Have You Reexamined Your Internal Controls Lately?
Written by Victoria Dailey
Internal controls should be the root of every organization. Strong internal controls can help ensure reliable financial reporting and compliance with laws and regulations, safeguard assets, deter fraud, waste, and abuse, and improve efficiency and effectiveness. When an organization has effective internal controls, the opportunity to commit fraud or errors is greatly minimized. The strongest internal controls involve segregation of duties, documentation, approvals, reconciliations, safeguarding of assets, and information systems security.
Segregation of duties means that no one person should have complete control over all aspects of a financial transaction. The same person should not be able to authorize a transaction, record the transaction in the general ledger, and have custody of the asset related to the transaction. The level of segregation can vary depending on an organization’s size and structure. These duties should be clearly defined, assigned, and documented. An organization would also benefit by periodically rotating duties and requiring employees to take vacation. Segregation of duties prevents errors as well as the opportunity for someone to commit fraud.
Documentation is any type of support, whether paper or electronic, for a transaction. This support provides a financial record of each event or activity, and therefore ensures the accuracy and completeness of transactions. Proper documentation provides evidence of what has transpired as well as information for researching any discrepancies. Consistent forms and templates should be used for efficiency. Retention policies should be in place for all types of documentation.
Approvals require certain higher-level employees to authorize certain types of transactions. This can add an extra layer of protection to accounting records by proving that transactions have been reviewed and approved by someone else in the organization. These approvals should be documented and timely, and the individual approving the transaction should have knowledge of the transaction being approved.
Account reconciliation is the process of comparing transactions using an organization’s accounting system against information that supports the accounts’ ending balances. For example, the accounts receivable balance should agree to the aging of the accounts receivable. Bank reconciliations should be completed monthly by reconciling the balance in the general ledger cash account to the bank statement. Reconciliations ensure the accuracy and validity of financial information and are most effective when they are consistent and thorough.
Safeguarding of assets can prevent unauthorized access, loss, or damage to an organization’s assets or records. Only those who have been authorized should have access to assets and records. Physical locks, safes, and passwords should be used when appropriate. A process should exist so that past employees of an organization no longer have access to assets and records. Valuable assets should be insured so that they can be repaired or replaced if needed. Inventory should be properly and routinely tracked to reduce costs, forecast demand, and prevent shortages and spoilage. A surprise audit of inventory provides an additional control to ensure amounts on hand agree to the amounts recorded in the accounting system.
Information systems security means protecting information and systems from unauthorized access, use, modification, or disruption. It is the process of identifying and assessing risk, realizing the limitations in reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. Risks include physical damage, equipment malfunction, inside and outside attacks, misuse of data, loss of data, and application error. An organization should adopt a risk management policy that addresses all issues of information security and provides direction on how the risk management team or individual relates information on company risks to management and on how to properly execute management’s decisions on risk mitigation. An information systems security policy should include what is being secured, who is expected to comply with the policy, and how enforcement will be carried out. This should be documented, and every employee should be made aware of the policy and possibly sign to document his/her understanding. Strong passwords, routine backups, access control mechanisms within an operating system, and antivirus software are examples of safeguards an organization can use.
Strong internal controls increase the likelihood of achieving and maintaining business health. They should be evaluated routinely as the organization adapts and grows. When in doubt, obtain outside consulting to help strengthen these controls to ensure your organization is operating most effectively and efficiently.
Victoria Dailey, CPA, Audit Manager
Hochschild, Bloom & Company LLP
15450 South Outer Forty Road, Suite 135
Chesterfield, MO 63017-2066