In the news lately, company after company has been announcing significant layoffs in their workforce. The reasons are varied, including centralizing operations at a corporate office, cutting budgets, experiencing an industry downturn or automating manual tasks.
This change in the workforce brings two major questions to mind:
- How are these companies updating their internal controls to ensure an appropriate segregation of duties with a reduced staff?
- Is management worried that employees may start to have more opportunities and incentives to commit fraud with fewer employees doing the same number of functions as before the layoffs?
I noticed that some of my clients expect employees to take on responsibilities that former employees were doing. I understand the rationale – management wants to ensure that the business continues to run smoothly, even with a significant reduction in their number of employees.
However, if the reduction in force is not planned appropriately, shifting responsibilities could result in gaps in the internal control framework and create deficiencies in the design and/or operation of their internal controls.
Below are three simple ways that illustrate how reviewing your company’s internal control framework can help ensure your company stays vigilant through personnel changes:
- Review IT Access Continuously – This may seem like a very simple or obvious task, but failing to review employees who have access to certain systems or functions (for example, payroll or cash disbursements) puts the company at risk for theft and fraud. Certain employees may have easy opportunities to initiate, approve and process transactions without anyone even knowing. In these access reviews, management is often surprised to see who has access to what areas. For example, employees who occasionally work on payroll records as a backup when the payroll clerk is out of the office may have access to payroll records at all times. Having a designated back-up is important, but access should be granted only on an as-needed basis.
- Review of AP Vendors Continuously – Many companies have controls in place to review and approve new vendors to ensure they are added to the system for valid business reasons, but forget to review the status of current vendors. Reviewing vendor listings on a routine basis could help to remove vendors from the system that the company is no longer using or uncover any suspicious relationships between vendors and employees. Two simple tips: update agreements with all frequent vendors and ensure disbursements are being sent to the vendor’s correct mailing address.
- Promote Ethics and Honesty – A company could have a fool-proof set of internal controls in place, but if members of senior management are not setting an appropriate tone at the top, then how can they expect their employees to remain honest? For example, if an executive is known to buy small personal items on the company account and to let them slide, then it is likely other employees will follow suit. Establishing a code of conduct that employees read and sign is becoming the norm.
Management should regularly stress the importance of integrity and ethics in everyday work, and set the expectation for employees to talk to someone if they are uncomfortable about the ethics of a situation. Some companies have even established an employee hotline. We might all adopt the TSA slogan, “If you see something, say something.”
Sounds easy enough, right? To some, these suggestions will be easy to implement. Others, whose plates are already overflowing, may think they are great ideas in theory, but actually putting them into action could be a major challenge. However difficult it seems, setting aside time to work on these items now could save many headaches later when dealing with the after effects of preventable fraud.
For weekly insights into enterprise complexity, please sign up here: