To prevent internal fraud and theft, a business needs more than a set of values and morals. While ensuring employees want to do the right thing is always a good business model, mistakes and bad apples do crop up from time to time. Adopting a set of internal controls that make sure duties are properly segregated is the best way to ensure things run smoothly.
Internal controls are part of a segregation of duties policy and are the rules and procedures used within an organization to ensure financials and accounting are accurate and compliant with laws and regulations. They are used to prevent fraud and theft as well as to promote accountability among managers and approvers.
Outside of financial departments, internal controls are also used to ensure business objectives related to operations, reporting and compliance are met without issue.
Internal control procedures specifically define how each department will need to participate and commit to ensuring reporting integrity. These procedures usually consist of five components:
- Control Environment: Making sure the company has an obvious commitment to compliance, ensuring company culture supports ethical business practices and ensuring structure and roles are designed and defined to support this environment.
- Risk Assessment: Identifying the company’s objectives and the risks that threaten those objectives, then analyzing these risks with an eye to developing methods to prevent them.
- Control Activities: The actual policies, procedures and structures in place to ensure physical and electronic information and assets remain secure and accurate.
- Information and Communication: Ensuring all information recorded is accurate and safe and can be accessed and reviewed to identify any anomalies.
- Monitoring: Continually assessing the quality of these internal controls over time, including periodic reviews, internal and external audits and reporting.
One of the most important philosophies in support of internal control is the concept of segregation of duties: separating out key steps in a process to ensure more than one person contributes to any critical task.
For example, imagine a cashier at a retail shop who has access to override, void or delete transactions. This could easily lead to employee theft because an employee could check out a number of items and then void the transaction while still taking the items.
For another example, imagine someone with the ability to write a business check, access the money and record the transaction. He could easily record amounts that are less than he takes out and pocket the difference. These are examples of petty fraud, but imagine someone in a large organization with the power to execute on a larger scale.
Types of roles that should require segregation include:
- Record Keeping: Roles that create and maintain the records for business transactions.
- Authorization: Roles that review and approve said business transactions.
- Asset Custody: Roles that can access or otherwise control the physical assets involved in these transactions (cash, inventory, etc.).
- Reconciliation: Roles that oversee and verify that transactions have been completed properly.
To check for a potential lack of segregation, it’s best to make a list of the roles within a certain department and then make a checklist of all the tasks that fall into these four categories.
For example, a review of purchasing procedures might check to make sure managers don’t have the ability to approve their own purchase requisitions. It might also check to make sure an inventory clerk is not solely allowed to verify receipt of items.
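The same review can be run over an exported role-to-task list. The following is an added example, not part of the original article; the role names, task names and their mapping to the four categories are constructed for illustration.

```python
# Added example: constructed roles and tasks, not taken from the article.
CATEGORIES = ("record_keeping", "authorization", "asset_custody", "reconciliation")

# Each task is assigned to one of the four categories (assumed mapping).
TASK_CATEGORY = {
    "create_requisition": "record_keeping",
    "approve_requisition": "authorization",
    "receive_goods": "asset_custody",
    "verify_receipt": "reconciliation",
}

# Which tasks each role is allowed to perform (constructed sample).
ROLE_TASKS = {
    "purchasing_manager": {"create_requisition", "approve_requisition"},
    "buyer": {"create_requisition"},
    "director": {"approve_requisition"},
    "inventory_clerk": {"receive_goods", "verify_receipt"},
}


def category_conflicts(role_tasks, task_category):
    """Return {role: [categories]} for roles whose tasks span more than one category."""
    conflicts = {}
    for role, tasks in role_tasks.items():
        unknown = tasks - set(task_category)
        if unknown:
            # An uncategorized task would silently escape the review.
            raise ValueError(f"{role}: uncategorized tasks {sorted(unknown)}")
        cats = sorted({task_category[t] for t in tasks}, key=CATEGORIES.index)
        if len(cats) > 1:
            conflicts[role] = cats
    return conflicts


def sole_holders(role_tasks, task_category, category):
    """Return {task: role} for tasks in `category` that exactly one role can perform."""
    found = {}
    for task, cat in task_category.items():
        holders = [r for r, tasks in role_tasks.items() if task in tasks]
        if cat == category and len(holders) == 1:
            found[task] = holders[0]
    return found


if __name__ == "__main__":
    for role, cats in category_conflicts(ROLE_TASKS, TASK_CATEGORY).items():
        print(f"{role} combines: {', '.join(cats)}")
    for task, role in sole_holders(ROLE_TASKS, TASK_CATEGORY, "reconciliation").items():
        print(f"{task} can only be performed by {role}")
```

With this sample data, the manager who can both create and approve requisitions and the clerk who is the only role able to verify receipt are both flagged for review.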
Whether an organization is large or small, it pays to invest some time and thought into properly segregating roles in order to stay compliant and avoid errors, intentional or not.