The Enron case highlighted that inadequate internal controls cause huge damage to the organization. Subsequently, the Sarbanes Oxley Act section 404 focused on making it mandatory for organizations to implement good internal controls. However, don’t view internal controls in isolation of the organization culture. As I had mentioned before that internal controls of an organization are as good as the culture. The probability of breach of internal controls is higher in negative cultures. (Read Impact of Organization Culture on Internal Controls). Though, in this post I am totally focusing on internal controls without linking to the organization culture.
While the organization expanded and grew, the focus on internal controls reduced. When we consider the bigger fraud cases, Enron, WorldCom, Barings etc., the organizations management committed one or a combination of the following mistakes.
a) Management stopped old control systems without introducing new control systems.
b) In some cases, continued to use old systems without conducting a review to assess their reliability and usability.
c) On the other hand, in some companies management relied on new systems without assessing their accuracy and timeliness.
d) Lastly, assigned roles and responsibilities without segregating duties and defining clear reporting lines.
In nutshell, one can say that management lacked focus on implementing internal controls. Due to these weaknesses in the internal control systems, management and auditors failed to detect frauds done by employees. KPMG 2010 India Fraud Survey stated 75% of Indian organization experienced fraud. It further mentioned:
“Supply chain fraud (procurement, distribution and revenue leakage) is the single most exposed area. Weak internal control systems, eroding ethical values and a reluctance on the part of the line managers to take decisive action against the perpetrators are cited as the most vital underlying reasons for frauds being on the rise.”
So let me start with the ways lapses in internal controls in the purchasing process can result in huge fraud. The Common Wealth Games fraud depicts the methods that are used to tamper with the purchasing process. Here are some examples, which apply to organizations:
1. Contracts awarded without ensuring reasonableness of requirements – The basic premise of issuing purchase contract is that there is a business requirement for a specific good or service. Breaches of internal controls occur when employees create unnecessary requirements to favor a certain vendor. To illustrate, in India terrorist threat is high, however there haven’t been any major incident of an office premises being targeted. Now let us say, the physical security team plays on the nerves on the senior management, since security is essential and creates many unnecessary requests for equipment. For example, request for automobile blocking ramps at gates, which may not be used in any other offices. Now each installation is in lacks and the physical security team gets kickbacks from the vendor for the contract.
Another way of circumventing the controls is to order in excess of requirement. For example, the organization needs 100 units of X product and the order is given for 200 units. Now since the business requirement is met, the excess stock will be ignored. Either the concerned employee can get the excess stock delivered outside the office for personal use or if delivered in office steal the stock later on.
2. Contracts awarded without ensuring reasonableness of rates – Normally the bidder with the lowest rates and best quality gets the contract. Multiple vendors are invited to submitted quotes. However, the purchasing team can easily breach the internal controls by doing false paperwork. Let us say, that X vendor quoted the most reasonable price for a product. However, purchasing team has tied up with Y vendor. Hence, it just discards the documents submitted by X vendor and produces two additional set of bidding documents in which Y vendor is reflected in the best light.
3. Payments made without receiving goods and services – The purchase contract terms state the payment terms. Advance payments amount to 10-20% of the total purchase price. The payments team in the finance section can contravene this control by making advance payments for 70-80% of the contract without receiving any goods or services. This affects cash flows and the company loses interest income. The other risk is that if subsequently if the vendor gives sub-standard goods or services, the company does not many tactics for negotiating fair terms with the vendors.
4. Contracts terminated on flimsy grounds – Most organizations invest significantly in vendor relationships since good relationships result in lower costs and better quality. However, to meet personal agendas employees can get the contracts terminated on flimsy grounds. To illustrate, let us say the physical security team evaluates the security contract for the premises, inclusive of guarding services. Now, if the same security vendor provides services in all office locations of the organization, the cost will be lower since the vendor has economies of scale. However, the physical security team approves contracts of different vendors for different locations and terminates the contract on a yearly basis without renewing the same. The reason behind it is that the physical security team gets a kickback for every fresh contract.
5. Fake purchase contracts issued – In the worst-case scenario, employees can issue fake purchase contracts to vendors for meeting personal expenses. For example, let us say a physical security team has an XXX amount of budget for securing the organization. On the face of it, the team issues the contract to a guarding agency to protect an office premises. However, in reality the contract is given to spy on other employees for harassing them. In such cases, the organization suffers huge costs, as it is difficult to identify the true purpose of the contracts.
There are some key lessons to learn for senior management from these corporate disasters.
a) Firstly, review process controls on acquisition of a new company, business or process. Conduct an independent review of controls to assess the vulnerability.
b) Secondly, create new job descriptions with clear lines of responsibility and accountability. Remember that segregation of duties is essential for effective control. If employees are in the same positions for a longtime, rotate them to ensure they don’t get too comfortable in their positions.
c) Monitor results through key performance indicators, exception reports and budget variances.
d) Appoint independent external auditors (big four or other reputed concern) to evaluate the controls.
e) In case of purchase contracts, audit the suppliers to see determine their authenticity of the contracts
f) Conduct interviews with employees, consultants, contractors and subcontractors to assess whether kickbacks are being paid or received while entering into contracts.
To read more of the Fraud Symptoms series, click here.