Internal Control issues can lead to losses for small companies related to limited resources. Businesses with fewer than 100 employees accounted for the highest percentage of fraud instances –nearly 29% – reported in the 2014 Report to the Nations by the Association of Certified Fraud Examiners (ACFE).
However, there are strategies that address operational and financial risks, resulting in the prevention and/or detection of fraud at your company. The following five internal control issues are commonly found in small businesses.
1. Separation of duties
Many small businesses with limited human resources often have a single employee exclusively responsible for multiple tasks in critical processes. The performance of these tasks in larger organizations are generally performed by multiple associates. A greater risk of error or fraud results when multiple tasks are managed by only one person.
Internal controls are enhanced when different people are responsible for authorizing and recording transactions, maintaining custody of related assets, and reconciling accounts. Sometimes employees outside the responsible department for various tasks need to be engaged, with each employee having specific job responsibilities defined in writing. Reassignment of specific duties within a process to other individuals can significantly help to mitigate risks.
2. Policies and Procedures
One of the most effective control tools is to have a well-written policy and procedure manual which helps to align business objectives and establish best practice operating procedures. Regardless of how simple or well known your business processes are, there is value in creating written policies and procedures for both management as well as employees.
The following common processes are important to define and document:
- Sales and accounts receivable
- Cash management and banking
- Purchases and accounts payable
- Payroll and human resources
- Financial statement closing and reporting
Documenting key metrics in these processes provides clear and consistent direction for the tasks to be completed and allows for specific roles to be assigned to associates. Further benefits result when a key employee leaves the company as it will be easier to train new and/or temporary employees with thoroughly documented procedures already in place. Documenting policies and procedures also confirms alignment with management’s expectations.
3. Documentation
Maintaining adequate supporting documentation is part of the foundation for developing an effective internal control framework within an organization. Absent supporting documentation makes it difficult to demonstrate that transactions were completed, procedures performed, and controls in place. Proper documentation can also make it easier to respond to questions from customers, management and auditors. Emphasizing the importance of maintaining proper evidence allows the management team to help reduce risks to customers, employees and the business.
4. Oversight and Review
Small business owners are often so involved in the strategic goals and development of their business that there is not enough time to ensure basic internal control monitoring procedures are in place. Proper oversight is essential to the internal control framework and an important aspect of fraud prevention and detection.
Each business must define the review of key metrics (e.g., sales, expense accounts, cash reports, variance reports, payroll summaries) and other data on a daily/weekly/monthly basis to help identify problems that may exist. Other benefits of knowing the pulse of your business’s performance keeps associates alert to being questioned about daily activities and provides valuable information for key decision making.
5. User Access Rights for Information Systems
Employees are often granted more access to information systems than they actually need to perform their responsibilities. Providing excessive access can expose the business to additional risks that are unknown to management.
Employees should start with limited access to information systems rights only needed to perform functions that are essential to their own work. As their workloads expand, additional access rights may be granted.
User rights should be reviewed at least annually and preferably more frequently to align the business purpose for the access granted to each user. While requiring more time and effort, this approach can enhance the system of controls and security in place.
Although small businesses may have limited resources, following these strategies can serve to prevent and detect fraud and mitigate operational and financial risk.