We know theoretically what a control is – it prevents or detects an error in a business process – but in reality – what sort of characteristics or components do internal controls have?
Elements of internal control
A strong internal control system is based on the same consistent elements:
- establishment of clear responsibilities
- proper documentation
- adequate insurance
- separation of duties
- use of technology
Establishment of clear responsibilities
A properly designed system of internal control clearly dictates responsibility for certain roles within a business. When there is a clear statement of responsibility, issues that are uncovered can be easily traced and responsibility placed where it belongs.
As an example, imagine that you are the manager of the Galaxy’s Best Yogurt. On any shift, you have three employees working in the store. One employee is designated as the shift supervisor who oversees the operations of the other two employees on the shift and ensures that the store is presented/displayed/organised and functioning properly. Of the other two employees, one may be solely responsible for management of the cash register, while the others serve the customers. When only one employee has access to an individual cash register, if at the end of the day the cash register is short of funds (money is missing) or has too much cash, it can be traced to the one employee who is in charge of the cash register.
Where there are not clear descriptions of job responsibilities, an important task may end up not being performed by anyone, thus increasing the risk of fraud.
An effective system of internal controls maintains proper documentation, including backups, to trace all transactions. The documentation can be paper copies, or documents that are computer generated and stored, on flash drives or in the cloud, for example. Given the possibility of some type of natural (tornado or flood) or man-made (arson) disasters, even the most basic of businesses should create backup copies of documentation that are stored off-site. With current technology, most businesses use software that is Software as a Service (SaaS) where the software provider ensures that the system captures the information required and stores this data in the cloud. However, a business must also ensure that access to this data is by authorised persons only. The data stored by many business can be a valuable commodity to those looking to use credit card details or personal information for fraud.
Any documentation generated by daily operations should be managed according to business procedures in terms of storage. For example, when the Galaxy’s Best Yogurt closes each day, one employee should close out and reconcile the cash drawer using prenumbered forms in pen to ensure that no forms can be altered or changed by another employee who may have access to the cash. In case of an error, the employee responsible for making the change should initial any changes on the form. If there are special orders for cakes or other products, the order forms should be prenumbered. The use of prenumbered documents provides assurance that all sales are recorded. If a form is not prenumbered, an order can be prepared, and the employee can then take the money without ringing the order into the cash register, leaving no record of the sale. If the owner wishes to review the orders and notices a number missing from the sequence – they can enquire as to what happened to that order (did an employee sell an item to a customer and then keep the cash and remove the order from the list?).
Insurance may be a significant cost to a business (especially liability coverage), but it is necessary. With adequate insurance on an asset, if it is lost or destroyed, an outside party will recoup the company for the loss. If assets are lost to fraud or theft, an insurance company will investigate the loss and then refer the case to law enforcement authorities so that criminal charges can be filed. Most business owners and managers are not experts in the area of fraud investigation, so having insurance allows them to utilise the expertise of the insurance provider. If youf inventory was destroyed in a fire and you did not have insurance – then all the asset is completely lost – with insurance, you would receive money from the insurer to purchase more inventory.
Separation of duties
To minimise the risk of fraud, staff members who have the authorisation power for transactions should not have access to those assets, and also should not have access to the accounting records. This prevents me from authorising the purchase of a fancy sports car, taking delivery and then hiding the payment under a random business expense.
A properly designed internal control system assures that at least two (if not more) people are involved with most transactions. The purpose of separating duties is to ensure that there is a check and balance in place. Imagine a busy cafe. At the end of the day, the chef will place an order for fresh produce required for the next day’s menu. The business owner will receive that order from the supplier and be required to sign as proof of delivery. This will prevent the chef from ordering excessive produce and taking some home because the owner is monitoring the deliveries. The owner will also be required to pay the supplier for these deliveries – thus (hopefully) monitoring the purchases closely.
In a larger business, such as a university, an order for a new laptop may need to be requested by the Head of the Department and approved by the Faculty Manager. A Purchasing Department will then place the order. The loading dock staff will receive the laptop delivery and confirm in an online system that the goods have been received. They will arrange delivery of the computer to the staff member’s office. The invoice for the computer will be sent straight to accounting, who will check that the invoice matches what was ordered by Purchasing. Someone else with the right level of authority will approve the electronic funds transfer to the computer supplier. In large organisations or for large transactions, two people may be required to approve the electronic funds transfer.
The number of different steps and separations of duties will depend on the size of the business. The larger the business, the greater the number of steps of approval and separation of duties.
The role of technology in internal controls
Technology has made the process of internal control simpler and more approachable to all businesses. There are two reasons that the use of technology has become more prevalent. The first is the development of more user-friendly equipment, and the second is the reduction in costs of security resources. In the past, if a company wanted a security system, it often had to go to an outside security firm, and the costs of providing and monitoring the system were prohibitive for many small businesses. Currently, security systems have become relatively inexpensive, businesses as well as individuals are likely to have security cameras with automatic cloud recording and event notification (for example motion sensor activated cameras). Popular options in Australia include Ring and Google Nest.
In terms of the application of security resources, some businesses use surveillance cameras focused on key areas of the business, such as the cash register and areas where a majority of work is performed. Technology also allows businesses to use password protection on their data or systems so that employees cannot access systems and change data without authorisation. Most business software applications allow them to set up specific security profiles for employees that state what the staff member can and cannot do. For example, a store sales person may be able to make a sale to a customer, but cannot provide a discount greater than 15%. If a customer is attempting to negotiate a larger discount, a manager may be required to authorise the transaction. Often refunds can only be processed by certain staff.
Even if a business uses all of the elements of a strong system of internal controls, the system is only as good as the oversight – remember the need to monitor the controls? As responsibilities, staffing, and even technology change, the system of internal controls need to be constantly reviewed and refined. Internal control reviews are typically not conducted by inside management but by internal auditors who provide an impartial perspective of where controls are working and where they can be improved. If a business is large enough to require an external audit (for example, a publicly listed company) – the auditor will often also provide a list of control deficiencies or weaknesses that the business should attempt to remedy in the future.
Importance of internal controls to government entities and departments
Internal controls apply not only to public and private businesses but also to governmental entities. Often, a government controls one of the most important assets of modern times: data. Unprotected financial information, including tax data, social security, and governmental identifications, could lead to identity theft and could even provide rogue nations access to data that could compromise the security of our country. Two factor authentication (where to log in to a system, you’re required to provide a time-limited access code in addition to your username and password, or some similar system) to access government systems is one example of additional controls in place.
Not-for-profit organisations also have a need for internal controls
Not-for-profit (NFP) organisations have the same needs for internal control as many traditional for-profit entities. At the same time, there are unique challenges that these entities face. Based on the objectives and charters of NFP organisations ations, in many cases, those who run the organisations are volunteers. As volunteers, leaders of NFPs may not have the same training background and qualifications as those in a similar for-profit position. Additionally, a volunteer leader often splits time between the organisation and a full-time career. For these reasons, internal controls in an NFP often are not properly implemented, and there may be a greater risk of a deviation from an internal control. A deviation occurs when there is a departure from standard control protocol or procedure that leads to a failure in the internal control and/or fraud prevention processes or systems. A failure occurs in a situation when results did not achieve predetermined goals or meet expectations.
The use of internal controls differs significantly across businesses of different sizes. In the case of small businesses, implementation of internal controls can be a challenge, due to cost constraints, or because a small staff may mean that one manager or owner will have full control over the business and its operations. An owner in charge of all functions has enough knowledge to keep a close eye on all aspects of the business and can track all assets appropriately. In slightly larger businesses in which responsibilities are delegated to other employees, procedures and processes need to be developed in order to ensure that assets are tracked and used properly.
When an owner cannot have full oversight and control over a business, systems of internal control need to be developed. When an appropriate system of internal control is in place, it is interlinked to all aspects of the business’s operations. An appropriate internal control system links the accounting, finance, operations, human resources, marketing, and sales departments within a business. It is important that the management team, as well as employees, recognise the importance of internal controls and their role in preventing losses, monitoring performance, and planning for the future.
What happens when a control is missing?
It is critical that businesses implement internal controls, but sometimes implementation or design of controls doesn’t go to plan and you may have a gap – weakness in your internal controls system that might result in an error or more dangerously, intentional fraud. Another possibility is that you have a control, but it doesn’t operate as it was designed – staff can work around the control, or the control might be broken. In this instance – you have a control failure.
To minimise control weaknesses, businesses should evaluate and test their internal controls regularly. They should also conduct their risk assessments frequently in case a new risk arises that requires a new control. For example, pre-pandemic – Zoom allowed all participants to share screen, change their names, mute and un-mute the microphones of other meeting attendees. Teaching online during the pandemic resulted in additional risks associated with using Zoom like Zoom-bombing of meetings and inappropriate behaviour by students in classes. The pandemic highlighted a risk in using Zoom, and in response, additional controls were implemented – such as only the host can mute another participant. Hosts can control who can share screen. Even automatic recording of all Zoom meetings might be a control.
It is critical that any business monitor its internal controls – we want to know that they are operating correctly, but more important we want to know when some controls STOP operating correctly. Consider a bank ATM – there are a multitude of systems and internal controls built into these machines. Of course, we want to know when the ATM correctly dispenses cash to a customer. However, more importantly – we want to know when the bank starts incorrectly dispensing cash! This happened in real-life where a customer discovered a glitch in an ATM and proceeded to withdraw US$1.6m undetected by the bank! You can read more in Business Insider.