Fred Norman, Head of Audit at Harold Sharp, shares actionable strategies and best practices to help businesses strengthen their internal control processes. This article was first published by theBusinessDesk.com on 12 December 2024.
Managing risk is a key challenge for businesses of all sizes. A crucial element in addressing this challenge is the establishment and strengthening of internal controls.
In the context of auditing, internal controls refer to the processes, policies and procedures put in place by a business to ensure both the operational and financial functions are running effectively. It can be difficult to balance the need for efficient processes with the need for oversight and reliable data, especially for smaller businesses.
However, there are a few key steps that organisations can take to strengthen their control environment and begin embedding controls in their operations.
Conduct a risk assessment
While you may be used to formally documenting operational risk assessments, it is worth expanding this to cover all functions of the business. For example, assess risks related to financial fraud and cybersecurity threats.
Your risk assessment should be scaled to the size and complexity of the business, even a short list of relevant risks can help identify where controls are weak or missing. Not every risk you identify will need a response.
There may be areas where risk acceptance is appropriate, but having a documented risk assessment is still a valuable part of corporate governance.
Implement relevant controls
Once you have identified any gaps in your risk assessment, there are a number of controls you might need to implement. The key to this exercise is to ensure that the controls remain proportional to the risk of the business and are well understood by your staff.
1. Segregation of duties
One of the most effective ways to prevent fraud and errors is through the segregation of duties. This involves dividing responsibilities so that no single individual has control over all aspects of a transaction. Many software packages allow this to be enforced by the system, eg by not allowing someone to raise and approve the same purchase invoice.
Segregation of duties is a key defence against internal fraud. If you don’t have many employees, rotating responsibilities or performing a sample review of transactions can be used in place of a permanent system. For example, you may have the manager of one team review a sample of transactions performed by a different team. You may already have third party oversight of these processes through your external auditor so ensure that any findings are factored into the control in subsequent periods.
2. Implement clear policies and procedures
Having formal, documented policies ensures consistency in how processes are performed. These documents should outline the correct processes for handling financial transactions as well as clear reporting requirements for when a process has failed.
Many businesses implement formal approval thresholds for certain transactions which, similar to segregation of duties, may be system enforced. Regularly updating and reviewing these policies is key to ensuring they remain relevant and effective.
3. Reconciliations and stock counts
Most businesses already perform regular reconciliations as part of their financial processes (this includes reconciliation of the inventory as part of the yearly stock count), however these do not always form effective internal controls. If the reconciliation does not include a process for investigation and resolution of differences, then it provides limited value.
Ideally, key reconciliations should be reviewed by senior members of staff (especially the year-end ones) and any action points followed up and evidenced.
4. Automation
Automation enhances internal control by reducing human error, increasing efficiency and improving accuracy. By automating repetitive tasks such as data entry, invoicing and payroll processing, you can minimise the risk of mistakes and fraudulent activities that often arise from manual intervention. Automation also ensures consistency and systems can often be configured to report errors or failures, making it easier to track and monitor activities in real-time.
Monitoring of controls
Continuous monitoring and periodic reviews are essential to ensure that your internal controls remain effective.
Implementation of a retrospective review as part of the yearly reporting cycle helps identify weaknesses in implemented controls and tests adherence to established policies. These could be performed by management or a third party, such as external auditors.
It is crucial that root cause analysis is performed where issues have been identified and changes made to processes in response. It’s also important to document control procedures and the rationale behind changes. Having clear records of who made decisions, when changes were implemented, and what controls are in place can provide accountability and transparency.
Fostering a culture of accountability
Implementing internal controls is an ongoing process that requires evaluation, improvement and adaptation as your business and the risks change. A robust system of internal controls not only protects your company’s assets but also fosters a culture of accountability. A system of proportionate internal controls can provide a strong foundation for reducing fraud, improving financial accuracy and ensuring operational efficiency.
As your business grows, you may need to build on these fundamental controls with more sophisticated systems, but even these initial steps will help protect your company from some of the most common risks and provide greater comfort over your management accounts.
At Harold Sharp, our Audit Team has extensive experience of collaborating with OMBs throughout the audit process and going beyond compliance to utilise the audit as a tool to better your business.
To find out how we can support you, contact Fred Norman or call 0161 905 1616.