This Insights was contributed by Richard Pasquantonio, CPA/CFF, CFE, CDFA (N.C. License Number 33577), an associate at Adam Shay CPA, PLLC.
Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.
Now this part of the article is going to get a little technical, but if you bear with me, there is a real-world example that follows.
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control.
COSO defines internal controls with more of an emphasis on management. COSO states that, “Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
COSO defines four components that make up its framework and emphasizes the measures, the direction and quality of information, and the communication that flows between the components:
- Control Environment is the tone at the top.
- Risk Assessment is an ongoing evaluation by management as an organization changes and becomes more complex.
- Control Activities are the actions supported by policies to address known risks.
- Monitoring is a process that assesses the quality of the system's performance over time.
What does this mean, and more importantly, how do I use internal controls as a tool for running my business as it grows in revenue and complexity?
First, some basic tenets of internal controls need to be established. Fundamentally, internal controls are designed to mitigate risk in five basic areas of a business:
- Strategic risk can prevent an organization from accomplishing its objectives or goals.
- Financial risk can result in a negative financial impact to the organization (fraud, waste and abuse).
- Regulatory/Compliance risk can expose the organization to fines and penalties from a regulatory agency due to non-compliance with laws and regulations.
- Reputational risk can expose the organization to negative publicity.
- Operational risk can prevent the organization from operating in the most effective and efficient manner or be disruptive to other operations.
The following conditions increase these risks, and addressing them outlines a basic framework for implementing effective controls:
- Lack of segregation of duties
- Too much trust
- Approval of documents without review
- Lack of verification of transactions after they have been entered in the system
- Lack of reconciliations
- No follow-up when things appear “questionable” or “not reasonable”
- Lack of control over cash
- Lack of control over purchasing
- Lack of knowledge of policies and procedures
Once you have defined the organization’s risk profile, then you can implement the control activities to specifically address those risks. There are different control activities in your internal control toolbox:
- Directive - Corporate policy, spending limits, IT configurations
- Preventive - Training, permissions, passwords, oversight procedures
- Detective - Reconciliations, review of payroll reports
- Corrective - Changing IT access when roles change
- Recovery - Creating and maintaining system backups
There are also automated controls used in IT systems, which are beyond the scope of this article.
Let's try a real world example.
The weekend: Father's Day. As is our custom, I was positioned behind my Char-Griller Super Pro 29-inch Barrel Charcoal Grill complete with side fire box offset smoker. I may have had a local craft beer, wrapped up in a Cucalorus 21 Freaker. This day was good.
My son, Luciano, age 1, had just lain down for a nap while my wife, Michele, and 3-year-old daughter, Violet, were at the picnic table setting up for an intense game of Candy Land. Violet asked me if I was going to play with her and mommy. I responded affirmatively, but stated that I would need some help since I was cooking dinner. Violet quickly volunteered to help. Michele, without solicitation, weighed in, “I will watch her.”
My daughter Violet is a determined child. She hasn't been with the organization a long time. My experience has been that without close supervision, she really can't be trusted. Michele, on the other hand, is my partner in all of this. She got in on the ground floor and has been equally responsible for building this great enterprise, our family. That being said, after 15 years of board game shenanigans (Read: my wife cheats at Yahtzee), my confidence in her as it relates to this matter may be misplaced.
Candy Land is a simple racing game that requires no reading and minimal counting skills. There is no strategy involved; players are never required to make choices, just follow directions. You pick a card. It contains a color or a shape, and you move your game piece to the corresponding space on the game's board. It is basically double entry accounting; a CPA’s dream come true.
As I was seasoning the grill, I was charged with placing a system of checks and balances to safeguard my chances of reaching King Candy at the Candy Castle. I needed desperately to establish some internal controls.
My first step was to establish a directive control. I read the directions to the game aloud so that we all understood the rules.
Second, I needed a good preventive control. I gave Violet the responsibility of selecting my card, but I put Michele in charge of moving my game piece around the board. This should be an adequate segregation of duties, providing me a limited degree of assurance that I would receive my turns and have my piece moved fairly.
But what about collusion? A package of fruit snacks would put Violet at odds with her ethics.
The answer: a strong detective control. I asked that each player retain the cards from each round of play and keep their respective stacks in front of them. This control allowed me to determine if I was given an equal number of turns. It also allowed me to double check if I was given adequate credit in the form of moves around the game board as well as the capability of determining the other players’ accuracy.
Fortunately, there was no need for any corrective controls.
Unfortunately, there were no recovery controls ... so when Luciano woke up and Michele went inside to get him, the game and all the pieces were pushed aside and replaced with Play-Doh.
I hope that this article gave you a better understanding of how internal controls work to protect your business and that you enjoyed a fun application of the COSO framework.
Richard Pasquantonio, CPA/CFF, CFE, CDFA (N.C. License Number 33577), is an associate at Adam Shay CPA, PLLC. He focuses on forensic accounting, fraud prevention and detection, and tax controversy resolution. He is also an AICPA CFF Champion. The purpose of the CFF Champion program is to inform the professional community about the vital role of forensic accounting professionals, the knowledge required to become a CFF, and the benefits of the CFF credential. For more information, visit http://www.wilmingtontaxesandaccounting.com/ or email him at [email protected]. Pasquantonio can also be reached by phone at (910) 256-3456.
Adam Shay, CPA (N.C. License Number 35961), MBA, is managing partner of Adam Shay CPA, PLLC. He focuses on minimizing taxes and improving the financial results of entrepreneurs, and is actively involved in supporting the Wilmington entrepreneurial and startup community. For more information, visit http://www.wilmingtontaxesandaccounting.com/ or email him at [email protected]. He can also be reached by phone at (910) 256-3456.