Internal controls have a soft side: why human frailty can foil even sure-fire internal controls.

Internal controls are hard and soft. The hard controls comprise policies, procedures, and systems. These hard controls set the "standards" so to speak. If employees comply with policies and follow the procedures, the objectives of the internal controls can be met.

The soft controls are simply the competence, attention, and integrity of the people in an organization whose oversight helps to prevent and detect fraud. This was the basic premise introduced by John J. Hall of Hall Consulting, Inc., Chicago, in a presentation at the AICPA National Conference on Fraud, October 2-3, 2003 in Miami Beach, Florida. Along with Courtenay M. Thompson of Courtenay Thompson & Associates, Dallas, Texas, Hall offered "15 Reasons Internal Controls Break Down and What to Do about It."

First among the 15 reasons is "the process mentality." People with this mentality, according to Thompson, just go through the motions, the steps of the process, without thinking about what they're doing. He cited, for example, his experience with one organization whose accounts payable system required three executive signatures before a payment was made. In this instance, because of their inattention, the signers failed to notice that there was no payee on the check. Thompson thinks that perhaps one or more of the signers may have noticed the lack of a payee on the check. They assumed, however, that because others signed off on payment, it was all right, and therefore didn't question it.

The remedy for this reliance on process without thinking, Thompson advised, is for CPAs to educate clients (the executives) and to be aware of this mentality and its consequences when auditing.

Blind man's bluff

A second reason controls break down is blind trust. Managers may have too much faith in an employee, a faith often based on a relationship. The manager may have hired the person, trained him or her, or is related through family or some other kinship. Favored vendors are also sometimes given this blind trust. CPAs and their clients need to remember, Thompson says, that all fraud is done by those we trust and that trust is not a control.

Blindness, however, does not always result from unwarranted or even thoughtless trust. Sometimes it's deliberate. Willful blindness, choosing not to see or acknowledge a breakdown in controls, is a third reason controls break down. Hall cited an example of management's failure to question obvious red flags uncovered during an operational review of a...