Is “Trust” a consideration in designing and implementing internal controls?

When I am working on evaluating, designing and implementing internal controls and accounting procedures within client organizations to minimize the risk of employee theft and embezzlement, I am frequently asked why certain measures are needed, given that a certain individual works within a position.  The individual is often described as a long-term, honest, loyal, dedicated and trustworthy employee who would never steal, let alone do anything else harmful to the organization.  The human element.

My response has always been the same.

1) Internal controls and accounting procedures should be objective, not subjective, and should look at the positions and opportunities rather than the individuals who fill those positions.  What does each position entail, what are their duties and responsibilities, and what opportunities exist within each position are key elements to the assessment?  Who presently fills each position, how long have they worked there, and attributes about them as a person and their background are not part of the evaluation (unless we are also measuring competence, capacity, efficiencies and/or other separate objectives simultaneous to assessing the strength of the internal controls).

2) Organizations do rely upon trust.  And they should.  Not the “trust that an employees will not steal”, but rather “trust the employees will consistently adhere to the established controls, policies and procedures” every time.  Internal controls always include measures to ensure that happens (compliance).  “Trust, but Verify” – in the words of the late Ronald Reagan.

3) The individual often described as the most honest, loyal, dedicated, trustworthy person ironically is almost always the very same person who has embezzled funds, lots of funds, over a long time, operating below the radar screen of suspicions, because they were perceived as honest, loyal, dedicated, trustworthy… and therefore provided too much latitude and opportunity.

Employers expect to “trust” their employees.  For example, employers trust that:

– their employees will devote all their efforts towards their employer;

– their employees will honor and adhere to all policies and procedures of the organization, regardless of whether they are satisfied with their employment and current situation, or not;

– their employees will keep all information learned through their employment confidential, only to be used within the contexts of their employment (and not steal or share customer or client lists, vendor profiles and histories, employee listings, competitive bidding information, pricing and price lists, trade secrets and other confidential and proprietary information)

– their employees will do what they are supposed to do, all the time, and not just when someone is watching over them

But one area that employers should not “trust” their employees is with internal controls over the financial aspects of the organization.  Measures are always needed to safeguard assets, segregate duties, create checks and balances, identify procedures to prevent things from happening, and implement procedures to detect things early on when they do happen (prevent what can be prevented, and detect everything else as early as possible).