Fraud Lurks: So you need internal controls – MUST READ

This is the fourth installment of our “Fraud Lurks” series. In the initial article, I pointed out an all too common fraud technique using information found on any corporate check. The second and third installments concentrated on occupational fraud which is generally internal fraud, using statistics in the 2020 Global Report to the Nations published by the Association of Certified Fraud Examiners. If you missed those I suggest you read them because if you did, you should now be convinced your business needs internal controls.

I added “Must Read” to the title because I know what you’re thinking when you hear internal controls:

• Boring
• Complicated
• Costly

Internal controls need not be any of those.

I once asked a prospective client what he knew about internal controls.  He answered “That’s where you tell me I need to add three people to spread the duties so no one has conflicting roles.  Meanwhile, the added payroll puts me out of business.” He understood the idea of segregation of duties but otherwise had it all wrong.  An effective system of internal controls must:

• Be specific to your Company
• Be considerate of the size and complexity of your Company
• Be easy to follow and administer
• Become part of the Company’s culture
• Promote operational efficiency

There are two ways to develop internal controls for your company, the way I am about to describe and the wrong way. Search the internet for “best practices” internal controls and you can be looking for days finding all sorts of ideas. Sorry, but you are wasting your time; the internet posters don’t know your company, your people, or you.

Instead, get your management group together and, in what shouldn’t take more than a couple of hours, identify your business functions. Discuss what could go wrong in each area by asking two questions:

1. What is the likelihood of occurrence?
2. If it happened, what would be the impact on the Company?

It’s that simple. You might find it enlightening; maybe even fun.

With that done, you likely have items in all four categories.

1. High likelihood of occurrence; major impact on the company. These are your control priorities. Potentially falling here are issues relating to cash and inventory (depending on how mobile it is and how easy it would be to move it on the outside) but there may well be other areas. You simply must have controls covering these areas.
2. Low likelihood of occurrence; major impact on the company. Here we’re looking at fire, flood, death of an owner or key employee, etc. Generally, controls in this area include insurance products (don’t forget cyber and business interruption insurance) and a disaster recovery plan – or you can choose to just lose sleep over what might happen.
3. High likelihood of occurrence; minor impact on the company. Consider a fast food business. Certainly, it is likely an employee might give a soda or sandwich to a friend; Minor impact – unless many employees are giving many sandwiches to many friends. Unless you want to hire someone to watch every employee (see my prospective client above), detective controls work well here. For example, if you sell super-burgers, take inventory of super-burgers at the beginning of the day and again at the end of the day. If 200 super-burgers are gone from inventory, 200 super-burgers should have been sold. If not, perhaps product is being pilfered or your cook can’t cook – either way, you want to know. This is why, if you ask for a glass of water at a fast-food chain you will receive it in a different cup from what the sold drinks come in – they are controlling the cups!
4. Low likelihood of occurrence; low impact to the company. These items deserve little to no attention. I once had a client who was quite proud of his controls over petty cash. Seems his former auditor always had a comment about petty cash (an entirely different problem) and he tightened things up. I asked him how much was in petty cash and he said $200. Follow up question was how often did they replenish petty cash? – the answer was once a month. I pointed out to him his best controls were protecting an account with a maximum exposure of $2,400.  Seriously?

So there you have it; nothing to it. Knowing WHAT to control is half the battle at least. How to control the impactful areas is a bit tougher but certainly not impossible. If you’re struggling with that, you might want to get some help from your independent accountant.

In the next article, we will review some controls that most every company needs (some of which cost next to nothing) and give some examples of effective and efficient controls.