The use of internal controls differs significantly across organizations of different sizes. In the case of small businesses, implementation of internal controls can be a challenge, due to cost constraints, or because a small staff may mean that one manager or owner will have full control over the organization and its operations. An owner in charge of all functions has enough knowledge to keep a close eye on all aspects of the organization and can track all assets appropriately. In smaller organizations in which responsibilities are delegated, procedures need to be developed in order to ensure that assets are tracked and used properly.
When an owner cannot have full oversight and control over an organization, internal control systems need to be developed. When an appropriate internal control system is in place, it is interlinked to all aspects of the entity’s operations. An appropriate internal control system links the accounting, finance, operations, human resources, marketing, and sales departments within an organization. It is important that the management team, as well as employees, recognize the importance of internal controls and their role in preventing losses, monitoring performance, and planning for the future.
Elements of Internal Control
A strong internal control system is based on the same consistent elements:
- establishment of clear responsibilities
- proper documentation
- adequate insurance
- separation of assets from custody
- separation of duties
- use of technology
Establishment of Clear Responsibilities
A properly designed system of internal control clearly dictates responsibility for certain roles within an organization. When there is a clear statement of responsibility, issues that are uncovered can be easily traced and responsibility placed where it belongs.
As an example, imagine that you are the manager of the Galaxy’s Best Yogurt. On any shift, you have three employees working in the store. One employee is designated as the shift supervisor who oversees the operations of the other two employees on the shift and ensures that the store is presented and functioning properly. Of the other two employees, one may be solely responsible for management of the cash register, while the others serve the customers. When only one employee has access to an individual cash register, if there is an overage or shortage of cash, it can be traced to the one employee who is in charge of the cash register.
An effective internal control system maintains proper documentation, including backups, to trace all transactions. The documentation can be paper copies, or documents that are computer generated and stored, on flash drives or in the cloud, for example. Given the possibility of some type of natural (tornado or flood) or man-made (arson) disasters, even the most basic of businesses should create backup copies of documentation that are stored off-site.
In addition, any documentation generated by daily operations should be managed according to internal controls. For example, when the Galaxy’s Best Yogurt closes each day, one employee should close out and reconcile the cash drawer using prenumbered forms in pen to ensure that no forms can be altered or changed by another employee who may have access to the cash. In case of an error, the employee responsible for making the change should initial any changes on the form. If there are special orders for cakes or other products, the order forms should be prenumbered. The use of prenumbered documents provides assurance that all sales are recorded. If a form is not prenumbered, an order can be prepared, and the employee can then take the money without ringing the order into the cash register, leaving no record of the sale.
Insurance may be a significant cost to an organization (especially liability coverage), but it is necessary. With adequate insurance on an asset, if it is lost or destroyed, an outside party will recoup the company for the loss. If assets are lost to fraud or theft, an insurance company will investigate the loss and will press criminal charges against any employee found to be involved. Very often, the employer will be hesitant to pursue criminal charges against an employee due to the risk of lawsuit or bad publicity. For example, an employee might assume that the termination was age related and is going to sue the company. Also, there might be a situation where the company experienced a loss, such as theft, and it does not want to let the general public know that there are potential deficiencies in its security system.
If the insurance company presses charges on behalf of the company, this protects the organization and also acts as a deterrent if employees know that the insurance company will always prosecute theft. For example, suppose the manager of the Galaxy’s Best Yogurt stole $10,000 cash over a period of two years. The owner of the yogurt store will most likely file an insurance claim to recover the $10,000 that was stolen. With proper insurance, the insurance company will reimburse the yogurt store for the money but then has the right to press charges and recover its losses from the employee who was caught stealing. The store owner will have no control over the insurance company’s efforts to recover the $10,000 and will likely be forced to fire the employee in order to keep the insurance policy.
Separation of Assets from Custody
Separation of assets from custody ensures that the person who controls an asset cannot also keep the accounting records. This action prevents one employee from taking income from the business and entering a transaction on the accounting records to cover it up. For example, one person within an organization may open an envelope that contains a check, but a different person would enter the check into the organization’s accounting system. In the case of the Galaxy’s Best Yogurt, one employee may count the money in the cash register drawer at the end of the night and reconcile it with the sales, but a different employee would recount the money, prepare the bank deposit, and ensure that the deposit is made at the bank.
Separation of Duties
A properly designed internal control system assures that at least two (if not more) people are involved with most transactions. The purpose of separating duties is to ensure that there is a check and balance in place. One common internal control is to have one employee place an inventory order and a different employee receive the order as it is delivered. For example, assume that an employee at the Galaxy’s Best Yogurt places an inventory order. In addition to the needed inventory, the employee orders an extra box of piecrusts. If that employee also receives the order, he or she can take the piecrusts home, and the store will still pay for them. Check signing is another important aspect of separation of duties. Typically, the person who writes a check should not also sign the check. Additionally, the person who places supply orders should not write checks to pay the bills for these supplies.
Use of Technology
Technology has made the process of internal control simpler and more approachable to all businesses. There are two reasons that the use of technology has become more prevalent. The first is the development of more user-friendly equipment, and the second is the reduction in costs of security resources. In the past, if a company wanted a security system, it often had to go to an outside security firm, and the costs of providing and monitoring the system were prohibitive for many small businesses. Currently, security systems have become relatively inexpensive, and not only do many small businesses now have them, they are now commonly used by residential homeowners.
In terms of the application of security resources, some businesses use surveillance cameras focused on key areas of the organization, such as the cash register and areas where a majority of work is performed. Technology also allows businesses to use password protection on their data or systems so that employees cannot access systems and change data without authorization. Businesses may also track all employee activities within an information technology system.
Even if a business uses all of the elements of a strong internal control system, the system is only as good as the oversight. As responsibilities, staffing, and even technology change, internal control systems need to be constantly reviewed and refined. Internal control reviews are typically not conducted by inside management but by internal auditors who provide an impartial perspective of where controls are working and where they can be improved.
Purposes of Internal Controls within a Governmental Entity
Internal controls apply not only to public and private corporations but also to governmental entities. Often, a government controls one of the most important assets of modern times: data. Unprotected financial information, including tax data, social security, and governmental identifications, could lead to identity theft and could even provide rogue nations access to data that could compromise the security of our country. Governmental entities require their contractors to have proper internal controls and to maintain proper codes of ethics.
Ethics in Governmental Contractors
Government entities are not the only organizations required to implement proper internal controls and codes of ethics. As part of the business relationship between different organizations, governmental agencies also require contractors and their subcontractors to implement internal controls to ensure compliance with proper ethical conduct. The Federal Acquisition Regulation (FAR) Council outlines regulations under FAR 3.10,7 which require governmental contractors and their subcontractors to implement a written “Contractor Code of Business Ethics and Conduct,” and the proper internal controls to ensure that the code of ethics is followed. An employee training program, posting of agency inspector general hotline posters, and an internal control system to promote compliance with the established ethics code are also required. Contractors must disclose violations of federal criminal law involving fraud, conflicts of interest, bribery, or gratuity violations; violations of the civil False Claims Act; and significant overpayments on a contract not resulting from contract financing payments.8 Such internal controls help ensure that an organization and its business relationships are properly managed.
To recognize the significant need for internal controls within the government, and to ensure and enforce compliance, the US Government Accountability Office (GAO) has its own standards for internal control within the federal government. All government agencies are subject to governance under these standards, and one of the objectives of the GAO is to provide audits on agencies to ensure that proper controls are in place and within compliance. Standards for internal control within the federal government are located within a publication referred to as the “Green Book,” or Standards for Internal Control in the Federal Government.
Government organizations have their own needs for internal controls. Read the GAO “Green Book” to learn more about these internal control procedures.
Purposes of Internal Controls within a Not-for-Profit
Not-for-profit (NFP) organizations have the same needs for internal control as many traditional for-profit entities. At the same time, there are unique challenges that these entities face. Based on the objectives and charters of NFP organizations, in many cases, those who run the organizations are volunteers. As volunteers, leaders of NFPs may not have the same training background and qualifications as those in a similar for-profit position. Additionally, a volunteer leader often splits time between the organization and a full-time career. For these reasons, internal controls in an NFP often are not properly implemented, and there may be a greater risk of control lapse. A control lapse occurs when there is a deviation from standard control protocol that leads to a failure in the internal control and/or fraud prevention processes or systems. A failure occurs in a situation when results did not achieve predetermined goals or meet expectations.
Not-for-profit organizations have an extra category of finances that need protection, in addition to their assets. They need to ensure that incoming donations are used as intended. For example, many colleges and universities are classified as NFP organizations, and donations are a significant source of revenue. However, donations are often directed to a specific source. For example, suppose an alumnus of Alpha University wants to make a $1,000,000 donation to the business school for undergraduate student scholarships. Internal controls would track that donation to ensure it paid for scholarships for undergraduate students in the business school and was not used for any other purpose at the school, in order to avoid potential legal issues.
Identify and Apply Principles of Internal Controls to the Receipt and Disbursement of Cash
Cash can be a major part of many business operations. Imagine a Las Vegas casino, or a large grocery store, such as Publix Super Markets, Wegmans Food Markets, or ShopRite; in any of these settings, millions of dollars in cash can change hands within a matter of minutes, and it can pass through the hands of thousands of employees. Internal controls ensure that all of this cash reaches the bank account of the business entity. The first control is monitoring. Not only are cameras strategically placed throughout the store to prevent shoplifting and crime by customers, but cameras are also located over all areas where cash changes hands, such as over every cash register, or in a casino over every gaming table. These cameras are constantly monitored, often offsite at a central location by personnel who have no relationship with the employees who handle the cash, and all footage is recorded. This close monitoring makes it more difficult for misuse of cash to occur.
Additionally, access to cash is tightly controlled. Within a grocery store, each employee has his or her own cash drawer with a set amount of cash. At any time, any employee can reconcile the sales recorded within the system to the cash balance that should be in the drawer. If access to the drawer is restricted to one employee, that employee is responsible when cash is missing. If one specific employee is consistently short on cash, the company can investigate and monitor the employee closely to determine if the shortages are due to theft or if they are accidental, such as if they resulted from errors in counting change. Within a casino, each time a transaction occurs and when there is a shift change for the dealers, cash is counted in real time. Casino employees dispersed on the gaming floor are constantly monitoring play, in addition to those monitoring cameras behind the scenes.
Technology plays a major role in the maintenance of internal controls, but other principles are also important. If an employee makes a mistake involving cash, such as making an error in a transaction on a cash register, the employee who made the mistake typically cannot correct the mistake. In most cases, a manager must review the mistake and clear it before any adjustments are made. These changes are logged to ensure that managers are not clearing mistakes for specific employees in a pattern that could signify collusion, which is considered to be a private cooperation or agreement primarily for a deceitful, illegal, or immoral cause or purpose. Duties are also separated to count cash on hand and ensure records are accurate. Often, at the end of the shift, a manager or employee other than the person responsible for the cash is responsible for counting cash on hand within the cash drawer. For example, at a grocery store, it is common for an employee who has been checking out customers for a shift to then count the money in the register and prepare a document providing the counts for the shift. This employee then submits the counted tray to a supervisor, such as a head cashier, who then repeats the counting and documentation process. The two counts should be equal. If there is a discrepancy, it should immediately be investigated. If the store accepts checks and credit/debit card payments, these methods of payments are also incorporated into the verification process.
In many cases, the sales have also been documented either by a paper tape or by a computerized system. The ultimate goal is to determine if the cash, checks, and credit/debit card transactions equal the amount of sales for the shift. For example, if the shift’s register had sales of $800, then the documentation of counted cash and checks, plus the credit/debit card documentation should also add up to $800.
Despite increased use of credit cards by consumers, our economy is still driven by cash. As cash plays a very important role in society, efforts must be taken to control it and ensure that it makes it to the proper areas within an organization. The cost of developing, maintaining, and monitoring internal controls is significant but important. Considering the millions of dollars of cash that can pass through the hands of employees on any given day, the high cost can be well worth it to protect the flow of cash within an organization.
Internal controls are as important for not-for-profit businesses as they are within the for-profit sector. See this guide for not-for-profit businesses to set up and maintain proper internal control systems provided by the National Council of Nonprofits.
Hiring Approved Vendors
One internal control that companies often have is an official “approved vendor” list for purchases. Why is it important to have an approved vendor list?
- 7 Federal Acquisition Regulation. “Subpart 3.10: Contractor Code of Business Ethics and Conduct.” January 22, 2019. https://www.acquisition.gov/content/...cs-and-conduct
- 8 National Contract Management Association. https://www.ncmahq.org/