Do You Have Proper Controls in Place?
There is a common misconception that small organizations cannot afford to have internal controls. This is simply not true. All organizations, no matter the size or mission, need to have controls in place, and it is possible to tailor controls to address risks within an organization in a cost-effective manner.
Before implementing controls, it is important to understand what internal control is.
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Keep in mind that internal controls are a process, which is affected by people. People are able to manipulate processes. Also, controls provide reasonable assurance, not absolute assurance.
COSO Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of 5 organizations that developed a framework and guidance to help organizations design and implement internal controls. The framework provides a means to apply internal control to any type of entity, not just large companies.
The COSO Framework consists of 81 points of focus that characterize 17 principles of internal control. The 17 principles of internal control align with 5 components of internal control, which are:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
When developing internal controls for your organization, it is important to use these 5 components.
Control Environment
What is the tone at the top? Does management take controls seriously?
Start with your organization’s culture. Does your organization reflect a culture of leadership, transparency, and accountability? Do leaders model the behavior that they expect to get from employees and volunteers? If you have not already done so, implement a written code of conduct and reinforce transparency with a whistleblower policy and conflict of interest policy.
Risk Assessment
Has management identified risky areas and implemented controls?
To address risks within your organization, you have to know what they are. Risks are anything that could prevent you from achieving your mission. Conduct a risk assessment to identify risks specific to your organization. You will not be able to address every risk, so you will need to prioritize which are most important. There is not one right way to do risk management, but you have to start somewhere, and that is with a conversation. You also need to make sure you are involving the right people within your organization in that conversation.
Control Activities
Are there policies and procedures in place?
What controls are currently in place within the organization? Are there procedures in place to properly segregate duties between authorizing transactions, recording transactions, and maintaining custody of assets? If your organization has a small staff, utilize your board members to provide additional segregation and oversight.
Information and Communication
Are the technology, accounting, and communication systems and processes understood?
In order for controls to work, people need to know what the controls are and their role within the process. It is important to define roles and set responsibilities for management, employees, and volunteers. As part of building active communication into the organization’s culture, policies and procedures should be communicated and fully explained.
Monitoring
Are the policies and procedures working?
Once your organization has gone through the risk assessment process and implemented controls, you are not done. Internal control is an ongoing process that needs to be continuously evaluated to ensure it is working. Changes in the organization’s environment can affect risk, so any time a change occurs (new programs, new people, changes in technology, new facilities, etc.), the internal control process needs to be revisited.
Contributed by: Carrie Minnich, MAcct, CPA | Partner | DWD CPAs & Advisors