by Estrella Rivera, Supreme Audit Institution Ecuador
Research suggests a principal cause of fraud to be a weak, limited internal control system. In Ecuador, the nation’s Organic Criminal Code (COIP) addresses fraud and crimes against public administration, and the COIP considers embezzlement, illicit enrichment, bribery, and influence peddling among the primary forms of corrupt activities. These crimes, generally discovered through audit interventions and/or complaints, demonstrate the need for a robust internal control system.
An internal control system aims to (1) comply with legal, technical and administrative order; (2) promote an entity’s efficiency and effectiveness; (3) guarantee information reliability and timeliness; and (4) take appropriate measures to correct control deficiencies.
In addition to strong internal controls, the auditor’s role in detecting fraud is crucial, as the auditor evaluates internal controls to prevent risk; promote efficiency, effectiveness, transparency and economy; protect assets and public resources; and mitigate possible fraud.
Several organizations have tried to standardize the internal control concept, including the Committee of Sponsoring Organizations (COSO) Tradway Commission, whose report stresses the need for internal control to be incorporated into organizational objectives and strategies. For Ecuadorian public institutions, this approach is envisioned in the national agenda (Agreement 39-CG-2008), which cites the following as necessary internal control components:
- Control Environment. An environment including principles of integrity and ethical values governing the company.
- Risk Evaluation. Defining objectives; risk identification and evaluation; determining risk management; probability of fraud; and evaluating events or changes affecting the internal control system.
- Control Activities. These activities refer to policies and procedures established to reduce risks that may affect achieving objectives.
- Information and Communication. The information necessary for the entity to carry out internal control responsibilities that support achieving outlined objectives.
- Supervision Activities. Self-control activities incorporated into the supervisory and monitoring processes that are designed to evaluate and improve operations.
Given the intricacies of the internal control system, this article describes incorporating the “Balanced Scorecard” (scorecard) method during the evaluation process to reduce audit complexity and facilitate fraud detection.
The scorecard has traditionally been employed as a strategic planning tool—measuring organizational performance and evaluating corporate goal achievement. Based on both financial and non-financial indicators, the scorecard is a flexible tool that lends itself to internal control component integration. The tool’s flexibility also facilitates detecting fraud because of its ease of application and evaluation.
Combining the scorecard method with audit and documentary forms, an internal control evaluation matrix was developed that: (1) generates questions (by areas of application) for an organization’s administrative and financial management; (2) establishes weight (importance) and level of occurrence; and (3) defines key performance indicators along with respective parameters, ranges, levels or thresholds from which alerts are generated or triggered in the control panel (similar to a traffic signal).
This tool facilitates recognizing risk situations that can lead to fraud; helps detect (with greater precision) people involved, controls that may have been violated and possible resources affected or economic damage caused; and optimizes time and ability to make audit work more effective.
To demonstrate the tool’s practical application, the below example provides in-depth situational questions, indicators and weights potentially suggesting fraud:
1. Are there pre-numbered or pre-printed forms to control the income? No. Frequency: Daily; Weight: 10; Likely; Indicator: Forms.
2. Is the deposit of securities in financial institutions made within 48 hours after collection? Yes. Frequency: Daily, Weight: 10, Very Likely; Indicator: Bank
3. Are collection reports made daily? No. Frequency: Daily; Weight: 10; Very Likely; Indicator: Reports.
4. Are deposited values versus collected ones reconciled daily? No. Frequency: Daily; Weight: 10; Very Likely; Indicator: Conciliations.
5. Are there differences between the values collected and deposited? Yes. Frequency: Daily; Weight: 10; Likely; Indicator: Conciliations.
The negative responses to questions 1 and 4 and positive response to question 5 may suggest the occurrence of a malicious act (embezzlement). To confirm the assumption, the auditor should gather necessary, pertinent and sufficient evidence as a probative element of the determined findings.
This tool also allows for information tabulation and processing to develop reports by component, making it possible to measure risk and confidence levels. Subsequently, components can be ranked to demonstrate the critical nature of each component and interference with organizational objectives. Identifying the most critical factors (based on rank) provides the foundation for an improvement plan where essential recommendations to correct observations are formulated to strengthen the internal control system.
Fraud raises questions about audit work’s responsibility and scope, as well as the auditor’s role in fraud detection. Therefore, special attention must be paid to the entity’s assessment methodology and the sufficiency of the applied audit procedures.
Accordingly, auditors can combine management tools with internal control components to reduce audit complexity and prevent fraud. To that effect, the balanced scorecard method can help analyze financial and non-financial indicators. These indicators, combined with evaluating internal control components, assist in risk identification and fraud detection.
Applying an internal control tool based on the balanced scorecard should be complemented by collecting sufficient, relevant and competent evidence. Likewise, to ensure a functional evaluation methodology, the matrix must be adapted for each audited organization to consider legal basis, legal nature and related regulations. Measurement guidelines must also be clearly established.
Assessment results will provide reliable information regarding internal control effectiveness and/or weaknesses, allowing for adequate definition of recommendations and corrective actions.
As preventive measures, an institution’s top management must promote a high degree of integrity, honesty and ethical behavior and design and disseminate appropriate procedures and codes that consolidate transparency that is reinforced by training actions, active and continuous supervision, and the execution of effective internal controls.