Successful businesses have good internal control practices. They know their assets must be appropriately secured and maintained, used for the purpose intended, periodically accounted for, and properly disposed of.
An organization’s leadership sets the tone to ensure internal controls are effective. Senior management and the board of directors establish the policies and procedures to safeguard assets and help prevent or detect fraud. These include establishing employee handbooks, codes of conduct, conflict of interest policies, and whistleblower policies, among others. Additionally, management needs to communicate to all of its employees that they too play a significant role in the organization’s internal control structure.
A common deficiency in the internal control process centers on segregation of duties, particularly when one individual controls multiple phases of a transaction. This problem has become a bigger issue in the past few years as organizations reduce staffing levels to cut costs in the face of the struggling economy.
One particular concern is cash. Cash is the lifeblood of an organization, with everyday operations dependent upon the cash flowing in and out. More than 90 percent of all asset theft frauds involve cash, with roughly two-thirds of those thefts involving outgoing cash.
The most effective way to prevent theft of cash disbursements is to segregate the duties of preparing checks and signing checks. Check signers should carefully review the checks as well as the supporting documentation. Additionally, check signers need to be familiar with the organization’s vendors to ensure those receiving checks are legitimate. Companies may also want to consider using lock boxes or other programs offered by financial institutions, such as positive pay, which add an additional level of scrutiny to the process.
Electronic transfer payments, either by wire transfer or ACH, have increasingly played a bigger role in organizations’ finances. Controls established around electronic transfers are as important as controls established for traditional check writing. They should include requiring a separate initiator and authorizer for every electronic transfer. Restrictions should be placed with the financial institution as to who at the organization can set up vendors or payees. Companies can also set up a call back provision with the financial institution in which someone at the organization, independent of the initiator and authorizer, is notified when a transaction is set up to be paid.
Effective internal controls surrounding cash receipts include separating the individual who handles cash from the recorder of cash. Regular preparation of reconciliations by an individual separate from the handler adds an additional level of control that can help assist in the detection of errors or mistakes.
Finally, computers play a significant role in each organization as they are used to create, receive, process, and record transactions, as well as provide valuable information to the end user. The controls surrounding an organization’s use of computers is sometimes taken for granted. These controls include passwords, authorization, backup, and storage of information, to name a few. Organizations must also be aware of external issues such as viruses, phishing emails, and malware, which can cause significant harm to both individual and company computers.
Properly designed and implemented internal controls provide an organization the stability and structure to run its day-to-day operations while safeguarding the assets of the organization. But companies should not rest after the implementation. Continuously monitoring and reassessing control structures can thwart new risks that can occur in today’s ever-changing business environment.
Richard Snyder can be reached at Email or 215.441.4600.