Simplifying Internal Controls

Internal controls are essential to safeguarding an organization from risks such as fraud, mismanagement, and embezzlement. However, despite their importance, internal controls are often either overlooked or implemented in overly complex ways that hinder efficiency – especially in small to medium-sized organizations. These businesses frequently face the challenge of striking the right balance of implementing sufficient controls to ensure security without hindering operations or overwhelming staff.

By simplifying and tailoring internal controls to fit your team’s size and roles, you can enhance both security and efficiency. This article explores key internal controls and best practices for streamlining them.

What Are Internal Controls?
Internal controls are policies and procedures designed to protect your organization’s assets, maintain the integrity of financial reporting and accounting, and help prevent fraud. Effective internal controls begin with the organization reviewing its current processes and identifying potential risks to the organization. Management must use their best judgment in determining which internal control procedures are critical for mitigating risk at their organization and which risks are tolerable given size or capacity constraints.

Using the “COSO” Internal Control – Integrated Framework* , the essential components of internal controls include:

● Control environment: The foundation of strong internal controls set by the organization’s leadership, including policies, procedures, and ethical standards.
● Risk assessment: The evaluation of potential risks your organization may face in pursuit of its goals and creating plans to mitigate those risks.
● Control activities: The specific actions taken to minimize risk, like surprise audits, segregation of duties, reconciliations, etc.
● Information and communication: The process of telling employees about the controls, the reasons they exist, and what their roles are in maintaining them.
● Monitoring: The ongoing evaluation of the effectiveness of the controls.

Internal controls increase transparency and lower the risk of internal fraud. They also help your organization comply with Generally Accepted Accounting Principles (GAAP) and increase confidence with donors about your fiscal stewardship of their donated funds.

Types of Internal Controls
Internal control activities fall under two umbrellas: preventative controls and detective controls. Preventive controls head off and defend against fraudulent activities, maintaining the integrity of the organization’s financial practices. Detective controls, on the other hand, find the problems that have already occurred. Here are a few examples of preventive and detective internal controls that any organization can implement.

Preventative Internal Controls

Segregation of Duties
In segregation of duties controls, different people handle various aspects of a task or activity. For example, in a revenue receipt cycle, a log of revenue receipts is prepared by the person who opens the mail, while a different person makes the deposit to the bank account. This prevents a single person from having control over every step of the revenue receipt cycle, reducing the chances of embezzlement or other fraudulent activities when receiving and depositing checks.

Approval and Authorization
A form of segregation of duties, approval and authorization requires separate people to complete each task. For instance, in the cash disbursement cycle, an employee familiar with disbursement approves the transaction, while another person enters the activity into the accounting software. Often, the approver will also have the authority to initiate the charges on the organization’s behalf to ensure expenditures are appropriate.

Detective Internal Controls

Reconciliation
Reconciliation is the process of comparing two sets of records to check for accuracy or discrepancy — for example, checking your monthly bank and credit card statements against internal financial records. It’s important that monthly bank and credit card statements be reviewed by someone outside of the reconciliation function for any odd or unusual activity and compared to account reconciliations.

Regular audits
In addition to ensuring compliance with Generally Accepted Accounting Principles, Regular audits of financial records help you to identify anomalies in reports, processes, or transactions before they become larger issues. Executive directors can conduct monthly internal reviews while the finance committee or board of directors can perform more comprehensive reviews at least quarterly. External auditors provide independent oversight, which increases the likelihood of detecting fraud or other irregularities.

Tips for Simplifying Internal Controls
Internal controls are important, but they are not one-size-fits-all. Depending on the size and structure of your organization, some internal controls may be easier to implement than others. However, simplifying your internal controls to meet the needs of your organization (instead of changing your business to fit the controls) allows you to protect your assets and your reputation while working within the confines of your internal capacity.

Here are some best practices for simplifying your internal controls.

Document Your Internal Controls
Documentation of your policies and procedures is essential for ensuring consistent implementation of internal controls. Clear documentation serves as a practical blueprint for creating, updating, and executing control measures. It also defines the roles and responsibilities of key stakeholders, reducing ambiguity and streamlining operations. Thorough documentation supports regulatory compliance by providing evidence of established and maintained control systems.

Enforce Your Policies
Your internal control policies form the foundation of your organization’s security practices, providing clear guidance for employees, leadership, and the board on expected procedures. However, even with well-documented policies, they’re only effective of consistently followed – and unfortunately, noncompliance can still occur, exposing your organization to risk. To reinforce accountability and reduce these vulnerabilities, it’s critical not only to enforce your policies but also to clearly communicate that enforcement will occur. Setting the public precedent that internal controls are actively monitored and violations will have consequences serves as an effective deterrent, encouraging adherence and strengthening your overall control environment.

Train Your Team
Compliance is a collective responsibility and the more informed and empowered your team is, the more effective your internal controls will be. Regular training engages key stakeholders, fosters open communication, and encourages shared accountability. It also helps streamline processes, making the execution of internal controls more efficient and consistent across the organization.

Keep Your Business in Mind
Risks are universal, but some may be unique to your business size, model, structure, or goals. Simplify your internal controls by designing policies and procedures that fit your needs while maintaining the principles of preventative controls, instead of trying to fit your business into the mold of what may seem standard.

Internal Controls Made Simple
Internal controls are designed to help organizations safeguard their assets, mitigate risk, and follow best business practices. They help businesses prevent and detect threats to financial integrity and maintain compliance.

Though internal controls can be overcomplicated, they can be simplified by following best practices. Documentation creates a source of truth for internal controls, helps to streamline the checks and balances that protect your business. A culture of review and enforcement serves as a both a deterrent against fraud and a confirmation that control procedures are upheld; and regular analysis of your operations and control environment year allows you to determine what changes might require updated controls.

*The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework, originally issued in 1992 and refreshed in 2013 (ICIF-2013 or Framework), was developed as guidance to help improve confidence in all types of data and information and is the standard on effective internal controls.