Internal Control Matters
One police officer talking to another on an embezzlement investigation:
Overheard “I wish I made enough money so someone could steal $250,000 from me and I didn’t know it.” And later we determine that the bank account reconciliations had been manipulated and the former controller was going to Sam’s Club and purchasing personal items including thousands of dollars in gift cards every month, with the payments automatically deducted from the business account that the owner never looked at. Charges filed. Former Controller Arrested.
How did it happen? Long-time trusted employee, off-site management, no review of results by operations manager, lack of segregation of duties and negative attitude of controller ignored.
Auditor discussing misappropriation with business owner: “You mean she was buying this stuff with a credit card or company check then putting in a check request for a petty cash reimbursement? And the total is $20,000?” Bookkeeper fired.
How did it happen? Lack of control over petty cash. Failure to properly supervise and review, with documentation supporting reimbursement simply initialed. Failure to determine the “why” of increases in expenses.
Business owner to Accountant: “Food sales and cost of sales seem normal, but Beverages are totally out of whack. Beer, wine & liquor have the highest margins, except for this store.”
Later: “Seriously? Separate cash registers for cash vs. credit. Bringing in his own bottles, no adherence to bottle control? Diluting liquor? No wonder! My profits are going in his pocket.” Bartender fired.
How did it happen? Failure to do background checks, no follow-up when things appear “questionable” or “not reasonable”, failure to timely investigate gross margin fluctuations and failure to monitor whether established control mechanisms were, in fact, operating and effective.
Controller of Jewelry Store business to auditor: “He’s borrowing jewelry from his friends for the upcoming inventory.” Lo and behold, support cannot be located to substantiate the cost so the owner offers the catalog to validate the inventory cost. Client gets fired.
How did it happen? Business was failing, cash flows inadequate to operate business, default on all lender covenants.
Internal Control Matters! Many small businesses and quite a few large ones put internal control on the back burner. They tell themselves, “We’re small,” or “I trust my staff” or “We don’t have time for that” but given motive and opportunity many employees will be tempted to put their hands in the till. Nevertheless, internal control is more than detecting employee theft. Proper internal controls and policies & procedures, when put in place and monitored, provide businesses with the tools to prevent or detect errors and irregularities.
In days past, manual bookkeeping and software limited the production of financial records to days or weeks after the period end. In this age, we have moved to "up to the minute" financial information. If you establish proper controls and policies, you can produce reliable financial information on a timely basis, even mid-month, weekly or daily if necessary.
Think this can’t happen to you? Sorry, it can; and the conversations above are real-life examples. It’s important to remember the basics of fraud. Three factors are likely present for fraud to occur:
· Motive – someone has a reason to steal
· Rationalization – someone determines that it is okay to steal
· Opportunity – someone can steal, potentially without detection
Motive and rationalization are factors that are beyond your control and are usually a result of outside influences, personal lives, and individual personalities. Opportunity is the one factor that management can control; therefore, focus needs to be on eliminating or reducing the opportunities to commit fraud. But keep in mind, internal control can provide only reasonable assurance - not absolute assurance - regarding the achievement of a business’s objectives or the elimination of fraud in its entirety.
Everyone has heard of segregation of duties and a lot of small businesses just pooh-pooh it away, claiming the business is too small or there’s not enough time. Wrong answer. It doesn’t take much time to review the bank reconciliations or even open the bank statements yourself and flip through them, and you have to be looking at financials to manage the business. As an owner/manager answerable to someone besides yourself (i.e., the other users), you have a responsibility to create an environment where fraud is not tolerated, to identify risks of fraud, and to take appropriate actions to ensure that controls are in place to prevent and detect fraud. Keep in mind, a "devil may care" attitude trickles down.
As for opportunity, your job is to set the tone at the top and put controls in place to either prevent or detect errors or irregularities, which is a nice way of saying theft. Generally speaking, there are two types of controls designed to address this problem: preventive and detective controls. Both types of controls are essential in the design of an effective internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality; they are designed to prevent errors, irregularities or undesirable events from occurring. However, detective controls play a critical role by providing evidence that the preventive controls are functioning as intended; they are designed to detect and correct undesirable events after the fact.
Examples of preventive controls are:
· Segregation of Duties: Duties are segregated among different people to reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions (approval), recording transactions (accounting) and handling the related asset (custody) are divided.
· Approvals, Authorizations, and Verifications: Management authorizes employees to perform certain activities and to execute certain transactions within limited parameters. In addition, management specifies those activities or transactions that need supervisory approval before they are performed or executed by employees. A supervisor’s approval (manual or electronic) implies that he or she has verified and validated that the activity or transaction conforms to established policies and procedures.
· Security of Assets (Preventive and Detective): Access to equipment, inventories, securities, cash and other assets is restricted; assets are periodically counted and compared to amounts shown on control records.
Examples of detective controls are:
· Reviews of Performance: Management compares information about current performance to budgets, forecasts, prior periods, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up.
· Reconciliations: An employee relates different sets of data to one another, identifies and investigates differences, and takes corrective action, when necessary.
· Physical Inventories
Monitoring is also very important. This is a process that assesses the quality of internal control performance over time. Monitoring helps management ensure that established control activities are being carried out and that they are both sufficient and efficient. Part of monitoring is responding to internal & external events (economic conditions, staffing changes, new systems, regulatory changes, natural disasters, etc.), collectively known as risks, that threaten the accomplishment of objectives. Risk assessment is the process of identifying, evaluating, and deciding how to manage these events… What is the likelihood of the event occurring? What would be the impact if it were to occur? What can we do to prevent or reduce the risk?
· Internal control systems must be monitored to assess their effectiveness… Are they operating as intended?
· Ongoing monitoring is necessary to react dynamically to changing conditions. Have controls become outdated, redundant, or obsolete?
· Monitoring occurs in the course of everyday operations; it includes regular management & supervisory activities and other actions personnel take in performing their duties.
So, where do you start? Before you know what controls you need, you must first identify risks, then understand them as they relate to your business, and finally assess them against the levels you define as acceptable.
At the same time, you need controls to manage those risks and ensure that they are at, and remain at, acceptable levels.
Does the process start with risk? Actually, the process starts with the setting of objectives. If the wrong objectives are set, the organization is highly unlikely to deliver best value to its stakeholders. Risks, or at least the risks that matter, are identified and assessed in relation to the objectives, so setting the objectives is a pre-condition.
So, objective-setting is a pre-condition to risk management and risk management is a pre-condition to internal controls. Objectives are categorized as operational, financial and compliance. A particular objective can fall into more than one category. Objective-setting is the initiation point of planning, identifying procedures and controls, and accountability.
Primary objectives of an internal control system (the end goal) are:
· Compliance with applicable policies, procedures, plans, laws, regulations and contracts;
· Reliability and integrity of information;
· Effective and efficient operations; and
· Safeguarding of assets.
Assume you’ve decided that the above are your primary objectives and you recognize that as a small business you must accept that sometimes the cost outweighs the risk. The next step? Don’t start from scratch. Some control activities are inherent in the system simply to enable you to pay bills and to prepare financial statements. And if you aren’t generating monthly financial statements, WE NEED TO TALK. You can’t accept shoebox accounting or a financial nightmare if you plan to succeed.
In saying “don’t start from scratch”, I mean that you can identify what controls you do have or think you have. There are probably controls or tools built into your accounting application.
There is a method called EIOW, which stands for Extended Inquiry, Observation and Walkthrough, that is a good starting point. This process will help you identify those controls that need documenting or revisiting. A common example is supervisory review and approval, vs. simply putting initials on a piece of paper. If you document this process you can end up with a very valuable policies and procedures manual. That will serve as a dual control, as one of the risks of business is change in personnel. This manual can be a training tool.
The intent of the EIOW is to spot any controls that are missing or weak. Such a finding does not automatically indicate the presence of a control problem that requires remediation. If there are offsetting controls elsewhere in the system, a weak control could be considered acceptable. For example, if a signature plate is used to sign checks, this could be considered a control weakness, except that a formal approval is required upstream for every purchase order issued. This offsetting control ensures that purchases are still approved somewhere in the purchasing system.
Here are a few suggestions to get you started.
To understand business cycles as they relate to internal controls, we will go through the basics then follow up with subsequent articles for detailed suggestions for each cycle.
A transaction cycle is a process that begins with capturing data about a transaction and ends with information output, such as a set of financial statements. Thousands of transactions can occur within each cycle, but there are relatively few types of transactions in a cycle and each transaction cycle relates to others and interfaces with the general ledger and reporting system. The general ledger and reporting system get data from all of the cycles and provide information for internal and external users.
The expenditure cycle follows a purchase from the decision to buy through the final payment. The three basic activities performed in the expenditure cycle are: (1) ordering goods, supplies, and services; (2) receiving and storing these items; and (3) paying for these items.
The revenue cycle includes all activities that lead to the generation and collection of income. The revenue cycle can also be defined as a recurring set of business activities and related information processing operations associated with providing goods and services to customers and collecting cash in payment for those sales. Four basic business activities are performed in the revenue cycle: (1) sales order entry, (2) shipping, (3) billing, and (4) cash collection.
The other cycles are Production, Human Resources, & Financing. All cycles involve a give/get relationship. You give up something and get something in return, and it all gets recorded.