News

Internal Controls 101: A Guide for Small Businesses

By Haley Lyons and Kaitlyn Coburn

For small businesses, implementing properly designed internal controls with limited resources can be challenging. According to a 2014 report by the Association of Certified Fraud Examiners (ACFE), businesses with fewer than 100 employees accounted for the highest percentage of fraud instances – nearly 29%. Understanding internal controls, and how to best implement them to create a strong internal control environment, is an integral step in protecting a company’s assets and deterring against fraudulent activity. The information provided below is a starting place for small businesses to look critically at their business practices and examine whether or not their internal controls and procedures adequately minimize risk.

Internal controls is defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations, and policies. It is the responsibility of management to establish and maintain an adequate internal control structure, assess the effectiveness of the internal control structure, and to define the framework to evaluate the effectiveness of the company’s controls.

In order to help management fulfill its responsibilities, a framework such as COSO’s Internal Control – Integrated Framework (the Framework) can be beneficial to follow. The framework enables management to effectively and efficiently develop a system of internal control that can adapt to changing business and operating environments, mitigates risks, and supports sound decision making and governance. Within the framework, five components (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring) work together to achieve the company’s operations, reporting, and compliance objectives. Within each of these five components are principles that represent the fundamental concepts associated with each component.

As small businesses generally have limited resources to focus on internal controls, it is important to weigh the cost versus benefit of each control the company is putting into place. Below are types of internal control that are beneficial for all small businesses to have in place.

  • Segregation of duties
  • Authorization/Approval
  • Accountability/Reconciliation
  • Physical Controls/Safeguarding of assets
  • Performance/Management review

Although effective internal controls are designed to prevent and detect fraud as well as provide reasonable assurance of achieving the company’s objectives, limitations do exist. According to the Framework limitations may result from the following:

  • Reality that human judgement in decision making can be faulty and subject to bias
  • Breakdowns that can occur because of human failures such as simple errors
  • Ability of management to override controls
  • Ability of management, other personnel, and/or third parties to circumvent controls through collusion
  • External events beyond the organization’s control

These limitations preclude management oversight from having absolute assurance of the achievement of the entities objectives. As such, management should be aware of these limitations when selecting, developing, and deploying control that minimize to the most practical extent, these limitations.

The assurance professionals at Kernutt Stokes are well versed in this subject area and have experience assisting businesses in their internal control, risk assessment, and internal audit needs. Below are a few of the many services provided by the Kernutt Stokes team:

  • Internal audit
  • Fraud risk analysis
  • Internal control assessment
  • Risk management consulting

To learn more about Kernutt Stokes assurance services, contact Haley Lyons at 541.687.1170.