Designing internal controls for a small business or organization is a difficult task for management and/or the board to undertake. There are some that say it cannot be done because there are too few employees in the organization. We disagree. It can be done with a bit of forethought about the design of the workflow that needs to be accomplished. To begin the process, consideration needs to be given to the four major components of internal controls: control environment, risk assessment, technology and monitoring.
An important part of any organization is its team of employees and the environment in which this team operates. To understand how to design internal controls for small organizations, one must understand the control problems within the organization. The most common problem encountered by small organizations occurs when a small staff is involved in the financial function. Often, the same individual is given access to assets and the recording of transactions due to the limited number of employees sharing the workload. Unfortunately, this results in individuals being able to easily conceal any fraud or errors they cause. This is referred to as an insufficient segregation of duties. (An example of this would be an individual being tasked to perform the bank reconciliation and make cash deposits.)
Risks such as this can be mitigated through the use of strong internal controls. For strong controls to take hold, all team members must demonstrate a strong commitment to honesty, integrity and ethical values. If there is one employee that does not agree with the controls put in place, the control environment will suffer. Within the control environment, management's tone will set the pace. If there is a solid tone at the top, it will provide the perfect environment for sturdy controls to take root. Combine this with the separation of incompatible duties – such as having different employees reconcile the bank and take responsibility for cash deposits – and the organization will have stronger internal controls.
To set up a system of strong internal controls, it is important to have a good understanding of the risks that affect the organization's control environment. Risks vary from organization to organization, but fraud should always be taken into consideration when designing internal controls. For example, an organization that has cash transactions is vulnerable to a misappropriation of assets due to the risk of theft. To mitigate this risk, management should review bank reconciliations and ensure that its gross margin is within an acceptable range. When there are changes in the environment (e.g., new staff), these risks should be reassessed and controls should be changed as necessary. For example, upon the departure of a staff member in charge of online banking, the username and password should be changed to block access to the account. This continuous risk assessment will ensure that the controls in place remain secure and useful.
Organizations should consider the use of technology – hardware and software – when establishing a strong control environment. With the correct technology in place, the production of reader-friendly reports can provide relevant information to management and those charged with oversight, providing them with insight as to the operation of controls. If software provides reports that are difficult to read or unnecessarily complicated, it will be harder to detect fraud, error and the deterioration of controls. For example, a manager reviewing a budget report may misinterpret the results if there is an abundance of useless information. If the report is too detailed (too many accounts) or not detailed enough (too few accounts), it may not provide information necessary to make informed decisions.
Technology extends beyond the use of reports. Through the use of software features, management can restrict an employee's access to areas that are not required for them to perform their job functions. For example, management could restrict the payroll clerk's access to the accounts payable sub ledger. The use of electronic signatures is also a way to ensure that electronic documents are reviewed. Having the proper software in place will allow controls to function properly.
In order for internal controls to function and perform as intended, it is important to establish a monitoring process to ensure that the controls are being applied consistently. Depending on the control and the individual accountable for the control, management – or those charged with oversight – should be responsible for monitoring. In some cases where a manager is responsible for most of the organization's administrative functions, those charged with oversight (such as the board or owner) would be more involved with day-to-day operations and responsible for the review of reports. The monitoring process should reinforce the importance of proper internal controls for the entire organization. If inefficiencies are identified through this process, action needs to be taken immediately to address the problems.
In conclusion, there are several considerations to keep in mind when designing controls for small organizations. These controls will aid in the achievement of an organization's objectives, provide reliable financial reporting, ensure compliance with laws and regulations and protect the organization's resources against waste and fraud.
To determine the best approach to internal controls for your organization, consult with your local Collins Barrow professional today.