Trust, but verify.

When it comes to internal controls, there may not be three more important words.
The biggest weakness I see in internal controls at organizations is often not in the design of those controls but in the execution. 
By Andrew Der

This phrase became well-known when used by President Ronald Regan repeatedly during the 1980’s.  This phrase, and these words, though, are just as important today.  When it comes to internal controls, there may not be three more important words.

Trust, but verify.

If you talk to auditors, they can tell you all about the fraud triangle; that in order for employees to commit fraud, three things must exist: motivation, rationalization, and opportunity.  Of these three things, the only one that organizations have some control over is the opportunity – opportunities that may be created by weaknesses in internal controls.

The biggest weakness I see in internal controls at organizations is often not in the design of those controls but in the execution.  Individuals who are responsible for reviewing and/or approving transactions are often susceptible to failing in those responsibilities because they trust the other person.  They often think that is why the person is there – to handle these tasks.  They trust them to do these things.  They think they don’t need to review these transactions.  But it is this trust and the lack of review and oversight because of this trust that leads to opportunity.

Whenever I hear people explain that they don’t need to have good review procedures because they trust the person, my response is always the same.  Of course you trust them.  The trust is a given.  You wouldn’t have put them in that position if you didn’t trust them.

You never hear of fraud being committed by people who weren’t trusted.  Why not?  Because organizations control the opportunities of those that aren’t trusted, or they don’t hire them in the first place.  We cannot control people’s motivations or rationalizations to commit fraud, we can only control their opportunities.

I know of an organization that recently discovered that an employee was stealing from it.  The organization appeared to have a solid system of internal controls in place, so how did this happen?  While there were review procedures in place in theory, it turned out that no one followed through with reviewing and questioning the organization’s credit card charges.  No one followed through with reviewing and questioning the employee expense reimbursements through payroll.  No one followed through with reviewing and questioning the wire transfers to the 401(k) plan.  Internal control procedures were in place to review all of these activities, but the organization failed in the execution of those internal control procedures.  Why?  Because the people who were supposed to be performing these reviews had trusted their employees.

A strong system of internal controls is not based on trust.  It is based on having sufficient review and approval procedures in place that are performed diligently and without exception to prevent and detect both intentional fraud and unintentional errors.  It is based on performing those review and approval procedures as if you don’t trust the person.  This is the only way that organizations can truly help to protect themselves from themselves and from their employees.  Especially those that they trust.  Because in the end, it is not about trust.  It is about both preventing opportunities and identifying errors.

Trust, but verify.