Too often internal controls are put in place by an organization because its auditors advised that it was necessary to deter fraud and other reasons. Segregation of duties among personnel is one of the biggest issues that companies have to tackle. My opinion is that cash disbursements and cash receipts are the two biggest reasons segregation of duties is needed. There are other area that need best practices for internal controls, such as fixed assets and inventory tracking, payroll review and approval (especially as related to overtime), ensuring that reconciliations are done accurately and timely, and many others. I would like to know about your company’s internal controls and how to effectively implement them. What are your best practices? Emphasis being on YOUR best practices, not what a search engine comes up with from a myriad of examples.
What list of internal controls does your company consider to be its best practices?
Answers
Internal controls, particularly segregation of duties, are extremely difficult to institute in small organizations. That doesn't mean they shouldn't be in place but, there is a limit as to what one can do due to organizational size.
In my experience, auditors often recommend large organization internal controls in their verbal discussions of MOIC items with staff because they just don't understand why such controls are impractical, if not impossible, at a small firm.
That doesn't mean one should not have them. Just that they must be appropriate to the firm's size and ability. And, they shouldn't hinder business activity.
Also, as you state Chris, most non-finance people from board members to cashiers, see internal controls as fraud deterents and that audits are about fraud detection rather than certified financial statements. IMHO, this is sad and reflects poorly on financial officers such as us for not communicating with outsiders better than we do.
In my many years of experience, out and out fraud has been relatively uncommon. But, employee theft of company assets or inventory, sloppy cash handling and resulting slippage along with abuse of overtime have been much more prevalent. In fact, in small companies, it's often the part-owner/operators and their cronies who engage in this in my experience.
Where I am now, we've minimize our administrative cash handling because we can and that relieves a great deal of the control burden. In the field, we use vaults, drops, security cameras, automatic counters and armored cars which keeps employee theft down to zilch. I only wish I could say the same for our customers who steal from us regularly while our exec and board refuse to address it head on because we are political here.
Cycle counts on inventory and restrictions on vendor access to our parts room has eliminated a lot of issues there.
Employees sign for any FA easily converted to personal use that they have control over and we've had no problems there either.
The biggest problems I've had in instituting internal controls was the resistance I got from other chiefs and the CEO. This was a small, public agency (less than $10M) which grew (more than $20M operating and $20M capital now). But, not everyone grew with it and the very suggestion of internal controls such as a Purchase Order policy or a T&E policy is met with resistance and derision. If I harp on it long enough, even exaggerate
I've decided I don't care as long as we get something in place. Although, most of the ones he's written are fraught with peril and tend to favor his slanted take on what is and isn't allowed and who has the authority to authorize things. Seperation of duties is not something he understands.
1
There's a ton of wisdom in what you are saying. The part about auditors suggesting large organization internal controls to smaller organizations need to be addressed by the auditors. You are absolutely correct, within small organizations their guidelines are too restrictive. A best practice that auditors could utilize to combat this is by using a few metrics based on revenue, employee count, geographics of the company to determine how to best implement internal controls for that organizational size.
That is sad that customers are stealing from the company, but encouraging that employees aren't. Hopefully the employees aren't funneling information to them, or making it easier for them in some way to steal. Many organizations have to worry about employees, especially in retail, stealing.
You mention the issues with the chief, that reminds me of a publication I get, Tone at the Top. Many chiefs at organizations are too entitled in their minds to embrace internal controls. I think the reason is because internal controls limit their power to do things. We are all under some type of authority, even the CEO is under the authority of the Board, unless that CEO is the Board or controls the people on the Board.
Thank you so much for sharing.