“Trust But Verify: Does Operating Under this Ideology Increase Risk for Management?”

Aug. 7, 2020

By: Terry Thompson
Internal Audit (Chief Audit Executive), Enterprise Risk Management, and Fraud Leader

Terry has been an innovative thought leader and certified internal auditor with over 30 years of Internal Audit and Compliance experience.

In the article “Small business fraud and the trusted employee” written by G. Stevenson Smith in the January/February 2013 edition of Fraud magazine, Mr. Smith states that approximately 87 percent of occupational fraudsters studied in the ACFE’s 2012 Report to the Nations had never been charged or convicted of a fraud-related offense and 84 percent had never been punished or terminated by an employer for fraud-related conduct. Specific to small businesses, Mr. Smith indicates that the major reason fraudsters can commit their crimes is that management trusts them so much. He also states that even when business owners find suspicious behavior, they often believe it’s inconceivable that employees would violate these trusted relationships. Consequently, management hesitated to investigate, which enabled highly trusted employees – who had easy access to assets and control of operating activities – to hide their activities and resulted in much larger frauds.

Over the years, I’ve heard the catchphrase “trust but verify” espoused by many professionals. Fundamentally, I agree with this statement. However, it’s the internal control portion of this statement that is problematic because employees continuously fail to “verify” that responsibilities have been executed. Why? Some of the standard responses have been “because I trusted them”, “I didn’t think that person would do that”, “this person has been doing a good job for years” and many others that inherently or overtly lead back to trust. How many times have you experienced or heard stories about:

  • The employee who stole company funds because he or she was responsible for receiving money, posting payments and depositing funds, and had a great work ethic – i.e., they never took vacations and worked weekends. (Control deficiencies were 1) a lack of segregation of duties and 2) a lack of secondary review by an independent party to verify that funds were properly accounted for.)

  • The employee who stole company funds because they colluded with internal and/or outside parties and submitted false invoices. (Control deficiencies were that Accounts Payable personnel 1) did not verify the payee was a legitimate company, 2) did not verify that products or services were properly provided, and 3) allowed and did not track payments made through a manual check process.)

  • Supervisors who allowed employees to borrow company assets. (The control deficiency was that supervisors did not implement tracking tools to verify that assets were returned. In this instance, supervisors were trained on the policy indicating that employees are not allowed to use company assets for personal use.)

  • Employees opened customer deposit or card accounts without customer authorization. (The control deficiency was that there was no secondary review to verify that customer authorizations were obtained.)

As indicated in the list above, the common denominator is that internal controls were not executed to provide reasonable assurance that organizational assets were protected. Consequently, organizations suffered financial losses (including decreases in stock values and, in some instances, fines and penalties from external agencies). However, the negative impact does not stop there. Negative publicity, breach of trust and lower employee morale, increased administrative costs, and negative financial impacts on other employees such as layoffs or elimination of raises and bonuses can also result from these activities.

Internal controls must be implemented and executed, and they must address the most significant element of the three-legged stool: Opportunity. Simply put, if you minimize opportunities to conduct fraud, the other elements – i.e., pressure and rationale – are irrelevant. Also, controls will not only assist in protecting the organization, but may also protect the employees from disciplinary actions – for example, termination and incarceration – that will significantly affect them and their families.

In closing, I want to revisit the catchphrase “Trust but verify”. Regardless of our relationship with, or feelings towards others, we cannot assume that we truly know the financial challenges, personal pressures, job dissatisfaction, and other factors affecting the lives of the people around us that cause them to engage in fraudulent activities. To this end, I generally state that we should verify in order to trust. Regardless of the semantics, verification must occur…whether you trust others or not.