Facebook Twitter LinkedIn Email Share

Internal Controls Are Front Line of Defense Against Fraud

The Kraft Heinz Co. owns 60 percent of the ketchup market in the United States and 80 percent of that market in Europe. As of 2014, 97 percent of American households had ketchup on hand, and most of that was Heinz. When people think of ketchup, they think of Heinz. Kraft Heinz also is home to other such iconic brands as Oscar Mayer, Capri Sun, Kool-Aid, Jell-O, Philadelphia, Planters, Grey Poupon, Maxwell House and, of course, Kraft Macaroni and Cheese.

On February 21, the company announced that an inquiry into its procurement practices by the Securities and Exchange Commission (SEC) was underway. The next day the company’s stock plummeted brutally, declining 28 percent in value, or about $4 billion. Kraft Heinz said that after it received the SEC subpoena, it launched an internal investigation into the matter and confirmed there were indeed problems with its systems and procedures. The company also said it is improving internal controls and procedures to prevent something similar from recurring.

Kraft Heinz may be unique in its ability to sell tomatoes, but it is not unique in either its reliance on good internal controls or in discovering that its controls somehow had been circumvented. This article could be written almost anytime using a current example of a well-known company failing to comply with its own compliance process. In the case of Kraft Heinz, controls the company had in place were overridden.

To be fair, the company’s value crashed for other significant reasons in addition to lapses in internal controls. It is selling manufactured foods to a market that is shifting to more natural and unprocessed products, and investors are concerned that if the company doesn’t adapt to this new health consciousness it will significantly shrink. The main news announcements from the company disclosed a large impairment charge accompanied by a large dividend cut. The lapse of control was just the ketchup on the fries but is still one of the sexier parts of the lawsuits already being filed against the company because it is an objective indication of either negligence or incompetence on the part of management.

The market is concerned that Kraft Heinz management has taken its eye off the ball and is destroying the brand equity that both Kraft and Heinz have each carefully built up over 100 years. The impairment charge is a big indicator of that, but the control lapses are a much subtler confirmation of that same fear. Management has announced that the procurement issues being investigated by the SEC are immaterial to the company’s financial results, but many investors see them as being indicative of management’s focus being solely on cost-cutting while losing control of important parts of the business.

Lapses in internal controls are often indicative of lapses in management integrity, attention, or quality. A culture that allowed “improper interactions with suppliers” (from Kraft Heinz’s admission statement, as quoted by the Chicago Tribune) on a large enough scale to be noticed by the SEC either wasn’t paying enough attention to its operations or at least at some level in the company felt the need to cheat to succeed. Neither of these bodes well for a company in a shifting market.

Enforcing Controls

Entire organizations have disintegrated and trillions of dollars have been lost due to fraudulent activities caused or conducted by insiders. Anti-fraud training emphasizes that the most important defense against most types of fraud is to design and enforce the use of an internal control system that makes it difficult for fraud to be committed and to remain undetected. Internal controls help ensure the accuracy, integrity, and safety of company resources.

Having strong internal controls has been a core principle of business accounting and management for many decades, and except for technological adaptation, internal control conventions have barely changed over the decades. There are no excuses for not knowing and enforcing good internal control protocols.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), a joint project of the American Institute of Certified Public Accountants and four other prestigious accounting bodies, defines internal control as:

“a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations

  • Reliability of Financial Reporting

  • Compliance with applicable laws and objectives”

At Wells Fargo Bank, one of the largest banks in the world, employees were allegedly encouraged to order credit cards and insurance policies for customers without their consent and to create fraudulent checking and savings accounts, a process that sometimes involved moving money out of legitimate accounts. As a result of these fraudulent sales, the bank fired approximately 5,300 employees between 2011 and 2016.

How did one of the world’s largest and most prestigious institutions spawn such massive fraud? Its employees described intense pressure to make sales quotas stemming from unreasonable expectations from senior management. Some described levels of stress that led to frequent crying, vomiting, and severe panic attacks. Measures taken by employees to satisfy quotas allegedly included enrolling homeless individuals in fee-accruing financial products. Management initially denied that they had created a sales culture that encouraged fraud. It is obvious, however, that 5,300 employees (especially bankers) didn’t just spontaneously decide to behave in such a way.

Rooting Out Fraud

Most turnaround professionals would agree that running out of cash would merely be a symptom of other significant business problems rather than a company’s core problem. Similarly, when a company has lapses in internal controls, that is not an indictment of the controls but of the culture that allowed the lapses to flourish.

The key is to understand the root causes of corporate fraud—overly aggressive targets for performance enforced by managers who considered failure to be unacceptable in the case of Wells Fargo. People who are creative, who cut corners, who are excessively optimistic, who have too much at stake to lose, etc., are all susceptible to turning to a little fraud. Most business people are inherently honest and not easily corruptible, but overwhelming pressure or frustration from external sources can help to generate an environment in which fraud is more likely to occur.

Quite often, it is the failure to meet bank loan covenants that starts a company on the road to ruin. A minor miss on a covenant that management believes is purely “a temporary blip” is easier to disguise than to disclose and then have to deal with loan committees, forbearance agreements, requests for increased guarantees, fees, multiple teams of lawyers, etc. However, when the “blip” in performance persists and “temporary” starts to span multiple reporting periods, the fraud grows.

Eventually, the perpetrators come to believe that the problem has become too big and has gone on for too long to disclose it. To suddenly let the music stop would be to create too precipitous a gap to explain. If things haven’t turned around, those involved feel the fraud must be continued to buy more time. Most frauds seem to start small and contained but then grow over time as they escape notice and pressure to maintain them—and even expand them—builds.

A typical reaction when such a scenario is described is that this type of thing still shouldn’t be able to occur in large companies. Former investors in Enron, Cendant, MF Global, WorldCom, Fannie Mae, HealthSouth, Tyco International, Qwest Communications, Lincoln Savings and Loan, and Adelphia Communications, among others, would all beg to differ. All of these companies had sophisticated internal controls that should have prevented exactly the types of fraud that occurred.

As the economy continues to change at an ever-faster pace and pressures on management continue to expand, management at many organizations is being forced to find ways to cut costs. Cost-cutting might take the form of employee reductions or foregoing necessary system upgrades. Unfortunately, the loss of employee resources—both in numbers and the institutional knowledge of long-term employees—and often combined with a failure to maintain effective systems can result in gaps in or weakening of the control environment. All of this leaves a company vulnerable to fraud.

Internal controls in areas related to information systems, financial statements, or assets might be negatively affected if they are not considered when organizational decisions are made. Neutering internal controls can adversely affect cost-cutting initiatives by exposing the company to greater losses due to fraud and abuse.

Many internal controls are deceptively simple: comparing actual results to budgets, ensuring segregation of duties, requiring multiple levels of approval, mandating job rotations, enforcing vacations, and monitoring cycle counts. Even physical controls such as locked doors and cabinets and controlling the custody of signature stamps are easy to implement. All of these measures are so simple, in fact, that there is often little thought given to overriding them to save time by sharing passwords, signing blank documents, giving unauthorized employees access to the signature stamps, or propping doors open.

Even well-designed internal controls can only provide reasonable assurance that they will be practiced. Poor judgement, misunderstanding the control objectives, management overrides, and collusion can all circumvent even the best internal controls. Collusion among key people can render both preventive and detective controls almost totally ineffective and useless.

Character Counts

There are many audit steps to test the integrity of the control environment, but experienced fraud investigators know that the best way to evaluate the control environment is to start by assessing the integrity and competence of senior management. Lax management breeds lax employees. Dishonesty exhibited by management, even if directed at people outside of the company, creates a dishonest environment where theft is easier to rationalize. Even when an employee has a need and an opportunity to steal, it usually will not happen unless the individual also can rationalize some justification to commit theft. Poor management can provide all the rationalization an employee might need.

It is not uncommon to investigate fraud by management and find that underlings are stealing from the managers who are stealing from either the owners or lenders. Like children imitating what they see their parents do, employees often mimic their superiors’ behaviors.


It is not uncommon to investigate fraud by management and find that underlings are stealing from the managers who are stealing from either the owners or lenders.


To identify fertile ground for fraud, one need only be aware and observant. For example, an embezzlement scheme was discovered at one company because an alert regional manager took a local manager out for a drink to celebrate a good performance review. The local manager chose the bar at an off-track betting establishment where everyone seemed to know his name, which raised the regional manager’s suspicion. Patterns matter.

What are senior management’s personality traits? Do they cheat at golf? Steal hotel furnishings? Lie about where they are going or what they are doing? Make up stories to enhance their prowess? Put personal items on their expense reports? One or two instances of any of these transgressions may not mean much, but more than a few can show a pattern that should be concerning.

Even if outsiders do not notice the patterns exhibited by senior managers, they can be sure that subordinates are aware of them. Management sets the tone, intentionally or not, and the organization reflects that tone. Consultants should be aware of the constant messaging and consider whether management is giving employees motive and rationalization to override internal controls. Accountants, procurement managers, bankers, and midlevel managers do not just spontaneously choose to become fraudulent professionals.

Actions Speak Volumes

The best internal control is a management team that sets a tone characterized by integrity, and the best way to gauge that is to pay attention to the patterns, actions, and attitudes of the people in the organization. Successful managers may be good at disguising some of their less savory personality traits, but those qualities often show loud and clear in the people that management hires and keeps on board.

Spending time in the midlevel ranks to get to know people is often a great way to learn about the people at the top. It is not what the subordinates say about upper management, but how they conduct their daily business that speaks volumes about the managers who oversee them.

The best internal controls are honest and competent employees. Bad employees can find ways to get around the best controls. Competence and character both matter.

Michael Goldman

Michael Goldman

KCP Advisory Group LLC

Michael Goldman is a senior managing director of KCP Advisory Group LLC. He has been qualified in both state and federal courts as an expert witness in cases involving fraud, solvency, fairness, commercial damages, marital dissolutions, valuation issues, professional malpractice, and bankruptcy issues. He is a CPA, has an MBA, and holds CVA, CFE, and CFF certifications. Previously, Goldman was a professor at the Lake Forest Graduate School of Management and designed courses in the school’s corporate education division.

TMA Print Logo