Internal controls are vital to help an entity operate effectively and efficiently, while also mitigating the risk of fraud and detecting errors or irregularities. Many small entities face the challenge of having strong and sound internal controls within their organization due to limited resources and personnel. Each organization is built uniquely, but all can have good internal controls. They should start by reviewing the following areas to evaluate their internal control structure.
The first step before evaluating internal controls for the entity is to have policies and procedures in place. The entity should start by defining and documenting the flow of significant transactions cycles, such as:
– Cash Receipts (Cash Management)
– Cash Disbursements (Cash Management)
– Payroll and Human Resources
– Financial Closing and Reporting
Each transaction cycle should outline what is being performed, by whom, and the frequency, which helps define the segregation of duties. A clear understanding of these policies and procedures is a must for effective internal controls.
Within the transaction cycles, the responsibilities of Authorizing, Recording, and Custody of Assets should be separated among individuals to create strong segregation of duties.
– Authorizing – Reviewing and approving the transaction
– Recording – Entering the transaction into the accounting software
– Custody of Asset – Having physical possession or control of the asset
Segregation of duties in the cash disbursement cycle:
One individual authorizes the transaction by marking approval on the invoice to be paid. Another individual receives the marked invoice, enters the details into the accounting software and prepares a check to be signed. A third individual receives the check, signs and mails the check to the vendor.
As you can see in the example above, not every step in a process needs to be separated, but identifying the key segregations and assigning separate individuals is key for an effective segregation of duties. If the organization is unable to segregate these responsibilities, then compensating controls should be in place.
Compensating controls are alternative controls implemented instead of the recommended best practice control because implementing the recommended control is considered too difficult or impractical. These controls typically occur after the transaction is complete. An example is monthly managerial reviews performed by management and/or the board of directors in place of an effective segregation of duties. It is important that the individuals performing this review be informed, and understand what they are reviewing, for this control to be effective.
One of the most important steps for having effective internal controls is the act of documenting the process. Without documentation, it is difficult to demonstrate that the control occurred as it was designed. The documentation should be in writing. This will improve efficiency when questions regarding the transaction arise, especially when the questions come up several months later.
Retaining physical support for each transaction, approving a transaction by signing off on the support, or writing additional details on the support when coding the transaction into the accounting software are a few ways to accomplish documentation.
Smaller entities (with limited resources and personnel) who are looking to maximize their effectiveness and efficiency of operations, should first evaluate their risks, and then design their internal control structure to respond to those risks. Having appropriate policies and procedures in place will help create the strong internal control structure they seek.