Evaluate whether the identified controls are operating effectively and efficiently. The operating effectiveness and efficiency of internal controls are significant parameters in assessing the risk of fraud in any organization. One can form a view of the organization by understanding its internal controls and their operating effectiveness.
Evaluate If The Controls Are Operating: Step 6 In Fraud Risk Management
Designing and implementing internal controls is necessary, but the main point is to ensure that the controls operate efficiently and effectively. Effectiveness of controls means how far the chances of fraud occurring are reduced, or how many fraud risks are identified, with the help of the implemented controls.
To evaluate the operating effectiveness and efficiency of controls, the policies and procedures are reviewed to check their accuracy and coverage. Procedures are required to cover all aspects and steps which form the overall process. The risk of overriding controls is also assessed. If the management finds that controls are easily overridden, then it means that the chances of fraud are increased.
Management needs to take immediate steps to ensure that robust controls are designed and implemented with no chance of being overridden. To build robust controls, organizations use technology and artificial intelligence, which eliminate the chance of controls being overridden by employees or outsiders.
Internal Controls Effectiveness
To assess the operating effectiveness of the internal controls, management and employees are also interviewed. The interviewer assesses the risks of fraudulent activities or related intentions during the interview process. Interviewing the right people, cross-questioning, and emphasizing the right issues help identify and assess fraud risks in different processes and departments of the organization.
Activities of the employees are observed to identify any weaknesses in the process or the possibility of an employee breaching the controls. There may be situations in which employees are not well trained or educated about the controls; this is identified by observing the employees while they perform their duties.
Fraud investigators also test transactions on a sample basis to identify those in which fraud occurred or which may reveal fraud risks. Walkthroughs of transactions and processes are also performed to ensure that internal controls are operating effectively and efficiently.
Audit reports of the departments and processes, especially internal audit reports, also help in assessing the fraud risks and breaches of controls. Internal auditors review the processes and transactions of different departments and compare the activities with the approved policies and procedures. Internal auditors perform a test of internal controls and verify transactions.
In case of deviations and breaches of internal controls by the employees and departments, internal auditors report such issues in the form of audit observations. Therefore, audit reports also serve as the reference point to identify the weak processes and controls which expose the organization to fraud risks and incidents.
Internal auditors also perform fraud investigations. Reasons for the occurrence of fraud are identified, and the facts are discovered as to why fraud incidents have occurred despite implementing internal controls. Review of fraud investigation reports of internal auditors also helps assess the weak internal controls and gaps that caused the particular fraud to occur.
As the internal audit reports and fraud investigation reports are shared with the Board Audit Committee (BAC), the board is updated about the fraud risks and fraud incidents that occurred and were reported within the organization. The BAC issues guidance regarding the internal controls, and a roadmap is provided to management to ensure that frauds do not occur in the future.
The operating effectiveness of the internal controls is assessed by allotting “Control Risk Ratings,” such as:
- 5 – for Very Effective control,
- 4 – for Effective control,
- 3 – for Moderately Effective control,
- 2 – for Marginally Effective control, and
- 1 – for Not Effective control.
These ratings help the fraud risk management team or the respective process owner to identify the weak or missing control elements in the existing controls trajectory.
Material misstatement risks can arise from a variety of sources, including external factors such as industry and environmental conditions, as well as company-specific factors such as the nature of the company, its activities, and internal control over financial reporting. External or company-specific factors, for example, can influence the judgments involved in determining accounting estimates or create pressures to manipulate financial statements in order to meet certain financial targets.