10.10.19 | Client Alert
It is common to think that only large companies with thousands of employees and multiple locations are challenged to protect their assets from external and internal fraud. In fact, many small businesses, often family-run or closely held, tend to feel immune to these “big company problems” because their owners “know” where their money is. In reality, however, smaller businesses are frequent victims of asset misappropriation, often due to the limited resources they have to focus on their operating environment and internal controls.
In an effort to provide small business owners and executives insights on enhancing their internal control environment, this Client Alert provides 10 control practices that small businesses can implement to manage their operations and safeguard assets more effectively.
1. Expense Management
Some organizations do not have formal sourcing, bidding, and purchasing policies and procedures in place. They may not even utilize purchase orders. When vendor quotes are requested and vendor bidding is utilized, often there are no formal policies and procedures requiring a specific minimum number of bids based on the purchase size. In many cases, bidding support documents and vendor estimates may not be retained. In short, valuable transparent information is lost.
For projects or large purchases, not having an official policy for minimum bidding may preclude companies from getting the best price and/or quality of service. For maximum transparency, all bidding support documents from vendors should be retained — including justification and reasoning on specific vendor choices. Purchasing policies should be established and address a number of minimum bids based on the overall project/purchase size.
2. Supporting Documentary Evidence
Generating and storing critical supporting documentation are important parts, and the foundation, of a sound internal control environment. Easily retrievable and well-organized documentation help to verify transactions and serve as a reference tool for procedures and internal controls. In addition, well organized documentation provides transparency and assists an organization with researching and rectifying problems.
3. Policies and Procedures
Documented accounting policies and procedures help accounting and finance staff understand and follow formalized rules and maintain consistent controls. In turn, this allows for more accurate and complete financial statements. In addition, formalized policies and procedures contribute to safeguarding assets as well as to training and developing new employees and evaluating staff performance. Accounting policies and procedures should be updated periodically to ensure that the information is current and relevant to the organization.
4. Segregation of Duties (SOD)
At some organizations, the responsibilities of employees are incompatible with appropriate segregation of duties, specifically when employees manage the entire chain of disbursements. In these situations, employees may be able to add new vendors, process invoices, and print checks without any oversight. Sometimes these employees even have authority to sign the checks and prepare bank-to-book reconciliations. Similarly, employees responsible for depositing cash receipts may also be responsible for accounts receivable accounting functions.
Lack of segregation of duties increases the risk of unauthorized disbursements and defalcation of cash. Management should review and reallocate some of these responsibilities among staff members to achieve a more balanced segregation of duties. If staffing restrictions prevent duties from being fully segregated, then additional supervisory monitoring procedures should be put in place.
5. Access Rights and Roles to Critical Financial Applications
Organizations without well-defined processes of assigning and managing access roles to their critical systems and applications expose themselves to security breaches by allowing access to information that should not be visible to certain employees based on their roles and responsibilities. Access rights should be periodically reviewed and recertified to ensure that authorization levels are commensurate with job responsibilities and the proper segregation of duties is maintained. Any requests for access should always be submitted in written format. Access rights and related activities should be authorized only by personnel with the appropriate knowledge and authority.
6. Monitoring and Management Oversight
Monitoring and management oversight are critical for a sound control environment — even more so if a business has segregation of duties. Management review controls are only effective if designed appropriately. This means their level of precision must be designed in a way that will most likely identify important errors or misstatements. At the same time, the system should be designed to avoid inefficient use of time in identifying insignificant errors. Depending on the type of account under review, the business should hold to specific variance thresholds or key performance indicators (KPI). When designing controls, it is imperative to design threshold amounts, metrics, statistics (such as year-over-year or month-over-month variances), or other defined guidelines which dictate the precision of management review.
7. Critical Spreadsheets
Given the similarities between spreadsheet development and application development, it is appropriate to use industry-recognized best practices for controlling critical spreadsheets. Errors in spreadsheets are common and can include:
- Overwritten and unprotected formulas;
- Input errors;
- Redundant data;
- Outdated links; and
- Poor documentation.
These errors can cause significant deficiencies and material weaknesses in internal controls, which can have a direct impact on the financial statements. Businesses should develop policies that include risk assessment and related controls testing, reviewing, and updating on an ongoing basis. The controls should cover logical access, backup, changes, data input validation, and security, and be similar controls addressing financial application risks.
8. Employee Travel and Personal Expense Reimbursement
Businesses that lack formal personal and travel expense reimbursement policies and procedures risk exposure to the misappropriation of funds. To help circumvent this problem, every employee should prepare an expense report addressing all business-related expenditures. Included in the report should be supporting receipts above a specific threshold amount established by the business. The report should explain the purpose of each expenditure — ideally, a legitimate business purpose — and include other individuals attending the event or benefiting from the expenditure. In addition, a travel expense reimbursement policy addressing allowable and nonallowable expenditures and methods for requesting reimbursements should be issued to all employees.
9. Credit Cards
Many smaller and family-run businesses have alarmingly informal control policies for credit card activities. Business owners and employees with corporate credit cards often commingle personal and business-related purchases. Then, at the end of a billing period, an aggregate bill from the credit card company is paid without detailed scrutiny over expenditures. This lax policy opens a window of opportunity for misuse, intentionally or otherwise, for covering personal expenses unrelated to a business.
Instead, formal policies should be put in place that include full and complete accounting and approval processes for every corporate credit card transaction incurred by every employee and business owner. In addition, based on their position within the company, each employee should have a defined spending limit.
10. Third Party Monitoring
At times, businesses may outsource certain business function cycles to third party service providers. These functions can be in any area, including payroll, human resources, benefits, bill payment, accounting, compliance, customer service, or IT services, to name a few. In these situations, even when a function, task, or process is transferred to a third party, many of the associated risks remain with the business. While the business may put its trust in these service providers, it remains the responsibility of the business to manage and monitor third parties and the potential risks associated with the relationship.
Questions. If you have questions related to any of the points covered, contact Alexander Moshinsky at 212.331.7448 | firstname.lastname@example.org.
Berdon LLP New York accountants