In Pursuit of Profit
Most business owners are familiar with the concept of internal financial controls, but there is often confusion around who needs them. We hear this every day in the conversations we have with the leadership teams of small to mid-sized businesses.
There is a widely held misconception that only publicly traded companies need to worry about internal controls. Private companies often assume that because they do not need to file their financial reports with an external entity or report them to shareholders, they do not need to implement the same types of controls that larger, public organizations do. The confusion here stems from the fact that many people view internal controls as a piece of the regulatory puzzle, when in reality internal controls are “The policies and procedures used to ensure accuracy and reliability across accounting reports.”
Use our guide on internal controls for private companies to find out more about why internal controls are so important, how to implement them at your company, when a risk assessment can help, and how to maintain your controls once they are in place:
The Importance of Internal Controls
For the last 30 years the Committee of Sponsoring Organizations (COSO) has served as the most thorough internal controls resource for companies of all types. The most recent set of COSO guidelines, which were updated in 2013, cover the broader control environment, risk assessments, the control activities themselves, information and communication related to controls, and ongoing monitoring activities. And while private companies are not required to follow COSO standards, their guidelines serve as a comprehensive roadmap for establishing and maintaining internal financial controls.
Unfortunately, because formal internal controls are not required of private companies, their business owners sometimes mistakenly believe that they are a waste of precious time and resources because they will be so laborious to implement or that using them will slow down business operations. As such, they may be incorrectly viewed as incongruous with overall business goals. However, these assumptions could not be further from the truth. Private companies can greatly benefit from following COSO recommendations on internal controls to ensure that financial and operational information is accurate and reliable.
At the heart of it, the goal of any internal controls system is to increase the likelihood that the financial information you are receiving is going to serve as a firm foundation for strategic decision-making. However, controls offer a whole host of other business benefits as well, such as:
Now that you understand why internal controls are so important, let’s take a look at how to get internal controls in place.
Conducting a Risk Assessment
Whether you already have a system of controls in place, or you are looking to establish controls for the first time, a risk assessment is a critical activity for identifying areas of vulnerability for your company to shape your controls. A risk assessment should answer the questions:
When assessing risks, do not assume that all risk comes in the form of an external malicious threat (for example, a hacker stealing your customers’ personal information). Oftentimes, the biggest risks that a company faces are actually weaknesses or gaps in internal processes that open the company up to an internal threat (for example, a lackadaisical reimbursement request process).
Once risks are identified, prioritize them by threat level to focus your resources on the most pressing risks first. Pay particular attention to areas where the company has run into problems before, such as reconciliation errors, late reporting, or incorrect inventory counts. Then, determine what your specific company needs to do to remedy that specific risk instead of taking a more generalized approach.
Implementing Internal Controls
Once you know what kind of risks you need to mitigate, you can begin designing and implementing internal controls around these areas.
Many private companies function with informal controls, a legacy of their earlier days as a startup with few employees. However, formalizing these controls is vital regardless of company size or growth stage.
Internal controls can be preventative (deterring fraud and mistakes) or detective (identifying problems once they have occurred). They can also be manually conducted or automated. A company’s controls system can include any number of financial or operational measures, but the most commonly used financial controls are:
Put in place the controls your company needs today with an eye on the future. Remember the old saying, “Good today is not good enough tomorrow.” Internal controls should not be static – they should grow and evolve with the business to stay relevant.
Maintaining Internal Controls
Once internal controls have been established, it is crucial to determine how you will maintain them moving forward so that they will continue to provide value as the company grows. The best way to ensure that internal controls remain effective over time is to proactively decide who will monitor them, how monitoring will occur, and what the protocols will be if controls fail. When it comes to critical internal control practices, our team explains:
Implementing the proper accounting controls is meaningless unless employees are equipped to act when they notice a problem or detect suspicious activity. Formal policies must be created to educate employees on how to respond when issues arise. All employees should know who they can tell when there is suspicion of error or malicious intent and what kind of response to expect. Furthermore, their anonymity needs to be protected after doing so.
The ideal monitoring plan is one that is both flexible and scalable; however, many organizations lack the personnel needed to accomplish this successfully. For this reason, many small to mid-sized companies choose to outsource their accounting functions, including their financial controls monitoring, to a third-party firm. Hiring a financial specialist will ensure that your controls remain relevant over time because they will be updated as business needs, market demands, and governmental regulations change.
Controls auditing should be part of any ongoing internal controls strategy. Whether you bring in an outside accounting firm to perform a formal financial assessment, or conduct your own audit internally, occasionally reviewing how your controls are performing closes the loop on your internal controls system.
Look for areas where controls are failing to operate in the way they were intended to perform or where they are missing entirely. (Remember, just because you have established a control on paper does not necessarily mean that your employees are following it in practice.) Furthermore, ensure that preventative controls are doing their job to eliminate heavy reliance on detective controls, because it is always better to avoid issues to begin with than it is to fix them after there is a problem.
But in your focus on the processes, do not forget about the people, because they are equally important in maintaining effective controls. Verify that you have the correct people in place to manage your internal controls – not necessarily more people, just the right people.