We know what internal controls are meant to do, but what process do staff within businesses follow to design internal controls?
Thinking back to the triangle diagram of internal controls – it starts with a risk assessment.
Look at the business process that you’re going to develop internal controls for and think about the risks. How could a transaction be mis-recorded? Are any assets at risk of theft? What are the opportunities for fraud? To be able to identify these risks, you’re going to need to understand the business and the types of transactions it engages in.
My tip here is to conduct this risk assessment in separate transaction processes of the business – the sales revenue and cash receipts process/cycle; the purchasing, accounts payable and cash payments process; the wages process. This will make it much simpler to consider the potential areas that need a control.
When conducting a risk assessment, you also need to consider the potential implication if there was an error or fraud – conduct a cost-benefit analysis. Would a specific error or fraud have a big impact on a business and its operations? Or a small one? Remember the example about supermarkets and how they expect some people to steal small items? This is an example where the business has decided the cost of implementing controls to protect every piece of inventory in a supermarket is not worth the cost.
Design of an internal control
This links back to our section Identifying common components of internal controls – should we have separate people doing parts of a job in a process? What tools or technology could we use?
Designing internal controls requires an understanding of the technological tools available, the risk, the business processes and some creativity. The way to become competent at designing internal controls is to practice and build a collection of internal controls you could draw from.
How do you build this collection though? Look around – everywhere, anywhere – internal controls are everywhere you look.
For example, consider this envelope – how could it be used as a form of internal control?
Consider if you had to send letters to many customers. If each customer’s letter is different, using an envelope without a window means that you would have to write the address by hand, or print a sticker with the name and address and affix it to the envelope. The risk here is that you might put the wrong sticker on the envelope and a customer might not receive the correct letter.
A window-faced envelope, however allows you to print the name and address on the letter and then fold the letter to have the address appear in the window – reducing any risk of mis-direction of mail.
Source: Commbank website – https://www.commbank.com.au/content/dam/commbank-assets/credit-cards/2019-03/sample-statement.pdf
As you go to the movies, the supermarket, catch public transport, pay your bills, engage in online shopping – internal controls are everywhere and you can identify them by simply thinking about business processes and whether something may be a control (it is a bit like becoming Neo in The Matrix – once you can understand internal controls, you’ll see them everywhere!)
So to design an internal control – you have to understand the risk you want to minimise and figure out how you can PREVENT or DETECT it. You can design it using the common components that we’ve previously discussed as well as your own imagination.
Example – Tiny Holidays
Remember our example case Tiny Holidays owned by Hazel Nguyen? The business offers short term rentals of tiny homes on rural properties. There is a risk that customers may steal items from the holiday rental that they are staying in. What sort of controls might Hazel implement?
- Some items may be securely affixed – for example, a TV might be wall mounted and plugs and cables hidden out of sight.
- For movable items like plates and cutlery – the welcome packet might include a list of all these items and clearly state any missing items will be charged to the customer’s credit card.
This is an example of controls related to the general business. But what about controls related to accounting? For example, Hazel has an employee Anna who does the cleaning of the properties after customers have gone home. Anna has access to the company credit card to purchase supplies. What sort of controls might Hazel put in place to minimise the risk of mis-use of the credit card? Some examples include:
- Setting up alerts to her mobile phone banking app every time the card is used.
- Requiring Anna to provide receipts for every transaction – an invoice or receipt from the store as well as the credit card slip.
- Hazel conducts a reconciliation at the end of each month – matching each credit card transaction to a receipt provided by Anna or her own receipts for transactions she has engaged in.