Developing Internal Controls: Understanding ARC

By QuickBooks Canada Team

4 min read

Establishing internal controls is a way to make sure everything is operating correctly at your small business. These controls prevent errors from happening or can detect errors when they are made. One set of internal controls you can use is based around who performs specific tasks within your business. A company should assign certain tasks in a specific way to make sure employees can double-check the work done by others. By separating certain responsibilities across multiple individuals, you are likely to make errors or experience fraud.

Segregation of Duties

Segregating duties can minimize the damage one person can do. Without these controls, a single employee can perform a string of tasks without anyone controlling their work. For example, imagine a situation where an employee can authorize vendor payments, post journal vouchers, and write cheques to pay vendors. In this case, this person could create a fake vendor, authorize the payment, make the accounting entry, and write the cheque – which they can cash in their own bank account. If other employees were involved in this process, you would be able to prevent this fraudulent activity. You should consider using internal controls to separate three job functions: authorization, recording, and custody, often abbreviated as ARC.

Authorization of Activities

Authorization is the approval to make something happen within your company. The person making the approval should be closely tied to the activity. The person approving an invoice should be the person whose budget will be hit. This person should know what is legitimate business activity and what is fake. If an invoice for supplies is prepared for approval, the person authorizing the payment should know the vendor, remember placing the order, and be aware of the total charge. You should record all authorizations by saving emails, obtaining physical signatures, and holding onto documents that show something was approved.

Recording of Activities

The person who records changes may not know the background of the change, but they should have special knowledge about how to record for it. For example, you approve the issuance of a lock box key to a new employee. A separate employee should manage the lock box roster to record any changes. You must make sure the record log is not accessible by everyone. Only a few people – sometimes only one person – should have access. A great example of this is within an accounting system. Not everyone in your company should be set up with access to enter journal entries; only finance individuals should have the ability to edit these records.

Custody Over Tangible and Intangible Goods

The custodian of goods should be the person safeguarding items associated with the change. Your company should protect your cheque stock so fraudulent cheques aren’t written and protect your lock box to protect against theft. By having a custodian, your physical assets are harder to access, which can minimize your risk of these items being misused. One item to consider when establishing your custodian is temporary absences. If your custodian goes on vacation, your business will still need access to the items being protected. In this case, you should remember to reassign the custodian’s duties temporarily so your company can continue running smoothly.

Examples of Separation of Duties

The impact of segregating duties can been seen across your company. If one of your employees authorizes an invoice for payment, your employee recording the invoice can look for coding errors, dollar amount differences, and suspicious vendor information. If a voucher is recorded in your accounting system, your custodian in charge of the cheque stock can’t write a cheque until they have proof of authorization. If your custodian attempts to use the cheques without going through the correct process, other employees will see the fraudulent activity. In all of these cases, one of your employees can prevent an error or fraud occurring due to the activity of another employee.

Not Enough Employees

Some small businesses face challenges finding enough employees to separate job functions. At least three employees are required for ARC functions to be separated. However, you can still separate the duties between only two employees if you use additional controls. If one of your employees authorizes a change, another can record the change and secure the associated items. In addition, you should periodically change the responsibilities and have the two employees switch duties. If you don’t have enough employees to separate these duties, you can always use compensating controls. These controls still make sure your company is still operating the way it should. One such control is to force employees to take time off, as their time away from the office can alert you of suspicious activity. It’s not bad business practice if the authorization, recording, and custodian functions are performed by the same employee. However, having all three functions separated will result in cleaner, safer business operations.

References & Resources

Information may be abridged and therefore incomplete. This document/information does not constitute, and should not be considered a substitute for, legal or financial advice. Each financial situation is different, the advice provided is intended to be general. Please contact your financial or legal advisors for information specific to your situation.

Related Articles

Internal Accounting Controls to Help Foil Phishing

Phishing and other cyber crimes can pose a risk to any business…

Read more

Helping New Non-Profits Establish Smart Financial Control Procedures

Good accountants can help new non-profits guard against fraud or financial wrongdoing…

Read more

The Importance of Ethics, Accountability and Transparency in Nonprofits

Your Canadian nonprofit organization depends on donor funding, which makes ethics, accountability…

Read more