In Protecting your firm’s assets from fraud, we discussed the importance of an effective internal control structure to reduce the risks of fraud, errors and irregularities. So what if your organization now has an effective internal control structure with the critical tone at the top, segregation of duties and an effective system of reviews, authorizations and approvals? Are you now fully protected from fraud risks? Are you protected from other enterprise risks to your law firm? Unfortunately, the answer is “no, fraud and enterprise risks still exist.” For example, fraud may occur due to the lack of compliance with well-designed control policies and procedures.
The “three lines of defense” model is a commonly accepted risk management framework used to manage risk and controls as follows:
- First line of defense: operational management
  - Owns and manages risks; performs day-to-day risk management activity
- Second line of defense: oversight
  - Finance, human resources, risk management and compliance functions; set direction, define policy and provide assurance
- Third line of defense: internal audit
  - Provides assurance that the other lines of defense are functioning effectively

American Lawyer magazine noted in a March 2019 article that one of the largest law firms in the world inadvertently transferred millions of dollars in client funds to a fraudster. It is likely this large law firm has a rather effective overall internal control structure; however, diligent compliance may have been lacking. Similarly, an audit committee member of a public company recently noted a similar fraud instance where wire transfer instruction changes from a seemingly appropriate source were not properly verified. To further complicate the need for diligent compliance with all procedures, the individual noted that, upon investigation, the public company determined that their information systems had been breached and monitored for a year while the fraudsters waited for an ideal time to strike.
Along with fraud risks, every organization faces additional enterprise risks. For law firms some of those enterprise risks include compliance with laws and regulations, cybersecurity and data protection threats, conflicts and professional practice requirements, security procedures over client escrow accounts, and increasingly important operational risks to effectively plan and manage legal matters that are more closely monitored by client demands. Many of these additional enterprise risks fall outside the scope of typical financial controls; however, they are generally controlled through a series of policies and procedures, as part of the second line of defense.