Who’s Really in Control of Your Internal Controls?
As a small business grows beyond its owner or owners, a system of internal controls becomes necessary. We would all like to believe that our business assets are safe from unscrupulous employees and that the financial information we use to make critical business decisions is free from errors and omissions. However, without a system of internal controls, there is little possibility that even the most innocent error or omission will be detected.
Internal controls are the checks and balances that are in place to at least provide a fighting chance that errors, omissions, duplications and misappropriations will be detected and avoided. They can apply to many different aspects of the business.
For example a business can have internal controls over financial processes, IT applications and systems, as well as over human resources. My focus is on accounting and financial internal controls that a small business can put into place immediately without breaking the bank.
The 10 internal controls you need
Ten internal control procedures businesses of all sizes can immediately put into place:
- Separate the check writing and check signing responsibilities among two or more individuals. If using online bill pay, keep account passwords secure and only with those authorized to make the online payment.
- Have a person who is independent from the check writing or accounts receivable responsibilities open the mail. When opening mail, immediately endorse and stamp checks “for deposit only” and list checks on a log before turning them over to the person responsible for depositing receipts. Periodically reconcile the incoming check log against deposits. Small offices can have the business owner open all mail and populate the check log.
- Require paychecks to be distributed by a person other than the one authorizing or recording payroll transactions or preparing payroll checks. Have employees sign for their paycheck and periodically inspect signatures against employee files. Many fictitious employee schemes have been found through “surprise” in person paycheck distributions.
- Reconcile bank accounts monthly. Ideally these reconciliations should be done by an independent person who doesn’t have bookkeeping responsibilities or check signing responsibilities. If you don’t have the personnel to segregate these duties, make sure the reconciliation is adequately reviewed by another person or by the organization’s independent CPA.
- As part of the reconciliation process, periodically examine cancelled checks to ensure that checks are in sequence, payees are recognized, endorsements are appropriate and signatures are valid.
- Set account limits on company credit card use and require employees to submit original receipts for all purchases. Examine credit card statements and receipts each month to ensure charges are business related and authorized.
- Compare financial results against budgets, forecasts and prior year results. This comparison should be done monthly and any inconsistencies or variances should be investigated.
- Avoid time lags between approval and processing since falsifications can occur after the approval of the transaction. After approval the document should not be returned to the preparer.
- Limit access to assets such as inventory, petty cash and equipment. Periodically count the assets and compare the results to the underlying accounting records.
- Develop formal policies and procedures for purchasing. Separate the purchasing function from the requisitioning, shipping, and receiving functions. Include the verification of goods and services received to the contract or purchase order and invoice.
Protecting against fraudulent activity
Internal controls are not only needed to help protect a business against fraud or misappropriation by bad employees. They are used to detect innocent errors, duplications or omissions.
Once a business determines formal internal controls are needed it shouldn’t delay in establishing these procedures and protocols; as we all know, the longer the delay in implementing a process the more difficult the buy-in for change.
In the end management is ultimately responsible for the organization’s internal controls. Be aware that any system will be hard pressed to prevent or detect fraudulent activity through employee collusion. A good system of control will help to prevent what could be costly errors and omissions as well as discourage deliberate misappropriation of organizational assets.