Opinion
200 billion embezzlements, just monitoring the funds...
Lee Hyungmin Partner, Samil PwC Internal Control Center
Two years ago, an internal embezzlement incident worth 200 billion won at Company ○ caused a big stir in Korean society. As shocking as the astronomical amount of embezzlement was the fact that embezzlement and other corruption incidents occur in a variety of industries and departments, from manufacturing and service industries to the financial industry. Now, even companies that are trusted to have good internal controls are being caught up in embezzlement cases. This is because the company's internal control system, which prevents and detects corruption such as embezzlement, did not actually work.
At the end of last year, the Financial Supervisory Service legislated the internal accounting management system, which had been established and operated as a voluntary regulation, into the 'Internal Accounting Management System Evaluation and Reporting Standards'. According to this standard, which has been in effect since January of this year, the CEO must report to the audit (committee), board of directors, and general shareholders' meeting every year the company's core internal control activities to respond to the risk of financial fraud, such as embezzlement, in a prescribed form. In addition, the audit (committee) must consult face-to-face with management every year regarding fund-related fraud risks and additionally disclose details of communication with external auditors in the evaluation report. This is a warning from the supervisory authorities to no longer engage in formal governance activities that end with reporting.
This standard applies equally to domestic and foreign subsidiaries of listed companies with total assets of KRW 2 trillion or more. In particular, in the case of overseas subsidiaries, passive management by headquarters that relies on reports from a small number of expatriates, weak division of work related to funds, practice of sharing IDs and passwords, work structure in which slips are created without proper approval, lack of internal audit function, etc. There is an urgent need to improve the weak internal control environment.
What is interesting is that there was a large difference in the amount of fraud depending on whether there was an internal control system to prevent fraud. A representative example is rotational assignments, and the difference between the average amount of fraud in companies with rotational assignments and the amount of fraud in companies without rotations was the largest, more than twice. The recent incident in which an employee of a domestic bank embezzled approximately 300 billion won while working in real estate project financing in the same department for 15 years from 2007 is a clear example that shows the importance of rotational positions.
Five strategies for internal control
Effective internal control strategies to prevent irregularities such as embezzlement vary depending on the characteristics and circumstances of the company, such as manpower, system, and governance. Based on past cases of denial and analysis of it, the following strategies are proposed.
First, diagnose money control.
Direct control areas related to funds include account management, withdrawal management, balance management, and corporate seal management. It is necessary to diagnose whether such financial control is effectively established and operated not only in Korea but also in overseas subsidiaries. Questionnaires and interviews can quickly identify where the most vulnerable sectors and areas are and improve the process.
A typical example is the introduction of a firm banking(corporate Internet banking) system in relation to withdrawal of funds or the establishment of multi-level approval of a security card(OTP) when using Internet banking. In the case of balance management, the daily funding date(daily funding status) should be reviewed and monitored by an independent department, not by the funding team.
Second, take advantage of Cash Proofing.
Monitoring money transactions is a complete investigation of a company's bank money transaction history and accounting director during a specific period. Through this, it is possible to detect embezzlement of funds by extracting money deposit and withdrawal transactions without accounting, which are not found in standardized accounting audit procedures. This method can improve the process by identifying areas with potential risks even if embezzlement has not occurred. Monitoring money transactions is mainly used to detect embezzlement, but doing this periodically has an excellent effect in preventing embezzlement.
Third, take control of the data.
There is a need for a data control technique that examines whether the authority system of input, modification, and approval of data is justified and verifies that the input data is valid. For example, if you compare a customer registered in the Enterprise Resource Planning(ERP) with the National Tax Service's closed business inquiry data, there are countless customers that have already closed. In addition, there may be various negative factors, such as recording an arbitrary unit price different from the approved unit price of sales, or arbitrarily modifying the slip after approval. However, if the data is not analyzed, it is impossible to find any already predicted negatives. Amid the recent increase in complexity of transactions and data, data control techniques should be used to identify the truth of data and preemptively prevent fraudulent risks.
Fourth, invest in IT systems for internal control.
With the recent digitalization, the corporate environment has become so invisible that it is difficult for the company's representatives to grasp the company's contents at a glance. At the same time, the ability of cheaters has been advanced. However, control to prevent and detect irregularities often remains at the level of manual approval control. Therefore, it is necessary to convert control areas that are simple, repetitive, time-consuming, and can occur due to human error into automatic control.
For example, instead of automatically calculating the data from the system or manually entering the data downloaded from the system into another system, an interface that automatically uploads is used. Recently, more and more cases have been applied to Robotic Process Automation(RPA) by developing verification logic for areas with high risk of fraud.
Fifth, run an enterprise-wide anti-fraud program.
This is a fundamental element for preventing fraudulent risk, and above all, ethical standards and education that reflect management's strong will to fight fraud are needed. In addition, an effective internal and external accusation system for preventing irregularities should be operated, including domestic and foreign subsidiaries, and protection measures for accusers, such as consignment operation of reporting channels, should be strengthened. An independent internal audit department, which is the final line of defense against corporate irregularities, may be operated, but if there are restrictions on manpower management, it may also be considered to temporarily receive external advice. Finally, practical supervision of the board of directors and the audit committee is very important.
Checkpoint for reassessment of fraudulent risk
Donald R. Cressy, a famous American criminologist, proposed the 'triangle theory' that negation occurs due to three factors: ▲ motivation ▲ opportunity ▲ self- rationalization.
The motivation is that you can deny due to economic deprivation, personal disposition such as gambling, heavy work, or complaints about the company, and the opportunity provides an environment in which internal control is weak and unethical organizational culture can commit injustice. Self-rationalization is to justify cheating, such as dismissing injustice as a work practice or thinking that the embezzlement amount was borrowed for a while due to moral insensitivity. If 'motivation' and 'self-rationalization' are personal factors of negation, 'opportunity' is an organizational factor. Companies should focus on opportunities and carefully check whether there are any weaknesses in internal control and any gaps that make denial possible. This requires companies to confidently answer the following question 'No' while re-evaluating the risk of fraud.
·Didn't you dismiss the risk of fraud as someone else's business and evaluate it formally?
·Didn't you blindly believe and overestimate the vulnerable controls due to changes in the environment such as organizations and systems because you didn't want to change the tasks you had done in the past?
·Didn't monitoring through an independent internal audit department be regarded as management interference and waste of manpower?
·Wasn't it judged that data analysis tools due to digitalization were unnecessary because they were overconfident about approval control carried out by humans?
Until now, companies have made various efforts to improve the reliability of financial reporting and prevent fraudulent risks. It is unfortunate that the credibility of the Korean capital market is reduced due to a small number of personal irregularities. We should no longer abandon the unfounded belief that injustice is someone else's business, and we should not deal with it like a "post-medical visit" that deals with after an accident occurs.
We would like to inform you that the above expert opinion was contributed to Maekyung ECONOMY by Samil PwC Partner Hyeong-min Lee, and was published in this newsletter with the permission of Maekyung ECONOMY and Partner Hyeong-min Lee.
[Contact Us]
Please contact to the email below if you have any questions.
sh.moon@hyundai.com (F&AP Team Seonghoon Moon Manager)
This newsletter has been sent for executives and employees to comply with K-SOX training obligation under the Korean External Audit Act (Enforcement Decree Article 9)
