Is it possible to have internal controls in small businesses – part 3?

In our previous articles in this series, we provided an introduction to the Risk Assessment Process, Fraud Risk, the various types of Fraud and the results of a recent Global Fraud Study.

Now that we fully understand the risks facing entities, which can vary depending on the size and type of business, we can now visit the concept of internal controls

International Standards for the Professional Practice of Internal Auditing Glossary defined internal control as “Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.”

Controls can be at the entity level, process level or at the transaction level. They can be automated or manual and can be subdivided between key controls and non-key controls.  The aim is to select a few key controls which can protect against multiple risks.

Controls can be categorised as follows:

• Preventative (e.g. authorization/approval of transactions prior to execution, a reward mechanism based on a KPI)
• Detective (e.g. account reconciliations, exception reports)
• Corrective (e.g. audit trails, backup/recovery procedures)
• Directive (e.g. guidelines, training programs, incentive plans)
• Mitigating (e.g. insurance)
• Compensating (e.g. close supervision in lieu of segregation of duties)
• Redundant (e.g. a spillover pool)

In the above list, we introduced the concept of Segregation of Duties (SOD). This is one of the key concepts of internal controls. It is also one of the most effective internal controls in combating employee fraud. The concept of SOD is to separate the following responsibilities in each business process:

• Custody of assets (e.g. inventory, petty cash, cheque books, ACH passwords)
• Record keeping (e.g. ability to create POs/invoices/journals/credit notes, receipts/payments)
• Authorization (e.g. ability to approve POs/invoices/journals/credit notes, add/edit customers/vendors)
• Reconciliation (e.g. bank reconciliation, payroll reconciliation)

Ideally, no individual employee should handle more than one of the above-noted functions in a process.  A deliberate fraud will now be more difficult to undertake because it requires collusion of two or more persons. SOD is best achieved by through mapping out of functions through the use of a SOD matrix. Conflicting roles can be identified and SOD Risk Levels assigned.  

SOD is easier to implement in a large organization. However, most small businesses do not employ enough people for this to happen and people often are asked to do jobs they wouldn’t otherwise have been qualified for or interested in. Also, in a smaller organization with fewer staff members, especially in those cases where the “tone at the top” is questionable, employees are more likely to unite with a “us against them” attitude, which ultimately increases the likelihood of collusion.

Small businesses can consider the following controls:

• Lead by example, as a Business Owner/Director, ensure you set the appropriate tone at the top, engage in ethical and fair business practices, have adequate compensation packages, employee handbooks and whistleblower/hotline facilities in place.
• Utilise Information Technology (IT) application controls to reduce the opportunity (e.g. biometric scanners to track employee clock-ins/outs, GPS devices on vehicles, RFID security devices on inventory and critical assets, ensure that the accounting system prevents a person preparing an invoice from posting a credit note, restrict the posting of journal entries to certain users, enable audit logging and password lock out procedures etc.)
• Owners/Directors should retain the responsibility for all approval functions (e.g. signing cheques and approving purchase orders, access to add/delete customers). When signing cheques, ensure all original supporting documents are attached and initial each document.
• Typically, a small organization may have one Accounts Officer and a Receptionist/Administrator. Consider having certain tasks (e.g. petty cash, receipt of supplies etc) transferred to the Administrator (to separate custody from record keeping)
• Consider using a Risk and Control self-assessment (CSA) questionnaire within the organization to gain buy-in as to importance of internal controls.
• Have an external accountant come in periodically to prepare or approve reconciliations, approve journal vouchers, review credit notes and adjustments, review additions/deletions to customer/vendor master files, sign-off on the CSA and perform other agreed-upon procedures
• Depending on the size of the small business, an internal auditor can come in once per year and perform testing of transactions in critical business processes, perhaps on a rotation basis
• Engage a consultant to assist in the risk assessment process, including the implementation of recommendations e.g. setting security levels on accounting systems and selecting an appropriate suite of internal controls.

As we conclude on the 3-part series on Risks and Controls, we begin to appreciate the importance of assessing risks and implementing controls in a business.

A small business may not, and probably does not require a dedicated Risk Officer, Internal Auditor or even a full time Accountant to oversee the area of Fraud and Internal Controls. Therefore, it is important to ensure that your External Accounting Service Provider (whether large or small) is suitably experienced in the field of internal auditing and has the appropriate qualifications (e.g. the Certified Internal Auditor-CIA designation).

The key take-away is ensuring you set the appropriate tone at the top, effectively utilitise your limited resources and consult with experts in the field. 

Dinesh Bhola (FCCA, CA, CIA) is the Managing Director at DSB Financial Solutions Ltd, a company providing accounting, auditing, taxation and business advisory services. The above is for general informational purposes only and is not meant to serve as a substitute for formal advice. We urge you to consult with your service provider or us if you require further advice or recommendations.