The Illusion of Control (Part II): A False Sense of Security

The Green Hyena, 15/11/2023 | 22/11/2023

Effective internal controls are good for business. At least, this is how COSO (Committee of Sponsoring Organizations of the Treadway Commission) introduces the purpose of internal control. According to the COSO website, internal controls have a value beyond compliance and external financial reporting. Effective internal controls can help an organisation articulate its purpose, set its objectives and strategy, and grow on a sustained basis with confidence and integrity in all types of information.

The implementation of internal controls stands as a formidable barrier against potential threats, particularly against white-collar crime and fraud. However, while internal controls are undeniably crucial, there is a pressing issue that often lurks beneath the surface – we call it the illusion of control.

The Facade of Rigorous Checks

Imagine a scenario where an employee is tasked with scrutinising and authorising a substantial number of invoices on a daily basis. The control mechanism requires meticulous examination of numerous invoices within a short timeframe. In theory, this process seems robust, aiming to catch any discrepancies and prevent fraudulent activities such as false invoices, inflated invoices or invoices from fake vendors. However, in practice, the sheer volume of transactions can compromise the effectiveness of the checks and balances performed by the employee.

Humans, by nature, are prone to errors, distractions, and bias. When confronted with a deluge of invoices to verify, the depth and thoroughness of each examination are inevitably compromised. The risk here lies not just in the possibility of missing discrepancies but in the gradual erosion of the quality of the checks as a result of sheer workload.

In our experience with conducting forensic investigations, we’ve encountered numerous cases where organisations had established internal controls.
However, the effectiveness of these controls was compromised not only by poor design but often also by the impractical workload that hindered thorough scrutiny of the checks and balances, creating opportunities for fraud.

Dilution of Responsibility

A significant challenge arises when multiple individuals are involved in the execution of certain internal controls. In a situation where several people share the responsibility of, for example, authorising transactions, a dangerous mentality can set in – let’s call it the ‘dilution of accountability’. Each person may subconsciously believe that their colleagues will catch any errors or irregularities, leading to a collective mindset of complacency. When everyone assumes that someone else is performing a thorough check, the system becomes vulnerable to oversights and potential fraud.

This phenomenon is exacerbated when the workload is distributed among team members. The more decentralised the control process becomes, the greater the risk that individuals may perceive their contribution as less critical, diminishing the overall effectiveness of the control mechanism.

Management Override: The Silent Threat

Even the most robust control frameworks can be rendered ineffective if there is a lack of awareness or vigilance regarding the potential for management override. In some instances, individuals in positions of authority may exploit their power to manipulate or bypass established controls. This challenge extends beyond the technicalities of control frameworks and emphasizes the human element in risk management. Addressing the threat of management override requires a combination of technological safeguards, a culture of transparency, and periodic independent assessments to ensure that those responsible for checks and balances remain incorruptible.

In conclusion, while internal controls are indispensable in managing risks, in particular fraud risks, organisations must remain alert to the inherent limitations of internal controls, i.e. a false sense of security that can compromise the effectiveness of internal controls. It is vital to strike the right balance between the number of controls and ensuring that they are realistically achievable and consistently enforced.

As emphasised in our other blogs, having the right culture is key. A culture of accountability and awareness, coupled with periodic evaluations and full use of technological possibilities, will enable organisations to adequately manage the risk of white-collar crime and fraud.

In the following blogs, we will provide you with guidance on how to overcome the above challenges and not fall victim to the illusion of control.