When is the last time you reviewed your internal controls?

Written by Jessica M. Dorsett, CPA

If you are anything like me, you are just as tired as I am hearing the term, “new normal”.  I personally reject the idea that this is our new permanent reality, but I’m not in denial that we must live with this challenging environment a little longer (I hope not too much longer).  Nonetheless, businesses have had to pivot and make significant changes to operations, including many policies and procedures that were originally established to provide internal controls.

Small businesses often fall victim to fraud and scams because the lack of resources become the excuse to neglect internal controls necessary to safeguard assets.  We work exclusively with closely held businesses, and understand the environment and limitations faced by business owners and management of these companies.  As a result, over the years, we’ve seen clients lose far too much in both dollars and time.

If you haven’t reviewed your Company’s internal controls in the last 2 years, I highly recommend you take some time to consider where your greatest risks and exposures exist.  This article will pose questions to help you navigate areas within your company.  Later in the article, I will provide some simple, yet highly effective policies you can implement to greatly strengthen your controls and mitigate risk of error and fraud.  It is impossible to eliminate these risks, but it is possible to greatly reduce the risks.


Questions to Consider:

  1. Is there one person doing it all? This is a big problem.  A key component to effective internal controls is segregation of duties.  While this is often challenging and cost prohibitive in smaller offices, it’s not impossible.  If you have an office manager who handles all accounting, from invoicing clients, collecting payment, recording expenses, writing checks, and managing the QuickBooks file, that manager could very easily perpetrate fraud.
  2. I trust her like my own sister”: Do you rely on trust alone, rather than “trust and verify”? I’ll never forget a comment an instructor once made regarding this issue.  He recalled how his sister always stole his things growing up.  It was good perspective. Trust is important, but it is not a control.
  3. Do you know how to read your financial statements? Many people are intimidated by accounting and financial statements, and therefore neglect the reporting.  Often, owners review the Income Statement (Profit & Loss), but never see the Balance Sheet (or worse, don’t know what the Balance Sheet is).  As accountants, we place more emphasis on the Balance Sheet over the Income Statement when determining the accuracy of the reporting.  If you never review the Balance Sheet, or review it but don’t understand how to read it, then there is a high risk of either inaccurate reporting, or fraud.  Schedule an appointment with your CPA for an hour, and ask him/her to show you how to read your financial statements and understand them.  Don’t let your pride get in the way.  We understand, and we want to help.
  4. Did you make changes to accounting procedures as a result of COVID? Maybe your controls were strong, with good separation of duties, timely reporting, and transparency. Then the shutdown happened in March and management scrambled to figure out how to get everyone working remote, limit contact and minimize impact on the business.   As a result, certain positions were eliminated, accounting functions were consolidated, and reporting fell behind.  You are so focused on pivoting the business, that accounting matters take the back seat.  If you haven’t come back to the accounting by now to re-evaluate and re-design, now is the time.
  5. Do you use credit cards? Many Companies have begun paying Company obligations by credit card. The owners like it because they get a lot of miles and the payables person loves it because it is much faster than writing checks. Many years ago, one of our clients was defrauded of over $1million by a bookkeeper who simply obtained credit cards from all the same credit card vendors as the Company used and paid her personal bills along with the Company’s bills. The owner received and signed the checks to the credit card vendors but failed to review the credit card statements. Had he reviewed them, he would have realized that every month he was signing checks that paid both the Company’s credit card statement and the bookkeeper’s personal credit card statement.

Recommended Procedures to Implement:  These recommendations are practical and fairly simple, yet highly effective.  If these are not a part of your regular routine, I encourage you to consider immediate implementation of as many of these recommendations as possible.

  1. Are you still using checks?
    1. Consider going to e-check options. Checks are an easy target for both internal and external fraud.  Many banks provide bill-pay options at little, or no cost.  Additionally, some banks allow for the setup of multiple users with different permission levels, such as bill entry, approvals and authorization.  Not all banks offer this, but it’s a great tool if available.  com provides the same level of controls, with the added benefit of documentation retention for invoices and expenses.
      1. Please note, this does not include the use of a debit card. In fact, I discourage clients from using debit cards due to the lack of controls and high risk of loss.  Use a credit card if needed.  Proper controls over credit cards include requiring accountability, such as receipt retention and review/approval of the monthly statement by a superior.
    2. If you prefer to continue to use checks, then I strongly recommend you request the cancelled checks (or check copies) be provided with the paper statements each month (there may be a small bank fee for this to be added but well worth it). The unopened bank statement should go to someone other than the bookkeeper (such as the CFO or owner), who should open the statement and review all activity including the checks.  Review checks for authentic signatures, valid payees and amounts.  This is one of the simplest, yet most effective procedures you can implement to mitigate the risk of payables fraud.
      1. Side note – I personally don’t think double signature policies provide much value anymore. Most banks don’t review checks with any level of valuable attention.  I’ve seen checks clear with no signature at all!  If you keep the double signature policy, just note that it’s really an internal policy which would be monitored with proper bank statement reviews as noted.
      2. 2nd side note – in our “paper-less” world, many are utilizing the online bank portals for e-statements. I think it requires more diligence to make sure the responsible party both retrieves the statement directly (not the bookkeeper) AND reviews all check copies from the online banking.  In my opinion, this probably takes more time than it’s worth, making the cost of the paper statement and check copies well worth it.
  2. Insist on timely bank reconciliations for ALL bank accounts and review them. You should not see a lot of unreconciled transactions, particularly items over a month old.  You also shouldn’t see journal entries in the bank reconciliation.  Bank reconciliations should be performed monthly, on a timely basis.
  3. Payroll has always been a common place for fraud, yet many owners have an incorrect perception, that because they use an outside payroll company, fraud can’t happen. This is 100% untrue.  Payroll companies only process, they do not manage or provide controls.  They rarely even catch client mistakes.  If payroll is called in by someone other than the owner, then make sure there are proper controls in place. Consider the following:
    1. Employee set up and changes – should be someone other than the payroll clerk, or at the very least, owners or top management person should review and approve all employees added.
    2. Someone other than the payroll clerk should hand out live checks.
    3. Someone other than the payroll clerk should review the payroll register. Make sure all employees are real and payroll amounts are accurate.
  4. I’ve already said this, but it’s worth repeating. Review the entire set of financial statements on a monthly basis.  When bookkeepers either don’t know what they are doing, don’t know how to fix a mistake, or are sloppy in covering up their tracks, there are a few obvious places these “issues” end up in QuickBooks (I reference QuickBooks as it is the most commonly used accounting software by small businesses):
      1. Opening Balance Equity
      2. Unreconciled differences
      3. Unclassified asset

        There should never be a balance in these accounts.  Ever!
        Less obvious places included (but not limited to):

      4. Office expense/supplies (the classic “plug” account)
      5. Cost of Goods Sold
      6. Miscellaneous
      7. Other expenses
  1. Understand the risks with using QuickBooks. Don’t get me wrong, QuickBooks has made accounting fairly simple for the non-accountant.  Most of our clients use it, and I still recommend it due to the ease of use and the price point.  With that come some risks.  Many “bookkeepers” are QuickBooks users, not accountants.  If you are using a bookkeeper that does not have an accounting background, then depending on the complexity of your business, you run the risk of errors occurring.  These errors range from easy fixes to complete disasters.  The control that is necessary to overcome this weakness is a careful review by the owner or a person completely out of the accounting process. We can help you develop checklists for this type of review.
  2. Limited ability to separate duties? Consider the following possibilities (reasonableness depends on the size of your business):
    1. Separate the person responsible for invoicing from the person responsible for recording receipts and deposits.
    2. One person can enter payables and prepare the checks, but a separate person should review, sign AND mail (don’t give the signed checks back to the person preparing the checks).
    3. Consider hiring an outside person to do the monthly reconciliations and prepare the financial statements.
    4. Make department managers responsible for budgets, including creating department level budgets, managing the budget to actual and expense approvals (not check signing).
  3. Have a surprise “audit” performed. This may be especially useful if you have one person doing just about everything. This would entail engaging an outside firm to review/audit one random month of activity.

These are only a few considerations.  If you are concerned about your controls and don’t feel comfortable reviewing them yourself, consider engaging an outside firm for a special engagement.  Many accounting firms, including ours, have the ability to conduct interviews and review the accounting records to provide an assessment and recommendations.  Accounting related internal controls don’t have to be complicated, but as a business owner or manager, it should be important enough to spend some time and effort in ensuring it’s functioning properly.



100 E San Marcos Blvd. Ste. 100, San Marcos, CA 92069 | Phone (760)-599-9900 | Fax (760)-599-9911 | info@PolitoEppich.com

Skip to content