Some concepts and ideas from the big corporate world translate pretty well into the small business environment, others not so much.
One of the frameworks that does apply pretty well with a few tweaks, and one which small businesses can definitely benefit from applying, concerns "internal controls".
What do we mean by "internal controls"? Put simply, they are a set of tools and techniques operated within a business that, applied correctly, help you to achieve desired outcomes and avoid problems, whilst safeguarding the company's assets. Internal controls, then, are fundamental to good corporate governance and the management of risk.
The Institute of Internal Auditors has published quite a good paper on the subject of Control which can be downloaded here. The paper refers to the COSO model which concerns itself with three main objectives: effective and efficient operations; reliable financial reporting; and compliance with laws and regulations.
All well and good, but how does any of this help the smaller business? Let's see...
In the context of the smaller business, the most common control activities can be distilled down into the following categories:
- segregation of duties - dividing up duties between different members of staff in order to reduce the likelihood of fraud or error;
- organisational controls - establishing clear lines of responsibility and accountability within the organisation;
- authorisation - having clear authority levels in place, enforced through manual or automated procedures;
- personnel - having the right people in the right roles, and effectively recruiting, developing and monitoring staff performance;
- supervision - exercising appropriate day-to-day supervision and oversight of staff and operations;
- physical - securing the physical protection and control over access to the company's assets and resources;
- accounting - using accounting & arithmetical techniques to verify the validity and accuracy of transactions and balances recorded in the financial records; and
- management - exercising robust management and governance of the organisation in pursuit of the company's overall objectives.
As the fundamental purpose of a system of internal control is to help the organisation achieve its goals and avoid (or reduce the impact of) problems, it follows that the organisation's goals, its activities and the associated risks all have to be identified and evaluated on an ongoing basis; the internal controls cannot be designed in isolation.
Often a process-based view is adopted, in order to give some structure to the evaluation (on one level all organisations can be viewed simply as a collection of processes operated by people and/or technology in pursuit of certain outcomes). So when it comes to designing an effective system of internal controls, the sequence of thinking goes like this:
- what are the goals of the company, department, region etc?
- what are the processes that happen in support of those goals?
- in relation to each step in each process, what are the things that could go wrong (risks)?
- what would be the impact (financial or otherwise) of each risk?
- can the likelihood and/or impact of the risk be reduced cost-effectively to an acceptable level through internal control techniques?
- if not, what alternative strategies can be applied to manage the risk (avoidance, transference etc.)?
Preventive control techniques are often more desirable as they act to stop something undesirable happening, whereas detective controls serve only to warn management about events that have already occurred. However, the cost of control must also be borne in mind when designing control systems.
These principles apply just as much to very small businesses as they do to big multinationals. Your small business:
- undertakes a variety of activities (processes) in pursuit of certain objectives;
- is exposed to the risk of things going wrong, and consequent impacts;
- is in a position to critically evaluate the likelihood and impact of those risks;
- has limited resources with which to control those risks, and must therefore carefully decide which risks to control (and how), and which risks to avoid or transfer.
Therefore applying some of the techniques outlined in this article can assist the small business owner to pursue their objectives whilst understanding, and managing, the associated risks.
It is also important to appreciate that there are limitations to any internal control system; because humans can and do fail, management can override controls, people can collude to circumvent systems, and external events can blow things off course, we can only really concern ourselves with practical control, rather than dealing in absolutes.
In future articles we will dive into aspects of this topic in a bit more detail.