Most of us have an intuitive understanding of what internal controls are, even if we don’t label them as such, because we regularly perform a variety of actions to protect ourselves and others from adverse events. Moreover, when bad things do happen, we often look for the contributing factors that led up to these events so that we can prevent recurrences. Consider the following examples:
- A solo hiker uses a checklist to make sure she has packed all of her essentials and notified others of her planned route.
- The manager of an apartment building conducts an annual check of the in-suite smoke detectors to ensure that all alarms are working properly.
- A couple returns from a two-week vacation to find that their home has been burgled. In addition to touching base with neighbours and checking all doors and windows, they contact the providers of their home security system to figure out how and when the breach occurred.
Internal controls in business are similarly preventative and detective in nature. In its Internal Control—Integrated Framework, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal controls as processes implemented by management to achieve operational, compliance, and reporting objectives.1 Recognizing that COSO’s definition is quite broad, this article discusses how internal controls can be relevant to organizations of any size, including small and medium-sized enterprises, and how these controls can be implemented.
Minimizing fraud risk
The following fictionalized scenarios depict commonly committed occupational fraud schemes and describe how simple controls could help lower or eliminate a company’s exposure.
Scenario #1 – No segregation of duties
A payroll administrator misappropriated more than US$1 million from her employer over a span of more than five years before she was caught. The scale of her scheme is especially striking given that the median loss in the asset misappropriation cases sampled by the Association of Certified Fraud Examiners is only about US$150,000 per case.2
How did it happen? Given the scale of the loss, you might be surprised to learn that the perpetrator’s modus operandi boiled down to a simple abuse of trust. In addition to having custody over the employee master files, which enabled her to make changes to employees’ banking information, the perpetrator had access to the company’s online banking portal, which enabled her to create payment proposals.
In short, the company did not sufficiently segregate duties, and the perpetrator took advantage of this lack of oversight to change employee banking information to her own account and propose fraudulent payroll payments to herself. Once each payment had gone through, she reverted the bank account details to cover her tracks.
In this instance, the company’s management could have prevented this fraud by:
- Restricting access to employee master files and requiring that every change be reviewed and approved by a second individual, such as the controller or the accounting manager. Although this would not eliminate the risk of fraudulent payroll payments, adding another individual to the process chain could deter would-be fraudsters by creating an additional barrier;
- Requiring that all changes to employee banking information be substantiated by supporting documentation, such as a pre-authorized debit form and correspondence from the employee requesting the changes; and
- If possible, segregating the payroll function into three parts, with one person overseeing the employee master files, another processing the payroll, and a third overseeing payment proposals.
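The following is an added example, not code from the original article or its author: a small Python model of the payroll workflow in Scenario #1 that encodes the three controls listed above as preventive checks (a duty-conflict matrix so that no one user is set up with both master-file and payment duties, an evidence requirement plus second-person approval for bank changes, and payment proposals that only ever pay the last approved account on file) and, separately, a detective check that scans a change and payment log for the change-pay-revert pattern the perpetrator used. The duty names, user names, employee IDs, account numbers, dates and the conflict matrix itself are constructed assumptions for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import date, timedelta

# Duties no single user may hold together (a minimal SoD conflict matrix; an assumption).
CONFLICTING_DUTIES = [{"master_file", "payments"}, {"master_file", "controller"},
                      {"payments", "controller"}]
Payment = namedtuple("Payment", "employee_id account amount")  # a payment proposal

class ControlViolation(Exception): pass  # raised when a preventive control refuses an action

@dataclass
class BankChange:
    employee_id: str
    old_account: str
    new_account: str
    requested_by: str
    requested_on: date
    evidence: tuple = ()      # e.g. PAD form plus the employee's written request
    approved_by: str = ""     # empty until a second person approves

@dataclass
class PayrollControls:
    roles: dict               # user -> set of duties held
    accounts: dict            # employee_id -> bank account currently on file
    changes: list = field(default_factory=list)
    payments: list = field(default_factory=list)

    def __post_init__(self):  # preventive: no user may be set up with conflicting duties
        for user, held in self.roles.items():
            for pair in CONFLICTING_DUTIES:
                if pair <= held:
                    raise ControlViolation(f"{user} holds conflicting duties {sorted(pair)}")

    def request_bank_change(self, user, employee_id, new_account, today, evidence=()):
        if "master_file" not in self.roles.get(user, set()):
            raise ControlViolation(f"{user} may not edit the employee master file")
        if not evidence:
            raise ControlViolation("bank changes require supporting documentation")
        change = BankChange(employee_id, self.accounts[employee_id], new_account,
                            user, today, tuple(evidence))
        self.changes.append(change)  # recorded, but not in effect until approved
        return change

    def approve_bank_change(self, approver, change):
        if approver == change.requested_by or "controller" not in self.roles.get(approver, set()):
            raise ControlViolation(f"{approver} may not approve this change")
        change.approved_by = approver
        self.accounts[change.employee_id] = change.new_account  # takes effect only now

    def propose_payment(self, user, employee_id, amount):
        if "payments" not in self.roles.get(user, set()):
            raise ControlViolation(f"{user} may not create payment proposals")
        payment = Payment(employee_id, self.accounts[employee_id], amount)  # last approved account
        self.payments.append(payment)
        return payment

def change_pay_revert(changes, payments, window_days=30):
    """Detective: account changes that were paid into and then undone within the window."""
    hits = []
    for c in changes:
        paid = any(p.employee_id == c.employee_id and p.account == c.new_account for p in payments)
        reverted = any(r.employee_id == c.employee_id and r.new_account == c.old_account
                       and 0 < (r.requested_on - c.requested_on).days <= window_days for r in changes)
        if paid and reverted:
            hits.append((c.employee_id, c.new_account, c.requested_by))
    return hits

def uncontrolled_history():
    """Constructed change/payment log of the Scenario #1 pattern with no controls in place."""
    d = date(2024, 3, 1)
    changes = [BankChange("E100", "CA-1111", "CA-9999", "admin", d),
               BankChange("E100", "CA-9999", "CA-1111", "admin", d + timedelta(days=3)),
               BankChange("E200", "CA-2222", "CA-9999", "admin", d + timedelta(days=30)),
               BankChange("E200", "CA-9999", "CA-2222", "admin", d + timedelta(days=33))]
    payments = [Payment("E100", "CA-9999", 4200.0), Payment("E200", "CA-9999", 3900.0)]
    return changes, payments

def controlled_replay():
    """Replay the same actions under the controls: returns the blocked steps and the payee account."""
    ctl = PayrollControls({"admin": {"master_file"}, "ctrl": {"controller"}, "ap": {"payments"}},
                          {"E100": "CA-1111"})
    chg = ctl.request_bank_change("admin", "E100", "CA-9999", date(2024, 3, 1),
                                  ("pad_form.pdf", "employee_request.eml"))
    attempts = {
        "conflicting duties": lambda: PayrollControls({"admin": {"master_file", "payments"}}, {}),
        "change without evidence": lambda: ctl.request_bank_change("admin", "E100", "CA-9999",
                                                                   date(2024, 3, 1)),
        "self-approval": lambda: ctl.approve_bank_change("admin", chg),
        "payment by master-file editor": lambda: ctl.propose_payment("admin", "E100", 4200.0),
    }
    blocked = []
    for label, action in attempts.items():
        try:
            action()
        except ControlViolation:
            blocked.append(label)
    return blocked, ctl.propose_payment("ap", "E100", 4200.0).account
```

Running `controlled_replay()` shows every step of the scheme refused and the one accepted payment still going to the original account, because an unapproved change never reaches the master file; running `change_pay_revert(*uncontrolled_history())` flags both cover-up sequences in the constructed log. Two caveats a practitioner should keep in mind: the maker-checker step only works if the approver actually inspects the evidence rather than rubber-stamping it, and the detective check is only as good as the change log it reads, so that log must be written by the system and not be editable by the people whose actions it records.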
Scenario #2 – Unchecked authority
A high-ranking executive with a long and previously untarnished professional history was caught misappropriating company funds via falsified expense claims. When confronted, he admitted to having submitted expenses that were personal in nature and not incurred in the course of conducting business.
How did it happen? Although the company had a travel and entertainment policy and required that all expense claims be reviewed and approved by the submitter’s direct supervisor, the perpetrator in this case reported directly to the board of directors, which meant the specific review and approval requirement was waived. As a result, the executive was able to continue making fraudulent expense claims undetected until the accounts payable processor spotted a discrepancy between the credit card number referenced on the altered invoices and the company credit card number on file.
To prevent this from happening again, the company should consider enhancing its protocols with a few additional control measures, such as:
- Requiring that expense reports submitted by high-ranking executives be subjected to external audit and review by a competent and independent accounting firm;
- Requiring that expense reports and expenses be reviewed and approved by the organization’s board of directors or audit committee on a quarterly basis; and
- Requiring that travel and entertainment expenses be booked through a company-approved travel agent and software portal, and managed by an administrator.
Scenario #3 – Greed and lack of detective control
A long-term retail store employee was caught stealing high-value stock items.
How did it happen? The perpetrator was responsible for closing up the store’s computer department twice a week, and slipped high-value tech items into his backpack on several occasions when other coworkers were busy helping customers. Familiar with the store’s closing procedures, the perpetrator knew he could waltz out of the store after closing without anyone searching his bag. Afterwards, he sold the stolen goods at a significant discount via third-party marketplaces online.
Many employers are reluctant to implement controls such as bag searches for fear of hurting staff morale or creating an atmosphere of distrust. However, if managed in a fair, respectful, and non-discriminatory way, detection and monitoring controls can be implemented effectively with minimal pushback and minimal damage to company culture. These controls could include:
- Random spot checks and bag searches;
- Regular cycle counts with an emphasis on higher-value stock items. Variances could then be investigated to determine root causes (by asking the right questions of the right people, you can deter most fraudsters from putting their schemes into action); and
- Cross-training so that employees can rotate and perform each others’ duties, if applicable.
Mitigating the risk of material misstatements in financial reporting
While managing fraud risk is one of the most important applications of internal controls, it is by no means the only benefit. For example, when an accountant prepares an adjusting journal entry as part of the month-end close and submits the journal voucher and the supporting documentation to the controller for review and posting, internal controls for financial reporting are involved.
Internal controls over financial reporting are the sub-class of internal controls designed to help management mitigate the risk of material misstatement in the financial statements. By having a set of robust internal controls for financial reporting, a company can improve the accuracy, timeliness, and usefulness of its internal and managerial reporting and enhance collaboration with external auditors. By using internal controls, a company can also potentially reduce compliance and audit fees.
Six ways to help your organization improve its control environment
It’s important to note that what works for one organization may not work for another. For instance, owners of a small company with only two employees and no plans to increase headcount may not find it necessary to invest in a best-in-class payroll system and segregate duties across the entire payroll process. At the same time, however, there are six general steps that organizations of any size can and should use to strengthen internal controls:
- Scope out business and IT processes and document these processes from cradle to grave;
- Identify where and how things could go wrong and document these risks;
- Design and implement controls to address the risks identified;
- Formalize control documentation and training procedures;
- Monitor control performance and test on a regular basis to ensure controls are operating effectively; and
- Periodically review documentation and processes to ensure that internal controls are up to date.
This last step is particularly important, as control environments aren’t static—they must evolve in keeping with both operations and risks. Applying the above six steps will put you well on your way to helping your organization proactively embed effective internal controls and processes in your day-to-day operations.
Jonas Kwong, CPA, is the manager of internal control & risk management at Arc’teryx Equipment. He partners with the management team to assess enterprise risks and design effective internal controls to improve operations.
This article was originally published in the January/February 2025 issue of CPABC in Focus.
Footnotes
1 COSO, Internal Control – Integrated Framework: Executive Summary, coso.org, 2013.
2 ACFE, Occupational Fraud 2024: Report to the Nations, acfe.com.