By Jon Tatum, CFE, CICA, CIRA, HoganTaylor Consulting Executive
Internal Control Basics
Internal Controls are a set of activities that are woven into the operating fabric of an organization with the intent to safeguard assets, minimize errors, and ensure that operations are conducted in an orderly manner. These controls should increase in comprehensiveness as a company grows. The following are a few examples of internal controls:
- A board of directors overseeing an organization’s management team
- Segregating duties so that more than one person is involved, thereby requiring employees to cross-check each other, which ultimately reduces errors and the risk of fraud
- Restricting access to computer records so that information is made available to only those individuals that need to conduct specific tasks
- Locking up physical assets when not in use making them more difficult to steal
Segregation of Duties
Let’s focus on one of the most important types of internal controls to reduce the risk of fraud, segregating duties. Simply put, segregating duties ensures that one single person doesn’t have too much control over any given process. If an organization receives funds through a cash register, front desk, electronically, or by mail make sure:
- Checks are endorsed immediately and deposited;
- To use pre-numbered receipts for collection of all funds;
- The person responsible for invoicing customers does not also collect funds and post payments to customer accounts;
- The person collecting funds and posting customer payments does not also have the ability to initiate and approve credits or write-offs of a customer’s account;
- The person collecting funds is separate from the person who takes the funds to the bank; and
- bank statement reconciliation is not performed by the person posting or taking cash to the bank.
Small businesses with only one person in the accounting department must find creative ways to segregate duties. For example, consider training a non-accounting person to take money to the bank, post payments or reconcile bank statements.
Internal Controls and Trust
Trust is not an internal control. Recently, I performed an engagement where there was only one person in the accounting department. When interviewing the owner of the company, he indicated this person had been employed for over 20 years and he had complete and total trust in him/her. This employee held the “keys to the kingdom” meaning, he/she could have easily perpetrated a fraud as there were no separation of duties or oversight.
It is important to trust employees, but we should also inspect their work. Many fraud investigations that I perform reveal an owner or manager that was not paying attention and performing no regular monitoring activities. Simple monitoring activities include examining bank statements on a monthly basis, reviewing a deposit before an employee takes it to the bank, or looking closely at credit card statements/transactions.
The single most important line of defense against fraud that an owner or manager of a small business has at their disposal are monthly bank statement and canceled check image reviews. Always make sure bank statements are received unopened by someone other than the person preparing and processing checks. In an environment routing bank statements to an outside accountant to prepare the bank reconciliation is a good control mechanism. A review of the cancelled check scans can reveal inappropriate payees, amounts, and unauthorized signatures.
Internal Controls and Payroll
One final area to consider is payroll. Regardless of whether you process payroll in-house or with an outside firm, there is risk associated with it. Some best practices include:
- Segregating the hiring and human resource functions from the payroll function;
- Management approval of payroll hours before they are entered into the pay system;
- requiring direct deposit rather than issuing live checks;
- Making timely tax payments; and
- Management review of payroll reports once payroll is processed
Inform and Train
Finally, as the company implements a system of internal controls it should use the opportunity to inform and train employees of the importance in operating within the control environment. Implementing and following these processes are essential for the organization to grow and compete more effectively in the marketplace by implementing improved processes and procedures and ultimately reducing risk.