Question

Effective segregation of duties is sometimes not economically feasible in a small business. What internal control elements do you think can help compensate for this threat?

Answer 1

As a small business owner, you know that implementing properly designed controls with limited resources can be challenging. However, not addressing deficiencies can expose your business to operational and financial risks and losses.

Fortunately, there are steps you can take to help prevent and detect fraud at your company. The most common types of internal control weaknesses detected in small businesses can often be mitigated through implementing a combination of anti-fraud controls and/or slightly modifying existing processes.

The following five internal control challenges are some of the most common found in small businesses.

1. Separation of duties

In larger organizations, the performance of critical functions is typically divided among different employees. In small businesses with limited human resources, it’s not uncommon for a single employee to be solely responsible for completing multiple tasks in a critical process. However, failing to properly segregate duties can result in a greater risk of errors or fraud.

Generally, assigning different people the responsibilities of authorizing transactions, recording transactions, maintaining custody of related assets, and reconciling accounts provides for more effective internal controls. Each employee should have specific job responsibilities, preferably defined in writing. Reassignment of specific duties within a process to other appropriate individuals can significantly help to mitigate risks in many cases.

2. Policies and procedures

Effective policies and procedures can help you to align your business objectives and help establish best practice operating procedures – and they are also one of the most underused control tools. Even if you think your business processes are uncomplicated and well known by management and employees, there is value in creating written policies and procedures.

Although each business is different, the following are examples of common processes that are important to define and document:

• Sales and accounts receivable
• Cash management and banking
• Purchases and accounts payable
• Payroll and human resources
• Financial statement closing and reporting

Documenting key controls in each of these cycles can provide transparency and consistency and allow for specific roles to be easily be assigned to specific individuals. If a key employee leaves the company, it will be easier to train new and/or temporary employees with thoroughly outlined and documented procedures already in place. Documenting policies and procedures can also help to clearly define business operations and confirm alignment with management’s expectations.

3. Documentation

Maintaining adequate supporting documentation is part of the foundation for developing an effective internal control framework within an organization. Without it, it can be difficult to demonstrate existence of transactions completed, procedures performed, and controls in place. Proper documentation can also make it easier and more efficient to research and respond to questions from customers, management and auditors.

By emphasizing the importance of maintaining proper evidence, your management team can help reduce risks to employees and to your business.

4. Oversight and review

Small business owners are often so involved in the strategic and operational goals of their business that it is difficult to also pay enough attention to basic internal control monitoring procedures. Proper oversight is essential to the internal control framework and an important aspect of fraud prevention and detection.

Reviewing certain key metrics, sales, expense accounts, cash reports, variance reports, payroll summaries, and other data on a monthly basis may help you identify problems that may exist. Having your finger on the pulse of your business’ performance can also provide valuable information for key decision making.

5. User access rights for information systems

Employees are often granted more access to information systems than they actually need to perform their job responsibilities. This may be done for ease of application or because the person granting access (often the IT administrator) does not fully understand the new employee’s role. However, providing such access can expose the business to additional risks that business leaders may not be aware of.

Employees should start with very limited access to information systems with only the rights to perform functions that are essential to that user’s work. As the employee’s workload expands, additional access rights may be granted.

All users’ access rights should be reviewed on a periodic basis to ensure that there is a legitimate business purpose for the access granted to each user. Although this approach requires more time and effort, it can enhance the system of controls and security in place.

Although small businesses may have more limited resources than larger businesses, there are several controls that can be implemented and/or enhanced to help prevent and detect fraud and mitigate operational and financial risk.