Introduction

The story I relate above is a good example of a number of assignments that I have worked on where it proved to be difficult to gain assurance that key controls in an organisation were actually working effectively. The reasons for this varied: sometimes it was caused by a lack of awareness by workers either of the control itself or, often, of the reasons why they should spend time carrying out a task simply because it was written down in a manual but which seemed unimportant to them; at other times it was because the checks were not being carried out due to time pressure; and again on occasion it was down to the fact that there was simply no available evidence to show that a control had in fact been carried out. Generally all of these situations have as their root cause a poor understanding by employees of the purpose of controls and a lack of respect for those controls as a result. Where this happens there is what may be termed poor control consciousness throughout an organisation. This was certainly something that was very apparent to me and my colleagues during the Luxembourg project described above.

Effective controls are of course essential if an organisation is to be able to manage its fraud risk successfully. We look at control theory and practice in detail in this Chapter and, in particular, at the steps that directors and managers can take in order to gain the assurance that their controls are indeed working effectively. We begin by going back to first principles ...