Operational Risk Management – Common Operational Risk Area 2 – Internal Controls

Our last column discussed Operational Risk Area 1 – Fraud/Theft, and we now move on to the next common operational risk area, Internal Controls.  Internal Controls are an important piece of preventing operational risks because with the proper internal controls in place, it is much harder for bad actors to take advantage of your organization and much easier to identify the bad actors.  So, what are Internal Controls, how do they protect your operations, and why should you have them in place?

What are Internal Controls?

Internal Controls are defined as systematic measures, e.g., reviews, checks and balances, methods and procedures instituted by an organization to (1) conduct its business in an orderly and efficient manner, (2) safeguard its assets and resources, (3) deter and detect errors, fraud, and theft, (4) ensure accuracy and completeness of its accounting data, (5) produce reliable and timely financial and management information, and (6) ensure adherence to its policies and plans.[1]  As you can tell, internal controls provide a wide range of coverage for preventing and detecting operational risks.  Of course, with most things operational not all of the items listed fit perfectly to all operational situations for a variety of reasons.

How Do Internal Controls Protect You?

Internal controls protect in many ways and come in different shapes and forms, such as lack of proper authorization, no separation of duties, lack of control over funds/property, lack of verification and accountability, lack of operational policies/procedures, and employee personal use of IT systems.  We will discuss two of these internal controls.  One of the first internal controls we will explore is “no separation of duties.”  Separation of duties is an important internal control because it requires that no one individual has total control of a specific operational function, such as a business credit card account.  Operations that allow employees, volunteers, or staff to have complete and total control of any one function make it easier for a risk event, such as fraud or theft to occur.  In the case of a business credit card, one individual who charges on the credit card, approves the expenditure, receives and reconciles the monthly statements, and pays the bill presents a huge operational risk for obvious reasons that will result in a financial loss for the company, nonprofit, medical, or dental practice.  The business credit card example above requires that the expenditure approver, monthly credit card statement reviewer and reconciler, and the credit card payer are all different individuals.

“Lack of controls over funds/property” is the second internal control we will discuss.  It doesn’t matter if you have cash, sales inventory, donor gifts/grants, controlled medicine or pharmaceutical samples, you should have in place a method of accounting for those items on a regular basis to ensure that they are accounted for in an appropriate manner.  Cash should be accounted for at the beginning and end of the day or at the change of cashiers. Also, cash drawers should not be shared if at all possible and if a cash drawer must be shared between individuals, that a cash count should be conducted by those sharing the cash drawer with a written record of the cash count. Property is also important to keep track of, whether you purchased it or it was a gift.  Regularly scheduled inventories are a good way to make sure you have accountability of your property.  You may supplement regular inventories with spot inventories at the end of the day or week, and/or have control sheets for items that are given by pharmaceutical representatives and then given out to patients.

Why Should You Have Internal Controls?

Proper internal controls keep operational risks at bay by protecting assets and resources.  Internal controls add accountability and operational structure to your business, nonprofit, medical or dental practice.  Operations pertaining to the aforementioned organizations are predominantly susceptible to fraud, theft, scams, work violations, and questionable liability claims. Ensuring that proper internal controls are in place and are vigorously followed provides a level of protection against operational risks mentioned above.  In addition, it provides peace of mind knowing that your operations are running efficiently and effectively. Establishing proper internal controls for your operations are not quick or easy but are very essential.  Large businesses and corporations understand the importance of proper internal controls to protect from various losses and have a large staff in place to deal with the daily risk threats.  You may not have the resources to deal with operational risks in the manner that larger corporations have but that does not mean you cannot get the similar protection.  Take the initiative and examine your operations to identify potential weak spots, research what you can do to strengthen those weak spots, and make sure that you address those weak spots.

Internal controls are an important piece of operational risk management to protect your business, nonprofit, medical, or dental practice.  You may have the best employees, volunteers, or staff in the world but remember the saying, “Trust but Verify.”

[1] definition of Internal Controls