Date posted: 27/11/2020 6 min read

An ounce of prevention - internal control and fraud

Fraud and unexpected catastrophic corporate collapses are constant topics in audit and corporate governance debates. How can auditors deal with these issues?

In Brief

  • Fraud and corporate collapses continue to be the subject of audit debates globally
  • The PJC has recommended that Australian companies report on internal controls and that this be subject to audit
  • Robust internal controls are key to companies preventing fraud and managing risk

Two demons have been constant in the past two years of audit and broader corporate governance – fraud and unexpected catastrophic corporate collapses.

How the audit profession should wrestle these demons has been the subject of regulatory reviews globally, with multiple inquiries in the UK, across Europe and Asia, a Parliamentary Joint Committee (PJC) inquiry in Australia, ongoing debate in New Zealand, and now a major consultation from the IAASB.

We frequently hear concerns about ‘the next Enron’. What is raised less often in the wake of Enron is how countries, including Australia and New Zealand, are yet to follow the US and bring internal controls and their role in fraud and risk management into sharper focus. When it comes to fraud, the old adage about an ounce of prevention being better than a pound of cure is true.

The PJC recommended that Australian companies report on internal controls and that this be subject to audit. Implementing this will take commitment and the PJC has rightly pointed to the costs involved given the current economic conditions. While there certainly are costs, this is perhaps the main recommendation that could meaningfully move the needle in how key risks such as fraud and misreporting are addressed.

Internal controls over financial reporting, and other risk areas, are the most important tools directors and management have to manage risks, prevent fraud, and ensure they have oversight of what is happening in their business.

After Enron, the Sarbanes-Oxley Act (SOX) was introduced in the US to make sure companies and auditors were more tightly focused on internal controls to prevent the repeat of such a catastrophe and to restore investor confidence in the reliability of financial reporting.

In a 2006 article reviewing the experience of adopting SOX, Harvard Business Review said, “A focus on the control environment helps ensure that the controls themselves are the second and third lines of defense, not the first.”

The article indicated that under the new regime, directors and management eager to “do the right thing” suddenly had the force behind them to push back on a cowboy approach to internal controls that is often one of the key dynamics in large-scale fraud.

There have still been frauds and collapses in the US since SOX, but generally the culpability has been much clearer. Accountability is doled out and businesses and stakeholders can often move on. Compare this with the haze surrounding what happened, who did it, how and why that has led in the UK, here and other countries to inquiries and pondering that goes on for years.

There will always be corporate attrition in any market-based economy. What needs to be prevented is the kind of unforeseen large collapses that unfairly impact smaller investors and cause, quite rightly, public outcry. A strong and accountable internal control environment means it’s much harder for the mismanagement and lack of accountability to go unchecked over any length of time.

If we fail to act, we will keep repeating the familiar cycle of failure-outrage-protracted reactive response and risk falling behind the integrity of other capital markets in the crucial reset and recovery period ahead.

Some will argue that such a regime has too high a cost, especially in the current environment when many businesses are struggling due to the impacts of the pandemic. But, as we’ve seen time and time again, the cost of bad internal controls is measured in the billions, or of late trillions, even before you factor in the human cost that can’t be put into numbers.

Internal control reporting and audit doesn’t necessarily mean adopting as detailed and prescriptive an approach as the US. Companies already have internal controls – everyone agrees this is a good thing – so the costs of compliance to confirm and strengthen should be nominal. And while internal controls audit is an additional cost, the US experience has been that many companies were able to leverage benefits from their improved controls that far outweighed the compliance cost.

Strengthening internal control is market-based regulation. It’s about dialling in the right incentives to address risks and setting accountability so that investors have confidence. The alternative is regulating much more specifically to each risk, often in hindsight, in an effort to stop things from happening rather than setting up strong preventatively systems.

It is going to be hard to navigate these reforms, but they are essential. The UK, Europe and elsewhere are already pushing in this direction. While timing and scope will be critical to avoid over-burdening businesses at this time, there is no reason not to start the work needed to consult and shape this properly over time.

If we fail to act, we will keep repeating the familiar cycle of failure-outrage-protracted reactive response and risk falling behind the integrity of other capital markets in the crucial reset and recovery period ahead.

Audit inquiry final report provides clear direction for the way forward

Read the final report from the Australian Parliamentary Joint Inquiry. 

Read now

Search related topics