... do as the gun runners? Or make out like bandits? You'd hope that companies dealing with lethal products have excellent standards regarding hiring people and internal processes.
Any company, especially one dealing with highly sensitive systems, secrets, military and related products, money, high-tech products, and so on, must have air-tight internal controls. That is easily said but much harder to do.
A major manufacturer of weapons in Belgium found itself out of 15 million euros, apparently due to lacking internal controls. It turns out that a staff member of the procurement department set up a system with falsified invoices and put the monies paid toward these in his pocket. He subsequently skipped town to an African nation. The unions had already notified the then-CEO and the vice minister-president of the Walloon government at the time, back in 2014, that internal controls were insufficient at the company. That was over six years ago.
Controls, in this context, are mechanisms, rules, and procedures that try to ensure the integrity of processes used within a company to protect it from mistakes, faults, fraud, and other things. In this particular case, the internal controls of the procurement department were called into question.
Some good examples in a procurement department could be the following rules:
Rules by themselves are not controls. We all know that we should not ignore a red light in traffic. Have you always abided by that rule? Of course not! Late at night, when there's no traffic at all, we can see cyclists and pedestrians routinely ignore a red light. Why do they do that? Because the perceived risk is very low.
When that same person is riding a motorcycle or driving a car, the perception changes: not necessarily of the risk, but of the consequences should it go wrong. These can take the form of a police officer who sees the infraction and the fine that follows, or of actually running over a person. The risk (as opposed to the consequence) only comes into play when the crossing is not easy to survey over a larger area.
Even in this example, which can have devastating consequences, you can see how our internal thought processes combine the rule with the chance of getting caught. That is only human. We don't live by absolutes, not even in totalitarian regimes. And our perception of reality is our own, but that is another discussion...
So how do you enforce this simple "do not cross on red" rule? By putting a monitoring system in place, like a camera. And how do you do that in the procurement department? By adding a user access rights system to the software, as most modern accounting systems have. And, of course, by configuring it correctly. That also needs to be monitored.
In less technologically inclined companies, it can be as simple as "put the checkbook in a locked drawer." For most companies, it means separating payment approvals out to a central team and comparing Purchase Orders and Purchase Approvals to incoming invoices. The general tenet is that approval should never be done by the same person who ordered something.
Nature has already shown us that unilateral rules don't work. A dog will take another's bone if it estimates it can get away with it. It is all about estimating risk, what is acceptable within the environment in which we operate, and the likelihood of consequences.
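The comparison described above, written out as an added example (not code from the original article or from any accounting product); the record fields, names, and amounts are constructed for illustration.

```python
from collections import namedtuple
from decimal import Decimal

# Field names are assumptions made for this example, not taken from a real system.
PurchaseOrder = namedtuple("PurchaseOrder", "po_id ordered_by vendor amount")
Approval = namedtuple("Approval", "po_id approved_by")
Invoice = namedtuple("Invoice", "invoice_id po_id vendor amount")

def check_invoice(inv, orders, approvals):
    """Return the list of control failures for one incoming invoice."""
    po = orders.get(inv.po_id)
    if po is None:
        return ["no purchase order"]          # nothing to compare against
    findings = []
    approval = approvals.get(inv.po_id)
    if approval is None:
        findings.append("no purchase approval")
    elif approval.approved_by == po.ordered_by:
        findings.append("approved by the person who ordered")
    if inv.vendor != po.vendor:
        findings.append("vendor differs from purchase order")
    if inv.amount > po.amount:
        findings.append("invoice exceeds purchase order amount")
    return findings

# Constructed sample data.
ORDERS = {p.po_id: p for p in [
    PurchaseOrder("PO-1", "alice", "Acme Steel", Decimal("1200.00")),
    PurchaseOrder("PO-2", "bob", "Acme Steel", Decimal("500.00")),
]}
APPROVALS = {a.po_id: a for a in [
    Approval("PO-1", "carol"),
    Approval("PO-2", "bob"),                  # same person ordered and approved
]}
INVOICES = [
    Invoice("INV-1", "PO-1", "Acme Steel", Decimal("1200.00")),
    Invoice("INV-2", "PO-2", "Acme Steel", Decimal("650.00")),
    Invoice("INV-3", "PO-9", "Ghost Supplies", Decimal("9000.00")),
]

def review(invoices=INVOICES):
    """Map invoice id to findings; an empty list means nothing blocks payment."""
    return {i.invoice_id: check_invoice(i, ORDERS, APPROVALS) for i in invoices}

if __name__ == "__main__":
    for invoice_id, findings in review().items():
        print(invoice_id, "OK" if not findings else "HOLD: " + "; ".join(findings))
```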
For controls to work, we need an agreed framework within which we operate. For that, we must have:
There is no one-size-fits-all answer of the kind typically embraced by big-box consultants who use a fill-in-the-blanks ISO-whatever approach. Control compliance starts with understanding your company. Use toolkits to guide you, but always adapt them to your culture. When you hire a consultant to implement anything, always ensure the person does so with respect for how people work and operate. Yes, change will probably need to happen, but it will happen faster and last longer when it is done in line with your corporate values and your way of thinking and working.