Suggestions for Internal Control Disclosure to Prevent Embezzlement and Fraud
Jeong-hoon Shim, Managing Director of IA Division, Samjong KPMG
Recent Trends in Internal Control over Financial Reporting (ICFR)
It has been nearly five years since the audit system for internal control over financial reporting (ICFR) was introduced. Some argue that the strengthened ICFR contributes to corporate accounting transparency, while others contend that it places an excessive burden on companies, particularly given the depressed economic situation. The audit system for ICFR has somewhat soft-landed, and to prevent corporate activities from being hindered, regulatory authorities have postponed the introduction of the consolidated ICFR and exempted small-scale listed companies from the ICFR audit. However, there have been cases of large-scale embezzlement that undermined internal controls, and these are occurring frequently not only in general corporations but also in the financial sector.
As embezzlement incidents continue to emerge as a social issue, regulatory authorities have established the "Standards for Evaluation and Reporting of Internal Control over Financial Reporting" as a measure to prevent such occurrences. This requires management to specifically describe control activities to prevent fraud, including embezzlement, in their operating effectiveness test reports. In the past, the evaluation and reporting standards were operated as self-regulation, but now the regulatory authorities have been given the power to establish them as a reference standard for ICFR supervision. The revised standards are implemented from this year, but with a one-year grace period allowing the application of previous regulations. Based on the author's field experience, most companies plan to adhere to the previous regulations this year. However, some companies have shown confidence in disclosing according to the new standards starting this year.
Key Contents of the New 'Standards for Evaluation and Reporting of Internal Control over Financial Reporting (ICFR)'
As mentioned earlier, the new standards are largely similar to the previous ones, but there are two major differences:
Firstly, it requires specific disclosure of control activities responding to fraud risks such as embezzlement. Currently, discussions are actively ongoing to prepare detailed disclosure guidelines, and the regulatory authorities are expected to announce example disclosure formats around October this year. Unlike in the past, quite specific details about control activities for funds and other aspects will be described, which could be a significant burden for companies. After such detailed disclosures are made, if incidents like embezzlement occur, it is expected that regulatory penalties and management responsibilities will be more severe, and shareholder lawsuits may increase.
Secondly, the substantive supervisory role of the audit committee is being emphasized. Compared with the previous regulations, one new item has been added to the audit committee's evaluation of the ICFR:
Evaluating whether the ICFR is designed and operated to prevent management from improperly intervening in the process of preparing and disclosing accounting
Additionally, a new format has been added to the audit committee's evaluation report on the ICFR, requiring active communication with management through face-to-face discussions and with external auditors regarding fraud risks and other matters.
Strengthening Internal Control Directions According to the New Evaluation and Reporting Standards for Internal Control over Financial Reporting (ICFR)
In the future, to prevent fraud such as embezzlement of funds, it is necessary to re-examine the basic principles of internal control, including segregation of duties, management review, and regular monitoring. In particular, it is necessary to review whether the internal control of the subsidiary's treasury process at the consolidated level is sufficient for disclosure of the operation and evaluation results. This review should include checking whether there are any deficiencies in the evaluation design compared to the parent company.
(1) Level up the response to fraud risks such as financial incidents.
Even if a sample test of treasury controls passes, can we say that the possibility of embezzlement is close to zero? Even if the control is concluded to be effective in the selected sample test, one or two abnormal items outside the sample could be the cause of a major incident. This is why a more effective response plan should be established to address fraud risks such as embezzlement.
① Constant monitoring through full investigation of data
One or two unusual transactions among all transactions could lead to embezzlement. Therefore, it is necessary to actively consider full data investigation techniques beyond sample testing for fund-related matters. Because recent technological advances make full-population testing feasible, a systematic approach is to collect and compile all financial transaction data, then design negative scenarios to filter out exceptional items and pinpoint the underlying reasons.
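The full-population approach described above, as an added example that is not from the original article: every payment in a constructed ledger, rather than a sample, is tested against four negative scenarios. The ledger layout, approval limit, vendor master and business-hours window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

APPROVAL_LIMIT = 10_000_000  # assumed single-approver limit (KRW), hypothetical
VENDOR_MASTER = {"110-222-333", "220-555-777"}  # constructed approved payee accounts

# Constructed payment ledger: (id, timestamp, requester, approver, payee_account, amount)
LEDGER = [
    ("P001", "2024-03-04 10:15", "kim", "lee", "110-222-333", 4_200_000),
    ("P002", "2024-03-04 11:02", "park", "park", "220-555-777", 1_500_000),
    ("P003", "2024-03-05 14:30", "kim", "lee", "999-000-111", 800_000),
    ("P004", "2024-03-06 09:10", "choi", "lee", "220-555-777", 6_000_000),
    ("P005", "2024-03-06 16:45", "choi", "lee", "220-555-777", 5_500_000),
    ("P006", "2024-03-09 23:40", "kim", "lee", "110-222-333", 300_000),
]

def run_negative_scenarios(ledger, vendor_master, limit):
    """Test every payment (not a sample) and return {payment_id: [reasons]}."""
    exceptions = defaultdict(list)
    same_day = defaultdict(list)  # (requester, payee, date) -> payments below the limit
    for pid, ts, requester, approver, payee, amount in ledger:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if requester == approver:
            exceptions[pid].append("segregation of duties: self-approved")
        if payee not in vendor_master:
            exceptions[pid].append("payee account not in vendor master")
        if when.weekday() >= 5 or not 8 <= when.hour < 19:
            exceptions[pid].append("executed outside business hours")
        if amount < limit:
            same_day[(requester, payee, when.date())].append((pid, amount))
    # Split-payment scenario: each item is under the limit, the day's total is not.
    for group in same_day.values():
        if len(group) > 1 and sum(a for _, a in group) >= limit:
            for pid, _ in group:
                exceptions[pid].append("possible split to stay under approval limit")
    return dict(exceptions)

if __name__ == "__main__":
    found = run_negative_scenarios(LEDGER, VENDOR_MASTER, APPROVAL_LIMIT)
    for pid, reasons in sorted(found.items()):
        print(pid, "->", "; ".join(reasons))
```

Each flagged item is an exception to investigate for its underlying reason, not a finding of fraud in itself.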
② Expanding the proportion of automated controls
Automated controls are known to be highly effective against fraud because they are strongly preventive in nature. For reference, in the United States, the proportion of automated controls is relatively higher than in Korea. If the system design is reviewed and automated controls are set to block bypass routes in advance, fraud risk can be reduced.
③ Expansion of fraud prevention programs, education, and training
Among company-wide fraud prevention programs, the key elements are the fraud reporting system and education and training for fraud detection. In particular, according to the ACFE (Association of Certified Fraud Examiners) report, the proportion of fraud detection training for executives and employees increased from 52% in 2016 to 63% in 2024, and the resulting loss amount was reduced by half. As fraud detection training can also lead to fraud reporting, continuous training is necessary.
(2) Consider active support for the strengthened role of the Audit Committee.
In 2022 and 2023, 38 and 43 companies respectively received adverse audit opinions. Among these, only 12 and 9 companies respectively had their Audit Committee (or auditor) declare that the internal control over financial reporting was ineffective. Regulatory authorities are emphasizing the substantial supervisory role of the Audit Committee and demanding face-to-face meetings with management and external auditors. Recently, we observe in the field that the Audit Committee's interest in ICFR has increased, leading to more questions about subsidiary internal controls and fund controls. As the supervision of the Audit Committee and the Board of Directors plays a crucial role in fraud prevention programs, active support should be considered to ensure they can fulfill their functions.