Imagine checking out the day’s news as a massive corporate fraud scandal story breaks. The culprit is the company’s CFO. Dumbfounded staffer after staffer is being interviewed. It’s a narrative of shock and disbelief. But people in the risk, audit or compliance industry aren’t exactly asking, “How did this happen?” They’re asking, “Which internal controls failed?”
This isn’t a tale of brilliance or sophistication. It’s a case study in opportunity. And opportunity thrives in environments where internal controls exist on paper but not in practice. The real story here is the quiet and uncomfortable reality that many organizations still operate on trust instead of verification. Trust without structure is a liability.
Fraud slips through the cracks you forget to seal
Schemes like this often span years and even multiple organizations. A perpetrator in a senior finance position may manipulate payroll systems to pay themselves unearned salary, bonuses and commissions – pocketing millions while the leadership team stays in the dark. They can abuse corporate credit cards for personal spending and hide it by altering ledgers and financial statements. They can overstate bank account balances and withdraw funds without authorization. It’s a problem if any one employee has too little oversight and too much trust, even at or near the top.
The internal controls cracks that enabled this fraud
Major fraud rarely hinges on one missing safeguard. It emerges from a network of small weaknesses that create a wide-open runway. Common cracks in the internal controls system:
- Unrestricted access and control: Access to payroll, financial systems and credit cards with no segregation of duties, monitoring or balancing controls
- Absent oversight: A concentrated financial responsibility, with no rotating duties or audits
- Weak or no review processes: Financial statements and payroll adjustments not independently scrutinized
- Poor credit card visibility: Unauthorized purchases going unchecked because of inconsistent or nonexistent transaction monitoring
- No independent reconciliation: Bank statements, credit card accounts and financial system data not regularly reviewed independently, making discrepancies easy to bury
Again, these weaknesses are common – disturbingly so. How does your organization stack up? Have you built controls that truly function or controls that simply exist?
It’s easy for leaders to assume that controls slow them down. There are forms to complete, reviews to schedule and approvals to route. When the organization runs smoothly, those steps can feel like red tape. But trust is not a control. Skipping verification measures may feel efficient, but it’s highly risky.
Internal audit keeps security tight
Internal controls cannot do their job if no one is checking whether they work. Even well-designed frameworks weaken over time. Systems change. People change. Processes drift.
Internal audit keeps those gaps from widening and seals them. It validates, tests and challenges the way the organization operates. It asks questions leaders need to hear, such as:
- Are duties separated in meaningful ways?
- Do high-risk transactions receive independent review?
- Does system access match job responsibilities?
- Are reports validated rather than accepted at face value?
- Are anomalies examined or explained away?
These are not compliance exercises. They are leadership exercises.
How Sikich helps seal cracks
If this case made you wonder how vulnerable your organization might be, you’re not alone. Sikich helps organizations evaluate their internal controls, strengthen oversight, modernize financial safeguards and identify gaps before they turn into damage.
Whether you need a targeted review, a full internal audit or guidance on designing a control environment that actually works, we can help. Reach out if you want support protecting your assets, your people and your reputation.