud, along with employee support programs, also help to create the proper control environment. Moreover, Stern provides some clear examples of poor controls, which may be common occurrences, as outlined below:
To prevent internal control breakdowns, financial institutions should conduct periodic risk assessments, led by either internal or external auditing staff. The assessments should focus on high-risk areas, such as physical controls relating to high dollar fixed assets, cash, marketable securities, payroll, and inventory.3
Current economic conditions demand that financial institutions strengthen internal controls over the lending process; at a minimum, they should be reviewed for effectiveness. In a case study of a company's internal controls, author Kevin Clancy documented that the validity and collectability of the company's accounts receivable were in question. A subsequent forensic investigation identified fictitious customers, fictitious sales, and forged bills of lading, invoices, and other fraudulent documents. Ultimately, it was determined that certain company officers were involved in a massive fraud, resulting in U.S. and foreign bank losses of between $600 million and $1 billion and, in turn, the arrest of the company's chief executive officer on charges of conspiracy to commit bank fraud, mail fraud, and wire fraud. The company's CFO and former treasurer were also arrested on similar charges.4 Regardless of a loan department's credibility, internal controls are necessary to ensure professional and legal operations.
Comprehensive and correct internal controls can prevent many types of fraud, especially those committed by an institution's employees. The Department of Justice noted one such case, where a vault teller responsible for preparing the daily vault cash reconciliation reports and providing the reports to bank officers created false internal bank documents, which purported to show the movement of cash in and out of the branch vault. In doing so, the vault teller defrauded the bank in excess of $3.2 million. Bank management indicated that the teller had used the position of trust and co-opted internal controls by exploiting professional relationships at the institution.5 Because not all fraud is the result of weak controls, Stern indicates that institutions should seek ways to lessen outside pressures on employees that may lead them to commit fraud. He attests that some institutions have actually introduced programs to help their employees with financial difficulties, thereby reducing the employee's temptation to commit fraud.
While lessons can be learned from past instances of fraudulent activity related to insufficient internal controls, lessons are also being learned about potential areas of increased fraud now and in the future.
TARP. In the age of Troubled Asset Relief Program (TARP) funds, the appropriate use of funding has often been the topic of discussion. According to Robert S. Mueller, III, director of the Federal Bureau of Investigations (FBI), a potential area for new fraud cases involves TARP funds. The FBI is currently working with other agencies to identify how and for what purpose these funds are being used. Mueller stressed the need for "independent board members, auditors, and outside counsel" to help keep organizations honest. "If this financial crisis has taught us anything," he said, "it may be that it is time for a cultural shift-a 'back to basics' approach that incorporates sound business judgment, risk assessment, and integrity, from the top down."6
Investment portfolio. Another area susceptible to fraudulent activity is the investment portfolio process, due to the level of oversight and management. Brent Currey, an audit manager at the accounting firm, Frost PLLC, indicates that the investment portfolios of most financial institutions are often managed by a single individual with little or no oversight by another party, often due to a lack of available staff.7 In some instances, staff with the required specialized skill set to manage the investment portfolio may be scarce. This highlights a greater need for additional scrutiny.
Currey explains the key controls needed under such circumstances, and they include proper segregation of duties for investment portfolios and processes involving purchasing, disbursement, and reconciliation within the investment cycle. Moreover, Currey indicates that risk analysis of the investment portfolio should be monitored closely by the institution's oversight group or an appropriate committee to ensure that the risk profile of the investment portfolio matches the risk goals for the institution. A key control is to separate the reconciliation of the investment portfolio from the management function. However, and more importantly, the reconciliation process should be performed by a separate individual, and the reconciling individual should be familiar with the investment process and diligently follow up on any significant reconciling items in a timely matter.
The point can again be made that one of the most significant challenges of the current economic environment is combating fraudulent activity. While there may not be a feasible way to eliminate every imaginable type of fraud, board and senior management have an important role in ensuring that the internal control environment and internal audit control function remain effective. Plato was quoted as saying "Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws." In this case, a strong and effective internal control environment serves as a deterrent to those who seek to circumvent the laws and processes designed to protect an institution.