For small businesses, internal control is both necessary and difficult to implement.  According to the Association of Certified Fraud Examiners, U.S. companies lose an estimated 7% of their annual revenue due to fraud.  Their most recent study found that the median loss for small businesses (those with fewer than 100 employees) was $200,000/year.  Think about the impact that either a 7% or a $200,000 loss would have on your company.  I believe that you will come to the conclusion that implementing an Internal Control System will be well worth the time and resources.

What is an Internal Control System?

Companies that have made internal control a priority will develop an Internal Control System specific to their organization. Such a system will be designed to ensure reliable financial reporting, effective and efficient operations, and compliance with applicable laws and regulations. Protecting assets against theft and unauthorized use, acquisition, or disposal is an essential element of internal control. 

The five interrelated components of an Internal Control System are:

  1. Control environment: The workplace atmosphere; the extent to which internal control is given lip-service or taken to heart. 
  1. Risk assessment: Determining what could impede the organization’s achievement of its goals and objectives and how to manage these impediments. 
  1. Control activities:  The nuts and bolts of internal control.  The actions and steps taken to reduce risk.
  1. Information and communication: Reporting timely and relevant information widely across an organization.  Good information is vital to internal control. Good communication includes conveying expectations to employees.  
  1. Monitoring:  Taking the time to evaluate the effectiveness of internal control regularly.  Reflecting on what has worked and what needs improvement. Making the appropriate changes, as needed. 

What kind of control activities should be in place?

Control activities are the specific policies and procedures management uses to achieve objectives. The most important control activities involve:

  • Segregation of duties: This is the “checks and balances” of internal control.  Different employees are responsible for the different parts of related activities.  They check each other’s work and keep each other honest.
  • Proper authorization of transactions and activities:  Makes sure that employees follow company rules for all company activities. Following the rules minimizes the ability for employees to be creative in absconding with company resources.  Any deviations from the rules must be authorized by the appropriate manager. 
  •  Adequate documents and records: These include purchase orders, invoices, and other documents that create a paper-trail for organizational activities. These documents provide evidence that financial statements accurately reflect company performance. 
  • Physical control over assets and records:  These are the tangible safeguards of company assets such as safes, locks, fences, fireproof file cabinets, etc… In addition to the tangible protections, electronic protections such as computer backup and recovery procedures are necessary in modern businesses.
  • Independent checks on performance:  This can be as formal as internal auditors or as informal as a supervisor spot-checking a subordinates “numbers.”  This ensures that the information used for accounting and operational purposes is accurate and reliable.

This has been a brief overview of what is required to have an effective and reliable Internal Control System. In instances where the accounting department is a department of one, or where management is both employee and supervisor, many of these steps can be challenging.  However, while the 7% annual revenue of a small company or $200,000 median loss due to fraud may be a drop in the pond to large companies, these amounts can be the difference between staying in business or closing up shop for a small company.  The effort and expenditure just may pay for itself!