I recently attended a luncheon hosted by the Northeastern Oklahoma Chapter of the MGMA. The keynote speaker was Brett Johnson, CPA of EideBailly, and he spoke on internal controls and the importance of supporting documentation. As a CPA myself, I sometimes take the need for internal controls for granted; that everyone in business understands what this is and why it is critical in a business operations environment. Then I read an article in the paper where yet another business has been a victim of fraud and theft perpetrated by a trusted individual within the company. Brett made a number of great points worth repeating, so here goes:
Wikipedia defines internal controls in accounting and auditing as “…a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations, and policies. A broad concept, internal control involves everything that controls risks to an organization.”
Brett asserted that in accounting, internal controls should be applied through a multi-tier approach.
Tier 1 involves written policies and procedures. This includes employee handbooks, credit card use policies, computer use policies, systems use policies, late payment application policies, month-end checklists and the like. This can also include maintaining adequate records, making deposits in a timely manner, conducting background checks, performing personality profiles, and setting up anonymous reporting systems.
Tier 2 includes implementing proper security over assets such as cash, checks, inventory, equipment, etc. This is achieved by performing physical inventory counts on a regular basis, reducing the amount of cash on hand at any given time, verifying vendors, validating customer balances, making regular collection efforts on past-due receivables, and managing approval processes for purchases and check writing.
Tier 3 is provided by things like annual external audits, management oversight, and proper security rights assignments within accounting and line-of-business transaction applications. This also includes proper separation of duties where the roles for authorizing, recording, and maintaining custody of assets don’t all lie in the hands of a single person, regardless of their position, longevity, or trust.
The role of proper documentation in accounting is critical, but remember that not all documentation is created equal where internal controls are concerned. Documents derived from outside, independent sources have more credibility than those created internally. This includes things like bank statements, canceled checks, vendor statements, customer statements, physical counts, customer purchase orders, and contracts. It is important to note, however, that proper support should be the original document received from the outside source, not a copy. Copies can be manipulated. If unsure of a document's validity, new versions should be requested from the original source for verification.
Internal controls can at times seem tedious, unnecessary, and even overbearing. However, if looked upon a little differently, proper internal controls are in place as much to protect the employee as they are to protect the organization.
It’s never too late or too early to address risk within any organization. Risk management is all about identifying risks and deploying mechanisms to either avoid them, mitigate them, transfer them, or accept them. Not having proper internal controls in place to avoid, transfer, or mitigate the risk of fraud simply means that you have chosen to accept that risk and the consequences it can bring if fraud occurs.