Accounting Best Practices: Internal Control

By Bruce Mayer, Peg Nolan, Steve Wolfe
159 March - April - 2012
a stack of dollar bills
PDF download of article
Download a pdf of the article

Summary: Our previous articles were on the balance sheet and the income statement. This article covers internal control. There will be a final article on cash management. Our vision for this series is to examine fundamental financial tools and best practices for co-ops that promote overall financial health and regular review and adjustment.

The accounting best practices in this article will differ from the previous two articles since the guidelines are more dependent on your specific co-op's operations. While the specific systems for good internal controls may vary, the areas of your co-op operation that require a good internal control system are the same and are discussed here. A qualified accountant or a risk management specialist can be an important resource for you in analyzing your internal control practices and needs.  

For background to the finance concepts discussed below, see the definitions sidebar at the bottom of this article.{C}

The basic concept of internal control from an accounting perspective is that no one person should have control over all aspects of a financial transaction.{C} This helps to ensure that errors or misappropriations will be prevented or detected quickly. This article provides examples and explanations to highlight primary areas where an internal control system is needed and should be in place at a retail food co-op.  

In general, you can prevent or detect errors and misappropriations more quickly and easily with internal controls that monitor variance from expected values. Strong internal control systems can also reduce the likelihood of someone attempting fraud and help to protect the assets—both people and cash—of your organization. If an internal control system is not well-built, anyone who uses it likely will become aware of its weak points over time and may take advantage of them.

Proper internal controls are written down and make it possible to investigate and do random verifications when questions arise. These well-documented systems can also be adjusted more easily as your organization grows and your needs change.

Front End

A longtime cashier is dismissed, the police are called, and an insurance claim is filed. Through an accidental discovery, the front-end manager found the cashier pocketing cash while reconciling the drawer at the end of a shift. The cashier was ringing up some small sales during the day and then canceling them with the "no sale" key. At the end of the day, the cashier would reconcile his drawer to the POS and pocket the extra cash. Sifting through past POS reports, it appeared that the cashier had likely taken more than $10,000 over the course of several years.

Unfortunately, like the other examples in this article, this actually happened. This particular example has happened at other co-ops, using different targets such as bottle deposits, refunds or store coupons rather than no sales.

What could have prevented the problem or detected it sooner? In the above example and many like it, establishing what is "usual" in all areas where cash is involved can highlight more quickly any inaccuracies at the register. Developing ring-statistic expectations and then summarizing, monitoring, and following up on variations from your expectations is a best practice. Cancelled sales, refunds, bottle deposits, coupons, and discounts all create opportunities for both inaccuracies and theft at the register.

Some of the key risks in the front end can be addressed with blind count and ring-statistic monitoring. A blind count in this example would mean that someone other than the cashier would reconcile her drawer.

Internal controls can carry a cost. Establishing and implementing an appropriate internal control involves conducting an assessment and a cost-benefit analysis to ensure both that it will work to prevent errors or misappropriations and that the costs of putting it in place are not greater than the benefits. For example, if it takes each cashier 20 minutes to reconcile his or her drawer and there are 10 drawers each day, but it takes one person 90 minutes to do all 10 drawers, our cost-benefit analysis suggests that it might be more effective operationally and a better internal control system to train and assign responsibility for reconciliation to one person. Remember: the goal is that no one person should have control over all aspects of a financial transaction, and that your internal control system satisfies your assessed needs balanced with a cost-benefit analysis.

Cash Disbursements

A general manager (GM) doesn't like gathering receipts to verify credit card charges. The finance manager (FM) reviews and initiates the payment of credit card bills, but there is no further review and approval process for the GM's credit card or reimbursements. The GM signs the credit card and reimbursement checks. The FM is not sure all of the expenses are legitimate but, without an approval process, the FM does not have the authority to insist on documentation of the business purpose or receipts that verify the purchases. The lack of a formal procedure leaves the FM in the awkward position of having to decide to keep quiet and wonder if there is fraud or to speak up and risk her/his job.

This situation could be addressed with a written procedure for documentation of all expenditures, by requiring receipts for reimbursements with verification of the receipt of the service or product, and by having a whistleblower policy to protect a staff member who brings forward a question. In addition, no one should sign a check to himself or herself. This example also illustrates that without internal control policies, someone who is acting in good faith, in this case the GM, may be suspected of wrongdoing because there is insufficient evidence required to establish and communicate legitimate business expenses.

There are numerous other disbursement controls that are recommended. The actions of any individual with access to your co-op's accounting software need to be either limited or reviewed, and an approval process is needed for all disbursements. For C.O.D. deliveries where approval prior to payment may not be possible, a regular timely review of the signed checks and invoices is needed. For other checks, the procedures should require prior approval of invoices and then review of these approved invoices when a check is signed. The person performing the bank reconciliation should not be a check signer, and ideally this person should also not have access to blank check stock or to the accounts payable portion of the accounting software. If this is not possible, an additional person should review the bank statement and the reconciliation, looking for unusual transactions, including unauthorized electronic transfers.

An additional point to emphasize here is that the steps in an internal control system need to be documented so that there is proof they were performed. An undocumented procedure does not establish the desired trail of accountability.  

Electronic cash disbursements: One finance manager was surprised in a routine online bank account review to see a $90,000+ check clear the bank account with an out-of-sequence number. After investigation, it turned out the check had originated overseas and was a perfect forgery, including the signature. Fortunately, the bank was able to nullify the transaction and refund the co-op's account.

The account security that could have prevented this is called positive pay. This requires a customer to transmit information to the bank on all checks written. Any check not transmitted to the bank will not be cleared by the bank. All co-ops should discuss electronic security features with their financial institutions. Controls such as dual authorization for any electronic funds transfers or payments may also be available.

Payroll Accuracy

The employee who initiates payroll makes a deal with another staff person to increase that person's wage, and they split the difference. How easily could this be prevented or detected in your system?

Very few systems have pay rates locked, so routine detection would require a detailed comparison of payroll to the underlying personnel file. If discovered, it would look like an innocent error.    

With a large payroll it may be impractical to trace every employee's pay rate to the personnel files for each payroll. But it is practical to test a random payroll in detail at least once or twice each year. This testing must be done by someone other than the people who initiate or review payroll on a regular basis. As a more general control, the person initiating a payroll should not also be the person verifying the resulting dollar amount of the payroll for reasonableness before it is recorded in the accounting software.      

Labor hours: Your time clock system should require department managers to review and approve the hours for their staff. Since department managers are responsible for meeting a labor budget, they have a good reason to review their department staff labor hours as well as pay rates before paychecks are written. (Note: department managers will also want to scan hours worked for any anomalies from the posted schedule. This review should occur weekly regardless of how often payroll is done.)

Payroll taxes: One important internal control to put in place is verification that payroll taxes are being paid. The IRS will hold board members personally liable for unpaid payroll taxes, making this an important risk to address. Many co-ops use an outside payroll provider. Legal precedent has established that if the payroll provider is not remitting the withholding amounts to the appropriate agencies, the employer is responsible for paying. For this reason, it is prudent to conduct a review of your payroll provider's controls and financial condition on at least an annual basis. It is also prudent to determine what monitoring can be done directly with the government agencies to determine that payments are timely.   

Shrink Prevention

Backdoor systems: A produce buyer set up a vendor file with a fake name and address. She passed along invoices from this vendor and received the payments at a home address. With a bank account set up in the name of this vendor she was easily able to cash the checks. Requiring verification of new vendors by someone outside of a department can prevent this.  

A system of backdoor controls can discourage vendors and staff from petty theft and detect any systematic problems. Having locked doors, cameras, designated staff for receiving, and a system for counting and logging all shipments can reduce shrink and incorrect invoicing.

All invoices should require written approval, a sign-off by the person receiving the goods and by the department manager, prior to being submitted for payment. As is true with department labor, department managers are responsible for their department gross margin, so they should approve invoices and verify that the goods were received before payments are made. A vendor leaving your store with the product that they sold you is a common form of theft.

Shoplifting: A co-op hired a loss-prevention service but was surprised when the service apprehended dozens of people, including longtime members, in the first week.

Shoplifting is common, so ensure that your staff is well-trained in procedures for preventing and handling shoplifting. Great customer service is a good deterrent to shoplifting.

Practices for safe access: On Sundays, it was hard to get someone to open the safe to get coins and singles change, so the practice was to make it look closed but leave it unlocked. That worked until one Sunday afternoon when someone slipped unnoticed into the back office and took the deposits from the previous three days.

Maintaining strict internal controls and documentation on who can access the safe and what is kept in it is important. It is a best practice to document who has access to your safe and to have written protocols in place that require signatures to gain access. Are daily bank deposits possible? Does each person have an individual combination that can be deleted when that person leaves?

Note: Written protocols should also be in place for door keys to the store and to secure areas such as those that house your finance and database computers, servers, and POS systems. All access points, such as passwords and keys, should have a schedule for how and when they are changed that is included in your written protocols.

Financial Reporting

Most headline frauds in public companies happen when top management colludes to manipulate sales and profits. This is often done by the chief financial officer or controller with journal entries that bypass the normal accounting department processes. Improper journal entries can also cover other frauds such as theft of receivables. Does your co-op have any controls over journal entries? Each journal entry should have a person identified as creating the entry and a person responsible for reviewing and approving it.

The controls over financial reporting should include a periodic reconciliation of each balance sheet account to the underlying documentation such as bank statements, inventory counts, and subsidiary ledgers. Passwords on the accounting software should limit staff access to the necessary areas for their job descriptions, reducing the possibility of unauthorized journal entries or other improper modifications.

A Backup System!

The accounting computer just crashed.

Is there a backup for your data? Will it work? Imagine that it didn't and the huge cost and stress that would ensue to re-create the records and keep the co-op running. Off-site data backup and regular testing must be in place. With the ability to create virtual servers and computers, it is possible to regularly test the restoration of backups. Your disaster plan should include a section on finance and record recovery.

Internal Auditing

So you've considered your risks, analyzed the costs and benefits and laid out a great internal control system. How do you monitor whether it is working? Internal audits tell you if internal controls are functioning as intended and may also help to identify areas where modifications are needed to respond to changes in your organization.

One internal audit function noted earlier is the verification, on a test basis, of payroll records compared to personnel records. Another example is tracing a sample of checks back to invoices and testing the invoices for authorization and mathematical accuracy. Having a written description of your internal control systems allows you to do unscheduled random checks as well as annual reviews. An external audit can give you feedback on your internal controls and also perform limited testing of their operation.  

Conclusion

The implementation of sufficient internal controls requires a careful analysis of your operation in all of the areas described here. Writing down your procedures and systems for internal control will allow you to review and change them as your organization grows. It will also make it easier to detect irregularities and investigate them. Your CPA firm should be able to review your internal control systems for you.

Remember, if you are unsure, seek someone with experience to discuss your co-op's particular implementation issues. Building good internal controls is critical to the smooth functioning of any co-op and the safe maintenance of your co-op's assets. It's time to start your assessment!

Internal Control Definitions 

The accounting profession uses a framework issued by a group called The Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO definition of internal control is a process designed to offer reasonable assurance of meeting three ­objectives:

  • Effective and efficient operations
  • Reliable financial reporting
  • Compliance with appropriate laws and r­egulations

The COSO framework then outlines five components of a system of internal control:

Control environment: Is there a culture of internal controls and systems management that supports efficient operations and safe handling of assets, appropriate decision-making and maintenance, and the ability to document what should happen or what has happened?

Risk assessment: Have you assessed the key areas in your co-op? What systems are needed to maximize security and minimize risk? What is the cost-benefit of putting those systems in place?

Control activities: Have you written down the internal control systems that you will use?

Information and communication: Are the appropriate people within your organization engaged in the process of establishing, using, and maintaining your internal control systems?

Monitoring: How do you know that your systems are working? Do you review them regularly so that you can react dynamically and make modifications as your organization changes?