by Dinesh Bhola (Managing Director, DSB Financial Solutions Ltd)
Small businesses are sometimes guilty of not paying sufficient attention to controls. Due to their small size, there is typically a large element of trust in employees, and you hear responses like, “that is unlikely to happen”, “our employees have been with us for a number of years” and “we cannot afford to implement that control at this time”.
The last has some merit, as the cost of implementing a control must not exceed the perceived benefit to be derived from it.
So how do we go about implementing controls? Do we google “Top ten controls for small businesses”? That might work! But are those controls what you need? How do you know what you need?
That is where a Risk Assessment comes in. First of all, we must accept that there is risk in every business. In order to generate shareholder value, the business must take on some risk; after all, there is no such thing as a “free lunch”.
Risks faced by a business can fall into the following categories:
- Strategic risks (e.g. risk of a bad business model/idea, industry/sector downturn);
- Operational risks (e.g. fraud, human error, IT breaches/failures);
- Financial risk (e.g. credit risk/customers refusing to pay, liquidity risk, foreign exchange risk);
- Compliance risk (risk of error leading to a penalty for noncompliance with a law or regulation).
The risk assessment process involves:
- Identifying risks
- Assessing risks (consider risk interactions, impact and likelihood, assign scores, prioritize)
- Responding to risks (accept, reduce, share, or avoid)
The level of risk assumed should not be too high, nor too low, but at an optimal level. Risk assessment is all about measuring and prioritizing risks so that risk levels are managed within defined tolerance thresholds without being “overcontrolled” or forgoing desirable opportunities.
Internal controls in small businesses go a long way to reduce risks to an acceptable level. For the purpose of this article, we will focus on the area of operational risk, with emphasis on fraud risk and controls.
The Fraud Triangle describes three factors that are typically present in a fraud case:
- Incentive/pressure (e.g. pressure to meet the deadline/sales target, brink of bankruptcy)
- Opportunity (e.g. weak controls)
- Rationale (e.g. everyone else does it, nobody will notice, need to take care of my family)
Looking more closely at the above, while some of the factors are outside the control of the organization, quite a few issues start from within the organization (e.g. organization culture, weak controls, aggressive targets). In the small business environment, this is no different.
So the first and foremost measure in treating with fraud is dealing with the “control environment”, more specifically, the “tone at the top”. If this is not addressed, then there will be difficulty in enforcing anti-fraud controls throughout the rest of the organization.
In closing, this article has introduced the area of Risk Assessment and Fraud, which is quite a complex and extensive area to consider. This article just barely touches on some of the terminology and definitions.
In part 2 of our article, we will examine closely some of the popular fraud schemes impacting small businesses and the results of a recent Global Fraud Study.
Dinesh Bhola (FCCA, CA, CIA) is the Managing Director at DSB Financial Solutions Ltd, a company providing accounting, auditing, taxation and business advisory services. The above is for general informational purposes only and is not meant to serve as a substitute for formal advice. We urge you to consult with your service provider or us if you require further advice or recommendations.