408-550-4325 support@sandismith.com

Every business organization owns assets that need to be protected from threats. If these assets are not protected, business owners may face losses and an interruption in business operations. One way to be proactive in reducing organizational risk is to implement strong internal controls.

The concept of internal control is a foundational principle for accountants. Implementing internal control takes strategy and commitment from the top to the bottom of the organization. In this report, we’ll share a handful of tactical ideas to give you a taste of how internal control can be implemented in your business.

Here’s a partial list of ideas to implement in your business that will not only strengthen internal control but also reduce your risk of business loss.

Employee

  1. Run background checks on all job candidates before hiring.
  2. For employees who will be handling money directly, secure bonding.
  3. Acquire workers compensation for each employee.
  4. Periodically audit workers compensation addresses (especially if employees work at home) to keep your policy updated.
  5. For all systems, user access permissions should be on a need-to-know basis.
  6. Design and implement an employee termination checklist to disable access to all company systems, building access, and assets.
  7. Require use of strong passwords by all employees for all systems.
  8. All user activity should be logged.

Physical Assets

  1. Physical access to buildings should be limited and controlled by card entry.
  2. Card entry inventory should be maintained and only cards for authorized personnel should be activated.
  3. Inventory should be taken physically once a year and books adjusted accordingly.

Banking

  1. Control access to all business bank accounts.
  2. Review and update on an annual basis the signature card on file for each account at the bank.
  3. Control access to check stock for each bank account.
  4. Review monthly any missing checks by running the missing check number report.
  5. Reconcile each bank account on a monthly basis by comparing book balance to bank balance.
  6. Control access to all business credit cards.
  7. Reconcile each credit card statement on a monthly basis by inventorying and verifying receipts and approvals.
  8. Control access to all business merchant accounts.
  9. Reconcile each merchant account on a monthly basis.
  10. Control access to all business payment accounts, such as PayPal and Venmo.
  11. Reconcile each bank account on a monthly basis by comparing book balance to bank balance.
  12. Update all banking, credit card, merchant, and payment account passwords on a frequent basis.
  13. Lock up all cash on hand.
  14. When cash exceeds a certain amount, move it to a safe location that is not accessible by employees.
  15. If a petty cash account is maintained, keep it locked up and reconcile it periodically.

Customers

  1. Create a validation process for new customers, especially if credit is granted, through a credit check, BBB review, or DUNS or SAMS database registration.
  2. Review customer data for duplicates and keep customer databases clean.
  3. Customer orders/invoices should be checked for proper authorization before fulfillment.
  4. Customers should be sent order confirmations, status, and delivery communications.
  5. Customer contracts should be reviewed and renewed on a periodic basis.
  6. Order fulfillment should be validated against order and adjustments handled properly through billing and communications.
  7. Customer payment processing should be matched against order and discrepancies handled timely.
  8. Customer service inquiries and responses should be monitored periodically.
  9. Customer return policies should be written and posted visibly. Employees should be trained to follow return policies.

Inventory

  1. Physical inventory locations should be secured during off hours.
  2. All inventory for sale should be tagged appropriately for price.
  3. Expensive inventory items should be tagged with a theft warning system.
  4. Physical inventory additions and reductions should be tracked and verified.
  5. A physical inventory count should be taken at least once a year and reconciled with the books.
  6. Customer return requests should be processed accurately and timely.
  7. Damaged and expired inventory should be handled appropriately.

Accounts Receivable

  1. Accounts receivable balance should total outstanding customer invoices.
  2. Procedures to collect aging invoices should be implemented.
  3. Procedures to manage credit card updates, expiring credit cards, and failed credit card charges should be put in place.
  4. A process to respond to and resolve credit card disputes should be put in place.
  5. Days Sales Outstanding metric should be monitored periodically.
  6. A process for recording write-offs should be put in place.
  7. Procedures to turn uncollectible accounts over to a collection agency should be implemented.

Pricing

  1. Pricing of products and services should be set by company policy and reviewed periodically.
  2. Product and service information should be recorded in the point-of-sale system, shopping cart or price sheet and updated when appropriate.
  3. Physical inventory items should be marked with the correct price on the official price record.
  4. Price discounts and coupons should be marked, distributed and updated accordingly.

Vendors

  1. Create a setup process for new vendors, including sending them a W-9 and any exemption certificates that you qualify for.
  2. Review vendor data for duplicates and keep the accounting system clean.
  3. Purchase orders should be approved before sending to the vendor.
  4. Receipt of items should be accompanied by a packing slip and verified by an operations employee.
  5. Inventory should be adjusted accordingly for receipt of inventory items.
  6. Vendor bills should be matched to purchase order and shipping document before being approved for payment.
  7. Vendor contracts should be reviewed and renewed or cancelled on a periodic basis.
  8. Invoice discounts should be taken when available.
  9. Invoice payment processing approvals should be automated and discrepancies handled appropriately.
  10. Procedures should be set up for exceptions, such as damaged goods, pricing discrepancies, drop ship, returns, and others.

Accounts Payable

  1. Accounts payable balance should total unpaid vendor bills and should be reconciled monthly.
  2. Procedures to resolve and clear old bills should be implemented.
  3. Procedures to manage credit card payments should be put in place.

Marketing

  1. Company trademarks should be recorded, renewed, and protected.
  2. Marketing assets such as domain names should be recorded in the company name and the account secured by two company officers.

IT

  1. A hardware inventory should be maintained.
  2. Software license inventory should be maintained and licenses purchased when needed.
  3. All digital assets should be owned by the company and recorded in the company name with officer access.
  4. Email addresses should be allocated and controlled by IT staff.
  5. Cloud or server access should be controlled and limited on a need-to-know basis.
  6. Controls, such as antivirus software, passwords, and firewalls should be in place to protect digital data from outside threats.
  7. Backups should be taken daily of all digital data, including local employee hard drives.

Legal

  1. All corporate documents should be maintained and secured physically and digitally.
  2. All customer, vendor, employee, and partnership contracts should be review by legal and assessed for risk.
  3. If company offers warranties or guarantees, these should be created and published accordingly.
  4. All applicable business laws should be followed, including taxation, privacy, CAN-Spam, HR employment, and others.
  5. Employee posters should be visibly displayed.
  6. Emergency contacts for all employees should be recorded.
  7. Privacy policy should be written, posted, and distributed as required by law. Employees should be trained to follow privacy requirements.
  8. Employees should attend sexual harassment and diversity training sessions as required by law.
  9. Company should create and maintain a terms of use, disclaimer, and cookies policy for their website and follow GDPR rules if applicable.

General

  1. All applicable business licenses should be applied for, acquired, and renewed on time.
  2. The company should maintain a disaster recovery plan.
  3. Acquire and maintain the proper insurance policies, including building and physical protection, liability, malpractice, D&O, cybersecurity, auto, and others as needed.
  4. Create and maintain an emergency communication plan.

While this list is far from complete, you can still use it as a preliminary checklist to gain ideas on how you can better protect your company against risks.

If you’d like to know more about how internal control can reduce your business risk, please feel free to reach out any time.