Keep Your Money in Your Company – January 2016

This post is about Internal Controls.

Internal controls are procedures the CFO implements to manage risk and fraud. They are an important element of good management in small business, where some sources estimate the median loss due to fraud is $190K per year.

Even a good internal control system will never eliminate fraud, but it will have procedures that detect signs of fraud and encourage swift corrective action. These procedures, which will vary by business type and operating philosophy, are applicable to financial risks, operational risks, and strategic risks. Given the limited resources of most small businesses, it is critical to prioritize one’s efforts based on the likelihood and magnitude of the risks described above.

In determining this prioritization, the CFO must take several steps. First, identify the relevant risks. This stems from understanding how the desired results are achieved, particularly in regard to cash receipts and disbursements. Next, assess the probability and impact if the risk is realized. Finally, the CFO must weigh the alternatives. For instance, what is the cost if nothing happens? Is it worth the number of employees necessary to prevent the risk? Is the expense of compliance greater than the potential loss? The CFO must carefully analyze such trade-offs in constructing a system of internal controls. An important element of this process is to understand who commits fraud and why.

A robust internal control culture can also help the firm determine who may commit fraud and why, though we stress this is a very difficult task. Small businesses are often tightly knit organizations. Thus, there is a natural resistance to the possibility that a colleague may be cheating the company. This is an understandable emotion, but it must be considered in light of the characteristics of many fraudsters. Many such individuals are viewed as trustworthy. In addition, they are usually intelligent, making the fraud difficult to detect.

The reasons people commit fraud are many, but the most common include personal financial problems; extravagant lifestyles; obvious vices such as gambling; and grievances (real or imagined) against the company. Warning signs that fraud has occurred include missing/altered documents; excessive number of voided transactions; duplicate or photocopied invoices; unfamiliar vendors; change in vendor addresses; and unsupervised temporary employees.

Basic internal controls to detect fraud are crucial in any organization. The implementation and enforcement of such controls are often driven by the tone set by the owner and CFO. If these parties are not supportive of the benefits of the controls, neither will the rank and file be. Critical elements for internal controls apply across industries and operating styles, though the actual controls will vary with those same variables. These critical elements include segregation of duties; well-defined authorization procedures; documented policies and procedures such as numerically controlled documents; physical security of assets; and reconciliation of financial data.

While financial loss is the key risk internal controls are designed to mitigate, internal controls are applied in a much larger context. They are applied to three types of risk. Financial risks focus on losses due to fraud and theft; damage to or loss of assets; and pilferage of cash. Operational risks entail disruption of daily operations and bad publicity. Either can result in financial statements that do not reflect reality. Strategic risks involve failure to meet financial goals and being outflanked by competitors. Importantly, strategic risks also include risks incurred in Management Information Systems (MIS) and the havoc this can wreak throughout the organization.

In our view, key best practices to control financial risk include positive pay, electronic disbursements and purchase orders, and reconciliation of the cash account to bank statements. Positive pay is a system whereby the company’s bank matches checks presented for payment against a list provided by management. Checks not on the list are investigated. In regard to bank reconciliations, it is important to have an independent reconciler (one who neither signs nor prepares the checks); a set time for each month’s reconciliation; rotation of reconcilers, if feasible; and prompt investigation of differences between the bank statement and the cash ledger.
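The positive pay match and the bank reconciliation described above, as an added example in Python (not code from Capitol CFO Solutions). The check numbers, payees and amounts are constructed sample data; the example assumes the bank matches on check number, then amount, then payee, and that the ledger and statement can be compared by check number.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    number: str
    payee: str
    amount: Decimal

# Constructed sample data: checks management issued and sent to the bank as the positive-pay list.
ISSUED = [
    Check("1001", "Acme Supplies", Decimal("1250.00")),
    Check("1002", "City Utilities", Decimal("340.17")),
    Check("1003", "Office Depot", Decimal("89.99")),
]
# Constructed sample data: checks actually presented to the bank for payment.
PRESENTED = [
    Check("1001", "Acme Supplies", Decimal("1250.00")),   # clean match, pay it
    Check("1002", "City Utilities", Decimal("3400.17")),  # amount altered after issue
    Check("1004", "J. Doe", Decimal("500.00")),           # never issued by management
]

def positive_pay_exceptions(issued, presented):
    """Return (check, reason) for each presented check the bank should hold for investigation."""
    by_number = {c.number: c for c in issued}
    exceptions = []
    for p in presented:
        i = by_number.get(p.number)
        if i is None:
            exceptions.append((p, "check number not on issued list"))
        elif i.amount != p.amount:
            exceptions.append((p, f"amount differs: issued {i.amount}, presented {p.amount}"))
        elif i.payee != p.payee:
            exceptions.append((p, f"payee differs: issued {i.payee!r}, presented {p.payee!r}"))
    return exceptions

def reconcile(ledger, statement):
    """Bank reconciliation: compare the cash ledger to the bank statement by check number."""
    ledger_amt = {c.number: c.amount for c in ledger}
    bank_amt = {c.number: c.amount for c in statement}
    outstanding = sorted(n for n in ledger_amt if n not in bank_amt)   # issued, not yet cleared
    unrecorded = sorted(n for n in bank_amt if n not in ledger_amt)    # cleared, never recorded
    mismatched = sorted(n for n in ledger_amt if n in bank_amt and ledger_amt[n] != bank_amt[n])
    return {"outstanding": outstanding, "unrecorded": unrecorded, "mismatched": mismatched}

if __name__ == "__main__":
    for check, reason in positive_pay_exceptions(ISSUED, PRESENTED):
        print(f"HOLD check {check.number}: {reason}")
    print(reconcile(ISSUED, PRESENTED))
```

Every item in the exception and reconciliation lists is something the independent reconciler investigates; an empty reconciliation result is the only clean outcome.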

We think the best practices to control operating risks include: background checks; enforced adherence to policies and procedures; clear lines of supervision; no one individual totally controlling an entire process; enforcement of required vacations and authorization procedures; and rotation of assignments. While these are self-explanatory, we emphasize that enforcement and accountability are important to prevent a “leaky” process where money can disappear rapidly before anyone knows it is gone.

As we mentioned earlier, a key strategic risk involves MIS controls. These controls are important because MIS now plays a central role in all company functions. We will briefly address the unique risks along with the major risks MIS poses. We also address the controls to target and the basic controls that implement them.

MIS poses several unique risks. First, the speed of a computer system causes issues to develop rapidly. Second, skilled users can deliberately create problems. Third, skilled users can inadvertently create complex issues. In our view, the major risks posed by MIS include unauthorized use of data; unauthorized transactions; unauthorized access to computer files; modification, loss or destruction of data; and disruption of key processes.

To address these unique and major risks, the CFO must target several controls. One is to prevent unauthorized access. Another is to establish a system to back up data. Key considerations for this control include the cost and robust testing of the backup plan. The system must also incorporate a means of offsite backup.

We believe several basic controls address these concerns. Unauthorized access can be governed by controls such as approved passwords; strict guidelines on password sharing; changing passwords on a regular schedule; and disabling a password promptly upon an employee’s departure. Automatic logoff functions and strict controls on wireless or remote access are also useful. Data should be backed up at least once per day and copied to an offsite server promptly.


Capitol CFO Solutions serves clients in Washington, D.C., Maryland, and Virginia. Real financial fraud takes many forms. If you are interested, please contact us for some real-life examples and a free consultation.