3.4 Human factors and internal controls
Internal controls are a widely used component of most risk management systems. But controls that rely on people can sometimes fail.
More sinister is deliberate deception or fraud, which can cause an otherwise high-performing risk management system to fail. Failing to identify risks or to assess them properly, or deliberate subversion of controls for fraudulent purposes, can lead to a risk system failing to operate correctly. Fraud affects all organisations, to a greater or lesser extent, and it is something that should be guarded against.
To guard against an individual committing fraud, it is common to have ‘segregation of duties’. This simply means that more than one person is involved in carrying out a task. An example is paying a supplier. Segregating duties would involve one person raising the invoice and another person paying the invoice. Segregation of duties can be subverted (got around) when people collude. For this reason, independent oversight (e.g. by internal audit) is necessary, even when, at face value, appropriate controls are in place.