What do you have to trust? People or Process?
My immediate reaction is you must trust people but rely on processes. But there is homework you must deliver before trusting people and relying on your work processes and procedures.
One of the critical measures to implement is finding out what kind of people you are employing for the respective roles. We all agree that things like skill set, competencies, career experience, and etc. matter a lot when it comes to believing that the person will be able to deliver the required job satisfactorily. But it is not enough if the issue is “trust”. Well, trust will come with how you have experienced the person. How he will have handled issues. How open he/she is. How he/she values himself/herself as a brand.
Now, for the process to be relayed there must be a sound system of internal controls embedded in it. This is not talking Greek, I mean when executing any work there should be automatic checks and balances to maximize the chance of attainment. The process owner should be aware of any hiccups before they occur that is usually referred to as preventative internal control. For example, in the process of paying creditors, the new supplier confirms the bank account by sending the legit bank confirmation. In case the supplier changes the bank the communication to that effect should be treated like the onboarding of the new supplier. The bank confirmation should not be coming from any officer on the supplier side, but it should have the sign-off by the relevant senior authority. Sign off? This is not necessarily paper-based but some sort of authorization. If this is a must in the payment process it is then correct to refer to it as automatic in-built internal control. However, because it is not system or technology-driven it is not as effective as it would be in the world of technology. This is rather human-driven, and it may not be consistently done. But it is automatic if it is embedded in the process.
If the preventative measure has failed or has not prevented the obstacle the second in charge is detective control. Here we automatically, please note this, “automatically” become aware of disorder as work is carried out. Many of us think the word automatically relates to technology or computer systems. A simple example is the end-of-day process must include the reconciliation of cash collected by the petrol attendants against fuel sold. Here you simply check what the opening stock at the start of work minus the closing stock. That will give you the number of litres sold. Multiply that by the price per litre and that is your sales. Count cash. It should balance. If not, find out. Pick financial losses before they become material. Then the point is if that reconciliation exercise is a must, then it is “automatic”.
Now, processes, whether preventative or detective, have always been bypassed. Either through collusion or otherwise. Shooting the breeze with one friend, he told me the story of where one employee was selling the electronic stock he had stolen from the store where he was working. He said the processes of checking and authorizing were in place and all seemed to be in order and consistently performed. Then how did he get away with about 50 plasm TVs and 100 laptops that were worth over half a million? The answer was the chain of collusion was implemented and that involved all people who were responsible for preventing theft or stock illegal diversion. From the store manager to operator clerks and the security guards. Unfortunately, there was no CCTV, but in this case, it was clear that whoever would be managing the CCTV would be likely to be involved in the collusion as well if they were in place.
How do we minimize collusion at work? We may not get rid of collation at work but with the independent checks, we can do better. In this story that my friend narrated to me I immediately thought of the regular Internal Audit reviews or similar exercises with some level of independence. In this case, they should have invited people from another store or branch to come and count the stock against the transactions. Surely, they would have picked some anomalies much earlier before big damage occurred.
It is not healthy to pick the fraud of theft late after years. We see that happening most of the time. We are seeing cases of millions of Rands being investigated as if it is the norm. The question is, were there internal controls (preventative and detective) in place? If yes, were there automatic independent checks? Surely it is much likely that there were none of the above. What are we doing about this?
In conclusion, close your eyes and think about this; if at your business you do not have anything to point to as preventative control, monitoring control, detective control and independent checks, please open your eyes and think deeply about establishing internal controls. Do not wait for losses. Detective or monitoring control is more effective if it picks anomalies within a reasonable time. Hence it is very important to make it as frequent as possible. Preventative control has the main challenge of collusion but the medicine to that sickness is independent checks. Buckle up or you will lose your hard-earned business wealth through actual financial losses and necessary investigations.
Joseph Rakauoane CA L, PIA (South Africa) BSC Hons Applied Accounting
Joseph Rakauoane is a member of the Institute of Internal Auditors Lesotho and the former president of the same Institute. He is the current Internal Auditor of the year 2023 as recognized by the same institute. He worked as Chief Internal Auditor and Head of Risk in the financial sector and is now a substantive committee member of the Finance, Audit and Risk committees of the board in the communication sector and tourism sector as well as the accountancy professional sector