Internal controls are needed to
1) Protect the cash and other assets of a business,
2) Maintain the integrity of the financial information used to make business decisions and assist in fraud detection; and
3) Maintain compliance with laws and regulations, especially those where being offside can cause major risk to your company.
In small business, the owner can control every single transaction, and this is a very good control mechanism. However, it severely limits the size a company can get.
There are two main reasons why you should consider getting more formalized internal controls:
- You are planning to sell the business, or
- You are planning to grow the business.
If the only control mechanism is the selling business owner, the company has no controls and it is very difficult to sell. Likewise, an owner can only know a limited number of details. Internal controls are therefore not ‘red tape’ that slows a business down, on the contrary, if properly implemented they are the green light that allows for growth.
The following are some controls that sharply reduce the risk of loss of cash and other assets due to fraud or errors.
Financial statements and budgets
A business owner has several methods of control. The most overall is the budget whereby an owner can provide initial authorization to the purchasing manager, sales manager etc. and say: “This is how much you have to spend over the next budget period.” The business owner should then compare actual expenses and balances against the budget and to historical numbers line by line as to detect any discrepancies. For this to be effective, the financial statements have to be prepared on a timely basis after period end.
The business owner should also know expenses as a percentage of sales, i.e. gross and net profit margins.
Analyzing the numbers on a timely and periodic basis is not only important as means of running your business and making decisions, it is often the first indication of potential fraud and error.
Reconciliation of bank balances
Financial statements without the reconciliation of bank balances are unreliable. If the financial information does not record what actually went through the bank, the cash on hand, the revenue and the expenses shown on the financial statements cannot be trusted. So this has to be done, and it should be done immediately after month-end.
Segregation of duties (job descriptions)
Some business owners may think of job descriptions as inhibiting to getting the work done, especially when the business is small and with a small staff.
However, when it comes to the protection of assets and the reduction of for fraud, there should as much as possible be a strict segregation of duties and limits to what one person can.
The same person who receives cash and deposits it, should not also record the cash transaction. This is how fraud and errors can go undetected. Other areas where duties should be segregated are: the person who orders inventory should not be the same who receives it, the person who purchases goods or services should be different from the person who pays for it.
Supporting documentation and authorization
This is vital to ensure that all no fraudulent or erroneous purchases or payments are made or that here are no duplicate payments of legitimate invoices. Frequent occurrences are payments made in error or duplicate payments.
-Some of the controls are as follows:
– An invoice should be matched by a purchase order and a receiving order. This says that: goods or services were purchased for the business by persons approved to do so, the goods or services were in fact received and payment is going to an the same (approved) vendor.
All of these functions should as much as possible be performed by different people in order to prevent fraud.
There should also be limits to authority, purchasing, allowing credit, for various levels in the company to prevent loss of assets. Furthermore, it is important to have a system of authorization to see that the correct procedures are being followed.
Data Security and Disaster Recovery Plans
The loss, theft or compromise of data, especially sensitive customer data, is a serious risk to any company. The controls that should be in place relate both to access controls, loss of mobile data as well as backup plans and disaster recovery.