EXAMINING INTERNAL CONTROLS FOR SMALL BUSINESSES
By Aimee Hollenhorst, CPA

Internal controls are the processes and procedures that help prevent and detect financial reporting errors and fraud. Every company, regardless of size, can benefit from a properly designed set of procedures and controls. Here are ten controls to help prevent accounting errors and financial fraud that can be easily implemented by a business owner or a nonprofit's executive director, even where optimal separation of functions is not feasible given an organization's small staff.

1. All bank statements should be received, opened, and reviewed by a key officer or administrative assistant outside of the accounting function. This person should not be involved in the underlying accounting and should be knowledgeable about the company's business so that they would be able to identify improper activity shown on bank statements. The bank statements would then be returned to accounting for reconciliation.
2. Every payroll change, including pay rate changes and bonuses, should be documented. Documentation provides a trail that changes were authorized by proper individuals. Documentation can be as simple as a printed email. Also, payroll reports (e.g., queries for payments or W-2s to duplicate social security numbers, gross pay over a certain dollar amount, new employee, or other changes) should be reviewed on a regular basis.
3. Debit cards should be used sparingly and debit transactions should be recorded as soon as possible. Forgetting to record debit card transactions commonly leads to overdrawn accounts. Also, access and use of corporate cards should be limited to those employees who truly need them. Finally, companies should adopt and monitor policies prohibiting personal use of company credit cards.
4. An appropriately knowledgeable person should be tasked with the review and approval of expenditures and vendor invoices. This will help identify inaccurate or invalid charges. Project managers should review direct project charges, office managers should review office supply charges, the human resources manager should review employment ad charges, etc.
5. Positive Pay is a bank service whereby the company informs the bank of the checks written and the amounts of those checks. The bank will then honor only those checks communicated in advance by the company. Positive Pay can reduce the chance of check fraud by outside parties and the company's liability for such fraud.
6. Persons who have access to the corporate signature stamp, or who can initiate electronic payments, have the same basic authority over cash as the signatories on a bank account. Companies should, therefore, restrict the use of the check stamp in the same fashion as they restrict corporate signing authority. Companies should also consider requiring the bank to obtain a second, separate corporate approval before processing non-routine ACH and other electronic transfers.
7. Journal entries are used to enter information into an accounting system and by-pass system modules, such as accounts payable and accounts receivable. Journal entries can be used efficiently to record activity such as depreciation and amortization, but they can contain errors and be used to conceal fraud in financial records. Management should obtain a list of regular, recurring journal entries and compare it against system reports of actual journal entries recorded in the general ledger. Any unusual entries should be reviewed in greater detail as they could contain errors or worse.
8. Account reconciliations are the primary tool to detect errors in account balances. If reconciliations are done properly, on a regular basis, mistakes will be detected and can be corrected on a timely basis. The nature of the account will help determine the frequency in which it should be reconciled.
9. Errors and fraud take place most often where one person has complete control or access over a transaction cycle; i.e., can authorize, initiate, and record a transaction. To address a "lack of segregation of duties," assign one part of the cycle to a second person. A "second set of eyes" will reduce the risk that errors go undetected and reduce or remove the opportunity to commit fraud.
10. The owner, president, or executive director is the person running the organization. Who better understands the business and associated numbers? There are specific benchmarks, ratios, or other measures that are critical to managing the organization. It is the role of the accountant to provide management meaningful information with which to make business decisions. The top executive should get the needed information in a useful format on a timely basis. He/she should ask questions about the numbers and corroborate the answers until satisfied. If the answer does not make sense, the numbers may be wrong or reflect something wrong. Review of financial reports by the top person provides a top-down level of internal control.

Accounting errors and financial fraud can occur in any organization, and internal controls can help prevent and detect them. Effective controls, such as those described above, can be easily implemented, even in small organizations where segregation of functions is not optimal. Every company, regardless of size, can benefit from a properly designed set of procedures and controls.

Ms. Hollenhorst may be reached directly at ahollenhorst@rubino.com or 301.564.3636. For more information about R&M, please visit www.rubino.com or call 301.564.3636.