Internal controls are the processes that a company has in place to prevent and detect both errors and fraud. Internal controls are thought of most often in accounting, but they can protect from data breach, inventory or cash theft, and operations errors.
Every company should have some form of internal controls. The controls will vary depending on the nature of the company and the risks of its business processes. The US Mint has very intricate controls that prevent employees from stealing materials, finished product (coins), and equipment. For example the US Mint counts coins produced and searches employees as they exit the production facility. A small landscape business may also have controls to determine that equipment has not been stolen or lost. In this case, each piece of equipment may have a place, and an owner or manager may do a daily or weekly review of the items.
There are two broad types of internal controls: preventative and detective. The names say it all. Preventative controls attempt to prevent fraud and errors before they happen. Detective controls review information to determine if any fraud or errors have occurred.
Preventive Controls
Preventive controls are proactive. They are aimed at discouraging errors and irregularities. Some examples include
- Segregation of Duties: Assigning duties like bill entering and bill paying to two separate employees or departments.
- Approvals, Authorizations and Verifications: A supervisor’s approval of a purchase, authorization of a new vendor, or verification that an expense is categorized correctly.
- Security of Assets: Both preventive and detective in nature, these controls restrict access to assets like equipment, inventories, securities and cash.
Detective Controls
Whereas preventive controls are designed to discourage errors and irregularities, detective controls are designed to find them after they have occurred. Examples include the following:
- Reconciliations: Bank account and credit card reconciliations are one of the best ways to detect errors. By reconciling accounting data to an outside source, both missed transactions and data entry errors are identified. A bank reconciliation also allows a new set of eyes to review the financial info for any irregular transactions.
- Physical inventories: These are used for entities that carry items for sale, equipment, or cash on hand. The physical count is matched to what financial records show should be on hand.
- Audits: An audit is a comprehensive look at the operation of a business. Most often audits are performed by external parties, but companies can perform full or partial audits internally to double check financial data and business processes.
Often controls are set up in response to an issue. Every business should consider implementing a mix of preventive and detective controls before major issues arise.
