Broadly defined, internal controls are the processes designed to safeguard assets, detect errors and fraud, and ensure accuracy of financial reporting. A lock on a door is one form of internal control; a bank reconciliation is another. It’s how we check on things or keep bad things from happening.
Internal controls are a weak spot for most nonprofits and small businesses. There are multiple underlying reasons, including ignorance, naivety, and turf wars.
Let’s discuss each of these, beginning with ignorance. Rules of internal control are not innate. They have to be learned. External auditors have a responsibility to examine controls, point out deficiencies, and recommend improvements. However, in practice, deficiencies are often overlooked, and when they’re noted, management often opts to ignore them.
This is the perfect segue to the most dangerous reason for internal control weaknesses -- naivety. Woe unto the organization that doesn’t prioritize internal controls because it “trusts” its staff members. There was a time when I collected newspaper articles about “trusted” bookkeepers and pastors who were “like family” until management learned about their long-standing embezzlement schemes. At some point, my collection seemed both futile and a fire hazard.
Study after study has confirmed that “honest” people will do dishonest things if it’s made too easy for them. It’s not cynical to believe in the psychology of human nature. In fact, it’s naive not to. Trust is not an internal control.
“Turf wars” are what happens when one person or department tries to maintain control of a process they shouldn’t control. One of the most basic principles of internal control is that duties should be segregated; for example, the custody of an asset should be separate from the recordkeeping of that asset. Even when auditors point out the need for segregation, managers have a tendency to resist and rationalize not doing so. After all, it’s easier to just let everyone do what they’ve always done.
One of the most important processes in most organizations is handling incoming receipts. A best practice might consist of having a receptionist open the mail, endorsing the checks “For Deposit Only” and listing them on an Incoming Checks Log. The receptionist passes on the checks to an administrative assistant who makes the deposits -- the same day -- using a “remote deposit capture” device. Finally, the Incoming Checks Log and the deposit record are passed on to a bookkeeper who confirms the matching records and enters the transactions in the accounting system.
In smaller organizations, it can be challenging to segregate duties because of the practical issue of having so few employees. Fortunately, there are ways to meet this challenge without succumbing to having no controls.
Do you agree with the importance of internal controls, or do you see them as an academic exercise?
Are your internal controls up to snuff? How will you fix them? Please share your thoughts.
Dan Weiss, founder and President of Counterpart CFO, leads a team of flexible, part-time CFO’s serving nonprofits and businesses. To read more from Dan, follow him on LinkedIn or subscribe to his blog at www.counterpartCFO.com.