One police officer talking to
another on an embezzlement investigation:
Overheard “I wish I made enough money so someone
could steal $250,000 from me and I didn’t know it.”
And later we determine that the bank account
reconciliations had been manipulated and the former
controller was going to Sam’s Club and purchasing
personal items including thousands of dollars in gift
cards every month, with the payments automatically
deducted from the business account that the owner never
looked at. Charges filed. Former Controller Arrested.
How did it happen? Long-time trusted employee, off-site
management, no review of results by operations manager,
lack of segregation of duties and negative attitude of
Auditor discussing misappropriation with business owner:
“You mean she was buying this stuff with a credit card
or company check then putting in a check request for a
petty cash reimbursement? And the total is $20,000?”
How did it happen? Lack of control over petty cash. Failure
to properly supervise and review, with documentation
supporting reimbursement simply initialed. Failure to
determine the “why” of increases in expenses.
Business owner to Accountant:
“Food sales and cost of sales seem normal, but
Beverages are totally out of whack. Beer, wine & liquor
have the highest margins, except for this store.”
Later: “Seriously? Separate cash registers for cash
vs. credit. Bringing in his own bottles, no adherence to
bottle control? Diluting liquor? No wonder! My profits
are going in his pocket.” Bartender fired.
How did it happen? Failure to do background checks, no
follow-up when things appear “questionable” or “not
reasonable”, failure to timely investigate gross margin
fluctuations and failure to monitor whether established
control mechanisms were in fact operating and effective.
Controller of Jewelry Store business to auditor:
“He’s borrowing jewelry from his friends for the
Lo and behold, support cannot be located to substantiate
the cost so the owner offers the catalogue to validate
the inventory cost. Client gets fired.
How did it happen? Business was failing, cash flows
inadequate to operate business, default on all lender
Internal Control Matters! Many small businesses and
quite a few large ones put internal control on the back
burner. They tell themselves, “We’re small,” or “I
trust my staff” or “We don’t have time for that” but
given motive and opportunity many employees will be
tempted to put their hands in the till. Nevertheless,
internal control is more than detecting employee theft.
Proper internal controls and policies & procedures, when
put in place and monitored, provide businesses with the
tools to prevent or detect errors and irregularities.
In days past, manual bookkeeping and software limited
the production of financial records to days or weeks
after the period end. In this age, we have moved to
up-to-the-minute financial information. If you
establish proper controls and policies, you can produce
reliable financial information on a timely basis, even mid-month
or weekly if necessary.
Think this can’t happen to you? Sorry, it can; and the
conversations above are real-life examples. It’s
important to remember the basics of fraud. Three factors
are likely present for fraud to occur:
Motive – someone has a reason to steal
Rationalization – someone determines that it is okay to
Opportunity – someone can steal, potentially without
Motive and rationalization are factors that are beyond
your control and are usually a result of outside
influences, personal lives, and individual
personalities. Opportunity is the one factor that
management can control; therefore, focus needs to be on
eliminating or reducing the opportunities to commit
fraud. But keep in mind, internal control can provide
only reasonable assurance - not absolute assurance -
regarding the achievement of a business’s objectives or
the elimination of fraud in its entirety.
Everyone has heard of segregation
of duties and a lot of small businesses just pooh-pooh
it away, claiming the business is too small or there’s
not enough time. Wrong answer. It doesn’t take much
time to review the bank reconciliations or even open the
bank statements yourself and flip through them, and you
have to be looking at financials to manage the business.
As an owner/manager accountable to someone besides
yourself, i.e., the other users, you have a responsibility
to create an environment where fraud is not tolerated,
to identify risks of fraud, and to take appropriate
actions to ensure that controls are in place to prevent
fraud. Keep in mind, a
devil-may-care attitude trickles down.
As for opportunity, your job
is to set the tone at the top and put controls in place
to either prevent or detect errors or irregularities,
which is a nice way of saying theft. Generally
speaking there are two types of controls designed to
address this problem: preventive and detective controls.
Both types of controls are essential in the design of an
effective internal control system. From a quality
standpoint, preventive controls are essential because
they are proactive and emphasize quality; they are designed to
prevent errors, irregularities or undesirable events
from occurring. However, detective controls play a
critical role by providing evidence that the preventive
controls are functioning as intended; they are
designed to detect and correct undesirable events after
Examples of preventive controls
Segregation of Duties: Duties are segregated among different people
to reduce the risk of error or inappropriate action.
Normally, responsibilities for authorizing transactions
(approval), recording transactions (accounting) and
handling the related asset (custody) are divided.
Authorizations, and Verifications: Management authorizes
employees to perform certain activities and to execute
certain transactions within limited parameters. In
addition, management specifies those activities or
transactions that need supervisory approval before they
are performed or executed by employees. A supervisor’s
approval (manual or electronic) implies that he or she
has verified and validated that the activity or
transaction conforms to established policies and
Assets (Preventive and Detective): Access to equipment,
inventories, securities, cash and other assets is
restricted; assets are periodically counted and compared
to amounts shown on control records.
Examples of detective controls
Performance: Management compares information about
current performance to budgets, forecasts, prior
periods, or other benchmarks to measure the extent to
which goals and objectives are being achieved and to
identify unexpected results or unusual conditions that
Reconciliations: An employee relates different sets of
data to one another, identifies and investigates
differences, and takes corrective action, when
Monitoring is also very
important. This is a process that assesses the quality
of internal control performance over time. Monitoring
helps management ensure that established control
activities are being carried out and that they are both
sufficient and efficient. Part of monitoring is
responding to internal & external events (economic
conditions, staffing changes, new systems, regulatory
changes, natural disasters, etc.), collectively known as
risks, that threaten the accomplishment of
objectives. Risk assessment is the process of
identifying, evaluating, and deciding how to manage
these events… What is the likelihood of the event
occurring? What would be the impact if it were to occur?
What can we do to prevent or reduce the risk?
control systems must be monitored to assess their
effectiveness… Are they operating as intended?
monitoring is necessary to react dynamically to changing
conditions…Have controls become outdated, redundant,
occurs in the course of everyday operations, it includes
regular management & supervisory activities and other
actions personnel take in performing their duties.
So, where do you start?
First you need to identify risks, understand them as
they relate to your business and finally assess them
against what you determine to be levels defined as
acceptable before you know what controls you need.
At the same time, you need controls to manage those
risks and ensure that they are at and remain at
Does the process start with risk? Actually, the process
starts with the setting of objectives. If the wrong
objectives are set, the organization is highly unlikely
to deliver best value to its stakeholders. Risks, or at
least the risks that matter, are identified and assessed
in relation to the objectives, so setting the objectives
is a pre-condition.
So, objective-setting is a pre-condition to risk
management and risk management is a pre-condition to
internal controls. Objectives are categorized as
operational, financial and compliance. A particular
objective can fall into more than one category.
Objective-setting is the initiation point of planning,
identifying procedures and controls, and
Primary objectives of an internal
control system (the end goal) are:
Compliance with applicable policies,
procedures, plans, laws, regulations and contracts;
Reliability and integrity of information;
Effective and efficient operations; and
Safeguarding of assets.
Assume you’ve decided that
the above are your primary objectives and you recognize
that as a small business you must accept that sometimes
the cost outweighs the risk. The next step? Don’t
start from scratch. Some control activities are
inherent in the system simply to enable you to pay bills
and to prepare financial statements. And if you aren’t
generating monthly financial statements, WE NEED TO
TALK. You can’t accept shoebox accounting or a financial
nightmare if you plan to succeed.
In saying “don’t start from
scratch”, I mean that you can identify what controls you
do have or think you have. There are probably
controls or tools built into your accounting
There is a method called
EIOW, which stands for Extended Inquiry, Observation and
Walkthrough that is a good starting point. This process
will help you identify those controls that need
documenting or revisiting. A common example is
supervisory review and approval, vs. simply putting
initials on a piece of paper. If you document this
process you can end up with a very valuable policies and
procedures manual. That will be a dual control as one of
the risks of business is change in personnel. This
manual can be a training tool.
The intent of the EIOW is
to spot any controls that are missing or weak. Such a
finding does not automatically indicate the presence of
a control problem that requires remediation. If there
are offsetting controls elsewhere in the system, a weak
control could be considered acceptable. For example, if
a signature plate is used to sign checks, this could be
considered a control weakness, except that a formal
approval is required upstream for every purchase order
issued. This offsetting control ensures that purchases
are still approved somewhere in the purchasing system.
Here are a few suggestions
to get you started.
department heads on understanding financial
statements and internal controls. Discuss
budgeting and have them start the process. They
are much more accountable if they have a hand in
setting the budgets. Train the department heads
to review everything they sign or authorize.
Regularly review expenses
and constantly review actual results compared to
budget and prior year. Prepare an annual budget
in sufficient detail to establish expense
Deviations should be explained.
Segregate duties to
reduce opportunity for someone to be in a
position to steal and hide the theft in the
normal course of their duties. (This could be
as simple as having the receptionist open the
mail, copy the checks and restrictively endorse
the checks, and someone else prepare the deposit
slip, with cross-checks for agreement.) Assign
different people responsibilities to authorize,
record and maintain custody of assets.
should be maintained. The primary methods for
such security are passwords and locks. Either
IT or the Owner should always have a list of
To understand business cycles as they relate to internal
controls, we will go through the basics then follow up
with subsequent articles for detailed suggestions for
A transaction cycle is a process that begins with
capturing data about a transaction and ends with
information output, such as a set of financial
statements. Thousands of transactions can occur within
each cycle, but there are relatively few types of
transactions in a cycle and each transaction cycle
relates to others and interfaces with the general ledger
and reporting system. The general ledger and reporting
system get data from all of the cycles and provide
information for internal and external users.
The expenditure cycle, which follows a purchase
from the decision to buy through the final payment. The
three basic activities performed in the expenditure
cycle are: (1) ordering goods, supplies, and services;
(2) receiving and storing these items; and (3) paying
for these items.
The revenue cycle includes
all activities that lead to the generation and
collection of income. The
revenue cycle can also be defined as a recurring set of
business activities and related information processing
operations associated with providing goods and services
to customers and collecting cash in payment for those
sales. Four basic business activities are performed in
the revenue cycle: (1) sales order entry, (2) shipping,
(3) billing, and (4) cash collection.
The other cycles are Production, Human Resources, and
Financing. All cycles involve a give/get
relationship. You give up something and get something in
return, and it all gets recorded.
In pulling all the information together, here is a
QuickBooks Screenshot of the Home Page, showing the
Business Cycles and how they interrelate.
Hope this is helpful and
remember, there are “More Internal Control Matters” to
In order to set up simple budgets in QuickBooks
Enterprise, go to Company: Planning and
Budgeting; Set up Budgets; Create New Budget
(top right): Specify the Year and Select Profit
& Loss; Select No Specific Criteria and hit
Next; Create budget from Prior Year Actual Data,
and Finish. Once you have this data you can
modify according to the budget year