Evaluating internal controls

February 5, 2018

I’ve spent 25 years supporting organizations in several capacities. One of the matters that I’ve been routinely asked about is how to evaluate the business office’s internal controls to mitigate the risk of fraud or human error.  It can seem overwhelming to balance practicality, due to limited staffing, with implementing an effective set of internal controls.

Without being too technical, accounting transaction cycles are generally organized as a.) revenues and receipts, b.) expenses and disbursements and c.) payroll.  Others cycles may include accounting for fixed assets and even cash management.  The overarching key is to ensure that one person does not have control over the entire cycle – initiation of the transaction, recording of the transaction and review/monitoring. A quick example likely clarifies this concept:  On their own, a person should not be able to set up a new vendor, order goods or services from that vendor, receive the invoice from that vendor, pay the invoice by writing/signing the check and mailing it, record the expense and disbursement in the general ledger, and then eventually receiving and reconciling the bank statement to the general ledger.  There is too much room for error or worse, theft, with that much oversight in the cycle.  Therefore, it’s important to have “multiple sets of eyes” involved with all those steps.  It will reduce the risk of error and risk of fraud. This example scenario actually happens all the time (but not with my clients!).  When I’ve advised organizations to split up those duties the common response is “Our accountant would never steal corporate money. He/she is too honest! We don’t have any staffing that can help, so why do we need to make the changes?”  100% of people currently on this earth make mistakes, and studies show that a very high percentage of corporations are unknowing victims of some sort of fraud. If your accounting staff do indeed maintain the highest level of integrity, a good set of controls will at least help to protect them from being too quickly blamed as thefts!  Best case scenario is that your systems will be a little more mistake proof. 

With all this in mind, the American Institute of Certified Public Accountants has issued a little-known set of examples that can help an organization evaluate its systems.  The organization issued the guidance in its not-for-profit section but it really applies to all businesses.  The guidance provides suggestions for how to split up operational duties for an organization that has two, three or four people available, respectively.

In order to spur some thought, I’ll give one of the examples.  If you have three people available in the business office, the guidance offers the following suggestions:

1. Executive Director/Chief Executive Officer
   1. Sign contracts
   2. Make compensation adjustments
   3. Sign checks
   4. Complete deposit slips
   5. Perform interbank transfers
   6. Perform analytical procedures of internal financial reporting
   7. Review monthly bank reconciliations
   8. Review wire transactions
   9. Review account activity
2.  Accounting staff
   1. Write checks
   2. Reconcile bank reconciliations and petty cash
   3. Record accounting transactions in general ledger
   4. Distribute payroll
3. Accountant/other (receptionist or other administrative personnel)
   1. Process and approve payroll
   2. Process vendor invoices
   3. Mail checks
   4. Assist with performing analytical procedures
   5. Approve invoices for payments
   6. Disburse petty cash
   7. Open mail and log cash receipts
   8. Receive and open bank statements

Seems practical, right? Receipts, disbursements, payroll and cash management are appropriately split up in the best way possible with the limited staffing.  Each organization is different, so the guidance can be modified for the applicable situation.

I think it is good to periodically evaluate your controls even if you have no concerns.  Hopefully these examples can kickstart some questions and ideas.  Email me, and I’ll be happy to help if you have questions about your systems.   

[email protected]