“I trust my employees and they would never do anything like that.”
“I’m extremely busy and don’t have the time to review what my employees have done.”
“They have been an employee of mine for many years and things are straightforward here.”
“I would notice if someone was stealing from the company.”
These are all comments I have heard from business owners when discussing the importance of strong internal controls and policies to prevent and detect fraud and theft.
Inevitably, when reading about fraud being uncovered, you almost always hear:
“I trusted that person completely, and they were the last person I would suspect.”
The reality is that comfort and blind trust often create the very opportunity for fraud.
Fraud remains a significant threat to organizations of all sizes, costing businesses billions annually in financial losses and reputational damage. One of the most effective ways to prevent, detect, and mitigate fraud is through the implementation of strong internal controls. These controls form the backbone of a company’s risk management strategy and serve as critical safeguards against unethical behavior.
Step One: Assessing Risk
The first step in designing and implementing an effective control system is performing a risk assessment. Ask yourself: Where is my company most vulnerable to fraud or theft?
While the following is not an exhaustive list, the most common areas of theft within small to mid-sized businesses include:
- Cash receipts
- Cash disbursements
- Payroll
- Employee expense reimbursements
- Inventory
These are good starting points for evaluating your company’s vulnerabilities. Once you have identified potential areas of concern, you can then determine ways to mitigate those risks.
Preventive vs. Detective Controls
A control system is an essential part of building a strong foundation for your business. Control systems cultivate a culture of integrity through the usage of checks and balances in the business structure. When implementing a control system, it’s important to include both preventive and detective measures.
Preventive Controls
- Segregation of duties: Divide responsibilities so one employee does not control an entire process. For example, the employee who prepares vendor checks should not be the same person reconciling bank accounts. While this can be challenging in smaller businesses, it is a critical safeguard.
- Authorization and approval procedures: Require approval from management before certain transactions, such as vendor payments, are processed.
- IT access controls: Ensure employees have appropriate system access that is aligned with their roles.
- Physical safeguards: Protect assets such as inventory, supplies, and check stock through restricted access, locks, or camera surveillance.
Detective Controls
- Monthly reconciliations: Reconcile all key balance sheet accounts, especially bank balances, and investigate unusual transactions promptly.
- Monthly statement reviews: Review bank statements, canceled checks, credit card statements, and payroll registers. Consistent oversight helps spot irregularities quickly.
- Physical counts: Perform regular counts of inventory or supplies and reconcile results to expectations. Investigate any discrepancies.
Practical Implementation
The goal of internal controls is not to burden you or your employees with excessive work. Small changes can make a big difference. For example, having a manager who is not involved in day-to-day cash handling review monthly bank, credit card, and payroll reports may only take thirty minutes a month. Yet this simple step is invaluable. It not only strengthens fraud detection but also signals to employees that oversight is in place.
Fraud thrives when employees believe no one is watching. Strong internal controls demonstrate that management is reviewing transactions, thus reducing opportunities for misconduct.
Where to Start
If you are unsure where to begin assessing fraud risk in your business, contact your CPA. They can provide tailored recommendations to strengthen internal controls and help ensure you never find yourself saying: I never expected it to happen to me.
Tim Hern, CPA, is a partner at 1RDG, the financial center, which provides businesses with a full range of management, compliance, and advisory services. For more information, please visit 1RDG.com.