Have You Reexamined Your Internal Controls Lately?
From The Asset July/August 2019
By Victoria Dailey, CPA
Since the Sarbanes-Oxley Act, there has been increased concern about internal controls and the prevention of fraud. Failures in internal control have created serious problems for organizations and their auditors. Internal controls should be the foundation of every organization. Strong internal controls help ensure reliable financial reporting, maintain compliance with laws and regulations, safeguard assets, deter fraud, waste, and abuse, and improve efficiency and effectiveness. When an organization has effective internal controls, the opportunity to commit fraud, and the chance that an error goes undetected, is greatly reduced. Given their importance, it is worth periodically reviewing the core principles. The strongest internal controls involve segregation of duties, documentation, approvals, reconciliations, safeguarding of assets, and information systems security.
Segregation of duties means that no one person should have complete control over all aspects of a financial transaction. The same person should not be able to authorize a transaction, record it in the general ledger, and have custody of the related asset; any one of these three duties in the hands of someone who already holds another is a conflict. The level of segregation that is practical varies with an organization's size and structure; where staff are too few to separate every duty, a compensating control such as direct management review of the affected transactions should fill the gap. Duties should be clearly defined, assigned, and documented. An organization can also benefit from periodically rotating duties and requiring employees to take vacation, since a scheme that depends on one person's continuous presence tends to surface when that person is away. Segregation of duties reduces errors and removes the opportunity for one person to both commit and conceal fraud.
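One way to test the segregation-of-duties principle mechanically, as an added example that is not part of the article: take an export of which users hold which system roles, map each role to the duty it grants (authorize, record, custody), and report any user who ends up holding two or more of the three. The role names, the role-to-duty mapping, and the sample membership list below are constructed for illustration; in practice they would come from the ERP or identity system's role catalogue and group membership export.

```python
"""Segregation-of-duties (SoD) conflict check over a role assignment export.

Added example, not from the article. Roles, the role-to-duty mapping and the
sample membership list are constructed for illustration.
"""
from collections import defaultdict

# The three incompatible duties over a financial transaction named in the text.
AUTHORIZE, RECORD, CUSTODY = "authorize", "record", "custody"

# Constructed mapping from system roles to the duty each role grants.
ROLE_DUTIES = {
    "ap_invoice_approver": {AUTHORIZE},
    "gl_poster": {RECORD},
    "ap_clerk": {RECORD},
    "treasury_payment_release": {CUSTODY},
    "cash_handler": {CUSTODY},
    "ap_admin": {AUTHORIZE, RECORD, CUSTODY},  # a "super user" role
}

# Any two of the three duties in one person's hands is a conflict. A set of
# frozensets keeps the check independent of ordering.
CONFLICT_PAIRS = {
    frozenset({AUTHORIZE, RECORD}),
    frozenset({AUTHORIZE, CUSTODY}),
    frozenset({RECORD, CUSTODY}),
}


def duties_for(user_roles):
    """Union of the duties granted by all of a user's roles; unknown roles grant nothing."""
    duties = set()
    for role in user_roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def sod_conflicts(assignments):
    """Return {user: sorted list of conflicting duty pairs} for every user with a conflict.

    assignments: iterable of (user, role) pairs, e.g. an export of group membership.
    A conflict is reported whether it comes from several roles or from a single
    role that bundles incompatible duties.
    """
    roles_by_user = defaultdict(set)
    for user, role in assignments:
        roles_by_user[user].add(role)

    report = {}
    for user, roles in roles_by_user.items():
        held = duties_for(roles)
        hits = [tuple(sorted(pair)) for pair in CONFLICT_PAIRS if pair <= held]
        if hits:
            report[user] = sorted(hits)
    return report


# Constructed sample: an exported (user, role) membership list.
SAMPLE_ASSIGNMENTS = [
    ("alice", "ap_invoice_approver"),
    ("bob", "gl_poster"),
    ("bob", "treasury_payment_release"),  # records and releases payments: conflict
    ("carol", "ap_admin"),                 # one role grants all three duties
    ("dave", "cash_handler"),
]

if __name__ == "__main__":
    for user, pairs in sorted(sod_conflicts(SAMPLE_ASSIGNMENTS).items()):
        print(f"{user}: conflicting duties {pairs}")
```

The three-duty model is deliberately coarse; real SoD rule sets in an ERP are defined at the level of individual transactions or permissions, but the shape of the check is the same: expand each user's effective permissions, then test them against a list of forbidden combinations. Running it against a fresh export each period, and whenever roles change, turns the principle into a repeatable control rather than a one-time design decision.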
Documentation is any type of support, whether paper or electronic, for a transaction. It provides a financial record of each event or activity and is what allows the accuracy and completeness of transactions to be verified. Proper documentation provides evidence of what has transpired as well as the information needed to research any discrepancy. Consistent forms and templates should be used for efficiency, and retention policies should be in place for all types of documentation.
Approvals require designated personnel to authorize transactions. This adds a layer of protection to the accounting records by providing evidence that a transaction was reviewed and approved by someone other than the person who initiated it. Approvals should be documented and timely, and the individual approving a transaction should have enough knowledge of it to evaluate what is being approved.
Account reconciliation is the process of comparing the transactions recorded in an organization's accounting system against independent information that supports the account's ending balance. For example, the accounts receivable balance should agree to the accounts receivable aging. Bank reconciliations should be completed monthly by reconciling the general ledger cash account to the bank statement: the difference between the two should be fully explained by identified reconciling items such as deposits in transit, outstanding checks, and bank fees or interest not yet booked, and anything left unexplained should be investigated rather than written off. Reconciliations ensure the accuracy and validity of financial information and are most effective when they are consistent, thorough, and reviewed by someone other than the preparer.
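The monthly bank reconciliation described above, as an added example that is not part of the article: match each ledger entry to a bank statement line on reference and amount, classify what is left over as deposits in transit, outstanding checks, or unbooked bank items, and check that the adjusted bank balance equals the adjusted book balance. It also reports the one case a totals-only reconciliation misses, namely the same reference appearing unmatched on both sides with different amounts, which is what an altered check looks like. The reference format, the matching rule, and all balances and transactions below are constructed for illustration.

```python
"""Bank reconciliation: match the general-ledger cash account against the bank
statement and explain every difference.

Added example, not from the article. The matching key (reference plus amount)
and all sample data are constructed for illustration.
"""
from collections import Counter
from decimal import Decimal as D


def reconcile(gl_entries, bank_lines, gl_balance, bank_balance):
    """Match GL entries to bank lines and return a reconciliation report.

    gl_entries, bank_lines: lists of (ref, amount); receipts positive,
    disbursements negative, amounts as Decimal. Equal (ref, amount) pairs are
    matched one-for-one; whatever is left over is a reconciling item.
    """
    gl, bank = Counter(gl_entries), Counter(bank_lines)
    matched = gl & bank          # multiset intersection
    gl_only = gl - bank          # booked in the ledger, not yet cleared
    bank_only = bank - gl        # cleared at the bank, not yet booked

    def expand(counter):         # Counter -> flat list honouring multiplicity
        return [item for item, n in counter.items() for _ in range(n)]

    deposits_in_transit = sorted(i for i in expand(gl_only) if i[1] > 0)
    outstanding_checks = sorted(i for i in expand(gl_only) if i[1] < 0)
    unbooked = sorted(expand(bank_only))

    # Same reference unmatched on both sides with different amounts: the
    # signature of an altered check or a mis-keyed entry. The adjusted
    # balances below can still agree, so this is reported separately.
    gl_by_ref = {r: a for r, a in gl_only}
    bank_by_ref = {r: a for r, a in bank_only}
    mismatches = sorted((r, gl_by_ref[r], bank_by_ref[r])
                        for r in gl_by_ref.keys() & bank_by_ref.keys())

    adjusted_bank = (bank_balance
                     + sum(a for _, a in deposits_in_transit)
                     + sum(a for _, a in outstanding_checks))  # negative amounts
    adjusted_book = gl_balance + sum(a for _, a in unbooked)    # fees, interest
    return {
        "matched": sum(matched.values()),
        "deposits_in_transit": deposits_in_transit,
        "outstanding_checks": outstanding_checks,
        "unbooked_bank_items": unbooked,
        "amount_mismatches": mismatches,
        "adjusted_bank_balance": adjusted_bank,
        "adjusted_book_balance": adjusted_book,
        "unexplained_difference": adjusted_book - adjusted_bank,
    }


# Constructed sample month: both sides open at 10,000.00.
OPENING = D("10000.00")
SAMPLE_GL = [("DEP-1001", D("5000.00")), ("CHK-2041", D("-1200.00")),
             ("CHK-2042", D("-350.00")), ("DEP-1002", D("800.00")),
             ("CHK-2043", D("-275.00"))]
SAMPLE_BANK = [("DEP-1001", D("5000.00")), ("CHK-2041", D("-1200.00")),
               ("CHK-2042", D("-350.00")), ("FEE", D("-25.00")),
               ("INT", D("4.10"))]
GL_BALANCE = OPENING + sum(a for _, a in SAMPLE_GL)       # 13975.00
BANK_BALANCE = OPENING + sum(a for _, a in SAMPLE_BANK)   # 13429.10

# Constructed second scenario: the bank cleared CHK-2042 for 530.00 although
# the ledger booked 350.00 (an altered check). The totals still reconcile;
# only the amount-mismatch list exposes it.
TAMPERED_BANK = [(r, D("-530.00") if r == "CHK-2042" else a) for r, a in SAMPLE_BANK]
TAMPERED_BANK_BALANCE = OPENING + sum(a for _, a in TAMPERED_BANK)  # 13249.10

if __name__ == "__main__":
    for label, lines, bal in (("clean", SAMPLE_BANK, BANK_BALANCE),
                              ("tampered", TAMPERED_BANK, TAMPERED_BANK_BALANCE)):
        report = reconcile(SAMPLE_GL, lines, GL_BALANCE, bal)
        print(f"--- {label} ---")
        for key, value in report.items():
            print(f"{key}: {value}")
```

Two design points carry over to a real reconciliation. Amounts are `Decimal`, never floats, so that a zero difference is genuinely zero. And the adjusted balances agreeing is necessary but not sufficient: in the tampered scenario every item is "explained" and the difference is 0.00, yet CHK-2042 shows up on both the outstanding-check and unbooked lists with different amounts, which is why the report lists mismatched references separately for the reviewer to investigate.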
Safeguarding of assets prevents unauthorized access to, loss of, or damage to an organization's assets and records. Only authorized individuals should have access to assets and records. Physical locks, safes, and passwords should be used where appropriate. A process should exist so that departing employees lose access to assets and records promptly, covering keys, badges, system accounts, and any shared credentials they knew. Valuable assets should be insured so that they can be repaired or replaced if needed. Inventory should be properly and routinely tracked to reduce costs, forecast demand, and prevent shortages and spoilage. A surprise count of inventory provides an additional control to confirm that amounts on hand agree to the amounts recorded in the accounting system.
Information systems security means protecting information and systems from unauthorized access, use, modification, or disruption. It is the process of identifying and assessing risk, reducing it to an acceptable level within practical limits, and implementing the right mechanisms to keep it there. Risks include physical damage, equipment malfunction, attacks from inside and outside the organization, misuse of data, loss of data, and application error. An organization should adopt a risk management policy that addresses all aspects of information security, sets out how the risk management team or individual reports company risks to management, and outlines how management's decisions on risk mitigation are carried out. An information systems security policy should state what is being secured, who is expected to comply with the policy, and how enforcement will be carried out. The policy should be documented, and every employee should be made aware of it. Strong passwords, routine backups that are periodically tested by restoring from them, access control mechanisms within the operating system, and antivirus software are examples of safeguards an organization can use.
Strong internal controls increase the likelihood of achieving and maintaining business health. They should be evaluated routinely as the organization adapts and grows, so that it continues to operate as effectively and efficiently as possible.