Follow Adam Linkedin Twitter Facebook
Email Adam Email
Other
Jul 15, 2016

Internal Control – How Sweet It Is

Sponsored Content provided by Adam Shay - Managing Partner, Adam Shay CPA, PLLC

This Insights was contributed by Richard Pasquantonio, CPA/CFF, CFE, CDFA (N.C. License Number 33577), an associate at Adam Shay CPA, PLLC.
 
Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.
 
Now this part of the article is going to get a little technical, but if you bear with me, there is a real-world example that follows.
 
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control. 
 
COSO defines internal controls with more of an emphasis on management. COSO states that, “Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
 
COSO defines four components that make up its framework and emphasize the measures, the direction and quality of information, and communication that flows between the components:

  • Control Environment is the tone at the top.
  • Risk Assessment is an ongoing evaluation by management as an organization changes and becomes more complex.
  • Control Activities are the actions supported by policies to address known risks.
  • Monitoring is a process that assesses the quality of the system's performance over time.
What does this mean and more importantly, how do I use internal controls as a tool for running my business as it grows in revenue and complexity?
 
First, some basic tenets of internal controls need to be established. Fundamentally, internal controls are designed to mitigate risk in five basic areas of a business:
  • Strategic risk can prevent an organization from accomplishing its objectives or goals.
  • Financial risk can result in a negative financial impact to the organization (fraud, waste and abuse).
  • Regulatory/Compliance risk can expose the organization to fines and penalties from a regulatory agency due to non-compliance with laws and regulations.
  • Reputational risk can expose the organization to negative publicity.
  • Operational risk can prevent the organization from operating in the most effective and efficient manner or be disruptive to other operations.
The following conditions that increase these risks outline a basic framework for implementing effective controls:
  • Lack of segregation of duties
  • Too much trust
    - Approval of documents without review
    - Lack of verification of transactions after they have been entered in the system
    - Lack of reconciliations
  • No follow-up when things appear “questionable” or “not reasonable”
  • Lack of control over cash
  • Lack of control over purchasing
  • Lack of knowledge of policies and procedures
Once you have defined the organization’s risk profile, then you can implement the control activities to specifically address those risks. There are different control activities in your internal control toolbox:
  • Directive - Corporate policy, spending limits, IT configurations
  • Preventive - Training, permissions, passwords, oversight procedures
  • Detective - Reconciliations, review of payroll reports
  • Corrective - Changing IT access when roles change
  • Recovery - Creating and maintaining system backups
There are also automated controls used in an IT system which is beyond the scope of this article.
 
Let's try a real world example. 
 
The weekend: Father's Day. As is our custom, I was positioned behind my Char-Griller Super Pro 29-inch Barrel Charcoal Grill complete with side fire box offset smoker. I may have had a local craft beer, wrapped up in a Cucalorus 21 Freaker. This day was good.
 
My son, Luciano, age 1, had just lain down for a nap while my wife, Michele, and 3-year-old daughter, Violet, are at the picnic table setting up for an intense game of Candy Land. Violet asked me if I was going to play with her and mommy. I responded affirmatively, but stated that I would need some help since I was cooking dinner. Violet quickly volunteered to help. Michele, without solicitation, weighs in, “I will watch her.”
 
My daughter Violet is a determined child. She hasn't been with the organization a long time. My experience has been that without close supervision, she really can't be trusted. Michele, on the other hand, is my partner in all of this. She got in on the ground floor and has been equally responsible for building this great enterprise, our family. That being said, after 15 years of board game shenanigans (Read: my wife cheats at Yahtzee), my confidence in her as it relates to this matter may be misplaced.
 
Candy Land is a simple racing game that requires no reading and minimal counting skills. There is no strategy involved; players are never required to make choices, just follow directions.  You pick a card. It contains a color or a shape, and you move your game piece to the corresponding space on the game's board. It is basically double entry accounting; a CPA’s dream come true.
 
As I was seasoning the grill, I was charged with placing a system of checks and balances to safeguard my chances of reaching King Candy at the Candy Castle. I needed desperately to establish some internal controls.
 
My first step was to establish a directive control. I read the directions to the game aloud so that we all understood the rules.
 
Second, I needed a good preventive control. I gave Violet the responsibility of selecting my card, but I put Michele in charge of moving my game piece around the board. This should be an adequate segregation of duties providing me a limited degree of assurance that I will receive my turn and have my piece moved fairly.
 
But what about collusion? A package of fruit snacks would put Violet at odds with her ethics.
 
The answer: a strong detective control. I asked that each player retain the cards from each round of play and keep their respective stacks in front of them. This control allowed me to determine if I was given an equal number of turns. It also allowed me to double check if I was given adequate credit in the form of moves around the game board as well as the capability of determining the other players’ accuracy.
 
Fortunately, there was no need for any corrective controls.
 
Unfortunately, there were no recovery controls ... so when Luciano woke up and Michele went inside to get him, the game and all the pieces were pushed aside and replaced with Play-Doh.
 
I hope that this article gave you a better understanding of how internal controls work to protect your business and that you enjoyed a fun application of the COSO framework.
 
Richard Pasquantonio, CPA/CFF, CFE, CDFA (N.C. License Number 33577), is an associate at Adam Shay CPA, PLLC. He focuses on forensic accounting, fraud prevention and detection, and tax controversy resolution. He is also an AICPA CFF Champion. The purpose of the CFF Champion program is to inform the professional community about the vital role of forensic accounting professionals, the knowledge required to become a CFF, and the benefits of the CFF credential. For more information, visit http://www.wilmingtontaxesandaccounting.com/ or email him at [email protected]. Pasquantonio can also be reached by phone at (910) 256-3456.
 
Adam Shay, CPA (N.C. License Number 35961), MBA, is managing partner of Adam Shay CPA, PLLC. He focuses on minimizing taxes and improving the financial results of entrepreneurs, and is actively involved in supporting the Wilmington entrepreneurial and startup community. For more information, visit http://www.wilmingtontaxesandaccounting.com/ or email him at [email protected]. He can also be reached by phone at (910) 256-3456.
 

Other Posts from Adam Shay

Adam shay blk 52015121549
Ico insights

INSIGHTS

SPONSORS' CONTENT
20170717 101554 1 72117112436

Make A Wise Investment In Your Child’s Future

Steve Adams - School of Learning Arts
Aaeaaqaaaaaaaaidaaaajdhiztrkodm0lte2yjetngrkmy1hotrmltawmdvlmwqyztmymw

New Year, New Entrepreneur: Three Opportunities for the Business-Minded in 2018

Diane Durance - UNCW Center for Innovation and Entrepreneurship
Adamshay 300x300

Leadership Lessons From The Battleship

Adam Shay - Adam Shay CPA, PLLC

Trending News

Business Community Remembers Beth Quinn, Co-founder Of She Rocks

Christina Haley O'Neal - Jan 17, 2018

Piano Bar And Lounge To Fill Aubriana's Downtown Spot

Cece Nunn - Jan 17, 2018

Made Mole Brewing Coming To Oleander Drive This Spring

Jessica Maurer - Jan 17, 2018

Six New Tenants Lease Space At Waterford Business Center

Cece Nunn - Jan 17, 2018

San Juan Cafe To Close

Jessica Maurer - Jan 17, 2018

In The Current Issue

MyBeeHyve Focuses On MLMs

Various network marketing companies – such as Avon, Thirty-One, Rodan + Fields and Mary Kay – attract a number of would-be entrepreneurs, es...


Two Local Firms Rank On Entrepreneur’s 360 List

Two companies with local ties made it on the Entrepreneur 360 list of the “Best Entrepreneurial Companies in America” for 2017....


MADE: Making Inroads In A Medical Market

MADE in the Cape Fear: spotlighting goods manufactured in Southeastern North Carolina. Leland-based Lucid Innovative Technologies makes medi...

Book On Business

The 2017 WilmingtonBiz: Book on Business is an annual publication showcasing the Wilmington region as a center of business.

Order Your Copy Today!


Galleries

Videos

WilmingtonBiz Expo - Keynote Lunch with John Gizdic, CEO, New Hanover Regional Medical Center
Wilmington's Most Intriguing People of 2017
2017 Health Care Heroes