Internal Controls: Best Practices
by Michael Ploskonka, CPA, CFE | Selden Fox
An organization is best set up for success when it has strong internal controls. For an organization to develop and maintain effective controls, they must first understand the purpose of internal controls; identify who is responsible for setting and maintaining the controls of the business; and be familiar with the most common control activities. A company’s internal control framework will look different for each type of business, but if management understands these three points, they will be well on their way to success. To help clients, prospects and others understand internal controls best practices, Selden Fox has provided a summary of key points below.
Purpose of Internal Controls
Internal controls are processes that an organization develops to prevent or detect deviations from pre-determined standards, errors or fraud, which ultimately help management achieve their goals. Internal controls can be designed to:
- Safeguard company assets;
- Guard against theft of both physical and intellectual property;
- Mitigate risks to acceptable levels
- Enable reliable financial reporting;
- Promote efficient operations (e.g., reduce waste or improve timeliness); and,
- Ensure compliance with federal regulations, if required.
Internal controls are highly customizable and are unique to each organization, but all businesses should have a framework in place, even companies that undergo internal or external audits.
Management and the Board of Directors have a fiduciary responsibility to establish the organization’s internal controls and to ensure they are updated and functioning properly. They are also responsible for communicating their expectations to the organization’s employees. Customary in larger organizations, management may choose to create a specific department to monitor and assess the effectiveness of the system of internal control.
The common types of control activities that all organizations should consider implementing include the following:
Separation of Duties
Separation of duties requires different individuals to be responsible for different tasks to ensure more than one set of eyes is part of an entire process. For example, someone who authorizes a transaction should not also be executing the transaction; two different people should perform these roles independently.
Physical Control over Assets
Physical assets and the physical access points to intangible assets should always be safeguarded. Cash should be stored safely, equipment should be locked away, and access to sensitive records should be limited.
Proper Authorization and Training
Only authorized employees should have access to the most sensitive information or be able to approve or execute certain activities, and they should be well-versed in how the system works. These privileges should be reviewed regularly and updated as duties change. All employees should receive sufficient training to be able to identify and respond to a deviation or a potential issue.
Independent Checks and Review
Employees independent of the activity should perform periodic reviews, and the review process should be well-documented. For more complex or crucial processes, multiple levels of review may be needed.
The steps in any sensitive business process should be recorded, and the records should be routinely reviewed for accuracy. Using standardized documentation can help, such as reconciliations, invoices, expense reports, and receipts with documented approvals. When searching for the cause of an error or a discrepancy, these records can be referenced to help pinpoint the breach or the mishandling of information.
Maintaining a robust internal controls program will help ensure your company is addressing various risk factors and taking steps necessary to prevent or detect issues which may negatively affect your business objectives. Since each company is different the specifics of their internal controls approach will vary. If you have questions about your internal controls program or need assistance reviewing or refining it, Selden Fox can help. For additional information please call us at 630.954.1400 or contact us directly.
Michael Ploskonka, CPA
As a member of the Selden Fox Auditing and Assurance Group, Michael conducts independent reviews of financial statements and audit reports prepared by the firm for a variety of clients. He also monitors and develops procedures to minimize high-risk areas for the firm’s clients.