Establishing internal controls is a way to make sure everything is operating correctly at your small business. These controls prevent errors from happening or can detect errors when they are made. One set of internal controls you can use is based around who performs specific tasks within your business. A company should assign certain tasks in a specific way to make sure employees can double-check the work done by others. By separating certain responsibilities across multiple individuals, you are likely to make errors or experience fraud.
Segregation of Duties
Segregating duties can minimize the damage one person can do. Without these controls, a single employee can perform a string of tasks without anyone controlling their work. For example, imagine a situation where an employee can authorize vendor payments, post journal vouchers, and write cheques to pay vendors. In this case, this person could create a fake vendor, authorize the payment, make the accounting entry, and write the cheque which they can cash in their own bank account. If other employees were involved in this process, you would be able to prevent this fraudulent activity. You should consider using internal controls to separate three job functions: authorization, recording, and custody, often abbreviated as ARC.
Authorization of Activities
Authorization is the approval to make something happen within your company. The person making the approval should be closely tied to the activity. The person approving an invoice should be the person whose budget will be hit. This person should know what is legitimate business activity and what is fake. If an invoice for supplies is prepared for approval, the person authorizing the payment should know the vendor, remember placing the order, and be aware of the total charge. You should record all authorizations by saving emails, obtaining physical signatures, and holding onto documents that show something was approved.
Recording of Activities
The person who records changes may not know the background of the change, but they should have special knowledge about how to record for it. For example, you approve the issuance of a lock box key to a new employee. A separate employee should manage the lock box roster to record any changes. You must make sure the record log is not accessible by everyone. Only a few people sometimes only one person should have access. A great example of this is within an accounting system. Not everyone in your company should be set up with access to enter journal entries; only finance individuals should have the ability to edit these records.
Custody Over Tangible and Intangible Goods
The custodian of goods should be the person safeguarding items associated with the change. Your company should protect your cheque stock so fraudulent cheques aren’t written and protect your lock box to protect against theft. By having a custodian, your physical assets are harder to access, which can minimize your risk of these items being misused. One item to consider when establishing your custodian is temporary absences. If your custodian goes on vacation, your business will still need access to the items being protected. In this case, you should remember to reassign the custodian’s duties temporarily so your company can continue running smoothly.
Examples of Separation of Duties
The impact of segregating duties can been seen across your company. If one of your employees authorizes an invoice for payment, your employee recording the invoice can look for coding errors, dollar amount differences, and suspicious vendor information. If a voucher is recorded in your accounting system, your custodian in charge of the cheque stock can’t write a cheque until they have proof of authorization. If your custodian attempts to use the cheques without going through the correct process, other employees will see the fraudulent activity. In all of these cases, one of your employees can prevent an error or fraud occurring due to the activity of another employee.
Not Enough Employees
Some small businesses face challenges finding enough employees to separate job functions. At least three employees are required for ARC functions to be separated. However, you can still separate the duties between only two employees if you use additional controls. If one of your employees authorizes a change, another can record the change and secure the associated items. In addition, you should periodically change the responsibilities and have the two employees switch duties. If you don’t have enough employees to separate these duties, you can always use compensating controls. These controls still make sure your company is still operating the way it should. One such control is to force employees to take time off, as their time away from the office can alert you of suspicious activity. It’s not bad business practice if the authorization, recording, and custodian functions are performed by the same employee. However, having all three functions separated will result in cleaner, safer business operations.