The Bonadio Group | CPAs, Consultants & More

Internal Controls Not Just for Public Companies

Don Eichenauer

Originally Published In:
BUSINESS STRATEGIES MAGAZINE
February 2007
Author: Donald T. Eichenauer, CPA

Sarbanes-Oxley legislation has led to an outcry from public companies regarding the time and expense for complying with the Act’s internal control requirements.

Regrettably, this may have led private and non-for profit entities to conclude that addressing their internal controls would be time consuming and cost prohibitive.

A system of internal controls includes policies, procedures and information systems developed to protect an organization’s assets, create reliable financial reporting, promote compliance with laws and regulations, and achieve effective and efficient operations. In developing a system of internal controls, the objective is to remove or reduce opportunities to commit fraud.

The details of complying with the Sarbanes-Oxley Act has caused great difficulties. Documentation requirements, the need for external auditors to attest their agreement with the conclusions of management, the fact that there was no definition of “materiality”, and little guidance for compliance led to wide variations in interpretation of what was required to achieve compliance.

We are familiar with the stories of major corporate fraud, but it is just as prevalent at smaller organizations. While the dollar magnitude may be smaller and less publicized, small business fraud is just as devastating to the organization, its employees and stockholders. An internal control strategy begins with hiring the right people. Consider background checks, especially of those who will be handling cash, inventory or accounting record. Being diligent in the hiring process reduces the chance that you’ve hired a future problem.

The centerpiece of an internal controls strategy is a risk assessment of your business and the environment in which you operate. High risk areas for many companies include:

Cash –
Cash is one of the most common assets stolen in small businesses. Consider whether you have controls to assure that individuals responsible for dispensing cash as a check signer or those with electronic banking authority are restricted from authorizing the expenditure or reconciling the bank accounts.

Inventory –
Consider whether your systems allow you to identify shortages, and make sure the people controlling inventory are segregated from those people ordering inventory.

Accounts Receivable –
Determine if the staff that issue credits and record payments are segregated from the people who perform the billing in order to reduce the potential for stealing cash while adjusting the customer’s balance.

Expenditures –
Are expenditures and the checks issued to pay the bills approved by you or someone in management? Are new vendors approved or set up by management independent of the staff that pays the bills to assure fraudulent vendors or “friends” of the staff are not established as vendors and paid?

Computers -
Information technology has been a boon to business efficiency, but many entities have not considered the additional control risks inherent in easy access to data. This includes the risk that your competitor or a recreational hacker could get to that data, a terminated employee could take the data or financial information could be corrupted, manipulated or erased by an employee committing fraud.

A risk assessment should identify what could go wrong, where are you vulnerable and how someone could steal from you.

Once risks are identified, the next step is to develop policies and procedures to address these risk areas, and then put them in writing to assure everyone is aware of and adheres to your designed controls.

Unfortunately, many smaller businesses and tax-exempt entities have not invested the internal or external resources to consider or implement even the most basic of internal controls, which can lead to disaster.

Sarbanes-Oxley did get one thing right: an ounce of prevention today is worth its weight in gold later if a risk is identified and the potential for fraud is eliminated.

Disclaimer: The Bonadio Group provides the information in Viewpoints for general guidance only, and does not constitute the provision of legal advice, tax advice, accounting services, investment advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal, or other competent advisers. Before making any decision or taking any action, you should consult a professional adviser who has been provided with all pertinent facts relevant to your particular situation. Tax articles in Viewpoints are not intended to be used, and cannot be used by any taxpayer, for the purpose of avoiding accuracy-related penalties that may be imposed on the taxpayer. The information is provided "as is," with no assurance or guarantee of completeness, accuracy, or timeliness of the information, and without warranty of any kind, express or implied, including but not limited to warranties of performance, merchantability, and fitness for a particular purpose.