Internal controls are used to direct, monitor and measure your business's operations and are key to your business meeting its goals. Controls should run through a business like blood runs through the body. However, controls are often only added after something has gone wrong.
If controls are so important, why isn't this article titled: "Five Internal Controls All Companies Should Implement to Eliminate Fraud and Error"? There is no perfect control. Controls can minimize risk – not eliminate it.
Internal Controls Are All About Risk
Designing internal controls requires knowledge of your business,
it operations and its risks. It's is only through understanding
how your business operates that you can design effective
Some risks are universal, but even these risk vary from business to business. Employee theft is a common risk for companies. Jewelry stores bond their employees against employee theft, paying a significant premium for this type of insurance. On the other hand, a company that manufactures glue for industrial use (large barrels with limited resale value on the open market) has less risk from theft and requires significantly less controls.
Information about the Business is key to effective controls
Understanding how task are completed within your business is the
first step to designing effective controls. How is payroll
processed and paid? How are assets purchased? How are goods and
services sold to your customers and payments received? We call
these types of tasks internal control cycles.
Common cycles include the purchases, payables, payments cycle, revenue, receivables, receipts cycle, inventory production cycle, payroll cycle and treasury cycle.
Walkthrough the company's common transactions
The starting point to designing effective controls is understanding how a transaction is moved through your company from start to finish and documenting each step.
Techniques to document your business's processes include:
- Flowcharts – use boxes (which describe each step in the process including any decisions being made) and arrows to follow the movement of a transaction from start to finish.
- Narratives – create a story of the connected events that represent the sequence of steps in the transaction cycle.
- Table – create a table that moves through the steps of a transaction from start to finish with each line representing a step. Common table headings include "actor", "description of process", "software/forms used" and "key controls".
Looking at the revenue, receivable, receipts cycle, how does a customer start the purchase process? Do they phone your business and place an order, or do they walk into your store, pick up an item and take it to the cashier for payment?
After all the information is gathered...
Completed walkthroughs should be used to perform the internal control assessment. Where are the weak points in the process? When performing the walkthrough, did you notice any errors being made? What have customers complained about?
An internal control assessment is about asking questions. If customers complain about not receiving all of the items they've ordered, can you pinpoint which part of the cycle is creating an issue? If most orders are phoned in, transcription errors (by the salesman) are the likely cause. A possible solution is having the customer review the order before it's filled. Internal controls are created at specific points in each cycle based on the occurrence of common errors from weaknesses in the cycle.
What about fraud?
Fraud requires opportunity – effective internal controls minimize that opportunity. While review your company's processes ask yourself at each step of the cycles what weaknesses exist. Sometimes minimizing fraud can be as simple as locking up cheque paper and not leaving unsigned blank cheques around. Other examples include adding a dual signature requirement for electronic fund transfers and requiring bank reconciliations be reviewed by someone other than the person who prepared them.
A common internal control weakness
A common internal control weakness occurs when one person is given control over all the steps in a cycle allowing an individual to manipulate both the information going into the cycle and the information coming out of the cycle.
Segregation of duties
Segregation of duties is the process of assigning tasks to minimize a person's involvement in all of the steps in an internal control cycle. An example of a lack of segregation is when an individual is responsible for processing mail, including mail containing customer payments, and also prepares the bank reconciliation. This gives a person the chance to both steal a customer payment and hide the theft by modifying the bank reconciliation.
It can be difficult for smaller businesses to get perfect segregation of duties because the underlying principal is breaking up processes by giving the pieces to different people. Small business don't have enough people to make segregation practical. Instead, other internal controls should be used to replace segregation.
Proactive introduction of controls
Internal controls can be used to control your company's risks and should help you protect your company's resources and assets. If you would like help in performing an internal control assessment or have any questions about internal controls Crowe MacKay would be happy to help. A proactive approach to controls can give you a competitive advantage over others who introduce controls only when something goes wrong.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.