Every organization, no matter the size, should have internal controls implemented in their operations. Internal controls can be defined as the processes designed to provide assurance that the following objectives are being achieved in a particular organization:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations.
There are five main components of effective internal controls. These components include the control environment, risk assessment, information and communication systems, monitoring, and control activities.
The control environment is the foundation for the other internal control components and sets the overall tone of the organization. The ethics, goals and overall workplace atmosphere is set with top management and then trickles down throughout the various levels of the organization. Particularly in small organizations, “tone at the top” is key, where an active owner can serve to mitigate risks.
Risk assessment can be described as identifying and managing the risk of an organization. Risk assessments should be performed at a high level of the organization as a whole, as well as at each individual division and department. It is also important to note that this assessment should not be a one-time event, but rather a recurring process within your organization. Risk assessments should be done internally by management, but can be aided by an external evaluation of the organization’s internal controls. Hiring a Certified Public Accountant (CPA) or Certified Fraud Examiner (CFE) to assess the risks of your organization can help uncover weaknesses within your organization, areas where controls can be strengthened effectively, and areas that are especially susceptible to theft and fraudulent activity. An internal control evaluation could also unveil fraudulent activity or misappropriation of income or assets that is occurring within your organization.
Information and Communication Systems
The information and communication systems component focuses on determining what is essential information for the organization to have effective internal controls and how that information is communicated across the whole organization. With small organizations, this is usually done more informally, but can be just as effective as more formal systems.
Monitoring is assessing the performance of an organization’s internal control over time. The monitoring process of the internal control system is similar to glue holding all the pieces of the other internal control components together to ensure everything is being properly implemented and utilized. The monitoring process can be aided by outsiders such as a CPA firm, but day-to-day internal oversight (particularly by the owners) is the best deterrent.
The control activities are essentially the nuts and bolts of how the organization implements particular actions to insure policies and procedures are being implemented throughout the organization. There are both preventative and detective controls. Preventative controls attempt to avoid an undesirable action from occurring. Detective controls attempt to identify an undesirable action that is occurring. Both types of controls are essential in order to most effectively achieve the internal control objectives. The following are some scenarios of preventive and detective controls an organization might use.
A fundamental control activity to evaluate is looking for proper segregation of duties within the organization. When proper duties have been segregated, no one employee should be able to authorize or initiate transactions, record the transactions and have custody of the assets behind those transactions.
Examples of improper segregation of duties include:
• Collect pledges and prepare deposits
• Approve invoice/payment and record payable
• Preparation of payroll and sign checks.
Many times, perfect segregation of duties is difficult to implement in smaller organizations, given the lack of staff. Again, in these cases, risk can be mitigated greatly with on-site owner involvement. Even the appearance that the owner is reviewing items on a regular basis can be a powerful control. Obviously, the control is much more effective if the detective control is actually being performed.
Although implementing policies and procedures based on the above internal control components helps provide some assurance that the effective control objectives are being met, it does not provide absolute assurance. There is always a need for continuous analysis looking for opportunities to improve an organization’s internal controls in order to more efficiently and effectively run its operations. Work with your outside financial advisor to help with how best to approach internal controls for your organization. Doing so could ultimately protect your organization and assets. iBi