Internal control: A highly misunderstood and ignored topic

Can you imagine driving your vehicle down a six lane interstate without any lane markers, signs that communicate specific regulations and warnings, and everything else we rely upon to safely stay in our lanes and arrive at your intended destination? In the absence of such lane markers and signs, you would not have any guidance for your trip or means of measuring progress. You would not know the applicable law, and what is and what is not acceptable. You would have difficulty staying safely away from obstacles since there would not be markers to keep you on track toward your objective–in this analogy, your destination. And this analogy relates to internal control.

Internal control in business may be most simply defined as the means by which an entity achieves reasonable assurance in achieving its objectives relating to compliance, reporting, and operations. It is also a method of safeguarding assets. They are the policies and procedures and lines of communications that are established and enforced. It is the tone from the top. Just as lane markers and roadway signs help you safely navigate and arrive at your destination, internal control does more than just attempt to mitigate the risk of fraud: it strives to help assure a company is postured and better able to achieve its objectives.

It is important to realize that internal controls are:

• intended to achieve objectives
• processes
• effected by all individuals associated with a company
• intended to provide reasonable assurance of achieving objectives
• highly adaptable to various businesses and structures
• designed to work to protect company assets

Whether you are a small mom-and-pop operation or a multi-billion dollar enterprise, you must have internal controls in order to survive and achieve your goals. Internal controls are fluid, with few staying the same over time. They evolve. Internal controls are a living and breathing component of every successful business.

Let me give an example of a poor internal control. A well-known company’s lack of internal controls allowed a former employee to remain a “full access account administrator” on a credit card with no pre-set credit limit, five years after the employee resigned. Had this been a vindictive employee, quite a bit of trouble could have been caused. Additionally, staff members that had not been employed by the company for a similar length of time still had their names listed as authorized users, which meant a physical card existed for each person. Why is this last part an issue? Well, it poses risks to assets–namely, cash. Secondly, it poses legal and credit account term risks since the company intentionally kept former employee accounts open and has continued to use the accounts for routine operations.

Greg Bennett, Owner and President of Cornerstone CPA Solutions, holds a certificate in the COSO Internal Control Framework. Internal controls can be difficult to identify and implement yourself, as they often require an independent eye and thought process. Contact us today to discuss how your company can benefit from an analysis of your internal controls and recommendations for new or modified controls.