Opinion
200 billion embezzlements, just monitoring the funds...
Lee Hyungmin Partner, Samil PwC Internal Control Center
The internal embezzlement of 200 billion won at ○ company two years ago caused a big stir in Korean society. What was as shocking as the astronomical amount of embezzlement was that fraudulent accidents such as embezzlement occurred in various industries and departments, from manufacturing and service to finance. Now, even companies that are trusted to have good internal control are caught up in embezzlement cases. This is because the internal control system of companies that prevents and detects irregularities such as embezzlement has not actually worked.
At the end of last year, the Financial Supervisory Service legislated the internal accounting management system, which had been enacted and operated as autonomous regulations, as the "Internal Accounting Management System Evaluation and Reporting Standards." According to this standard, which took effect in January this year, each year, the CEO must report the company's core internal control activities to the auditors(committees), the board of directors, and the general shareholders' meeting in a set form to respond to the risk of embezzlement. In addition, auditors (committees) must additionally disclose in their evaluation reports the details of their annual face-to-face consultations with management and communication with external auditors regarding fraudulent risks related to funds. In other words, it is a warning from the supervisory authority to no longer engage in formal governance activities that end after being reported.
This standard applies equally to domestic and foreign subsidiaries in the case of listed companies with assets of 2 trillion won or more. In particular, in the case of overseas subsidiaries, it is urgent to improve the weak internal control environment, such as passive management of the headquarters, which relies on reports from a small number of expatriates, weak division of duties related to funds, the practice of sharing IDs and passwords, the work structure in which slips are prepared without proper approval, and the lack of internal audit functions.
Interestingly, the difference in the amount of irregularities was large depending on the existence of an internal control system to prevent irregularities. A typical example is the circular position, and the difference between the average irregular amount of companies with circular positions and the irregular amount of companies that do not is more than double. The recent embezzlement of about 300 billion won while working on real estate project financing in the same department for 15 years from 2007 is a prime example of the importance of circular positions.
Five strategies for internal control
Effective internal control strategies to prevent irregularities such as embezzlement vary depending on the characteristics and circumstances of the company, such as manpower, system, and governance. Based on past cases of denial and analysis of it, the following strategies are proposed.
First, diagnose money control.
Direct control areas related to funds include account management, withdrawal management, balance management, and corporate seal management. It is necessary to diagnose whether such financial control is effectively established and operated not only in Korea but also in overseas subsidiaries. Questionnaires and interviews can quickly identify where the most vulnerable sectors and areas are and improve the process.
A typical example is the introduction of a firm banking(corporate Internet banking) system in relation to withdrawal of funds or the establishment of multi-level approval of a security card(OTP) when using Internet banking. In the case of balance management, the daily funding date(daily funding status) should be reviewed and monitored by an independent department, not by the funding team.
Second, take advantage of Cash Proofing.
Monitoring money transactions is a complete investigation of a company's bank money transaction history and accounting director during a specific period. Through this, it is possible to detect embezzlement of funds by extracting money deposit and withdrawal transactions without accounting, which are not found in standardized accounting audit procedures. This method can improve the process by identifying areas with potential risks even if embezzlement has not occurred. Monitoring money transactions is mainly used to detect embezzlement, but doing this periodically has an excellent effect in preventing embezzlement.
Third, take control of the data.
There is a need for a data control technique that examines whether the authority system of input, modification, and approval of data is justified and verifies that the input data is valid. For example, if you compare a customer registered in the Enterprise Resource Planning(ERP) with the National Tax Service's closed business inquiry data, there are countless customers that have already closed. In addition, there may be various negative factors, such as recording an arbitrary unit price different from the approved unit price of sales, or arbitrarily modifying the slip after approval. However, if the data is not analyzed, it is impossible to find any already predicted negatives. Amid the recent increase in complexity of transactions and data, data control techniques should be used to identify the truth of data and preemptively prevent fraudulent risks.
Fourth, invest in IT systems for internal control.
With the recent digitalization, the corporate environment has become so invisible that it is difficult for the company's representatives to grasp the company's contents at a glance. At the same time, the ability of cheaters has been advanced. However, control to prevent and detect irregularities often remains at the level of manual approval control. Therefore, it is necessary to convert control areas that are simple, repetitive, time-consuming, and can occur due to human error into automatic control.
For example, instead of automatically calculating the data from the system or manually entering the data downloaded from the system into another system, an interface that automatically uploads is used. Recently, more and more cases have been applied to Robotic Process Automation(RPA) by developing verification logic for areas with high risk of fraud.
Fifth, run an enterprise-wide anti-fraud program.
This is a fundamental element for preventing fraudulent risk, and above all, ethical standards and education that reflect management's strong will to fight fraud are needed. In addition, an effective internal and external accusation system for preventing irregularities should be operated, including domestic and foreign subsidiaries, and protection measures for accusers, such as consignment operation of reporting channels, should be strengthened. An independent internal audit department, which is the final line of defense against corporate irregularities, may be operated, but if there are restrictions on manpower management, it may also be considered to temporarily receive external advice. Finally, practical supervision of the board of directors and the audit committee is very important.
Checkpoint for reassessment of fraudulent risk
Donald R. Cressy, a famous American criminologist, proposed the 'triangle theory' that negation occurs due to three factors: ▲ motivation ▲ opportunity ▲ self- rationalization.
The motivation is that you can deny due to economic deprivation, personal disposition such as gambling, heavy work, or complaints about the company, and the opportunity provides an environment in which internal control is weak and unethical organizational culture can commit injustice. Self-rationalization is to justify cheating, such as dismissing injustice as a work practice or thinking that the embezzlement amount was borrowed for a while due to moral insensitivity. If 'motivation' and 'self-rationalization' are personal factors of negation, 'opportunity' is an organizational factor. Companies should focus on opportunities and carefully check whether there are any weaknesses in internal control and any gaps that make denial possible. This requires companies to confidently answer the following question 'No' while re-evaluating the risk of fraud.
·Didn't you dismiss the risk of fraud as someone else's business and evaluate it formally?
·Didn't you blindly believe and overestimate the vulnerable controls due to changes in the environment such as organizations and systems because you didn't want to change the tasks you had done in the past?
·Didn't monitoring through an independent internal audit department be regarded as management interference and waste of manpower?
·Wasn't it judged that data analysis tools due to digitalization were unnecessary because they were overconfident about approval control carried out by humans?
Until now, companies have made various efforts to improve the reliability of financial reporting and prevent fraudulent risks. It is unfortunate that the credibility of the Korean capital market is reduced due to a small number of personal irregularities. We should no longer abandon the unfounded belief that injustice is someone else's business, and we should not deal with it like a "post-medical visit" that deals with after an accident occurs.
We would like to inform you that the above expert opinion is a contribution written by partner Lee Hyungmin of Samil PwC to Maekyung ECONOMY, and it has been published in this newsletter under the permission of Maekyung ECONOMY and partner Lee Hyungmin.
[Contact Us]
Please contact to the email below if you have any questions.
sh.moon@hyundai.com (F&AP Team Seonghoon Moon Manager)
This newsletter has been sent for executives and employees to comply with K-SOX training obligation under the Korean External Audit Act (Enforcement Decree Article 9)
