New Year's Resolutions for Businesses: Internal Controls

Internal Controls to Prevent Fraud

Creating (and often breaking!) New Year’s resolutions are age-old traditions for many individuals but what about creating New Year’s resolutions for your company?  One resolution each company should have, but not break, at the top of their list this year is a thorough review of their accounting internal controls, including a formal fraud risk assessment.

Fraudulent Activity Continues to Increase During Pandemic

With the added impact of COVID-19 on businesses, strong internal controls are even more important than ever to protect you and your business.  Recently, the Association of Certified Fraud Examiners (ACFE) surveyed members and found that 79% of survey participants observed an increase in fraud since November 2020 while 90% believe fraud will increase over the next 12 months.  The graph below reflects the changes in observed fraud and the expectation of fraud over recent months with the prediction steadily increasing since May 2020.

Source: Fraud in the Wake of COVID-19: Benchmarking Report – December 2020 Edition, Association of Certified Fraud Examiners

Fraud Lasts Periods of Time

According to the Report to the Nations: 2020 Global Study on Occupational Fraud and Abuse published by the ACFE, a typical fraud lasts approximately 14 months before detection and causes a loss of $8,300 per month.  Business owners, specifically small business owners, should ask themselves if they have the financial cushion to withstand this amount of loss each month.  If not, are your company’s accounting internal controls up to par to prevent fraud from occurring?

Source: Report to the Nations: 2020 Global Study on Occupational Fraud and Abuse, Association of Certified Fraud Examiners

Lack of Controls Lends to Fraud

The ACFE reported that one out of three frauds stemmed from a lack of internal controls and that “the presence of anti-fraud controls is associated with lower fraud losses and quicker detection.”  Some anti-fraud controls that have proven to detect fraud quickly include the use of a hotline, anti-fraud policy, fraud training for employees, and fraud training for managers/executives.

A hotline where employees, customers, vendors, and other users can anonymously provide a tip led to the detection of 43 percent of fraud cases studied.  Of those detected by tip, approximately half of the whistleblowers were the company’s own employees.

Source: Report to the Nations: 2020 Global Study on Occupational Fraud and Abuse, Association of Certified Fraud Examiners

Basic Internal Controls to Consider

While anti-fraud controls within a company can help detect the occurrence of fraud quicker, a company should not overlook having solid internal controls as a preventative measure as well.  Implementing internal controls does not have to be a burdensome expense or a daunting task.  The following are some basic accounting internal controls that businesses of all sizes can reasonably implement.

  • Segregation of Duties
    Segregation of duties is one of the most important accounting internal controls a company can implement.  While a company may have a loyal and trustworthy employee who would never steal from them, having the company’s accounting functions distributed among multiple employees will ensure that one employee is not able to both enter a journal entry and approve the same entry.  Nor should one employee have access to the company’s vendor master file to create a new vendor and access to pay vendors.  Maintaining the distinctions between the authorization of disbursements, the record-keeping of accounts, and the oversight and review process for potential errors are critical functions of a business process provides.  Segregating duties is a key risk management tool to combat fraud; however, this internal control will not fully prevent fraud if two or more individuals collude to defraud a company.
  • Accounts Payable
    Within the accounts payable function, a company should consider how invoices and bills are being reviewed, approved, and ultimately paid.  Many smaller businesses are turning to services like to manage their accounts payable function.  With this type of service, management can implement segregation of duties by having one employee receiving and uploading invoices into the system upon receipt, while another employee reviews and approves those outstanding invoices.  The system then routes the outstanding accounts payable to a final approval process by upper-level management who issues the payment through the system upon their review.  Even if a company does not use a service like, management should segregate duties within the accounts payable function to ensure multiple levels of authorization and approval.
  • Company Credit Cards
    If a business utilizes company credit cards for its owners, executives, and/or employees, management should monitor transactions by each cardholder, require receipts, and/or approval prior to the transaction.  Management or the company’s external accountant should complete a monthly review of the credit card statements for each cardholder to ensure appropriate use of the company’s credit cards.
  • Expense reimbursements
    Expense reimbursements to employees are ripe for fraud; therefore, management should implement certain controls to safeguard against potential fraud schemes.  While the ACFE reports that an expense reimbursement fraud scheme typically has a median loss per month of $1,400 and lasts approximately 24 months, this fraud scheme tends to grow over time as the perpetrator gains confidence in not being caught.  In addition, the company’s potential risk for fraud grows exponentially as their staff headcount increases.To control this fraud risk, expense reports should undergo multiple levels of approval, and much like payroll, all expense reimbursements should be reviewed regularly by either management or the external accountant and compared to its general ledger accounts as well as the payroll register, to avoid data manipulation.  The review of expense reports should always include a detailed review of the receipt to ensure duplicate receipts for the employee or receipts previously paid are not included.
  • Payroll
    A company’s payroll is another operation that is ripe for fraudulent activities, especially in smaller companies.  According to the ACFE’s Report to the Nations: 2020 Global Study on Occupational Fraud and Abuse, payroll fraud is two times more likely to occur in small businesses compared to large organizations.  If a company chooses to outsource their payroll function to a specialized payroll service provider, the company essentially transfers much of the risk to the service provider, however, not all.
    Typically, small businesses have at least one employee gather payroll data from staff and enter it for processing each payroll cycle.  However, management or an external accountant should review each cycle’s payroll register, directly from the payroll system, comparing it to the company’s bank statements for that period.  Additionally, management should limit the employees with access to the payroll system and further limit what areas within the system each user is permitted to view and edit.
  • Accounts Receivable
    Access to customers’ accounts receivable accounts and records, as well as customer collections, should be carefully scrutinized.  Furthermore, if a company regularly receives large customer checks in the mail, management may choose two or more people to review and sort the daily incoming mail, and a third person prepares the bank deposit.
  • Information Systems
    Most companies utilize information systems, such as QuickBooks or SAP, to record their financial, customer, and vendor data.  Management should review the employees’ access rights to these information systems, as well as each user’s rights and permissions within the system, to limit incompatible duties as much as possible.  The users’ rights to view, edit, and modify data within the information system should be compatible with their role within the company and should not grant them full permission to access funds while allowed to record and authorize a transaction.

Other Matters

Management should be aware of other matters within the company that warrant consideration when it comes to internal controls, such as access to signature stamps, the bank reconciliation process, management of the vendor master file, and new or inactive employee records.  Some small businesses likely own signature stamps for their owners, which could be used to sign physical checks.

These stamps should always be physically secured in a safe and locked drawer only accessible by the owners.  In addition, the company’s bank statements should be reviewed and reconciled by an independent party, such as the owners and/or external accountant.  In order to provide a tighter control environment, the monthly bank statements could be emailed or mailed directly to that independent party for reconciliation.

Access to the vendor master file and new or inactive employee records should be limited with strategic users selected. For instance, a vendor list should be created and periodically reviewed by both the facilities manager within the company and the external accountant or owner.  Prior to the addition of new vendors, two members from either management, the facilities manager, or the external accountant should perform a concurrent review, approval, and documentation of the new vendor.  This control process ensures that fake vendors are not created through which an employee could embezzle funds.

Contact Us

In general, internal controls should be customized for each business, based upon its size, processes, and industry.  If your company would like an assessment of existing accounting internal controls, including recommendations for improvement, or are aware or concerned about an existing fraud, please contact Natalie Lewis at  Natalie is a principal in Windham Brannon’s Forensic and Litigation Services practice and is experienced in preventing, detecting, and investigating fraud.

More information about the latest business insights on COVID-19Click Here