Risk Management

How the C-Suite Can Impact Internal Controls

Good internal controls need to start at the top of a firm. But they must be carried through to all levels, say experts.
Kathy Hoffelder, October 25, 2013

CFOs and other members of the C-suite could be the reason their companies’ internal controls aren’t in better shape.

“If the managers, the C-level and board have good demonstrative behavior, everybody down the line will mimic that,” said Yigal Rechtman, senior manager of forensics and litigation at Grassi & Co., an accounting and business consulting service, at a New York State Society of CPAs’ forensic accounting conference Thursday. “People need to operate by example,” he said, noting that if the CFO is leaving at 3 p.m. on a daily basis, for example, that will not help a firm to have better internal controls.

Jonny Frank, a partner with StoneTurn Group and a former federal prosecutor in the U.S. Department of Justice, agreed. He noted at the conference that to have an effective internal audit function, there needs to be the right “tone at the top” of the company. The internal-control function itself needs to be valued by the organization, he noted.

Though the effectiveness of internal controls is difficult to quantify, they can mean the difference between successful companies and struggling ones, according to Frank. Firms that sell products overseas, for example, are at a “competitive disadvantage,” if they don’t have good controls to protect themselves, he said. “It’s like fire prevention. You don’t know how many fires that you’ve stopped.”

As Rechtman noted, a lack of internal controls presents opportunities for fraud, even among some of the most trustworthy employees. “Who has final access to everything?” he asked. The answer should help executives determine whether they are leaving their companies vulnerable to fraud.

For example, having good internal controls means segregating the bookkeeping and accounts-receivables duties, according to Rechtman. That means not having one person in charge of authorizing, posting and having final custody of live checks. Bad controls, for example, would be if the accounts-receivables clerk is responsible for all those things, which can be the case in small businesses. “These kinds of situations are what cause people to have the opportunity to commit, convert [the fraud to involve oneself] and conceal the fraud,” said Rechtman, outlining what he calls the “three Cs” of fraud opportunity.

Similarly, password controls can play a part in contributing to an employee’s ability to commit fraud. Rechtman said that when using accounting systems it is a good idea to change passwords often, not just when the IT department makes its routine company-wide request. “Password controls act as access controls that give us good segregation of duties,” he said.

Companies need to be particularly mindful of former employees in business units as well as within the company as a whole. When employees move departments, their access to sensitive data can increase. “Equally important is an employee who changes positions in the company,” said Frank. Simply by keeping old passwords active, “you are enabling a good person to do bad things.”

Frank and Rechtman’s comments coincide with a revised framework on internal controls put out by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in May. COSO maintains that internal controls “[help] entities achieve important objectives and sustain and improve performance.”