In case you were wondering . . . Part 4 - Internal Controls - Lies, Damned Lies & Simple Incompe

Internal Controls (IC) are procedures, policies and products to protect the assets of a business entity. There are three elements: Physical Protection; Segregation of Duties; and Timely and Regular Reporting. As IC require a custom approach, they are expensive to obtain and tedious and time consuming to manage.

They are often viewed as a test of the auditor when, in fact, they are a key responsibility of Governance. A business endeavor can fail in the absence. The business entity is a pyramid. At the base reside transactions. Detail = Knowledge. As you move up, the utility of detail diminishes and that of analysis increases until, for the very large enterprise, at the apex Analysis = Knowledge. To the Board of Directors, the only asset is the entity’s ability to exist and prosper.

• Physical Protection refers to storage, documentation, record keeping, confirmation and reconciliation. This element invests data with credibility.

• Segregation of Duties is a type of physical protection. An individual with control over an asset should not have access to the books. In conjunction, the authority and approval hierarchy protects against the inappropriate exercise of authority.

• Timely and Regular Reporting processes data and transforms it into information to measure and optimize performance; control risk and make good decisions. It is in this element the custom nature of IC should be developed to the max. Reporting should serve the business model.

This is very technical. Why do I think you should care? Fraud, an unnecessary expense, can flourish in only two instances – failure of IC or conspiracy. Knowing this may protect you someday. In 2011, there were two vivid examples of failed IC.

UBS: A trader in ETF’s (Exchange Traded Funds) is alleged to have exposed the Bank to losses of $2.3bil over three years by booking “fictitious, forward-settling cash ETF positions”. An Exchange Traded Fund is a passively managed security mimicking an index. These positions were to hedge actual investments. The loss was the cost of an un-hedged bet. Physical Protection failed. The trader recorded transactions, in this case contracts. But finance and operations failed to confirm the trades. Treasury failed to note cash settlements never occurred. If the charges are correct, the trader found a weakness and exploited it. Apparently, there are similarities with prior scandals at Barings and Société Générale. You would have thought those cautionary examples. At UBS, resignation of the CEO and Chief Risk Officer and disciplinary action of managers in risk control, operations and finance followed realization of the loss.

MF Global declared bankruptcy on October 31st, citing operating losses and investment strategy. The news reporting describes something more. In less than two years, there was 40% turnover in staff and significant changes to record keeping applications and technology. In the week prior to bankruptcy, a potential buyer withdrew from an asset purchase when the due diligence team discovered $900mil of missing customer funds (now valued at > $1bil); and investigators claim client and company funds may have been co-mingled and not all cash transfers recorded to the General Ledger. All three elements of IC failed. Top executives are claiming ignorance. Wise choice – sometimes the cost of knowledge is prohibitive.