Internal Control: Why It’s More Important for Small Businesses
Businesses with fewer than 100 employees accounted for the highest percentage of fraud instances and higher median loss than their larger counterparts, as reported by the Association of Certified Fraud Examiners (ACFE).
The ACFE has classified fraud into three categories:
- Misappropriation of Assets – stealing or misuse of an organization’s resources
- Corruption – an employee using their influence in business transactions in a way that violates their duties in order to obtain a benefit for themselves
- Financial statement – involves the intentional misstatement or omission of material information from financial reports
Fortunately, there are steps your company can take to help prevent and detect fraud. The most important step for any small business owners is to implement properly designed internal controls.
Internal controls are procedures or processes put in place by a business to:
- Safeguard assets
- Ensure financial reporting is accurate and meet all financial reporting requirements
- Ensure compliance with operational requirements
There are five factors necessary for establishing effective internal controls.
- Segregation of Duties
- Policies and Procedures
- Oversight and Review
- User Access and Rights
SEGREGATION OF DUTIES
Creating separation or segregation of duties entails the assignment of the various components of a process to different employees. Proper segregation of duties should ensure that different people should be responsible for authorizing transactions, recording transactions, maintaining custody of related assets and reconciling account balances. If a single employee is responsible for all these tasks, that person is in a position to perpetuate and conceal fraud.
While larger companies with thousands of employees can easily segregate duties, small companies that don’t have a large enough in-house staff can outsource one or more of these duties. Public accounting firms offer accounting services to small and medium size companies. The Company can outsources some of these functions to the CPA firm and obtain a level of expertise not available from their in-house staff.
POLICIES & PROCEDURES
All businesses should have written policies and procedures—even if you think your business operations are uncomplicated. Although businesses are different, the following common processes should always be documented:
- Sales and Accounts Receivable
- Cash and Banking
- Purchases and Accounts Payable
- Payroll and Human Resources
- Financial Statement Closing and Reporting
The policies and procedures for each process should include all the tasks and steps needed to complete a process. Documenting each process provide transparency and consistency and allow for specific duties to be easily assigned to separate individuals. Detailed policies and procedures also facilitate the training of new or temporary employees.
While it might seem obvious, maintaining adequate supporting documentation is essential to developing effective internal control. All transactions must be documented in sufficient detail to allow management to support the existence of the transaction. Standardized documentation enable faster and more efficient review of accounting documents by management and is an important aspect of fraud detection.
Thorough, standardized documentation also allows for discrepancies and errors to be more easily identified. Not having standard documentation for all internal accounting procedures puts you at risk of errors and that fraudulent activity will go unnoticed or overlooked.
OVERSIGHT & REVIEW
The best way to reduce the risk of fraud is management oversight and review; in other words, showing your employees that you are checking up on them and reviewing documentation. In most fraud cases, the employee was allowed to perform their duties without oversight or review which enable them to perpetuate the fraud over an extended period of time.
Management must be committed to implementing and following their own internal controls. The tone is set at the top. They should review financial reports periodically and on a random basis which includes identifying significant variances and the reason for the variances.
USER ACCESS & RIGHTS
Another important consideration for preventing potential fraud and maintaining security within a business is the prevention of any unauthorized access to the key databases, systems, and programs used for accounting operations.
Employees should be given limited access to information systems with only rights to perform function necessary to their work assignments. Often employees are given more access to information systems than they actually need to carry out their duties. Most software allow the Company to setup individual users with specific access to or deny access to specific areas of the system.
On a periodic basis, all users’ rights should be reviewed to ensure there is a legitimate business purpose to support them having this access.
Since every business is different, small business owners are likely to apply a combination of different strategies to put procedures in place that works best for their unique needs. The guidelines presented above are standard components that should be applied to ensure a strong foundation of internal controls and security no matter the size of the company.
As accounting professionals, we are trusted advisors to our clients and need to educate them about the risks of fraud and the importance of good internal controls and to play a key role in designing and implementing effective internal controls. For more information about this topic or our outsourced accounting services, please contact us at firstname.lastname@example.org or (212) 245-5900.
Marisa Pershad, CPA, CVA, is an Accounting & Audit Partner at Farkouh, Furman & Faccio with over 35 years of experience. Marisa’s industry expertise includes clients predominantly in the commercial, financial services (including investment partnerships and broker-dealers), and not-for-profit industries. She specializes in the audit of GAAP and OCBOA basis financial statements.