The Quaestor - Volume 3, Issue 2

Very often during the course of our audit work when inquiring about the system of internal controls in place in the area we are auditing, the response that is received from the client goes something like this, “I have known our staff for a very long time and I completely trust them.” Our response goes something like this, “That’s great! Trust is a great thing! But, what is your system of internal controls?” And, interestingly, in the event of a fraud investigation, the phrase almost invariably uttered by a supervisor when confronted with the very real possibility that a fraud is occurring in their department is “I can’t believe this…I have known this person for a very long time…I completely trusted them.”

You see, despite what many people would like to believe, “trust” is NOT an internal control. Although it is extremely important to trust each other, trust - in and of itself - is not a substitute for internal controls. Trust relies purely on the character and integrity of the individual performing the function to ensure that business objectives are met; whereas, a strong system of internal controls - operating effectively - relies on a process, which will hold strong regardless of who is in the role by deterring or detecting errors or misuse of University assets. When we perform an audit, we are not auditing a person’s integrity or character, we are auditing a process.

Implementing internal controls can be tricky in functions where “trust” was the factor previously relied upon to ensure that what was supposed to get done, did get done and in an appropriate way. Many times people think that their integrity or character is being questioned when internal controls (i.e. segregation of duties, supervisory review/approval, documented reconciliations) are implemented.

However, what fails to be recognized is that without internal controls, the individual’s integrity and character - qualities so important to the trust equation - can be irreparably damaged in a matter of a few moments with just the slightest perception of wrong-doing.

Internal controls actually serve to protect the individuals charged with responsibility for each of the aspects of a function. If strong internal controls are in place, your integrity will be able to be held above scrutiny - it will be protected. Knowing this, we should all be eager to embrace implementation of internal controls that will protect us as well as the University. Trust and internal controls must coexist. It is imperative that “trust” exists in our relationships with each other; however, for everyone’s protection, that trust should be supported by a strong process of internal controls.

If after reading this article, you are moved to improve the level of controls in your department/function (yes, the key process owner - those individuals who are actually doing the work - can and should encourage improved internal controls wherever a gap is perceived) and aren’t quite sure how best to do that, please know that we are always available to provide advisory services to the University to ensure that internal controls are strong and reliable.