With an increasing reliance on information for decision making and a sense of the cost of fraud to business, many owners are taking a serious look at how internal controls can help their companies.
The effectiveness of most internal control systems relies on the division of certain tasks among employees. This is often difficult in a small business with few staff.
Implementing even a few basic controls can significantly improve the reliability of your financial information and give you confidence in your overall system.
The concept of internal control can mean more than just procedures governing transactions. A good system would also consider maintaining proper records, hiring quality staff, conducting background checks and defining responsibilities.
Properly communicating the company’s internal control policies and processes is another key consideration in developing a system. Letting employees know that owners and management are committed to accurate reporting and reducing the opportunity for fraud helps to strengthen the overall control environment.
In general, when designing internal controls for your business, three types of activities should be performed separately by different individuals: custody, authorisation and record keeping.
1. Custody refers to the physical handling of assets – for example a person who works the cash register or opens company mail would have custody over cash or cheques.
2. Authorisation is the ability to make decisions on behalf of the company. For example, hiring employees or deciding when overdue accounts receivable should be written off.
3. Record keeping refers to maintaining books and records. For example, making journal entries in the books of the company or preparing schedules and reports.
The importance of segregation of incompatible functions can be seen in the following examples.
Handling cash receipts and maintaining accounts receivable
In this example, assume an employee receives cash, maintains the accounts receivable sub-ledger, and follows up on overdue accounts. If a customer makes a payment on their account, this employee could redirect the payment for their own benefit and fail to record the payment on the books. While the balance would eventually be shown as overdue, the error would not be discovered because that staff member is also responsible for following up with overdue accounts.
The person could also decide to record the payment as cash received and reduce their accounts receivable. If the company does not perform bank reconciliations on a regular basis, the theft of funds could go undetected. Another risk in this area is where the employee has the authority to write off accounts receivable. In this case, the overdue receivable is simply written off without further attempt to recover the funds, which have in fact been paid.
Segregation of the incompatible duties of custody and record keeping along with monthly bank reconciliations would be two key controls that would help address this risk.
Hiring new employees, authorising time sheets and distributing payroll cheques
When individuals have the authority to hire and oversee new employees, there is the risk that they are able to set up fictitious employees, authorise falsified time sheets and redirect their pay cheques for their own benefit.
Segregation of the authorisation of new employees and time sheets, and custody of pay cheques would help reduce the risk of this type of fraud.
In a smaller business where some duties cannot be divided, consider owner / manager approval for all new employees, and owner / manager signatures on all cheques. A clerk could be responsible for distributing payroll cheques, or direct debit could be arranged with the bank.
Receipt of inventory and approval of invoices for payment
An individual with these two duties would have the opportunity to misappropriate goods delivered to the business, indicate that all goods had been received, and approve payment of the suppliers invoice in full.
A proper system would separate these two functions, and require that the quantity of all goods be checked on arrival, signed for, and some form of receiving report be prepared. On receipt of the actual invoice, a separate individual would agree the original purchase order, the invoice, and the receiving report to each other prior to approving payment.
Where possible in a smaller business, owner / manager approval of the purchase and payment of the invoice would help in this area.
Reliable financial reporting
While fraud is a big area of concern for most businesses, reducing errors and improving the reliability of financial information is another goal when developing internal controls. One of the major distinctions between errors and fraudulent accounting entries is intent. Many controls designed to reduce the chance for fraud to go undetected, also help to reduce errors.
For example, bank reconciliations help detect internal errors as well as bank errors. Owner / manager review of entries, purchases and payments, also help to minimize errors. Data entry controls on computer systems are sometimes built in to force staff to double check their input by forcing entry of the data twice.
Other input controls define the number of characters entered into certain fields and do not allow progress to the next field or screen until all are entered correctly.
These examples illustrate some of the risks that business owners face, and how internal controls can help – even at a basic level. The potential for fraud and error in any business is high, and can be extremely costly. Growing awareness of the importance of reliable information for decision making and the prevalence of fraud and has really legitimized the time and money invested in controls and made this a priority of many businesses in recent years.
Ian Downing is a manager with Deloitte’s Economic and Business Consulting department. Deloitte Consulting provides a wide range of economic and business planning services including detailed business plans, business and marketing strategies, financial analysis and feasibility studies and business valuations