Minimize Losses and Risks: Three Part Framework For Implementing or Strengthening Internal Controls

February 14, 2014

Internal control—it’s not the latest trend or likely to be the topic of a social media post. It may even be one of the least interesting business principles. Bland and uninspiring as the subject may be, it is the foundation of a well-run business. Inadequate or missing internal controls have real dollar consequences that impact the bottom line. And the problem is not limited to small companies with less manpower and fewer resources; large businesses are just as vulnerable. There are numerous examples of theft of assets due to weak or absent internal controls which can be discussed and analyzed. But the more likely result of deficient internal controls is that a business is exposed to risk and losses due to errors. What can you do to strengthen your company’s internal controls to minimize business losses?

I. Start With the Basics

Any discussion of internal controls begins with a definition. We like this one from the Business Dictionary: “Systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to (1) conduct its business in an orderly and efficient manner, (2) safeguard its assets and resources, (3) deter and detect errors, fraud, and theft, (4) ensure accuracy and completeness of its accounting data, (5) produce reliable and timely financial and management information, and (6) ensure adherence to its policies and plans.” (www.businessdictionary.com) Management is responsible for maintaining an adequate system of internal control, including communicating the expectations and duties of staff. Staff and operating personnel are responsible for carrying out the internal control activities set forth by management. Control activities are the specific policies and procedures management uses to achieve its objectives. The most important control activities appear below.

1) Segregation of duties requires that different individuals be assigned responsibility for different elements of related activities, particularly those involving authorization, custody, or recordkeeping. Having different individuals perform these functions creates a system of checks and balances.

2) Proper authorization of transactions and activities helps ensure that all company activities adhere to established guidelines unless responsible managers authorize another course of action.

3) Adequate documents and records provide evidence that financial statements are accurate. Controls designed to ensure adequate recordkeeping include the creation of invoices and other documents that are easy to use and sufficiently informative; the use of pre-numbered, consecutive documents; and the timely preparation of documents.

4) Physical control over assets and records helps protect the company’s assets. These control activities may include electronic or mechanical controls (such as a safe, employee ID cards, fences, cash registers, fireproof files, and locks) or computer-related controls dealing with access privileges or established backup and recovery procedures.

5) Independent checks on performance, which are carried out by employees who did not do the work being checked, help ensure the reliability of accounting information and the efficiency of operations.

In theory these activities make sense and can be reasonably incorporated into the processes and procedures of a business. In reality, though, internal controls are often not strong enough to prevent errors, monetary loss, risk exposure, and potentially the loss of integrity of financial data. So where does the breakdown typically arise? Number 5 — Independent Checks on Performance. This control activity is not merely a periodic review of transactions or entries. It has more far-reaching implications, which place the burden on management and supervisors to ensure their subordinates are adequately trained for their responsibilities and are performing their duties properly. An adequate system for independent checks on performance will identify not only errors but also procedural deficiencies or staff incompetence that cause repeated mistakes or expose the company to risk. Reviewing subordinates’ work product and processes should be done on both a routine and a non-routine basis. Routine activity should be reviewed when tasks and transactions are completed, as well as on an unpredictable spot-check basis. Non-routine activity encompasses such things as processing unusual transactions, hiring new staff, implementing new systems or upgrades, changing processes and procedures, or addressing new industry regulations/requirements. Review of non-routine activity should be done as situations arise, or periodically if no events trigger the need. The detection of errors and inefficiencies can lead to stronger controls when management and supervisors use the information to identify the need for improved documentation, more efficient processes, proper authorizations, and staff training.

II. Preventing Errors and Losses

The following checklist provides a framework for implementing or strengthening internal controls for conducting independent checks on performance.

1) Transaction Review: Verify supporting documentation or other information to substantiate transactions, including correspondence and communication prepared by staff, to ensure accuracy and timeliness.

✓ Transactions which are over or outside a pre-determined limit, based on value/amount, volume, and dates.

✓ Activity in large customer and vendor accounts, based on value/amount, volume, and dates.

✓ Adjustments, corrections, or write-offs which are over or outside a pre-determined limit, based on value/amount, volume, and dates.

✓ Reconciliations of accounts or balances for reconciling items which are over a pre-determined limit.

✓ Handling and disposition of unusual transactions.

2) Workflow Review: Conduct a review of processes and procedures from initiation to completion to identify weaknesses which can create errors or wasted resources.

✓ Duplication of procedures by more than one individual.

✓ Unnecessary steps or document preparation.

✓ Missing or inadequate reviews or document preparation needed to support an audit trail or regulatory compliance.

✓ Record retention for completeness and accuracy.

3) Systems Review: Verify that systems are used correctly and functionality is maximized.

✓ Staff knowledge of system functionality, including upgrades, is tested.

✓ Workarounds are used only if approved by management.

✓ Records created outside the system are approved by management as necessary and are verified routinely as part of transaction review.

✓ Reports available through the system are used to facilitate tasks and communicate information.

The time it takes to complete the steps above may be a burden on managers who are already stretched thin. In the long run, though, the cost savings to a business in terms of reduced errors and risk exposure can be substantial, especially in a highly competitive or regulated industry.

C3 Advisors, LLC

C3 Advisors converges the three essential business elements—Process, People and Technology—to help businesses thrive, not just survive, by improving profitability and reducing risk. Our services help our clients improve process optimization, people integration and technology maximization.

We have specific expertise in post-acute healthcare, technology and service companies. Please visit our website at www.c3advisors.com and for direct information about how C3 Advisors, LLC can assist your business, please call us at (630) 510-3181 or e-mail us at debd@c3advisors.com.