How often does your organization complete a detailed review of its internal controls? How many changes have occurred within your organization since the internal controls were designed? Have there been employee changes, process changes, new information systems, growth, or other changes that could have impacted those internal controls?
Every organization develops internal controls to achieve the following objectives:
- Reliability of financial reporting
- Safeguarding of assets
- Complying with laws and regulations
- Effectiveness and efficiency of operations
These controls should be re-evaluated on a routine basis to ensure that they are operating properly and still meet their objectives. When designing internal control policies, there are some common risks that every organization should consider, including:
- Management Override of Controls – Management is primarily responsible for the design, implementation, and maintenance of internal control and therefore, there is the inherent potential for management to override these controls. If an executive has the ability and an incentive – such as earnings targets or personal financial issues – to override controls and commit fraud, it is a risk not easily overcome. It requires those charged with governance, such as the shareholders, Board of Directors, or Audit Committee, to take an active approach in evaluating the possibility of fraud occurring at the organization and developing additional steps to control the risk of management override if these fraud risks are identified. In addition, setting the proper tone at the top can help the organization and its employees maintain their integrity.
- Limited Segregation of Duties – No single person should be responsible for the authorization of transactions, recording of transactions, and custody of the impacted assets of transactions. Smaller organizations may have difficulties implementing proper segregation of duties due to limited staffing, although larger companies can also have issues if the segregation is not properly designed. Smaller organizations need to implement compensating controls to help ensure the objectives are met, such as oversight, supervision, and monitoring by management or those charged with governance.
- Overreliance on Detective Controls vs. Preventative Controls – Although detective controls will identify whether something is wrong, it may be too late and the damage may have already been done. A good internal control system not only has detective controls, but also has preventative controls. Preventive controls can include things such as ongoing training of policies and procedures, implementing user names and passwords to limit access to the system or modules within the system, requiring dual signatures on disbursements, or conducting a review and approval of purchase requests prior to purchase.
- Informal vs. Formal Controls –Smaller organizations may have key controls that are performed at the entity level vs. at the activity level. These entity level controls are typically less formal and performed by one or two key individuals, such as the owner or manager. Regardless of whether controls are informal or formal, they need to be actively monitored to ensure they are being performed.
- Overly Trusting – When we hear stories of fraud, quite often the perpetrator is described as being honest, trustworthy, and a great employee whom you never suspected. An organization should trust its employees to be good employees and do their job to the best of their ability, but this trust should not reduce its internal controls. In the words of Ronald Reagan, “Trust, but verify.”
Internal controls serve as the first line of defense in preventing fraud and ensuring the viability of your organization. Even organizations with existing controls in place need to reevaluate them from time to time to ensure the objectives are still being met and identify any areas of weakness or new risks. Consider the internal controls risks outlined above when evaluating your organization’s existing internal controls. It’s important to be proactive in assessing what risks need to be addressed, designing the controls necessary to mitigate those risks, and implementing those controls successfully.
Mark A. Guillaume can be reached at Email or 215.441.4600.