For most business owners, audit is a necessary evil. It irks them in paying a large chunk to the auditors for tracing the inherent loopholes in their businesses. For accountants, the minute the auditors enter the scene- the place transforms into a CBI inspection area, so much so that a few days down the line we’d have to consider a name for the phobia of “handling auditors”!
What many business owners don’t get is that in spite of deploying the best traditional internal controls, how is it that the auditors don’t think so. Maybe your internal control is good, but is it good enough to fool proof the whole system and make your system immune to fraud, tampering etc? There are many conventional systems that are deployed but in today’s technological era it doesn’t take much time to render it obsolete.
So you may ask, what’s internal control? In audit terms, internal control is a process designed and implemented by the management to prevent any inherent business deficiency.
In other words, it’s about devising unique process to carry on day to day business so that even in the absence of the management, the business is fool proofed and the data can be relied upon.
Be it a startup or a fortune 500 company- how well it functions is purely attributable to the internal control system they deploy.
Wonder how? Let’s consider a case in 2 different companies
Case : Release of payment to vendor
Company A: has computerized all it’s operations. To release a payment to a particular vendor, the purchase manager confirms the order placed and received, via invoice number. Then the stock keeper confirms the presence of the ordered and received stock. Once that is done, the purchase manager directs the accounts manager to release the payment. After the payment has been made, the vendor is directed to send a mail to the company confirming the receipt of the payment.
Company B: also has a computerized environment. The sole purchase manager confirms the order via invoice number and directs the accounts manager to pay. The payment is made but no acknowledgement for the payment is insisted on.
No prizes for guessing which system is immune to fraud. It’s Company A.
In Company B’s case, the presence of the purchased order received is not checked and for all we know the vendor is a dummy vendor created by the purchase manager because he knows no one will check the stock so he can direct the money to himself.
This is no made up scenario; you’d be shocked to know that the company B was KIA Motors, USA in 2002. Cecile Nhung Campbell, CPA, desperate for cash noticed a weakness in her highly profitable employer’s internal controls, embezzled almost $1 million.
An ideal internal control acts just like a firewall that burns up the system harming Trojans. Though many auditors will be happy to give you customized solutions to suit your needs, there are a few basic things that you already incorporate.
1. Choose your software:
There are many accounting and ERP software available in the market. Make sure to choose the one that best suits your company’s need. Thanks to the technology advancement and competition among the vendors, you can get the software of your choice at reasonable prices. Also ensure that the software doesn’t allow manipulation or any kind of tampering or rewriting of the financial data.
2. Accounting vs ERP software:
Many small businesses still work on just accounting software, but the ideal thing is to collaborate the business processes into one. Since ERP inter links the sales, purchases, HR, accounts etc, it’s an ideal choice. That way the whole business is in your control. Nowadays many companies are using the cloud technology, if you are doing so too, make sure you have extra protection.
As the business grows, you employ more staff to take care of the operations which you were once heading. You don’t have the time to sit and scan every authorization that is made during each business day. So to prevent any misuse, make sure each person has an authorization limit. That way no single person has the authority to sign cheques of any value.
Example: The purchase manager can authorize up to Rs.50,000, but value more than that must be authorized by the Purchase Executive.
This is what auditors always ask for. Make sure the whole system is followed strictly and as evidence, the documentation is present.
Example: If there is a leave in the salary register, make sure that the leave letter is present.
5. More than one person:
Ensure that every job is reviewed and no single person is assigned the same job for more than 6 months. Assign different works in the same department, job rotation helps too and that way your staff is well equipped with process and can handle any work in crisis. When there are more than 2 people checking the work, the chances of mistakes are pretty less.
Example: Mr. A, accountant finishes reconciling the bank statement, it’s important the accounts manager also checks it.
6. Schedule rechecks and reports:
Internal control isn’t only about setting up a error free system, it’s about reassessing and checking the reliability of the system before the auditor points it out. Have weekly/fortnightly reports checked for the performance of the company. Churn out the profitability, purchase, stock, sales reports to see how each department is functioning.
The objective of the setting up internal control is to make sure the business process doesn’t give any room to errors, so that the data sitting in your financial report is reliable. That way you can focus on other important matters that call for your attention. That’s exactly why deploying internal control system means “peace of mind”.