Case Studies - Risk Consulting: Think Out of The Circle

Saturday, March 10, 2007

Think Out of The Circle

When an opportunity to commit fraud exists, someone has likely already exploited it. The role of fraud investigators is then just to determine the extent of the losses. What do fraud perpetrators do? They don't play by the rules. They ignore internal controls or compromise them. The circle represents your 'as is' internal controls, and the square represents what employees really do. There is no proof in the audit books that segregation of duties is generally effective or worth its often significant cost. It depends on the case. To my knowledge, segregation of duties is the most overemphasized and often the least cost-effective control design option available.

A breakdown in segregation of duties is mostly a symptom of bad control design. On the surface, it seems that segregation of duties will improve controls. However, the laws of human psychology and the realities of the workplace prevent segregation of duties from being an effective control.

Segregation of duties is expected to prevent fraud and error and to safeguard assets. However, the reality is different. Let us take a couple of examples from the hospitality business. The chef picks up the phone and orders material directly from the supplier, and purchasing prepares the paperwork after the fact, often when the invoice arrives. What happened to the requisition, purchase order approvals, and so on? Note that the chef has done nothing wrong as far as business objectives are concerned. Does this mean control objectives are not in sync with business objectives?

In a restaurant, check voids are supposed to be approved by the Restaurant Manager and the Chef as a dual control. However, repeated voids of the same menu item due to its bad taste never get the attention needed for appropriate action. What really happens? The manager and chef sign every voided check just to satisfy the control. Responsibility is not actually fixed in this case. When we find everything approved, we say the controls are effective. What about the purpose?

Such ineffective practices are bad for the business as they block innovation and learning. What is needed is to analyze risk and control within a specific process or work group, and to coach the work groups about control practices and their effectiveness. This will help us form a reliable opinion about the effectiveness of the controls. Companies should expect occasional error, fraud, or abuse and deal with it. The organization will be healthier as a result. 'Trust but verify' can be a powerful, cost-effective strategy.

Some companies use ongoing surveys to seek input from employees on sensitive soft-control issues. The tools can be simple, such as an automated Excel sheet or a web-based tool, to increase awareness and reflect real business needs for the controls. Risk perception determines your risk management process. So let us get innovative and meaningful in our approach.
