The right internal controls prevent fraud and loss: the larger the organization, the more formal the requirement for internal controls; the smaller the organization, the more resources-constrained it is. Yet, some simple procedures can be applied for writing internal controls that can be utilized for all levels of business.

• Author: Johnston, Randolph P.
• Position: Compliance

Developing and monitoring proper internal controls is a practice that seems to have been neglected during the recent economic tough times. Proper internal controls apply to manual and automated procedures. Concerns about unnecessary loss and loosening controls put businesses of all sizes at risk. The amount of risk and potential loss is left to the chief financial officer's judgment However, the costs of loss are frequently underestimated.

What risks exist in your organization? Could technology losses through smartphones, tablets or computers be expensive, or expose unnecessary customer data or trade secrets? Would lack of encryption trigger reporting in a loss or theft? Is there sufficient protection for electronic access to bank accounts?

In addition, are these accounts protected from outside intruders and illegal or unauthorized transfers, and are sufficient internal controls in ail appropriate places in the organization?

The larger the organization, the more formal the requirement for internal controls; the smaller the organization, the more resources-constrained it is. Yet some simple procedures can be applied for writing internal controls that can be utilized for all levels of business.

Compliance Requirements

Businesses of all sizes face a variety of statutory requirements relating to internal controls. Various federal and state regulatory bodies have imposed a number of statutory requirements throughout the years. With the wave of high-profile corporate financial reporting scandals in recent years, these statutory requirements have increased and become significantly more visible in the public eye.

The most significant of these statutory requirements are those imposed by the Sarbanes-Oxley Act. Signed into law by President George W. Bush on July 30, 2002, the law dramatically changed the financial reporting landscape for publicly held companies and their auditors.

As related to internal controls, Sections 302 and 404 of the act require publicly held companies to establish and maintain internal controls over the financial reporting process. Further, companies must assess and report on the effectiveness of these controls in annual reports.

To many small business owners and managers, internal controls are simply those policies and procedures that are put in place to prevent theft and fraud. While safeguarding of assets is clearly one desirable outcome of an effective internal control structure, it is certainly not the only reason a business--regardless of size--should design, implement and monitor a system of internal controls. In fact, most generally accepted definitions of internal controls reflect the fact that safeguarding assets is but one objective of an effective internal control structure.

Statement on Auditing Standards (SAS) No. 78 states that internal control is a process--affected by an entity's board of directors, management and other personnel--designed to provide reasonable assurance regarding the achievement of objectives in the following categories: reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations. SAS 78 continues by defining five interrelated components of internal control.

First, there is a control environment that sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

Next, the risk assessment is the entity's identification and analysis of relevant risks to achievement of...