A Checklist for Your Small Business Internal Controls
This article is part of a larger series on Bookkeeping.
Internal controls are important for all businesses, regardless of nature, size, and type. When I was at the university, we created an accounting manual for a local small business in the area. The main challenge that we encountered was creating a sound internal control system for a small business with three administrative employees who handle multiple job posts.
With that, let me share my experience and learnings with this internal controls checklist for small business application:
Small Business Internal Controls You’ll Learn in This Article
- Properly segregate duties.
- Ensure owner oversight.
- Create documentations.
- Perform independent reconciliations.
- Define levels of authorizations.
- Establish standard operating procedures.
- Be strict in cash transactions.
- Review logical security.
- Review physical security.
- Assess business continuity.
1. Properly Segregate Duties
Segregation of duties (SoD) is a direct deterrent to fraud and a mechanism that spots errors along the process. There’s no fixed rule on what job roles should be segregated. In designing internal controls, you just have to remember the acronym ARC (authorization, recording, and custody). These three functions are incompatible duties and shouldn’t rest in one person.
2. Ensure Owner Oversight
The major challenge in a small business environment is the lack of a workforce to handle jobs that should be separated. Sometimes, the cost of following proper SoD outweighs the benefits due to the lack of a business need for so many administrative employees. Owner participation and oversight can be a compensating measure if it’s impossible or uneconomical to separate incompatible duties. Participation in daily operations is an added layer of protection in case some employees take advantage of a weak internal control system.
3. Create Documentations
Documents serve as evidence of transactions. Business source documents must contain certain attributes to make them reliable and contribute to good internal controls. They must have the signature of the person who processed and approved the document, which must bear special notes or stamps like Paid, Approved, Denied, or Closed to show the status of the document within the workflow.
To keep the integrity of source documents, consider prenumbering them so that employees won’t be tempted to falsify documents to their own advantage. Documentation is crucial in the accounting process as it helps your employees keep track of everything. But with small business accounting software, you shift to paperless transactions.
4. Perform Independent Reconciliations
Another important internal control feature is independent reconciliations, meaning that the person reconciling the accounts must not have custody or access to these accounts. For example, the person performing bank reconciliations must not have access to the bank account.
Instead, the person performing account reconciliations must reconcile accounts based on reports provided to them by the person with custody over the accounts, such as forwarding bank statements to the person who will reconcile bank accounts. Hence, you can assign your bookkeeper to perform bank reconciliations—as long as they don’t have access to your bank account or the authority to sign checks.
5. Define Levels of Authorizations
Proper authorization ensures that all transactions within the business are valid and legitimate. As good internal control practice, only the small business owner should have the ability to authorize any type of transaction. Even the most trusted employees must not have the same level of authority as the small business owner since putting too much trust can be an opportunity for fraud as explained in the fraud triangle.
However, the business owner may delegate certain authorization roles to managers and carefully consider the tasks to delegate. For example, managers can approve expense reimbursements that are below $500 or have the authority to approve sales contracts below $5,000.
6. Establish Standard Operating Procedures
Even in a small business, you need to establish a standard operating procedure (SOP). An SOP is a set of steps for routine transactions, and a transaction is routine if it needs to be performed several times a week. These may be recording customer payments, accepting customer orders, ordering goods from suppliers, and paying employee salaries.
SOPs are a form of internal control because it streamlines the routine process to prevent errors and mistakes. In forensic accounting and auditing, accountants start with SOPs to understand how the business operates since forensic accountants and auditors are external parties who aren’t aware of all business policies.
7. Be Strict in Cash Transactions
In a small business, extra emphasis must be placed on cash receipts, disbursements, and deposits. Controls must be in place to ensure that receipts are issued to cash-paying customers and that different employees collect the cash, record the cash, and deposit the cash. If this SoD isn’t possible, you as a business owner must get involved. Another business practice is setting a threshold for cash transactions. For instance, cash transactions above $1,000 must go through owner approval, while cash transactions below $50 can be charged to petty cash.
To reduce the risk of theft, one of the most important cash management tips is to deposit all cash received daily in the bank as keeping too much cash in the business is risky. In line with this, strive to pay cashless for every expense transaction where possible. Cashless payments are safer since our goal is to reduce the existence of physical cash in the business. As such, encourage customers to also pay cashless through e-wallets, debit payments, and credit card swipes, and don’t discourage them from paying with a credit card by charging them an extra fee.
8. Review Logical Security
Logical security is otherwise known as application access controls. They refer to login credentials to information systems used in the business like accounting software, expense tracking software, invoicing software, and many more. The appropriate level of management must have access to specific apps and software. It doesn’t mean that every person regardless of their position or role must have access to every app used in the business.
For example, only accounting employees must have access to your business’s QuickBooks Online account. More so, employees in the sales team shouldn’t be included in the QuickBooks Online subscription. If your business happens to create a customized system like what we did here in Fit Small Business, you should give each employee a role with specific limitations on what they can do.
9. Review Physical Security
Physical security is an internal control as well. It refers to the methods you use to secure business assets if your business has an office or physical shop. Physical security includes installing closed caption TV (CCTV) cameras, creating fencing around the perimeter, and limiting access to specific areas. You can limit employee access by handing out access badges or key fobs. Padlocks and typical door locks are still viable if there’s no business need for high-tech security mechanisms.
In crucial areas like cash vaults or offices where you keep trade secrets, the best physical security is to limit access to one employee only and the business owner. If you have extra budget, hire security guards from agencies to guard business premises outside business hours.
10. Assess Business Continuity
Some small businesses use sophisticated technology and equipment that help them provide unique products and services to customers. Good internal control dictates that there must be at least a business continuity or recovery plan in case of unforeseen events and disasters. This plan must outline the necessary steps the business must do to continue performing its critical tasks.
In contrast, business continuity may also cover sudden resignations, replacements, termination, or death of key business personnel. With a key position left vacant, the business must establish a series of steps to continue operating even with the absence of key personnel. There must be appropriate documentation as well so that the person who will take over the position can continue all ongoing operations within the department.
Components of Good Internal Control
In establishing good small business internal controls, many businesses follow the framework of the Committee of Sponsoring Organizations (COSO). In the COSO framework, a good internal control system has five components, and you remember them easily using the acronym CRIME:
- Control activities: These are manual and automated tools that help prevent or detect the risk of misstatements due to fraud or error. The list of controls above are examples of control activities. However, unique control activities may exist in every department, like accounting controls for the accounting department or production controls for the production department.
- Risk assessment: This involves analysis of risks posed by internal and external factors affecting the business. These risks may pertain to operations like the risk of employee fraud, product returns due to defective production or economic and political risks, such as increasing interest rates, new legislation, and higher tax rates, that the business can’t control.
- Information and communication: The business must also have an effective information and communication system. It involves communicating information to employees to help them in their responsibilities. The business should communicate to the employees the importance of following controls to ensure smooth operation.
- Monitoring: This refers to ongoing evaluations of existing controls and the application of controls. Monitoring controls help your business find ways to improve it if there are sudden changes. Moreover, it enables you to detect employees who aren’t following control procedures.
- Control environment: It’s the set of standards internal controls are based on. The control environment is the attitude of the business owner and management toward adherence to internal controls or the tone at the top. Your business’s control environment is a result of your philosophy and operating style. In other words, it’s a reflection of your ethical values. Hence, business owners who intentionally misstate tax returns can encourage employees to do fraudulent acts but for their own advantage.
Good internal controls can help your business operate efficiently and effectively. It also reduces the risk of fraud or error within the system. By following our checklist of essential small business internal controls, you can lay the foundation for your small business’ internal control system.