The Illusion of Control (Part I) – The Internal Control Paradox
The Green Hyena, 14/11/2023, 22/11/2023

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was established in 1985 in response to a series of high-profile financial scandals that were made possible by weaknesses in internal control systems. The Treadway Commission, named after its chairman, James Treadway, was established to address concerns about fraudulent financial reporting and to improve the overall quality of financial reporting. As described in our previous blog “Managing Fraud Risks: COSO 101”, the commission developed the COSO framework, which provides guidance on internal control, risk management, and fraud deterrence. In essence, the COSO framework provides organisations with a structured approach to risk management and internal control that ultimately contributes to the achievement of the organisation’s objectives while upholding integrity and transparency in business operations.

COSO, together with the Association of Certified Fraud Examiners, also published the Fraud Risk Management Guide. This guide is specifically intended to assist organisations with managing the risk of fraud. The components of this guide are: (1) Fraud risk governance, (2) Fraud risk assessment, (3) Fraud control activity, (4) Fraud investigation and corrective action, and (5) Fraud risk management monitoring activities.

The question is how to design and implement these five components. Perhaps even more important, how extensive should the internal control framework be to effectively manage the risk of white-collar crime and fraud? Is there such a thing as ‘too many controls’?

In this context it is important to note that there will always be people who are up to no good. As every organisation – at some point – will be confronted with white-collar crime, fraud or other forms of misconduct, it is impossible to fully mitigate fraud risks.
Furthermore, when fraud occurs, it is likely to be concealed. This leads to a situation in which, almost by default, the timing, type and extent of such issues are unknown. As the essence of fraud lies in its intention to remain concealed and details are often unclear, how do you control such risks?

It is noteworthy that the design and implementation of an internal control framework are often driven by regulatory developments. Over the years, we again see a trend where organisations are pushed to increase their internal control efforts. Regulatory authorities increasingly focus on prosecuting entities for the lack of or deficiencies in internal controls rather than the perpetration of white-collar crimes per se. Regulatory initiatives such as the “failure to prevent” in the UK and the Monaco memo in the US exemplify this trend. We refer to other blogs on our website for a detailed analysis of those specific regulatory initiatives. In short, organisations face more severe penalties when their internal controls are deficient, while those with effective internal controls may receive cooperation credits.

Apart from these legislative developments, another force driving organisations towards more and more internal controls is the risk of fraud itself. As set out in the Association of Certified Fraud Examiners’ “A Report to the Nations”, organisations with effective internal controls are less likely to fall victim to fraud and, if they do, the damages are smaller. Moreover, incidents of fraud prompt a natural response to implement more and more controls, new standards and internal regulations. Organisations nowadays face much greater publicity, or media, risk than ever before. Companies experiencing fraud, mismanagement, short seller reports, or claims and litigation usually receive major media attention.
While we acknowledge the importance of maintaining an effective internal control system, it is our belief that an excess of control measures may even prove to be counterproductive over time. We argue that an abundance of rules, controls, and audits complicates the way an organisation conducts its business. Moreover, it creates bureaucratic hurdles as well as an inherent increase in both human and systemic errors. We have observed organisations, burdened by too many controls, where it became impossible to conduct their business operations effectively.

Paradoxically, as organisations strive to reduce the risk of white-collar crime and fraud by intensifying internal control efforts, a tipping point is reached where excessive controls result in an excess of bureaucracy, thereby inadvertently creating additional opportunities for fraudulent activities. When organisations become ensnared in a web of overly intricate rules, procedures and monitoring mechanisms, it pushes employees to find workarounds to be able to do their job. This will introduce loopholes and deficiencies that can be exploited by malicious actors.

Moreover, in a situation of an overwhelming number of control activities, the effectiveness of these controls becomes questionable. The sheer volume of controls impedes their practical implementation and monitoring. The effectiveness of these controls comes into question when a person is tasked with a multitude of checks each day. The sheer volume of controls compromises the depth and thoroughness of scrutiny. Additionally, an inherent lack of trust in employees within such a stringent environment creates a self-fulfilling prophecy, where the perceived lack of trust inadvertently results in the very behaviours that the controls aim to prevent.
Striking a balance between effective control measures and a conducive working environment is crucial to mitigate fraud risks without compromising operational efficiency or eroding the trust essential for a healthy organisational culture. Achieving the right balance between internal control and operational efficiency is an ongoing challenge for any organisation. Not having the balance right increases the risk of white-collar crime and fraud.

In this delicate balance, we see that organisations traditionally prioritise prevention over detection and response. While deterring fraud is crucial, how quickly you are able to detect when something starts to go wrong and the quality of your response to such a signal is what will make the difference. Leveraging technology, including data analytics and artificial intelligence, holds the potential to enhance anomaly detection, identifying unusual transactions and behaviours. Moreover, it can alleviate the administrative burden associated with manual processes. Furthermore, organisations must be prepared to respond to risk events. Although you will never know when fraud hits you or what fraud it will be, you can train the organisation to be resilient.

The morale and trust of employees stand as critical factors for any successful organisation. It is key to assess how employees perceive internal controls as well as the impact on workplace culture, job satisfaction, and productivity. Establishing a culture of trust is key to preventing well-intentioned employees from feeling the need to find workarounds, circumvent internal controls and possibly even engage in fraudulent behaviour.