Importance of Effective Internal Controls

Effective internal controls are an important factor for any business, yet they can be overlooked. Consider, for example, the importance of information tracking within the finance department. Without proper oversight and controls, it is possible that funds could be misappropriated, not recorded properly, or not recorded in the appropriate period. The benefits of internal controls are not limited to Finance, but also extend to Human Resources, as well as the information technology areas within the organisation.

The Information Technology area places importance on internal controls with regard to frameworks established by best practices within the industry. Within the Human Resources function, not all employees should have access to complete confidential employee files, which include salary and other personal information; access should be based on roles and responsibilities. Access should be granted based on responsibility and the appropriate need for the task, and accurately tracked.

The importance of internal controls extends to all areas of an organisation and is vital not only from a financial perspective, but also for compliance with regulatory requirements to protect client and employee information. It is also relevant because a competitor could access confidential organisational information that is strategically important for an organisation. The fundamentals of internal controls are similar for each area; as a starting point, internal controls within the finance area will be considered.


Several areas should be considered as part of the broad approach to internal controls. These include the following.

1. Segregation of Duties
The functions of authorisation, record keeping, and custody should be separated, including those responsible for handling cash, cheque receipts, posting to the system, and periodic reconciliation. A review of invoice batches by another individual should be undertaken before the printout of the cheque batch or signing, depending on the accounting system. The segregation of duties is not limited to the finance area but extends to procedures within other departments related to the access to information, security, and compliance. As an example, access to information systems should be reviewed and limited. An analysis of voided and deleted transactions can be beneficial in exposing irregularities. Access to the organisation's ERP (enterprise resource planning) system modules should be restricted based on job function as part of maintaining security over the assets.
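As an added illustration (not part of the original article), the following sketch shows how a periodic access review could flag users whose ERP roles combine more than one of the three duties, and how a transaction log could be screened for self-approved, unapproved, and voided items. The role names, the role-to-duty mapping, and the log fields are assumptions, and all data is constructed.

```python
from collections import defaultdict

# Assumed mapping of ERP roles to the three duties named above (hypothetical role names).
ROLE_DUTY = {
    "AP_APPROVER": "authorisation",
    "AP_CLERK": "record keeping",
    "GL_POSTING": "record keeping",
    "CASHIER": "custody",
    "CHEQUE_SIGNER": "custody",
}

# Constructed sample data: user-to-role assignments and a transaction log.
ASSIGNMENTS = [
    ("alice", "AP_CLERK"), ("alice", "GL_POSTING"),
    ("bob", "AP_APPROVER"),
    ("carol", "AP_CLERK"), ("carol", "CHEQUE_SIGNER"),
    ("dave", "CASHIER"), ("dave", "REPORT_VIEWER"),
]
TRANSACTIONS = [
    {"id": "INV-1001", "entered_by": "alice", "approved_by": "bob", "status": "posted"},
    {"id": "INV-1002", "entered_by": "carol", "approved_by": "carol", "status": "posted"},
    {"id": "INV-1003", "entered_by": "alice", "approved_by": "bob", "status": "voided"},
    {"id": "INV-1004", "entered_by": "alice", "approved_by": None, "status": "posted"},
]

def duty_conflicts(assignments, role_duty=ROLE_DUTY):
    """Return {user: sorted duties} for users holding more than one duty."""
    duties = defaultdict(set)
    for user, role in assignments:
        if role in role_duty:          # roles with no sensitive duty are ignored
            duties[user].add(role_duty[role])
    return {u: sorted(d) for u, d in duties.items() if len(d) > 1}

def transaction_exceptions(transactions):
    """Flag self-approved, unapproved-but-posted, and voided transactions."""
    findings = []
    for t in transactions:
        if t["approved_by"] is None and t["status"] == "posted":
            findings.append((t["id"], "posted without approval"))
        elif t["approved_by"] == t["entered_by"]:
            findings.append((t["id"], "entered and approved by same user"))
        if t["status"] == "voided":
            findings.append((t["id"], "voided - review reason"))
    return findings

if __name__ == "__main__":
    print(duty_conflicts(ASSIGNMENTS))
    print(transaction_exceptions(TRANSACTIONS))
```

Holding two roles within the same duty (as the constructed user alice does) is not reported; only combinations that cross authorisation, record keeping, and custody are.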


2. Proper Authorisation of Transactions and Activities
Proper authorisation and procedures should exist for routine events, with policies and procedures defined to support them. For specific incidents, authorisation should be on a need basis, including any temporary access required, logs, and documentation. Defined access to systems based on roles and responsibility should be established and reviewed on a regular basis, based on changes in employee status or roles and responsibilities, to ensure authorised activity.


3. Adequate Documentation and Records
Sequential pre-numbered cheques, invoices, and other relevant documents should be used so that no items are unaccounted for or missing. Voided cheques and invoices should be tracked in the system. Documentation and procedures should be defined and not ambiguous. It can also include, for example, tracking electronic files that are confidential or required for organisational compliance.

4. Physical Control Over Assets and Records
Are records and documents physically secured to prevent unauthorised access? Are system controls in place to ensure that unauthorised network access is denied and logged? Backup and recovery procedures should be established and used. Payroll statements should be reviewed for phantom employees, such as more than one employee assigned to a social insurance number, as well as for unauthorised pay increases and expenses. Monthly and quarterly variations between budgeted and actual should be understood and explained.

Are employees provided with keys or access cards? Depending on the size of the operations of the business, core access, card access, or other methods may be used to ensure authorised access to the facilities of the company. Access cards should be limited to certain hours or certain areas of the operation based on employee role, as well as the period. If keys are used, who has access to these keys? Is the core changed when required to ensure that unauthorised entry does not occur?


5. Independent checks
Are procedures in place to detect and prevent unintentional failure to follow procedures, such as checkpoints in proceedings, as well as the rotation of duties among staff in the department? Employees should be required to take a vacation as part of the control procedures. Segregation of functions includes separating related activities such as those responsible for handling cash or cheque receipts and posting to the system. The separation will assist in detecting unauthorised transactions, as well as unintentional errors by employees.


6. Are Employees Properly Trained?
Employees should be adequately trained for the tasks that they are performing, including knowledge of the role, policies, procedures, and the importance of maintaining and following practices that are in keeping with best practices. Without adequate training and access to the relevant information required, the inherent risk will increase. This includes providing the training required, as well as monitoring the work of new employees to ensure they understand what is required of them.


7. Review by Internal and External Auditors
Using an external auditor is the most common way to verify whether the financial statement of an organisation fairly represents the organisation's financial position in accordance with accounting standards. A review by an external auditor can assist an organisation in validating its financial reporting. However, the additional use of internal auditors can help in ensuring that controls within the organisation, such as procedures and policies, are functioning as intended, and can assist in identifying potential risks to an organisation.



About the author:
Hanif Shamji, MBA, CPA, CGA is a Finance Business Partner / Sr. Financial Analyst with an information technology background, experienced in several industries.





