Internal controls are the procedures and methods used to help companies to achieve their performance and profitability targets and prevent the loss of resources/assets. They are also used to ensure financial reporting is accurate and reliable and that the company is compliant with regulations and laws.
In other words, internal controls can help your company achieve its goals, and limit the internal and external risks and threats you’re likely to encounter.
Every business will feel the pain of not being in control at some point in the growth cycle and, therefore, implementing internal controls in a measured and methodical manner will become essential at some stage.
It’s better to establish internal controls now rather than continuing to operate without them. Not only do they give you more time and freedom but they enable you to manage and control the business rather than allowing the business to control you. In these articles, you will see:
- The essential elements of an internal control system
- The benefits of an internal control system
- The main reasons companies don’t use internal controls
- How a part-time CFO can create internal controls for you
Many SME owners mistakenly believe that internal controls are the domain of publicly listed companies or government departments but they are just as critical for small to medium sized businesses too.
Michelle Long, author and financial consultant, says internal controls are necessary for SMEs to reduce the risk of fraud.
“Without any controls or oversight, it is like leaving the door unlocked with the cash register drawer open hoping that no one will steal any money,” she says in a report for Intuit.¹
“Even employees who are honest can be tempted when they see large sums of money right in front of them,” says Long. “This is especially true if the business owner has not implemented any access controls or set up shared control over the company finances.”
“Also, without internal controls, a business owner can never know if their information is complete, accurate, or reliable. Time should be taken to set-up, implement and review a policy of internal controls. Once the policy has been established, management should ensure that the controls are being followed.”
The need to have robust internal controls is highlighted by the case of the Royal Bank of Scotland (RBS), which fell victim to a rogue trader in Hong Kong.
In 2014, the RBS was fined $850,000 by Hong Kong financial regulators after “seriously inadequate” internal systems and controls failed to detect a rogue trader hiding losses totalling tens of millions of dollars.²
The employee was found to have hidden losses of $46 million over a three-year period by regularly cancelling or amending transactions that had been entered into RBS’s internal trading systems.
A subsequent investigation by the Hong Kong Securities and Futures Commission (SFC) found that RBS’ risk management and internal controls within its Emerging Markets Rates business were “deficient and failed to prevent misconduct.”
The losses suffered by RBS are small compared with the staggering $6.8 billion losses announced by French banking group Société Générale (SocGen) in 2008. There too a rogue trader was found to have hidden enormous trading losses. The Paris-based trader used his “in-depth knowledge” of the bank’s fraud control systems to circumvent internal checks.³
This was a lone man who built a concealed enterprise within the company, using the tools of Société Générale, and who had the intelligence to escape all control procedures.Your Balance Sheet shows what your company owes and what it owes at a given time.- DANIEL BOUTON, FORMER SOCGEN CHAIRMAN
SocGen’s Chairman, at the time Daniel Bouton, said: “This was a lone man who built a concealed enterprise within the company, using the tools of Societe Generale, and who had the intelligence to escape all control procedures.”
It’s not enough to create internal controls: they need to be regularly reviewed to ensure they are keeping pace with the company’s growth. Pressure to create, develop and innovate means that old systems can quickly become redundant and need rethinking and rebuilding. This is really one of the biggest headaches a business owner faces. Creating products is easy by comparison.
You have probably experienced a shift from knowing every last detail about the inner workings of your business in the early days to losing a lot of control over the processes which allow the business to operate.
In other words, you have become removed from the day to day operating procedures. This means you probably can’t see what is going on in the way that you would like to or, at least, you can’t see as much as you would like to see. This can manifest itself in different ways. You might not realize that your customers are not paying since you don’t have a system for alerting you to such occurrences or you might have several unproductive employees but have neither the tools to identify these employees nor the time to do anything about it.
Instead, you are frustrated with your staff because you want them to fix the problem (using their own initiative). They, in turn, are frustrated with you for not providing them with clear job descriptions and responsibilities.
It may be that your cash flow is very poor or you are accumulating excess inventory. It may be that you are always turning up for meetings unprepared because the work it would take to uncover the information you need to run a good meeting would just take too long to collect.
You probably initiate a lot of the activity in the business (creating policies, signing CRA documentation, sending off legal forms necessary for compliance) but you may not have the systems set up to manage these various projects going forward. This means that your head is full of concerns which rear their head at the very point at which you have the least time to deal with them. Usually, by then the problem has escalated.
All of this leads to a feeling of being disorganized and overwhelmed. If you were able to delegate the work and feel confident that your business had a stable framework, you would feel much happier about redoubling your growth efforts (a lot of business owners we work with hold themselves back because they instinctively know the business lacks the systems and structure to grow in a manageable way).
The essential elements of an internal control system
There are five key elements in a good internal control system:
- Separation of duties. Key duties and responsibilities in authorizing, processing, recording, and reviewing transactions and events should be separated among individuals. This not only protects employees but prevents and detects both unintentional and intentional errors. It also encourages better job performance.
- Authorization. Every transaction must be authorized and carried out by people acting within the scope of their authority. This will help prevent invalid transactions.
- Documentation. Every transaction (event or activity) must be documented. It helps ensure that assets are properly controlled. It also helps to ensure each transaction is accurate and complete.
- Supervision. Competent supervision must be provided to ensure the objectives of the internal controls are achieved.
- Reconciliation. This ensures the accuracy and validity of your records. It also means that discrepancies can be resolved quickly and that unauthorized changes don’t occur.
To be effective, internal controls must be appropriate, must function consistently as planned, and must be cost-effective.
An effective control environment will ensure the following:
- The effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
- Safeguarding of assets.
The benefits of an internal control system
Having an internal control system in your organization will help:
- Prevent errors and irregularities from occurring. If they do occur, they will be detected quickly.
- Ensure that errors that do occur are minimized and resolved quickly.
- Safeguard employees by clearly outlining their responsibilities and roles; by providing checks and balances; and from being accused of errors, irregularities, or fraud.
The main reasons companies don’t use internal controls
The owners don’t realize such controls are necessary
Forensic accounting expert Steve Dawson says placing your faith in people’s honesty leaves you vulnerable to fraud.
“Believing you don’t need internal controls because you don’t have evil people working for you is irrelevant,” he says.⁴
“Evil people don’t represent the majority of fraud instances: desperate people do. Remember that 95 percent of those I have investigated are truly decent people who rationalize their fraud because of a severe financial crisis. They are able to take advantage of the company simply because their position has weak internal controls.”
One of The CFO Centre’s part-time CFO’s recalls how one of her clients was nearly sent to the wall because its CEO had stolen large amounts of money.
“I got involved immediately after they discovered the fraud. In the first 6 months, it was very doubtful whether the business had any future because of all the money which had been stolen. What I was able to do was give the different stakeholders enough confidence to be able to pull together something which secured its long term viability”.
I immediately called the CRA to explain who I was, what I was doing, and what I was going to do. I asked them to give me a few weeks to sort something out, during which I’d provide constant feedback to them.- THE CFO CENTRE’S PART-TIME CFO
“On my first day, we found out that we were under pressure from a large creditor who was planning to force the organization to court because it had a large amount of payables which hadn’t been paid over a long period”.
“I immediately called the CRA to explain who I was, what I was doing, and what I was going to do. I asked them to give me a few weeks to sort something out, during which I’d provide constant feedback to them”.
“The combination of who I was, what I was doing, and how I was going to do it was enough to persuade them to give me some time”.
“The company had another equally large creditor who also wanted to be paid immediately.”
“I put a survival plan together, and luckily there was someone connected to the business who had funds. We persuaded that third party to provide the business with a long-term loan worth several hundred thousand dollars.”
“That allowed us to pay the creditor, to pay the other creditor and to have some money to go forward so we could try to recover the money that had been stolen.”
Lack of time
Creating internal controls does take time. The consequences of not investing energy into creating internal controls, however, are likely to be very damaging to a company.
Philip Ratcliffe, an Internal Audit Consultant, says in a serious case the opportunity cost of the time that management will lose in attending to the consequences of an internal control breakdown can be massive.
“Strategic issues, tactical issues, business development – all these and many more normal concerns of senior management will have to take a back seat until the problem is resolved. Add to this the loss of reputation and of confidence, inside and outside the organization, because news will inevitably leak out however carefully those involved try to prevent it.”⁵
A lower ratio means your company is more financially stable and is probably in a better position to borrow now and in the future.
It’s too difficult
Creating internal business controls, which are the systems and frameworks that allow all departments of the business to keep up to speed with changes is plain hard work.
To some extent, this hard work is simply a part of building a fast growing business. That said, a lot of it can also be avoided by understanding business growth cycles and by designing an architecture which means your business is able to grow at a steady pace rather than allowing it periodically to outgrow itself (as you struggle to put out the fires).
Strategic issues, tactical issues, business development – all these and many more normal concerns of senior management will have to take a back seat until the problem is resolved.- PHILIP RATCLIFFE, INTERNAL AUDIT CONSULTANT
¹ ’Internal Controls for Small Businesses to Reduce the Risk of Fraud’, Long, CPA, MBA, Michelle L., Intuit, Intuit Inc., 2009
² ‘RBS reprimanded for systems failures following £25m trading losses: Hong Kong regulator fines bank £450,000’, Finnegan, Matthew, Computerworld UK, www.computerworlduk.com, Apr 22, 2014
³ ‘Rogue trader exploits tech knowledge to cost SocGen £3.6bn: Biggest fraud in investment banking history’, Chapman, Siobhan, ComputerWorld UK, www.computerworlduk.com, Jan 25 2008
⁴ ‘Internal Control/Anti-Fraud Program Design for the Small Business: A Guide for Companies NOT Subject to the Sarbanes-Oxley Act, Dawson, Steve, (Wiley Corporate F&A), April 13, 2015
⁵ ‘Engaging Senior Management in Internal Control’, Ratcliffe, Philip, QFinance, www.financepratitioner.com