
5 Accounting Internal Control Risks Every Organization Should Address

Mark A. Guillaume, CPA, CCIFP
Director, Audit & Accounting, Construction & Real Estate Industry Group Co-Leader
Businesses are always looking for ways to improve the security and efficiency of their accounting and financial systems. We tell them one of the best ways they can increase their protection and improve their accuracy is to establish and enforce strong internal controls. Let’s talk about the importance of creating these internal standards and procedures for your accounting team to follow:

What Are Internal Controls in Accounting & Finance?

Investopedia defines internal controls as “accounting and auditing processes used in a company's finance department that ensure the integrity of financial reporting and regulatory compliance.” To simplify that definition, these controls are rules and procedures your company makes to keep your accounting information accurate and safe. While there are many types of internal controls, a few examples may be:
  • Password-protecting certain digital accounting or financial files so only those with special permissions can access them
  • Adding fob scanners to your accounting department to ensure only certain employees can enter barred offices and rooms
  • Establishing standards for when and how financial information is shared or audited

What is the Purpose of Creating Internal Controls?

Everyone has heard a story about a seemingly trustworthy employee who has worked in the business for many years. No one would ever suspect them of foul play or fraud, and yet, they are the one caught using company funds to pad their own wallet. Oftentimes, this employee can steal from the company’s cash flow and assets because the organization lacks effective and efficient internal controls.

The Benefits of Enforcing Internal Controls

Organizations develop internal control standards to achieve the following:
  • Having reliable and accurate financial reporting, thanks to solid processes and procedures
  • Safeguarding monetary and business assets to keep money where it properly belongs
  • Complying with filing laws, regulations, and compliance requirements to reduce risk, audit fees, and error
  • Improving the effectiveness and efficiency of operations with organized information systems and timely financial statements

What Risks Should Be Considered When Establishing Internal Controls?

When designing internal control policies and procedures, there are some common risks that every organization should consider, including:

Risk #1: Improper Override of Controls

Management is primarily responsible for the design, implementation, and maintenance of internal control and, therefore, there is the inherent potential for management itself to override the very controls they establish or supposedly maintain. If an executive has the ability and an incentive to override controls and commit fraud — such as to deceptively achieve earnings targets or to assuage their financial issues — this is a risk not easily overcome. It requires those charged with governance, such as the shareholders, Board of Directors, or Audit Committee, to take an active approach in evaluating the possibility of fraud occurring at the organization and developing additional steps to control the risk of management override if these fraud risks are identified. Setting the proper tone at the top can help the organization and its employees maintain their integrity and uphold internal accounting controls.

Risk #2: Limited Segregation of Duties

No single person should be responsible for the authorization of transactions, recording of transactions, and custody of the impacted assets of transactions. Smaller organizations may have difficulties implementing proper segregation of duties due to limited staffing, although larger companies can also have issues if the segregation is not properly designed. Smaller organizations need to implement compensating controls to help ensure supervision and monitoring by management or those charged with governance.

Risk #3: Overreliance on Detective Controls vs. Preventative Controls

Detective controls are internal controls that happen after preventative controls, acting as a second line of defense. For example, a preventative internal control could require two-factor authentication and increased access controls to view certain financial spreadsheets. The goal is to prevent users from accessing the information unless they have authorization. But once someone bypasses this first control and gains access to the files, it’s important to also have detective controls to find errors or problems after a transaction has occurred. A detective control, for instance, may be a monthly reconciliation of departmental transactions, wherein an employee may catch an unusual withdrawal of money allocated to a suspicious line item.

While both preventative and detective controls work well hand-in-hand, some companies rely too heavily on finding errors after they occur rather than catching them before they happen. Although detective controls will identify whether something is wrong, it may be too late and the damage may have already been done. A good internal control system not only has detective controls but also has preventative controls. Other preventative control examples can include things such as ongoing training on policies and procedures, implementing usernames and passwords to limit access to the system or modules within the system, requiring dual signatures on disbursements, or conducting a review and approval of purchase requests before purchase.

Risk #4: Having More Informal Controls Than Strict Policies & Formal Controls

Smaller organizations may have key internal controls that are performed at the entity level vs. at the activity level. These entity-level controls are typically less formal and performed by one or two key individuals, such as the owner or manager. Regardless of whether controls are informal or formal, they need to be actively monitored to ensure they are being performed.

Risk #5: Overly Trusting

When we hear stories of fraud, quite often the perpetrator is described as being honest, trustworthy, and a great employee whom you never suspected. An organization should trust its employees to be good employees and do their job to the best of their ability, but this trust should not reduce its internal controls. In the words of Ronald Reagan, “Trust, but verify.” Also, consider the fact that not all theft and criminal behavior is performed by an employee. Cyber security threats and physical break-ins also stand as active threats. Therefore, proper internal controls should consider all of these threats.

How Often Should Internal Control Procedures Be Reviewed?

We often get asked how often an organization should complete a detailed review of its internal controls. To that, we ask, “How many changes have occurred within your organization since the internal controls were designed? Have there been employee changes, process changes, new information systems, growth, or other changes that could have impacted those internal controls?” Oftentimes, the answer is “yes, yes, yes.” That’s why these controls should be re-evaluated semi-annually or annually to ensure that they are operating properly and still meet their objectives. Remember, internal controls in accounting serve as the first line of defense in preventing fraud and ensuring the viability of your organization. Even organizations with existing controls in place need to reevaluate them from time to time to ensure the objectives are still being met and identify any areas of weakness or new risks.

Maintain Proper Internal Control Standards & Procedures

It’s important to be proactive in assessing what risks need to be addressed, designing the controls necessary to mitigate them, and implementing them successfully. If you need help assessing the completeness of your internal control procedures or would like to discuss how to determine whether your internal controls need to be enhanced to mitigate risk in your business, please contact us or click here to learn more about our Audit & Accounting services.

Contact the Author

Mark A. Guillaume, CPA, CCIFP

Director, Audit & Accounting, Construction & Real Estate Industry Group Co-Leader

Construction Specialist, Real Estate Specialist, Owner Operated Private Companies Specialist, Private Equity-Backed Companies Specialist

Contact Us

We invite you to connect with us to discuss your needs and learn more about the Kreischer Miller difference.