Michael Goldman & Associates, L.L.C. - Consulting & CPA Services

Home Up Feedback Contents Search

Internal Control
  Unrecorded Income Fraud or Incompetence Overstated Income Employee Theft Internal Control Role of Corp. Overseers Forensics in Divorce Professional Practices

 

Goldman's Critical Support - Winter  2002

Use Internal Controls to Minimize Loss

If company owners did all the work themselves, assuming they always acted in their own best interest, there would be virtually no loss from internal theft, unreliable financial reporting, non-compliance with applicable laws and regulations, or inefficient use of resources.

 

As soon as you hire employees or outside contractors, you introduce those losses, or at least the risk of those losses. To control that risk, the owners then need to set goals and objectives for employees to strive for, define tasks, identify and quantify risks, establish policies, set boundaries, monitor progress, and take corrective action when needed.

 

The systems used by a company to minimize the risk of loss are known as internal controls. Internal control is the responsibility of both directors and managers of the company.

 

Control what?

Before designing a system of internal controls, it is important to understand what needs to be controlled. This involves identifying risks and the potential cost of each risk. Determine how often you expect each type of loss would likely occur, and what the cost per occurrence is likely to be. Multiply these two numbers together to get the total loss potential for each type of loss. Later you will compare loss potential with the cost of controls, in order to do a cost-benefit analysis and make sure controls don’t cost more than the potential losses they are designed to prevent.

 

The types of risks that need to be controlled include:

 

  • Loss of assets – theft, spoilage, squandering, etc.

  • Inaccurate transaction reporting or accounting entries that would render management information unreliable

  • Loss of documents required for tax, regulatory, control, or management purposes

  • Disregard for management policies, goals, and objectives

 

Control how?

There are two types of controls that help mitigate the above risks: preventive and detective. Preventive controls defend the company against specific risks and are usually stronger than controls that detect something after it has happened. Preventive controls are the most utilized type of control, and are usually done on a transaction-by-transaction or event-by-event basis. They are most noticed by the greatest number of employees and are most vulnerable to violation by both well-intentioned and devious employees. These types of controls are often expensive in terms of workflow disruption and implementation costs. Examples of defensive controls include:  

  • Obtaining pre-approval on actions or transactions before they can be processed

  • Using document control numbers to make sure all transactions are accounted for

  • Matching and comparing documents from different sources to ensure integrity

  • Testing clerical accuracy

  • Locks on doors and gates

  • Physical controls over cash, checks, signature plates, and  inventory

  • Computer passwords, access controls, and file locks, to prevent unauthorized electronic access

  • Computer backups for both audit trails and disaster planning

  • Batch totals on data entry work

  • Validating input data against established parameters to ensure accurate keypunching.

  • Segregation of duties, well defined job descriptions and standards

  • Job rotation, enforced vacations, etc., to reduce chances of long-term embezzlement schemes

  • Employee screening and training programs

  • Drug testing of employees and applicants

Preventive controls are subject to breakdown, with the biggest cause being individual circumvention. Sometimes it is malicious and sometimes it is well intentioned (we can get from one department to another easier if we prop the locked doors open, for example, or I can cut my data entry time by a third if I dummy my batch totals). In some companies physical controls are widely ignored – most major thefts of inventory happen in front of other employees who either assume that the thief is acting properly, or do not want to get involved.

 

Detective controls, on the other hand, help management identify when preventive controls have broken down and corrective action is needed. Examples of these supervisory and monitoring controls include: 

  • Enforcement of job descriptions and standards to keep employees acting as expected

  • Supervisory review and sign-off of accounting work, expense reports, commission statements, payroll data, etc.

  • Cycle counts of inventory

  • Surprise cash counts

  • Management review and approval of account write-offs

  • Review of monitoring information and reports to ensure that controls are functioning as planned

  • Exception reporting and resolution to highlight out-of-the-norm items

  • internal audit

  • Supervisory peer review

  • Comparison of actual results to budgeted or forecasted results

Detective controls tend to be less expensive and more reliable than the preventive controls discussed earlier, because they can often be applied over a large number of transactions in a short time.

 

If detective controls review less than 100 percent of a certain activity, their review has to be somewhat random. If cash drawers are “surprise” counted by management Mondays, Wednesdays, and Fridays (60 percent of all work days), the counts are predictable and cash skimming will most likely occur during the other days of the week. Random counts would tend to deter skimming because they are unpredictable.

 

Since fraud perpetrators either ignore or compromise the preventive controls in place, it is imperative that management perform its supervisory and monitoring functions. Do not be afraid to manage – people generally want and need both direction and feedback in order to feel satisfied with their work.

 

Like preventive controls, detective controls are also subject to breakdown. To minimize the chance of both types of control breaking down, it is important to design the controls so that they do not get subverted – control the right thing and make the control easy to follow, implement, monitor, and reinforce. Implement the control properly, monitor and evaluate any feedback related to the control, and whenever possible, tie controls to incentive systems.

 

Cost of controls

Costs of controls can include the price of physical safeguards, the value of additional hours of employee work incurred, your time, etc. The costs should be less than the benefits.  Employee supervision is where most owner-operated businesses get this comparison wrong, particularly by assuming too low a benefit to a control over a long-term and trusted employee. It is not uncommon for the been-there-forever, taken-for-granted, almost-a-member-of-the-family employee to take advantage of the paternal way in which he or she is treated to loot the company blind.

 

Implementing controls

Proper control design and selection are only the first steps. The most important factors in making them work are communication and organization. Simply putting the controls in place won't guarantee their effectiveness.

 

Make sure that your people are aware of and understand the controls; and then find ways to influence their behavior so that they agree to respect them. Organization issues involved include the chain of command structure, cost constraints, job descriptions, and the company’s formal and informal feedback loops.

 

Every control system needs to be flexible and change as the company evolves. No system of internal controls can completely protect against all risks of theft. Keep in mind that risk is a matter of possibilities and probabilities, and therefore must involve the analysis of both positive and negative outcomes. An analysis of internal controls needs to consider the key risks facing the company, the company’s objectives, and the existing controls and procedures.

 

Employee motivation: perceived equity

Since it isn’t always possible to eliminate the opportunities for theft, attention should also be paid to the rationalization used by wrongdoers. Most cases of employee theft or misbehavior involve issues of perceived equity. Employees who perceive that they are not being treated fairly are much more prone to steal from their employer. It is important to be perceived as being fair, but not weak. Make sure all of your employees know what is expected of them, and treat everybody consistently. Avoid setting unreachable goals or creating other pressures to commit fraud, remove obstacles that block effective performance, and establish clear and consistent procedures with no exceptions.

 

Lax management breeds lax employees. Dishonest acts by management, even if directed at people outside of the company, create a dishonest environment where theft is easier to rationalize. Even when an employee has a need and an opportunity to steal, it usually will not happen unless that employee also has a sufficient rationalization to commit the theft.

 

Related article: See also "Are Your Employees Stealing?" in the Fall 2001 issue of Goldman's Critical Support. To receive a copy of the Fall issue please contact Mike Goldman at 847-681-9020 or michaelgoldman@mindspring.com.

 

© Michael Goldman 2002

For more information, please go to www.michaelgoldman.com 

Editorial material in these newsletters is intended to be informative, and should not be construed as advice. For advice on any specific matter, please consult your financial or legal adviser.

 

 

 

 

Home ] Up ]

Send mail to michaelgoldman@mindspring.com with questions or comments about this web site.
Last modified: March 31, 2007