What is an internal control procedure used to safeguard a companys assets?

Many business owners are discovering that their assets are not as well protected as they thought.  Smaller businesses with one or two employees managing all of the finances are particularly susceptible to misappropriation of assets.  Often there are no checks and balances to verify that transactions are accurate or appropriate.

According to the Association of Certified Fraud Examiners’ 2016 Report to the Nations, the median loss for all the cases in their study was $150,000. When schemes lasted more than five years, the median loss rose to $850,000.  Businesses with fraud hotlines were much more likely to detect fraud through tips than those without.

When proper financial and operational controls are not in place, employees (and owners!) can learn to manipulate the accounting system to their benefit.  Whether they take money from the company or their mistakes are undiscovered, the end result can greatly impact a company’s management decisions, financial reports, tax filings, and financial stability.

Unfortunately, once your financial records have been altered, discovering problems is extremely difficult.  Most standard accounting practices are not designed to uncover internal problems such as embezzlement.

Therefore, the best way to safeguard your company’s assets is to recognize and improve weaknesses in your internal procedures.  The following business practices and procedures can help you minimize potential internal control problems:

• Set the tone at the top: Management must set an ethical atmosphere in the workplace and uphold those values at all times.  Employees are more likely to behave in the same manner as management sets.

• Related duties should be assigned to different people: Certain accounting and operational functions are designed to cross-reference each other for accuracy:
  • Writing, signing, and mailing of checks
  • Ordering, paying for, and receiving of materials
  • Handling cash and recording cash in accounting system
  • Accepting customer orders, fulfilling orders, and invoicing customers

    These procedures can reveal inconsistencies in your records in a timely manner.

• Reconcile and scrutinize your bank statements every month: A bank statement can tell you a lot about your business if you review the information in a timely manner.  Examine checks and endorsements, track transactions between accounts, compare payroll checks with employee records, and ask questions.  Examine bank statements for unusual withdrawals.  To be more proactive, consider positive pay systems if your bank offers this service.

• Examine supporting documentation before you sign a check or authorize a transaction: When you insist on reviewing original documentation, your employees become more accurate and communicate their needs more clearly.  You should also verify the names of your vendors and your employees occasionally.  And remember to cancel supporting materials after signing a check.  Consider dual signatures on checks over a certain threshold.

• Lock and protect your valuables: Keep blank checks and signature stamps secured and deposit cash and checks daily.  Stamp all checks received “for deposit only”.  It’s also important to secure fidelity bonds and insurance for all accounting and key personnel.

• Know your employees and examine behavior changes: Always verify employee references before hiring.  Also, consider the need for conducting other background checks as appropriate, including but not limited to the need for credit information, motor vehicle reports, and criminal searches. Many white-collar crimes go unreported and continue to be repeated.  Watch for trouble signs: possible substance abuse, change in lifestyle, living beyond means, possessiveness of work, or not taking vacations.

This limited list of internal controls can help reveal financial discrepancies and protect your company’s assets as well as recognize the excellent efforts of your staff.

For more information on how Herbein + Company, Inc. can help you review your current internal controls or develop and implement the proper controls to protect your company, contact Steven M. Wolf at [email protected].

It is common to think that only large companies with thousands of employees and multiple locations are challenged to protect their assets from external and internal fraud. In fact, many small businesses, often family-run or closely held, tend to feel immune to these “big company problems” because their owners “know” where their money is. In reality, however, smaller businesses are frequent victims of asset misappropriation, often due to the limited resources they have to focus on their operating environment and internal controls.

In an effort to provide small business owners and executives insights on enhancing their internal control environment, this Client Alert provides 10 control practices that small businesses can implement to manage their operations and safeguard assets more effectively.

1. Expense Management

Some organizations do not have formal sourcing, bidding, and purchasing policies and procedures in place. They may not even utilize purchase orders. When vendor quotes are requested and vendor bidding is utilized, often there are no formal policies and procedures requiring a specific minimum number of bids based on the purchase size. In many cases, bidding support documents and vendor estimates may not be retained. In short, valuable transparent information is lost.

For projects or large purchases, not having an official policy for minimum bidding may preclude companies from getting the best price and/or quality of service. For maximum transparency, all bidding support documents from vendors should be retained — including justification and reasoning on specific vendor choices. Purchasing policies should be established and address a number of minimum bids based on the overall project/purchase size.

2. Supporting Documentary Evidence

Generating and storing critical supporting documentation are important parts, and the foundation, of a sound internal control environment. Easily retrievable and well-organized documentation help to verify transactions and serve as a reference tool for procedures and internal controls. In addition, well organized documentation provides transparency and assists an organization with researching and rectifying problems.

3. Policies and Procedures

Documented accounting policies and procedures help accounting and finance staff understand and follow formalized rules and maintain consistent controls. In turn, this allows for more accurate and complete financial statements. In addition, formalized policies and procedures contribute to safeguarding assets as well as to training and developing new employees and evaluating staff performance. Accounting policies and procedures should be updated periodically to ensure that the information is current and relevant to the organization.

4. Segregation of Duties (SOD)

At some organizations, the responsibilities of employees are incompatible with appropriate segregation of duties, specifically when employees manage the entire chain of disbursements. In these situations, employees may be able to add new vendors, process invoices, and print checks without any oversight. Sometimes these employees even have authority to sign the checks and prepare bank-to-book reconciliations. Similarly, employees responsible for depositing cash receipts may also be responsible for accounts receivable accounting functions.

Lack of segregation of duties increases the risk of unauthorized disbursements and defalcation of cash. Management should review and reallocate some of these responsibilities among staff members to achieve a more balanced segregation of duties. If staffing restrictions prevent duties from being fully segregated, then additional supervisory monitoring procedures should be put in place.

5. Access Rights and Roles to Critical Financial Applications

Organizations without well-defined processes of assigning and managing access roles to their critical systems and applications expose themselves to security breaches by allowing access to information that should not be visible to certain employees based on their roles and responsibilities. Access rights should be periodically reviewed and recertified to ensure that authorization levels are commensurate with job responsibilities and the proper segregation of duties is maintained. Any requests for access should always be submitted in written format. Access rights and related activities should be authorized only by personnel with the appropriate knowledge and authority.

6. Monitoring and Management Oversight

Monitoring and management oversight are critical for a sound control environment — even more so if a business has segregation of duties. Management review controls are only effective if designed appropriately. This means their level of precision must be designed in a way that will most likely identify important errors or misstatements. At the same time, the system should be designed to avoid inefficient use of time in identifying insignificant errors. Depending on the type of account under review, the business should hold to specific variance thresholds or key performance indicators (KPI). When designing controls, it is imperative to design threshold amounts, metrics, statistics (such as year-over-year or month-over-month variances), or other defined guidelines which dictate the precision of management review.

7. Critical Spreadsheets

Given the similarities between spreadsheet development and application development, it is appropriate to use industry-recognized best practices for controlling critical spreadsheets. Errors in spreadsheets are common and can include:

• Overwritten and unprotected formulas;
• Input errors;
• Redundant data;
• Outdated links; and
• Poor documentation.

These errors can cause significant deficiencies and material weaknesses in internal controls, which can have a direct impact on the financial statements. Businesses should develop policies that include risk assessment and related controls testing, reviewing, and updating on an ongoing basis. The controls should cover logical access, backup, changes, data input validation, and security, and be similar controls addressing financial application risks.

8. Employee Travel and Personal Expense Reimbursement

Businesses that lack formal personal and travel expense reimbursement policies and procedures risk exposure to the misappropriation of funds. To help circumvent this problem, every employee should prepare an expense report addressing all business-related expenditures. Included in the report should be supporting receipts above a specific threshold amount established by the business. The report should explain the purpose of each expenditure — ideally, a legitimate business purpose — and include other individuals attending the event or benefiting from the expenditure. In addition, a travel expense reimbursement policy addressing allowable and nonallowable expenditures and methods for requesting reimbursements should be issued to all employees.

9. Credit Cards

Many smaller and family-run businesses have alarmingly informal control policies for credit card activities. Business owners and employees with corporate credit cards often commingle personal and business-related purchases. Then, at the end of a billing period, an aggregate bill from the credit card company is paid without detailed scrutiny over expenditures. This lax policy opens a window of opportunity for misuse, intentionally or otherwise, for covering personal expenses unrelated to a business.

Instead, formal policies should be put in place that include full and complete accounting and approval processes for every corporate credit card transaction incurred by every employee and business owner. In addition, based on their position within the company, each employee should have a defined spending limit.

10. Third Party Monitoring

At times, businesses may outsource certain business function cycles to third party service providers. These functions can be in any area, including payroll, human resources, benefits, bill payment, accounting, compliance, customer service, or IT services, to name a few. In these situations, even when a function, task, or process is transferred to a third party, many of the associated risks remain with the business. While the business may put its trust in these service providers, it remains the responsibility of the business to manage and monitor third parties and the potential risks associated with the relationship.

What are internal controls designed to safeguard?

How can internal controls help to protect these assets?

Which areas of internal control is concerned with safeguarding of assets?

What are the internal control procedures for fixed assets?