top of page

INTERNAL CONTROL & the ACCOUNTING PROCESSING SYSTEM

Internal controls are simply accounting for all transactions coming into & out of an entity!!!

 

Internal Control as defined by AICPA's AU-C Glossary of Terms is "a process effected by those charged with governance, management, and other personnel that is designed to provide reasonable assurance about the achievement of the entity's objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. Internal Control over safeguarding of assets against unauthorized acquisition, use, or disposition may include controls related to financial reporting and operations objectives."

TRUST should never factor into developing and implementing internal controls. We are all human and make mistakes. Having controls can help eliminate these human errors or mistakes. Entities should develop controls to protect their employees, information, reputation in the community, and assets. 

 

For small entities several factors can limit their ability to have successful controls:

 

  • A lack of segregation of duties, due to small staffs and resources; No single person should have complete control over a single transaction

  • Susceptibility of management or boards to override the controls

  • Low pay scales can cause employees to rationalize fraudulent behavior because they feel they deserve more; feeling entitled to more than the entity can provide

  • Employees of small entities sometimes have to carryout more duties than they expected when they were hired. "It's not in my job title." "I don't like numbers (accounting)." "It won't happen to us." These type attitudes can make controls weak because the employee simply doesn't want to do them. The employee's training may be limited too.

 

PREVENTING and REDUCING FRAUD

 

Below lists procedures an entity can implement to help develop strong internal controls to reducing fraud, errors, or illegal acts. An entity can't eliminate fraud 100%!

 

 

  • Have background checks when hiring a candidate (past employment, criminal background, drug testing, education and licensing)

  • Check the candidate's credit. Low scores may indicate a financial need or incentive

  • Actually check the candidate's references and ask if the candidate was eligible for rehire

  • Have employees bonded who handle cash

  • Conduct an annual Fraud Brainstorming Session with all employees, board members, and volunteers. With ever-changing staff, this meeting should be conducted at the beginning of every fiscal year or just before. The session should begin with a brief introduction on the definition of fraud, categories of fraud, and conditions present for fraud to occur [click here for my section on Fraud]. This session should discuss fraud that has actually occurred at the entity, fraud occurring in the news or the community, ways in which fraud could occur at the entity, and ways to help safeguard the entity from possible threats.

  • Having an anonymous Fraud Tip Hotline is proven to be an entity's greatest asset on fraud. Tip lines reinforce company policies, making it clear that unethical conduct is unacceptable, and help set a tone of control for an entity. Basic annual fees average $500 to $1,200.

  • Keep good, dedicated employees and board members. Sounds easy enough, but it isn't. Due to by-laws, some non-profits change board members after a certain amount of time. Board members tend to care three ways: a lot, some, or not much at all. Get board members who want to be there and care about the entity, its policies, and assets. In my professional opinion, it is good to change board members sometimes. But, having the same dedicated board members can really bring a benefit. Indefinite members who want to be there and care about the organization are the best in my opinion. They show up for the meetings and give input. Moreover, churning new members or employees means they have to learn everything about the entity from the start. Important topics and happenings from prior years may have to be rehashed with them. Also, they may feel since they weren't there initially for a certain topic or decision, their input won't be as acceptable to other board members. Note: if your by-laws don't allow an indefinite board term, simply change them!

  • Always have someone higher-up review reimbursements for personally paid expenses for the entity, especially travel. Travel is highly subjective to fraud! Example: Never have an employee lower than the director sign-off on these reimbursements. If it is subjective, this may put the employee in a difficult situation. Always have the board's treasurer or another board member review, inquire, and sign-off on the reimbursement. Authorizing certain travel arrangements, beforehand, can help too.

  • Try and segregate internal controls on relatives and family members who work or volunteer together. Special events usually involve handling cash. Having non-related party relationships work together, like at the entrance gate or near the donation lock box, can help prevent collusion.

  • Have two signatures on checks and never have anyone sign a check without proper invoice documentation in front of them. After reviewing the documents, cancel the documents (so they can't be duplicated), then sign and mail the payment.

  • Printout a master list of vendors (from your computer software) the entity is using and pass it out for review. Boards and employees could find problem vendors they know about. Or, they could inquire on billing amounts to suggest other vendors that may be more inexpensive for the entity. This could also help with recognizing conflicts-of-interest or related parties.

  • Inquire if there is a bidding process on vendors to lower cost. Moreover, the entity should research and make sure their vendors are properly licensed with the proper agencies.

  • Lock up valuables at all times. Use a cash register, lock boxes, filing cabinets, and safes. That's common sense. In my experience, most entity's leave sensitive information unlocked during business hours. Then, before leaving, they lock it up. Having filing cabinets unlocked gives anyone access to employee or client files. These files can have social security numbers, addresses, wages, medical information, etc. Identity theft is a growing industry and needs to be taken seriously. A simple picture from a camera phone can take seconds and bring thousands of dollars on the black market.

  • Be observant when an employee is unwilling to learn or adapt to a change in controls or a new system.

  • Be observant if an employee is unwilling to take vacation time. They may feel their fraud could be found while away from the office.

  • Encourage employees to report concerns about fraudulent activities to management or board

  • Have reward programs for employees who report fraudulent activities

  • Have written policies stating that everyone associated with the entity will be prosecuted to the fullest extent of the law. Individuals need to know your entity takes fraud seriously. Most individuals realize that most entities won't contact the law because it may hurt the reputation of the entity in the public's eye or it may cost the entity too much in legal fees.

  • Always have backup documentation of receipts and reimbursements before paying or signing the check, especially credit card reimbursements.

  • Always document and disclose all potential Conflicts of Interest with related parties, on a regular basis. Related parties can include family, being a board member, close personal relationships, or an ownership in a conflicting business. Conflicts of interest can still be performed if the entity follows the proper procedures and documentation. Always get independent multiple bids on professional services. Be sure the conflicting person excludes themselves from oversite on the conflict. EXAMPLES #1) A board member's father wants to perform construction work for the entity. That board member should exclude themselves from voting and the remaining board members should obtain proper documentation (proper licenses), including obtaining other proposed bids from other entities on the work. Make sure you document and maintain the other bids on the conflict if the father wins the bid and performs the work. #2) A director's spouse or a board member's family works, at any capacity, for the bank that currently holds the entities certificates of deposit and the CD's are set to mature in the near future. To resolve the conflict of interest and renew the CD's in the same bank, the entity should obtain other documented interest quotes from different banks to ensure the entity has benefited from the best available CD interest rates. Maintain documentation!

 

DEVELOPING INTERNAL CONTROL & FLOW CHARTS for SMALL ENTITIES

EMPLOYEE or MANAGEMENT PICKS UP & OPENS THE MAIL FROM THE MAILBOX, BUT NOT THE ACCOUNTANT.  EMPLOYEE/MGMT SHOULD REVIEW CORRESPONDECE/BILLS & INITIAL/COMMENT BEFORE HANDING IT TO THE ACCOUNTANT.

RECEIVING & PAYING BILLS

FLOW CHART -

(SEGREGATION OF DUTIES)

THE ACCOUNTANT SHOULD REVIEW THE MAIL, AFTER MGMT, THEN PREPARE THE PROPER BILLS FOR AUTHORIZATION OF PAYMENT. AUTHORIZATION INVOLVES  FILLING-OUT THE CHECK's DETAILS & SIGNING (first signature) THE CHECK.

MANAGEMENT RECEIVES ORIGINAL VENDOR DOCUMENTATION & THE ACCOUNTANT'S PREPARED SIGNED CHECK. MANAGEMENT REVIEWS/INITIALS DOC'S FOR ACCURACY & AUTHORIZATION TO PAY/MAIL (making the second signature on the check).

  • THE ACCOUNTANT/BOOKKEEPER SHOULD NEVER OPEN OR PICK UP THE MAIL.

  • MANAGEMENT SHOULD OPEN SENSITIVE OR UNKNOWN MAIL THE EMPLOYEE CAN'T

  • INITIAL EACH PAGE (& MAKE COMMENTS ON THE INVOICES IF NEEDED); THIS DOCUMENTS THEY HAVE BEEN REVIEWED BY MANAGEMENT.

  • THE ACCOUNTANT SHOULD FILL THE CHECK OUT IN ITS ENTIRETY. NOTING ON THE MEMO LINE: INVOICE #'s & WHAT THE PAYMENT IS GENERALLY FOR (IF NOT RELEVANT); SIGN THE CHECK'S FIRST SIGNATURE.

  • THERE SHOULD ALWAYS BE TWO SIGNATURES REQUIRED FOR CHECKS

  • NEVER SHOULD A CHECK BE SIGNED UNLESS DOCUMENTATION IS PRESENT (especially blank checks); NOTING SOME BILLS MAY NOT HAVE DOC'S (MOWING, CLEANING, ETC.). BUT THE SIGNEE SHOULD STILL CONFIRM THE SERVICES.

  • WHOEVER SIGNS THE CHECK LAST (MANAGEMENT) SHOULD CONTROL THE MAILING OF THE PAYMENT, SEALING THE CHECK & INVOICE IN THE ENVELOPE.

MANAGMENT or EMPLOYEE SEALS ENVELOPE & MAILS TO VENDOR. ORIGINAL DOC'S GIVEN BACK TO ACCOUNTANT. ACCCOUNTANT IS NOT TO MAIL PAYMENTS.

MANAGEMENT OR BOARD OPENS THE SEALED BANK STATEMENT, FIRST. REVIEWS TRANSACTIONS & IMAGES OF CANCELLED CHECKS. LOOKING FOR SKIPS IN CHECK #'s or UNUSUAL ITEMS. INITIALs ALL PAGES BEFORE GIVING IT TO THE ACCOUNTANT.

BANK/CREDIT CARD STATEMENTS

FLOW CHART -

OPENING & REVIEWING

(SEGREGATION OF DUTIES)

ACCOUNTANT REVIEWS BANK STATEMENT. PREPARES THE BANK RECONCILIATION and ADJUSTS THE ACCOUNTING SOFTWARE. INITIALs ALL STATEMENTS. PRINTS OUT THE MONTH's ACCOUNTING TRANSACTIONS FOR MANAGEMENT TO REVIEW.

MANAGEMENT REVIEWS THE BANK RECONCILIATION AND THE ACCCOUNTING SOFTWARE TRANSACTIONS FOR ACCURACY & CORRECT ACCOUNT CLASSIFICATIONS. INITIAL THESE DOCUMENTS.

In a lot of cases, a bank reconciliation generated by software will have errors. Example: Should there be an outstanding deposit that has not cleared in over two weeks? A deposit should clear in days!

  • ANY PERSON AUTHORIZED TO SIGN THE CHECKS, SHOULD NEVER OPEN THE STATEMENTS, FIRST.  THE ACCOUNTANT USUALLY HAS ACCESS TO ONLINE BANKING IF THEY NEED IT. BUT OPENING THE SEALED STATEMENTS FIRST, GIVES OWNER/BOARD AN INDEPENDENT CONFIRMATION ON TRANSACTIONS PROCESSED THROUGH THE BANK. SOMETIMES A BOARD MEMBER (TREASURER & NON-CHECK SIGNER) WILL NEEDED TO OPEN THE STATEMENTS FOR SMALL ENTITIES, ESPECIALLY WHEN THE DIRECTOR HAS PURCHASES USING A CREDIT CARD. THIS IS FOR PROPER HIERARCHY SUPERVISION ON PURCHASES.

  • THE MONTHLY STATEMENTS SHOULD BE REVIEWED IN EXTREME DETAIL! LOOKING FOR UNUSUAL TRANSACTIONS. LOOK FOR A BREAK IN CHECK SEQUENCES OR VOIDED CHECKS, NUMBER OF TIMES PAYROLL OCCURS ON EMPLOYEES, ETC. ALWAYS HAVE ALL RECEIPTS ON CREDIT CARDS READY FOR THE REVIEWER WHEN THEY OPEN THE STATEMENTS. IT IS ALWAYS BEST TO HAVE THE REVIEWER HAVE ALL INVOICES/DOCUMENTS THAT CLEARED THE BANK THAT MONTH ON-HAND WHEN REVIEWING. THESE INCLUDE EFT/OTHER CHARGES NOT PAID BY CHECKS ISSUED AND INCLUDE PAYROLL RUNS AND TAXES PAID.

  • INITIAL (& MAKE COMMENTS, IF NEEDED) THE STATEMENTS FOR PROOF IT WAS REVIEWED BY MANAGEMENT. DATE YOUR WORK IF NECESSARY.

  • THE BANK STATEMENTS SHOULD ALWAYS HAVE COPIES OF CANCELLED CHECK IMAGES (FRONT & BACK) MAILED WITH THE ORIGINAL STATEMENTS. PRINTING OR REVIEWING CANCELLED CHECKS ONLINE WILL NOT BE EFFICIENT. SOME BANKS CHARGE SMALL FEES FOR RETURN IMAGES. PAY THE FEES OR SWITCH BANKS.

  • MANAGEMENT SHOULD ALWAYS REVIEW THE BANK RECONCILIATIONS AND PRINTOUTS OF THE ENTITY'S DETAIL MONTHLY ACCOUNTING TRANSACTIONS TO MAKE SURE THE ACCOUNTANT WAS ACCURATE & RECORDED DISBURSEMENT AMOUNTS CORRECTLY INTO THEIR PROPER CLASSIFICATIONS.

  • IF THE ENTITY USES PAPERLESS INVOICING (NOT RECOMMENDED), MANAGEMENT SHOULD DOWNLOAD/PRINT THE FORMS, THEMSELVES, BEFORE PAYING.

GETTING ORGANIZED and OTHER ITEMS of CONSIDERATION in INTERNAL CONTROL

Most entities don't know where to start with their internal control and accounting system. My advice to management or directors is to simply purchase a Three-Ring Binder. The binder should include most of the items needed to manage the entity:

 

  • At the very front should be a checklist of important dates on the entity's meetings, filing requirements, events, etc. This checklist should include dates for required tax filings, insurance policy renewals, etc. that management can keep track. It's nearly impossible to keep these dates memorized! Additional advice, have your insurance policies on a calendar year end, starting January 1. Its easier to keep track. Worker's compensation audit amounts can easily be reconciled by using the IRS year-end filings (IRS Form W-3).

  • Included in this three-ring binder should be tabs for the entity's mission statement, by-laws, employee handbook, list of current board members, budget, rental agreements, contracts, and any other important documents (federal tax ID letter, state's sales tax exemption forms, etc.) that pertain to the entity. Include any documents that are time-sensitive and may need future updating.

Miscellaneous Internal Controls to Consider for Your Entity:

 

  • Use passwords for sensitive computer data and change the passwords regularly. Especially when there is a change in employment. Also make sure you regularly back up data.

  • Always have another employee check your work, including non-accounting transactions (letters, board presentations, etc.).

  • Always require two people to open or close a bank account (board treasurer if possible). Moreover, have a policy where no new deposit checks are allowed to start a new bank account. Have the new deposit check deposited into an existing account, then transferred (a paper trail) the amount to the new account. Not using this procedure may allow an account to never hit the entity's accounting system. Thus, having no record of such deposit. Always restrictively endorse all deposits.

  • Lock up sensitive documents at all times & until needed, especially employee documentation containing social security numbers.

  • Purchase security cameras that include recording/cloud storage functions. There are many inexpensive items on the market.

  • Always place the cash register near the entrance/exit doors of the building to help monitor outgoing inventory.

  • Use purchase orders (POs) when placing orders. Never have the person who orders the products, open the shipment.

  • Watch travel reimbursements or expenses. These can tend to have a high risk of potential personal use.

  • Develop an expense policy in which material purchases need management or board approval.

  • Keep track (list in the three-ring binder) on who has keys or passwords and to what.

  • Use a Trend Analysis to compare the current year's income and expense amounts with the prior 3-5 years. Sometimes this can identify potential errors in accounts and transactions. Example: comparing year-to-year utility charges can sometimes recognize potential problems with your heating or cooling system (higher than expect amounts). Most accounting software will do this function.

  • At the board meetings, members should be given a current year financial statement from the entity's software program along with a comparison to last year's totals. This allows the board to monitor if the accountant is up-to-date with the entity's transactions.

  • The past twelve month's bank & investment statements (placed in individual binders) should be available to ALL board members to review at the meetings. Reviewing the bank's cancelled check images, which displays who was paid and the amount, can tell a board member a lot about the monthly activities of an entity. This also gives the board the opportunity to see if management/director has been reviewing these statements (their initials & comments should be present on the statements). Also, check and make sure these (reconciled) statements match the current accounting software financial statement accounts.

bottom of page