Manage Risk With An Internal Control System – Part 1 of 2

What Is An Internal Control?

You may have heard of the term ‘internal control system’ in the context of small – medium enterprise (SME) vulnerability to fraudulent practices by employees. These are typified by the case of the SME owner who gets a call from the police one day because they are investigating the part time secretary who has been discovered stealing from one of her other employers.  And, sure enough, she has been stealing from him as well as it turns out upon investigation.

Then everybody throws up their hands – how could that happen, where were the checks and balances, the internal controls?

That’s the common face of an internal control system, but there’s more to it than that. A good internal control system will assist in achieving four things that are critical to your business’ security:

1. safeguarding your business’ assets
2. improving the efficiency and effectiveness of your operations
3. improving the reliability and completeness of your financial and management information
4. assisting in helping you comply with your organizational policies and procedures as well as any laws and regulations you operate under

A system of internal controls will consist of a set of policies and procedures designed to provide reasonable assurance that these four objectives are being achieved.

At the same time let’s look at some best practice ways of achieving that through the use of particular types of internal control:

1. your business risk areas and how internal controls can help manage them
2. the five essential components of an internal control system
3. understand the different types of internal control and when it is appropriate to use them
4. how to assess which risks are the critical ones to manage
5. developing an internal control system that’s right for your business

Risk Area: Your Assets

Think about the number of assets in your business. Some are obvious – such as cash, inventory, and the equipment in the office, the shop or on the factory floor. But you may have less obvious ones that are worth money as well – like product blueprints and specifications, your customer list and even the record of your debtors and what they owe you. These are worth
money also.

Add all that up and your assets are probably a considerable amount.

And all of them are open to a number of risks. Obviously physical assets can be stolen or even lost. A virus in your computer could wipe out your customer list and your debtor records. A fire could destroy the plans and specs.

Assets are vulnerable and need to be protected by some sort of measures that will minimize the opportunity for loss and, if the worst does occur, minimize the effects of loss. There are different things for different asset types of course so that they will range from a procedure
for securing the premises out of business hours to changing the access passwords to your computers on a regular basis. Those sorts of measures will minimize opportunity for things to go wrong. They are examples of asset security internal controls.

Risk Area: Efficiency And Effectiveness Of Operations

There’s a whole group of internal control measures that can assist in helping a business achieve the objective of getting things done efficiently.

These range from policies and procedures that describe the best methods of carrying out particular operations to compiling reports that allow a manager to keep informed on how the business is performing financially, whether targets are being reached on schedule and so on.

As a matter of fact they should also include policies on what to do when fraud or any other sort of improper practice, like using the Internet to download or distribute pornography, are identified. In the absence of a policy with approved procedures, trying to deal with situations like these can end up with you feeling like a victim and involving you in time wasting and
disagreeable activities.

Risk Area: Reliability And Completeness Of Financial And Management Information

Internal controls support the collection of accurate information for management and financial reports. Many decisions are based on the information in these reports so that accuracy is vital. Internal controls in this area help ensure the quality of internal and external reporting through
the maintenance of proper records and information flows.

And some of those reports can be critical to your business, like your cash flow situation or whether your inventory records are accurate and not being manipulated to cover theft; whether the statements in a request for a loan are verifiable, and particularly, that the tax man can’t
fault your return.

To get all those things right, and at the same time make sure there is no manipulation of the input numbers going on, internal controls over the way they are collected and the procedures behind the operations, like inventory management and cash handling procedures, are essential.

And a natural follow on from having systems that ensure accuracy is that you’ll minimize time lost correcting errors in the data.

Risk Area: Complying With Business Polices And Legislation

Businesses have to organize for things to get done according to their own accepted policies and procedures while remaining compliant with any number of laws and regulations imposed by government agencies and local authorities. These range from enforcing government mandated
workplace conditions like occupational safety and health to dealing effectively with customer complaints so as to retain the customer.

You need a system of controls to ensure these that polices are carried out and that your practices are in compliance to regulations – get these wrong and the business can suffer heavy financial punishment because of breaches or from loss of custom.

Internal Control Is A System

Looking at all those things we’ve mentioned you can see that your internal controls will consist of more than just a few procedures.  There will also be the policies to explain how they are to be carried out, and some monitoring activity to track how things are performing, as well as some
delegation and reporting responsibilities to see that things like financial reports and compliance documents get completed on time.

And what is considered just as important as these activities if you want your internal controls to actually be taken seriously, is to develop a workplace culture that lets employees know you take them seriously. That is to say, there are standards of behavior by you and your managers
that need to operate as well.

So internal control is best viewed as a system. Let’s look at the parts of that system.

Five Components Of An Internal Control System

1. developing the sort of culture that encourages responsibility by your employees
2. assessing the risks around each main business process e.g. around handling of monies or compliance with OS&H legislation
3. developing control activities to minimize identified risks
4. collecting the information that feeds into the control process promptly and accurately
5. monitoring how effectively the ICS is working – is it doing the job?

1: Create The Right Attitude In Your Team

If you are the sort of manager who doesn’t pay much attention to how the business is
running or how efficient people are; if your systems are sloppy and there’s no audit trail on activities; if you treat your team disrespectfully; or if you are seen being wasteful, then you are creating an environment that will encourage fraud or pilfering, lack of concern about following procedures, wasteful work practices and non-compliance with government regulations.

You are setting yourself up for trouble from one or all of these avenues. So step one is to act efficiently, decently, responsibly and ethically yourself.

You can build your view about these things into some of the policies and work practices, for instance by developing a code of conduct and a reward system for demonstrated high performance by team members. And incidentally, those things become internal controls for this area.

Structure And Competency

Apart from demonstrating personal integrity there are a couple of other steps you can take to improve the likelihood that your internal controls can work in practice.

First is to develop a formal organization structure that shows who reports to who, and just
as importantly, who is responsible for what. A set of job descriptions is the best way of doing this. The allocation of duties and responsibilities should ensure that there are no opportunities for procedures not to get done because nobody considers it their responsibility.

Secondly, you should demonstrate a commitment to competence. Start handing jobs to obviously underqualified or less than competent people and you are saying that you don’t particularly care how well that job gets done.

Personal Sense Of Responsibility

Of course taking internal control seriously isn’t just your responsibility. In varying degrees, internal control is the responsibility of everyone in the business. Almost all your employees will produce information that will go to form part of an internal control mechanism.

So an essential element of a strong internal control system is the recognition by every employee of the need to personally carry out their responsibilities effectively and to communicate to the appropriate level of management any problems in operations, instances of non-compliance with the code of conduct, or other policy violations or illegal actions that are noticed. But this will only happen where the environment is set up to promote it happening.

Don’t underestimate the importance of creating the right environment for internal controls to operate in – it’s the very foundation for making them work successfully, and while a good culture of itself can’t guarantee every internal control will work, you can guarantee that the lack of such a culture will provide greater opportunities for errors to go undetected or for improprieties to occur.