The Five Pillars of Internal Controls

Fraud never seems to go out of style — and much of it comes from within. It is common for fraudulent activity to be committed by insiders. Many fraudsters act either alone or in cooperation with peers rather than with outside parties.

For any type of company, the most effective overall way to combat fraud is to build a strong framework of internal controls. When doing so, you’ll heighten your odds of success by reinforcing the following five pillars.

1. Ethics and responsibilities

They say responsibility begins at the top — and they’re right. For any internal control system to be effective, its first pillar must be the establishment of a strong ethical position by management and a clear delineation of responsibilities thereafter.

Many businesses have taken to formally drafting an ethics policy. This document can help management clearly express its approach to doing business and apply those philosophies to its internal controls. When employees know such a policy exists, and management is following it, they’ll also know that any attempt to commit fraud will be much riskier.

Equally important to a strong ethical position is a clear delineation of internal control responsibilities. Again, formally documenting this can be helpful.

2. Segregation of duties

You’ve probably heard it before, but spreading out risk-intensive tasks among several employees remains fundamental. To the extent possible, segregate the handling of key assets into three categories: Authorization, Custody and Record keeping.

Take a very simple example: your petty cash drawer. Ideally, one employee should be in charge of authorizing its use; another should keep it safe and make disbursements; and a third should maintain records regarding its usage.

Handling all major assets in this manner creates a system of checks and balances that will make it harder for any one dishonest employee to misuse the item. Smaller businesses may have a harder time spreading duties among a more diminutive staff. But it’s here that owners must step up and keep an active hand in oversight.

3. Expansive controls

The days of an office safe and a locked desk are long gone. Today, every business needs to implement expansive controls throughout its facilities. You can organize these into categories such as:

Physical. These would include locked doors, safes, vaults and even specially designed rooms or structures to hold valuable assets.

Mechanical. This category generally comprises video monitoring systems, time clocks for tracking the work of hourly employees, and alarm systems for regulating entry access to buildings and rooms.

Information technology. Companies now need comprehensive IT security policies to prevent fraudsters from stealing or vandalizing critical information (or just money and products). Specific controls here include passwords, server and software authentication, and source code/document version control procedures.

4. Sound, detailed records

Complete documentation is important for knowing not only what you have, but also what you don’t have. For starters, you need to scrupulously maintain your financial statements and regularly review them for, among other things, suspicious budget-to-actual variances.

But airtight financial statements alone don’t a fraud-free company make. There are other forms of documentation that can help you detect and prevent fraud. For example, create invoices that are distinctive to your company and sufficiently informative. Doing so will make them more difficult to fabricate.

Also, whenever possible, use prenumbered, consecutive documents. That way, if one falls out of order, you have a quick indicator of something gone awry. In addition, prepare paperwork in a timely fashion. When documentation falls behind, it can be easier for a fraudster to step in and take advantage.

5. Internal and external audits

As you probably know, large companies have internal auditors on staff to regularly evaluate the effectiveness of internal controls. Small to midsize companies can’t always afford to keep such staff members on the payroll. But you still need an internal auditing process to periodically review and reconcile internal control data and procedures.

The audit process should be planned well in advance. Many companies perform internal auditing in stages over the course of a calendar year or even over multiple years. For many aspects of an audit, the element of surprise can be helpful. When employees don’t know when the process is scheduled to begin, they can’t preemptively fix mistakes or, in worst cases, cover their tracks after committing fraud.

External audits are also highly advisable. Your CPA can perform an audit to determine whether your financial reporting follows the standards prescribed under Generally Accepted Accounting Principles (GAAP). Although this process doesn’t specifically focus on fraud detection, it can reveal critical details about the soundness of your financial reporting. (There are also two less comprehensive alternatives to consider: a compilation or a review. They’re also not designed to detect fraud.)

For fraud-specific services, consider a forensic accountant. He or she can either conduct an actual investigation, if you believe fraud has occurred, or simply review your internal controls and provide insights into their effectiveness.

Assess and fine-tune

A system of internal controls built on these five pillars stands an excellent chance of being solid as a rock. Of course, there are other details to consider, and your company’s specific control needs may vary depending on its size, industry and location. Contact Holbrook & Manter today for more information on this topic.