Successful businesses thrive on good processes.
Internal controls are the processes, policies and procedures that organizations rely on to ensure that financial reporting is accurate, operations are conducted in a manner that is efficient and in compliance with applicable laws and regulations, and assets are safeguarded against theft or misuse. A well-designed and implemented system of internal controls allows management to stay focused on operational and financial performance goals and objectives, without the distractions of unexpected errors, inefficiencies, and surprises. The nature and type of internal controls will look different for every organization, but internal controls should serve one common purpose: to create an environment that promotes sound business practices, reliable financial reporting, and efficient operations, allowing for effective management of changes in economic and competitive environments, changes in leadership and priorities, and changes in business practices. When business practices are based on sound controls, organizations are able to operate efficiently and grow quickly.
Every Organization Needs Internal Controls – Even Small Ones
It can be easy for new business owners to overlook controls when just starting out. Some think they don’t have enough employees to perform proper checks and balances, and others just don’t know where to begin. A system of internal controls at a small business does not have to be as robust as that of a Fortune 500 company, but understanding the importance of internal controls and building them into business practices is critical to the success of any business. Keep in mind that internal controls are also for the benefit of shareholders, investors, creditors, employees, vendors and customers.
Categories of Controls
Because companies differ, so will their internal controls, but all entities’ controls will fit into one of the following three categories.
Preventive controls stop mistakes or fraud from occurring.
A simple example of a preventive control is a password. By requiring your users to log in, you are preventing a non-authorized person from accessing your sensitive information.
Detective controls find errors or abnormalities after they have occurred.
Inventory counts and bank reconciliations are examples of detective controls. The purpose of inventory counts and monthly bank reconciliations is to find mistakes that have already occurred. If a physical inventory count is off from what is on the books, or if the bank statement can’t be reconciled to the books, you know to dig further into the problem to see what went wrong. The simple process of reviewing activity on the bank statements for unusual activity is a very important, yet simple, detective control that every business owner should do to detect unauthorized transactions.
Corrective controls help correct mistakes once they are known.
Data backups can restore data that was lost or corrupted; insurance can help replace stolen or damaged items; and firing an employee who mismanaged company assets can remove the threat of future errors. These are all examples of controls that correct a problem once it has been detected.
When used together, these three categories of controls will promote a healthy and robust control environment.
Assess Your Risk First
Internal controls will never be perfect; the risk of human error, in particular, can never be fully mitigated. Instead, the system of internal controls should create reasonable assurance that an organization’s financial reports are reliable and operational objectives are met, within the confines of laws and regulations. The first step to developing a system of appropriate internal controls for any business is a comprehensive risk assessment. What could go wrong, and how would it get caught? Ask yourself some of these questions:
- What information must be safeguarded, and what avenues are there to access that information?
- Where is there opportunity for human error or fraud? Do we rely too heavily on one individual for critical processes?
- Where in our processes do we rely on judgement?
- What are our main objectives, and what mistakes could be made that would prevent us from meeting those objectives?
- If one of our systems breaks down, will we be able to continue business while it is being repaired?
Although this is not a comprehensive list of all of the questions that need to be asked, the answers to these and other similar questions will help you design a control environment tailored to the unique aspects of your business. After going through the risk assessment process, you will be prepared to explain to your employees the “why” behind your new policies and procedures. Because, remember…
You Are Responsible
A well-controlled environment is impossible to achieve without buy-in from the Board or business owner(s), management, and employees. The members of the Board of Directors or the owner(s) exercise oversight of the system of internal controls; management is responsible for designing and implementing controls to achieve objectives; and employees are tasked with executing those policies and procedures. In the end, a company’s system of internal controls communicates values and promotes integrity and ethical business practices to everybody in the organization. As the saying goes, nothing is more important than the “tone at the top.”
Uncertainty and ambiguity surrounding business processes can result in costly mistakes or invite fraud. It is imperative that each company implement processes, policies and procedures that are appropriate based on the nature of the entity and are well designed and implemented. Contact us if you have questions about formalizing your own internal control measures or if you have any other questions about starting a new business. We look forward to hearing from you.