Professionalizing Your Internal Controls (And Why It Matters)
Internal controls are crucial for the success and security of your business. While some areas of running a business may allow you to make things up as you go, internal controls require careful planning and strategizing.
Professionalizing and formalizing your internal controls, in particular, needs to get done ASAP if you’re readying your company for an audit, a sale, or the capital raising process. Having strong internal controls in place prepares you for a smooth and efficient audit process. And speaking more broadly, strong internal controls protect the company’s financial information, financial data, and the money itself. Any vulnerabilities that might exist in your control processes could expose your business to some very expensive consequences. Let’s close those gaps before any problems start.
What Do Good Internal Controls Look Like?
One overarching goal for your internal controls is that an auditor could walk into your business and follow all your financial procedures from the documentation alone. Documentation is a fundamental element of creating good controls. Your business could be doing everything right in terms of creating and executing all your internal policies and processes, but that won’t help you pass an audit if all that information is only stored in the brains of you and your team and your auditor doesn’t know where to begin. Maintaining thorough, up-to-date documentation on all your financial procedures is an absolute must.
As for designing the procedures themselves, the segregation of duties is essential. You never want to have one person doing too many things. If a person can initiate a transaction into the accounting system and also record a transaction in the accounting system, that’s a recipe for potential fraud. Having one person performing a task like initiating transactions and another person recording them is an excellent example of checks and balances. (In small organizations, including nonprofits, which may not employ multiple people equipped to manage financial matters, getting the board of directors involved can be a good solution for segregating duties. For example, one of these organizations might authorize the board’s treasurer to initiate transactions and sign the checks.)
An area where you need to ensure you have robust controls is cash disbursements. There should be several steps in place to prevent cash from being disbursed for anything other than legitimate business reasons. Again, having segregated duties and a system of checks and balances is critically important here. It shouldn’t be possible for one person to initiate a wire or record a transaction in the accounting system without anyone else knowing about that transaction.
The Financial Consequences of Poor Internal Controls
Protecting your business from fraud is perhaps the top reason business owners should be concerned about the quality of all their internal controls. The weaker your controls are, the easier it is for someone to siphon money out of your business undetected. And once the fraudster confirms that your internal processes are vulnerable enough to steal from you once, what’s to stop them from doing it over and over again for as long as they possibly can? (Probably nothing!) Your professional reputation, your company’s future, and very possibly your own life savings are all at risk when fraud occurs.
Secondly, having good internal control processes is a vital part of ensuring a smooth succession whenever you have employee turnover. What would happen if the person who’s been in charge of all your financial processes for the last ten years suddenly quits or gets in a terrible accident? How would the next person know where to begin? What kinds of mistakes and oversights might happen while they’re using trial and error to figure everything out? And how much company time will be wasted while everyone tries to get on the same page?
(I’ve witnessed first-hand how expensive and inefficient the succession process can become when internal controls aren’t well managed! In one instance, a client brought me in a week before their CFO was leaving, and because none of their processes were documented, I spent the week taking copious notes while the CFO verbally downloaded everything they could remember. Then I had to compile those notes, send them to the CFO to ensure all my understandings were accurate, wait for their review, and make edits. It was a poor use of time for both of us, and could have been avoided entirely if everything the CFO told me had already been documented.)
A third and very significant consideration is that having poor internal controls could damage your reputation, especially if you’re a nonprofit that relies on donations. Let’s say you’re audited, and your auditor issues a negative opinion because you couldn’t provide adequate documentation of any of your financial procedures. Because your financial statements are public, your donors are going to be able to find out that you didn’t pass your audit because of poor internal controls. People are going to wonder, why would I donate to this nonprofit if I can’t trust them to protect my donation?
Internal control issues aside, your reputation could also suffer if you experience fraud because of poorly designed internal controls. Here’s a hypothetical example: a small community organization located in a low-income neighborhood discovered that an employee had been embezzling funds over the course of several years. After investigating the full extent of the fraud, the board struggled to decide whether or not to report the theft to the authorities. On one hand, the person who stole from the organization deserved to experience legal consequences. But on the other hand, going public would mean the community might lose trust in the organization, potentially causing harm to the organization’s mission. You don’t want to be forced to make these kinds of difficult decisions in the aftermath of a fraud discovery.
It’s crucial for the success of any business to have strong internal controls, including proper segregation of duties for cash disbursements. In today’s technological age, some businesses do not use checks to make payments but instead set up wire transfers. Nonetheless, it’s essential to have appropriate segregation between those who can initiate a wire transfer and those who can record a transaction in the accounting system.
Need Help with Internal Controls?
LGA can help you improve your internal controls so you’re ready for whatever your business’s next chapter brings. Whether you’re preparing for an audit or just concerned about vulnerabilities in your internal controls, I’m happy to answer any questions you might have. Contact me today!
About the Author
Daniel Paré, CPA has 8 years of experience in public accounting and has been with LGA for four years. He has been a licensed CPA since 2016 and specializes in non-profits, and governmental audits, including Single Audits and Yellowbook Audits. Dan also has experience working with for-profits in many industries and can advise his clients on improving their internal control processes.