6 Questions to Ask About Your Internal Controls
ByBy Claire Pahlmeyer, Senior Associate
Well-designed internal controls are vital to the health and safety of an organization’s operations. Without internal controls, especially around financial transactions and accounts, it is easy for a transaction to be recorded for the wrong amount, the wrong invoice to go out, or money to be paid to the wrong person. On the flip side, internal controls can also be overly burdensome and unnecessarily inhibit the efficiency of the operations you are trying to protect. Asking yourself certain questions can help you analyze whether your controls are meeting the needs of your organization.
1. Are my internal controls documented?
Documenting controls can be a lot of work for smaller organizations that are often operating at maximum capacity, but the possibility of staff turnover makes documentation important. The accountant who has been with the business for over 15 years has an incredible amount of knowledge about how their position works, including: who reviews the checks, who counts the cash, who submits and receives invoices, and many other small but meaningful tasks. If that person leaves without their responsibilities and knowledge documented, their replacement will have a difficult time replicating those same tasks and the organization’s internal controls will not be as strong.
Documentation doesn’t have to be a herculean task; it can be as simple as following a piece of paper through its circuit in the office. Pick up a deposit from a customer when it comes in the door and follow it from person to person, writing down what is done until it is deposited in the bank and recorded in the accounting system. Writing a few paragraphs in a narrative or drawing up a chart will clarify the processes and enable others to repeat it.
2. Can my controls be bypassed?
No matter how well crafted a control may be, if it can be skirted by someone it likely will be at some point. Controls that are bypassed tend to be manual. For example, if the client’s name from an invoice needs to be entered by hand, a possible control over incorrect data entry is to review the client’s name from a separate list to make sure there are no misspellings. However, that control may be bypassed to save time, especially if the software receiving the data input is not aligned with a master list of clients and will accept an incorrect input. An automated control is that the data inputs are selected from a pre-populated list within the software, so no misspellings are possible.
Implementing automated controls can depend on the capabilities of your software but there are other ways to reduce the likelihood of bypassing internal controls as well. Review by a second person creates a stopping point where the first person must complete the data input, then send it to another person for their approval before it continues in the process. Neither solution is foolproof, but both can go a long way to reduce the chance of errors.
3. Are my controls overly cumbersome?
Cumbersome internal controls require significant amounts of time and effort to implement, sometimes to the extent that the benefits of putting the control in place are outweighed by the costs of the control itself. If a department required secondary review for every single expense that goes out the door, regardless of amount, the time spent on that review may overshadow the benefits of finding and correcting inaccuracies in small-value expenses.
Setting dollar amounts for review thresholds is a great way to mitigate risk without making too much work for staff. Conducting occasional random audits of smaller dollar transactions can help ensure those transactions are not wholly ignored, and replacing manual processes with automated processes will reduce the workload while maintaining strong controls over operations.
4. Is there proper separation of duties between my control activities?
Separation of duties is an important element of internal controls; it can turn a massive hole in control coverage into a safeguard that covers multiple areas. Separation of duties means making sure that no one person has too much control within the organization. Giving one person the ability to both write a check and make journal entries in the accounting system may lead to error or fraud.
There are three elements of control activities: authorization, recordkeeping, and custody. Access to any two of the three by one person can offer the opportunity to misappropriate assets.
- Authorization is given to those who approve transactions, including signing checks.
- Recordkeeping is done by those who record transactions to the accounting system.
- Custody is given to those who receive or possess an asset, including handling of cash and credit cards.
Balancing these responsibilities is key in setting up internal controls to protect your organization’s assets.
5. Are my controls preventative, detective, or corrective?
Internal controls are designed to address issues either before or after they arise.
- Preventative controls catch an issue before it occurs, such as a pre-populated list of client names or limited user access based on the position or level of the user.
- Detective controls catch an issue after it happens, such as secondary review of expenses or bank reconciliations.
- Corrective controls are aimed at correcting issues that have already occurred to ensure similar issues don’t arise in the future, including software updates, modifications to policies and procedures, and disciplinary action, when necessary.
A balance of control types will spread control responsibility across multiple positions and increase the likelihood of an error being caught. Too much emphasis on detective controls will create unnecessary work in correcting issues that may have been easier to prevent in the first place. Too much emphasis on preventative controls will leave the organization blind to how many errors may be slipping through the gaps in internal control processes. Corrective controls address progress in the internal control matrix and provide growth in controls for the future of the organization. All three play a role in a healthy internal control system.
6. Does my organization’s culture support our internal controls?
Underlying all internal controls are an organization’s culture and respect for the system in place. If the tone at the top shows a lack of concern for following correct processes, the employees will take note and follow suit. However, a strong show of support for internal controls and performing tasks with ethics and honesty will go a long way to set an organization on the right path.
There is no silver bullet to creating or updating internal controls, but a consistent effort to review and address gaps in controls over time can greatly benefit your organization.
Have questions or want to discuss more? Contact our risk advisory team today.