From mom and pop shops to global corporations, in my thirty-plus years of working with entrepreneurs, I can’t think of anyone willing to throw away 5% of their annual revenue. Yet, by ignoring the potential for fraud within an organization and failing to establish internal controls to detect and prevent theft, that’s precisely the sacrifice many business owners are unknowingly committing. According to the 2014 Global Fraud Study by the Association of Certified Fraud Examiners, the typical organization loses 5% of revenues each year to fraud. The kicker is that this 5% has an even greater impact when you consider that the best-in-class businesses, otherwise known as your competitors, are successfully lowering their costs by proactively combatting fraud.
Whether you have two, ten or 100 employees, internal controls are a necessity for any business wishing to limit
- Control Activities
- Risk Assessment
- Information Systems and Communication
- Monitoring
- Environmental Control
Control Activities
Control Activities are actions a company takes to minimize risk. Some are preventative measures, while others are used to monitor and identify undesirable events; thus providing
Common forms of business fraud, including the creation of bogus vendors, erroneous deposits, and fake checks, occur when duties aren’t separated and delegated to selected individuals. This is especially true for the accounts receivable position – when a single employee has control over billing, collections, and balancing the books. The person who cuts your check should never, ever be the same person who signs them and records the transaction in the ledger. Creating a chain of command for processes by separating duties among employees reduces risk and ensures that multiple eyes are keeping tabs on your books and your account.
Reconciliation of accounts is one control activity that serves to reduce risk, identify fraud, assist in the case of an audit, as well as protect your company if one of your vendors is ever audited. Many small businesses lack an internal
Another critical control activity is limiting the user permissions and number of authorized users for specific financial processes. For instance, only certain members of your staff should be authorized to manage the general ledger, which can be accomplished easily enough by setting users in
Risk Assessments
After reviewing and implementing control activities, businesses need to run a risk assessment on their organization. Knowing what specific internal or external factors pose a risk to your company allows management to establish preventative strategies while also defining objectives to help keep the business on track.
Internal risk factors are usually events related to
A proper risk assessment will not only shed light on your business’s potential vulnerabilities, but it will also serve as a baseline for management to create systems and processes to mitigate and overcome such risks.
Information and Communication Systems
Without a clear understanding of what constitutes fraud, and what is expected of both management and staff, it’s not surprising how many faulty transactions and other unsavory business activities go on unreported. Setting the right ethical tone from the top down and adopting a simple “see something, say something” attitude goes a long way towards not only preventing fraud, but also detecting it much sooner when it does occur.
To be successful, internal information including business objectives, contingency plans, and policies and procedures need to be clearly communicated across the organization. Having systems in place for disseminating information as well as encouraging communication amongst employees as well as between employees and upper management helps to keep everyone on track.
Once you have implemented your control activities, run risk assessments, and optimized your information and communication systems – you need to make sure that your internal control system is running as it was intended to run. The last two components of a complete system of internal controls involve monitoring and reviewing environmental controls.
Monitoring
Many times, a review of internal controls is often overlooked, and unfortunately only occurs in reaction to an instance of fraud. While monitoring is an important task that needs to be done with consistency, utilizing tools for review and establishing protocols for the review process can help to simplify it.
There are numerous tools that a business can leverage to help identify fraud. For instance, the QuickBooks Audit Trail Report can be filtered to identify discrepancies, and some banks and credit card companies offer fraud monitoring to their business customers.
Additional monitoring activities to consider are a periodical review of which employees have access to which systems; mandatory vacations with job duty rotations, requirements for frequency of password changes; and protocols for protecting proprietary information when an employee leaves the company – whether on good terms or not.
Environmental Control
Whether it is through internal documentation, digital information, staff
From
Whether you have two, ten or 100 employees, it has nothing to do with need, greed or trust; fraud is all about opportunity. Since your finances are the foundation of your business, it’s a matter of good business practice to make sure you’re staying on top of protecting your bottom line.