Second in a four-part series on multifaceted perspectives of internal audit
Internal controls are absolutely essential for keeping assets safe and information secure, thereby protecting financial institutions from errors and fraud. Controls consist of both manual procedures and automated processes. The best control environments also combine two types of approaches: preventive and detective.
Start with prevention
As the name implies, preventive controls are measures put into place to prevent undesirable events from occurring. Such controls are an institution’s first line of defense in protecting itself and are typically the most cost efficient. After all, it’s far better to prevent mistakes and fraud in the first place than it is to detect them afterward.
For instance, preventing access to assets that can be easily stolen—like money in the cash vault—is more efficient at the outset than having daily detection procedures for counting vault cash to ensure that all assets are accounted for.
In addition to ensuring that only authorized personnel have access to assets and data, there are many other strong preventive practices that can support a sound control environment. Some examples include:
- Approval authority levels for transactions over a specified limit and the requirement of dual signatures.
- Segregation of duties to reduce the opportunity employees may have to hide fraud or cover up errors.
- Mandatory vacations, particularly for employees in sensitive positions.
- Password requirements.
- The use of prenumbered documents.
Follow up with detection
No preventive system can be 100% effective. Therefore, subsequent measures are needed to detect inadvertent oversights and monitor for deliberate deception.
Automated reports that expose fraud and reveal mistakes are the most common types of detective controls. Other activities designed to detect fraud and correct errors include:
- Frequent account reconciliation.
- Regular review of reports by senior management to verify execution.
- Independent checks on performance of duties.
Detective controls must be performed in a timely manner to ensure their effectiveness. Timeliness varies and largely depends on the potential impact to an institution and its customers.
Adapt controls to fit
By using a mix of preventive and detective controls, an institution can optimize its control environment. But how can a financial institution know what controls are appropriate for its environment?
Balance is key to success, and so is the need to design a control system that suits an organization’s particular circumstances.
When determining the control mix, an institution can weigh its risk tolerance, as in the following examples: Is the financial institution highly concerned with customer service and, therefore, inclined to keep more cash in ATMs while using dual controls to prevent theft, or is it more comfortable keeping fewer dollars in ATMs and detecting losses afterward via balancing procedures? Would management prefer to use preventive controls to deny teller access to cash vaults, or would it rather employ detective controls and accept some losses of stolen cash?
An institution can also consider its staff levels to determine the best control approach. If having too few frontline employees prevents the financial institution from instituting a preventive policy like segregation of duties, it can instead create more active procedures for detecting fraud by relying on its abundant accounting staff.
By understanding the many internal control tools that are at their disposal, institutions can then adapt the practices that will work best for their individual success.