Internal Controls Only Work If They’re Enforced

Opportunity, incentive and rationale are what accountants and law enforcement consider the three corners of the fraud triangle. The only corner that managers can control to a great extent is opportunity and that’s where internal controls are vital.

Internal controls fail for three reasons. The first is human error and the second is when senior managers override those controls. The third element is collusion between staff members and there’s really no way to overcome nefarious staff.

Those controls can be implemented at any size organization. At the AICPA’s Governmental and Not-For-Profit Training Program in Las Vegas, Nev., this week, speakers Candi Avery, CPA, of Clark Nuber PS and Jennifer Mistretta, CPA, of Postlethwaite & Netterville, focused on use of internal controls at small organizations.

Internal controls help managers to safeguard assets, maintain quality in internal and external reporting, ensure effective and efficient operations, comply with laws and regulations and prevent and detect fraud or errors. Internal controls start at the top with senior managers setting the overall environment.

The next step is hiring and retaining good staff. That could mean budgeting more for salary and benefits than initially planned, explained Mistretta. When hiring staff, seek people who have technical competence and personal integrity, and who understand the job requirements. Consider including outside advisors in hiring decisions in positions of trust. Check references and perform background checks.

Limiting the potential entry points for fraud can head off trouble. There was one small client who has 10 checking accounts, said Mistretta. The organization used them to manage donor-advised funds. “It’s a bad idea. Use technology, not bank accounts” to keep the reporting straight, she said.

Always make sure two people are responsible for disbursements – one handling the data input and one writing the checks. You should also have pre-numbered checks, not pre-signed checks, and retain all voided checks. Avoid using signature stamps and incorporate a process for new vendor approval.

Managers should also consider implementing positive pay. That is an automated fraud detection tool offered by most banks. It is a service that matches the account number, check number and dollar amount of each check presented for payment against a list of checks previously authorized and issued by the nonprofit.

A good resource for internal controls is the Committee of Sponsoring Organizations (COSO) Framework. The report was issued in 1992 and is still a foundation by an estimated 82 percent of organizations. However, controls are not one size fits all. There are elements that overlap, such as staffing and financial capability, risks and organizational characteristics, and board and user expectations.