Strategic Planning for 2011? Changes in Business Can Compromise the Effectiveness of Internal Controls

If we have learned anything from the Sarbanes-Oxley era and the scandals that brought down the economy, it is that internal controls have to be effective. The first step is control design. When done properly, the design will include preventive controls to preclude undesirable activities and detective controls to alert management when exceptions occur. An appropriate design of preventive and detective controls is critical, but not sufficient. Control environments are dynamic. Changes in the business often result in workload shifts. When this happens, roles and assignments are informally swapped to make the work load more equitable. As informal process changes evolve, the control design is often unintentionally compromised, sometimes with significant consequences.

For example, an Accounts Payable Manager has the responsibility to review all vendor master file changes before payments to vendors are made. However, if the Accounts Payable Manager is suddenly swamped with a new system implementation she may not have the time to review the master file changes and she may not be available when the payable checks are ready.

In situations like this, the Accounts Payable Manager might assign the vendor master file review to an employee who is responsible for processing checks but does not have system access to enter invoices. On the surface, this appears to be a viable alternative since the responsibilities for invoice processing and vendor change review are segregated. However, this informal role change has just compromised the control system.

What happens if this employee creates an invoice from a fictitious vendor? Since the employee has been given the responsibility to review new vendor additions, the fictitious vendor is not questioned. After the invoices are processed, she simply prints the check and pockets the payment.

This is only one example to illustrate how a “quick fix” may not be in the best interests of the company. Informal reassignments are common as new pressures develop. When workloads shift, it is worth the time to review the internal control design in total. If there is no time for a total control design reevaluation, enlist the help of the Internal Audit department. In any case, when responsibilities are reassigned make sure that there are adequate mitigating controls throughout the entire process. Having “trusted” employees does not always protect against errors or fraud.