Control Activities: Deterring Fraud Through Sound Internal Policies and Procedures

Of the five integrated components that comprise COSO’s internal control framework, the area of Control Activities stands out for its direct relevance in helping guard an organization against fraud. As defined by COSO, control activities consist of “the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out” (COSO, 2013, p. 4). By considering the situations outlined in multiple case studies of fraud we have analyzed throughout this course and applying the guidance from Wells’ Corporate Fraud Handbook, it is clear that lacking or ineffective control activities represent one of the most frequent and impactful vulnerabilities that enable fraud to occur and remain undetected in companies.

The majority of fraud cases, such as the infamous Worldcom and Enron scandals, feature at their core a breakdown in key control policies and activities that provided both the opportunity for dishonest activity and the ability for that activity to go undiscovered over prolonged periods (Wells, 2017). Control activities like segregation of duties, review and authorization procedures, safeguards over company assets, and audit reconciliations are meant to directly counter the risk factors that invite and conceal fraudulent behaviors – embezzlement, fraudulent financial reporting, or otherwise. When these standard controls are missing or inconsistent, the implications are two-fold: 1) employees are more enabled and enticed to perpetrate theft or manipulation due to weakened oversight and policy enforcement; 2) red flags and incidents of actual wrongdoing have more of a chance to be concealed amidst overall ineffective accountability systems and reporting processes.

An example of this cause-effect sequence due to lacking controls is seen in the FirstPlus Financial case outlined by Wells (2017), where an accounts payable clerk created over 300 fraudulent vendor payment transactions totaling $2.3 million over six years. The scheme was enabled and prolonged due to the nonexistent segregation of accounts payable and general ledger duties and authorizations. Relatively simple detective controls requiring secondary review and approval for payments over certain thresholds were also absent. The cumulative lack of basic control activities meant the perpetrator had too much unilateral access and decision power with minimal accountability.

These control failures highlight the importance of the Control Environment and Risk Assessment components working effectively alongside Control Activities. Per COSO (2013), a company’s overall risk culture and awareness of vulnerabilities set the tone for how comprehensive and adhered to its control policies will be. Leadership must regularly identify and analyze risk-prone areas like financial reporting processes or inventory management and ensure enough preventative activity controls exist to deter fraud opportunities. Monitoring control activity compliance and effectiveness ensures the controls continue serving their anti-fraud purpose.

Creating strong control policies and procedures significantly contributes to building an ethical, compliance-focused culture, one of the leading fraud prevention goals highlighted by Wells (2017). Formalized controls signal to employees the importance placed not just on results but on how those results are achieved. They also reinforce consistency in areas vulnerable to misconduct, reducing the perception that “exceptions” will fly under the radar. Ideally, this promotes an environment where rule-bending and suspicious activity stand out more starkly. Combined controls across prevention, detection, and response stages thus mutually support one another in eliminating fraud from an organization altogether (COSO, 2013). Their coordinated impact limits mean motives and concealment simultaneously.

Recommendations for Improvement

While control activities represent one of the most directly impactful lines of defense against fraud, their mere documented existence is insufficient. As seen in the massive accounting manipulations at companies like Worldcom and Enron, controls can be skirted or falsely certified amidst “tone at the top” cultural problems and immense pressure to achieve performance targets (Wells, 2017). To truly leverage control activities in deterring fraud, organizations should:

1. Conduct periodic refreshers and compliance checks – Annual control policy reviews help ensure activities evolve with emerging risk factors versus becoming viewed as a check-box paperwork exercise. Tying supervisor and employee performance evaluations to control adherence further stresses their importance.
2. Welcome control findings and input – Leaders must respond positively to control gaps identified through audits, employee feedback channels, or other means. You view them as opportunities to improve the control network rather than failures to hide.
3. Coordinate control activities across departments – Cross-functional collaboration to integrate preventative, detective, and corrective controls ties activities into a comprehensive deterrence web. The business function should be free of concentrated gaps.

In summary, although frameworks give direction, proactive ownership by organizations is essential to maximize the utilization of control activities together with other components to prevent fraud. Regular control updates, dedicated resources, audits that increase efficiency and effectiveness, as well as breakdowns in functional silos, help position policies as not a drag but rather a proactive line of defense against fraud that is costly. These measures enable companies to gain headway in tilting the odds against potential perpetrators. However, this will need more than just viewing control activities as simply going through compliance checklists; it will require treating them as part of organizational culture.

References

Committee of Sponsoring Organizations of the Treadway Commission. (2013). Internal control – integrated framework. Retrieved from COSO website: https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf

Wells, J. T. (2017). Corporate fraud handbook: Prevention and detection (5th ed.). John Wiley & Sons.