Internal controls are the mechanisms, rules, and procedures implemented by your organization to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud. The requirements of the Uniform Guidance (which many non-profits and governments fall under) further define internal control as a process to provide reasonable assurance regarding an organization’s effectiveness and efficiency of operations, reliability of reporting for internal and external users, and compliance with applicable laws and regulations. The status of your internal controls provides an effective benchmark of your organization’s strengths and weaknesses. An effective internal control structure also provides a crucial safeguard against fraud.
What is Not an Internal Control
A trusted employee is not an internal control (You want trusted employees, but you also need checks and balances. Remember – you are trying to prevent or detect errors and fraud.) Believing your organization would notice errors and fraud doesn’t work and is not an internal control. The annual audit is also not a part of your internal control; it serves to confirm that your financial statements are materially accurate. Listed below are some key things to keep in mind when assessing and improving your organization’s internal controls.
What Could Go Wrong
It is imperative that your organization’s internal controls be designed in such a way to not only hope they prevent and detect a ‘What Could Go Wrong’ scenario but actually prevent or detect and correct a ‘What Could Go Wrong’ scenario. So what are some things that could go wrong for your organization?
- Can someone steal? (common stolen items are cash and computer equipment; a building can’t be stolen)
- Can legitimate costs be charged to the wrong department? Are costs actually necessary? Are any legitimate costs missing from the accounts payable records?
- Are any services being provided to ineligible people?
- Are services not being performed correctly or not being delivered?
- Is the financial record keeping of your organization inaccurate? Is it behind?
Segregation of Duties
The most effective way to mitigate a ‘What Would Go Wrong’ scenario from happening is implementing an effective segregation of duties process at your organization. When it comes to handling revenues, specifically recording of revenues, receipt of funds, maintenance of accounts receivable, and bank reconciliations, you will want to separate the duties associated with handling of receipts, making deposits with recording revenue and maintaining accounts receivable records. With regards to expenditures such as purchase requests, purchase authorizations, recording of expenses, and bank reconciliations you will want to separate the duties associated with approving expenses with recording expenditures and maintaining the records. For typical payroll processes such as hiring and authorizing pay rates, authorization of time sheets, payroll processing, and bank reconciliation, you will want to separate the duties associated with human resources from time approval and the accounting function.
Implement an Actual Control Based System of Internal Compliance
While it’s useful to review and modify your organization’s processes as part of your internal control system, note that processes are merely procedures that originate, transfer, or change data and subsequently can also introduce errors. Controls conversely are procedures that are designed to prevent, detect and correct errors resulting from processing of accounting information. Controls cannot generate errors and are activities performed to prevent or detect errors or fraud.
Internal Controls Your Auditors Will Be Looking For
Listed below are some examples of internal controls your auditor will assess during the audit:
- Are time sheets approved by a supervisor?
- Does your software system reject duplicate invoice numbers and reject vendors not already in the system?
- Are old vendors removed from your system and vendors still in the system compared to an approved vendor list?
- Are invoices approved by a Manager?
- Does the individual who signs checks at your organization compare invoices to checks and review approval documentation?
- Are bank statements reconciled to the accounting records by someone independent of the processes for revenue and expenses?
- Does a supervisor review completed documentation and support and sign off on eligibility?
- Does an internal auditor randomly pull eligibility files to review for documentation?
With respect to the tools mentioned above, remember to document, document, document. If it is not documented, your auditor will consider it ‘not done’. If you think it, ink it. If you have any questions regarding your organization’s internal controls reach out to your audit manager.