Effective checks and balances are the bedrock of any accounting and control system. Employees make mistakes, theft is a concern, and the perpetual question of managers seems to be, "The numbers look good--but are they right?" Strong internal controls--systematic procedures for verifying information, detecting errors, and ensuring proper authorization for all transactions--provide the needed level of confidence in the accuracy of financial systems.

Internal controls should also be efficient. At many companies, accuracy and control are achieved only by constantly recounting inventory, double-checking data entry, or having the owner or CEO personally approve almost every expenditure. These are signs that something is almost certainly wrong and resources are being wasted. Tight control does not mean constant oversight and redundant processing. Instead, control can be achieved with fairly simple, routine procedures, plus the discipline to enforce them.

The thrust of internal controls should be to ensure accuracy in everyday processing. Though theft and fraud are clearly of concern, the cost of errors in routine data collection and entry is insidious and usually far greater. Duplicate payments, billing errors, and lost paperwork are more common than dishonesty and routinely cost companies significant amounts of time, money, and goodwill.

Strong controls are also needed to ensure timely information. A system that fails to provide current balances, such as for stock on hand or cash in the bank, results, at best, in costly "workarounds"--employees developing personal files or procedures to override information in the system. At worst, these systems simply get ignored.

These problems apply to both manual and automated systems. While computers have altered the look of accounting systems and greatly expanded what can be accomplished, basic internal control procedures are little changed. In fact, strong manual controls are a prerequisite for an effective computerized system. The computer will only magnify weaknesses in manual controls, not compensate for them.

The core of any accounting system--manual or computerized--is strong controls. This chapter explains the role of controls and describes some basic procedures to implement and enforce controls. You can use the Internal Control Questionnaire for Cash Disbursements at the end of this chapter to check some of your basic procedures for cash disbursements.

You, like most people, probably apply basic controls to the handling of your personal checkbook. You start by keeping tight physical control over your checks, storing them in a safe place or carrying them securely in your pocket or purse. Even if a check were to fall into the wrong hands, certain procedures help prevent losses. The checks cannot be used at most stores without also presenting proper ID, and the bank will compare the signature to a card on file.

Checks are numbered so that, if each check written is recorded in the checkbook, you can quickly see from the register whether every number in a sequence is accounted for. Recording each check and deposit also enables you to keep a running balance of money left in the bank, so spending can be budgeted and overdrafts avoided. At the end of every month, reconciling the checkbook to the bank statement can detect any errors. When the statement is reconciled, you can be secure in knowing exactly how money was spent and the balance remaining in the account.

Of course, many people keep their checkbooks a bit less rigorously than this. Whether they fail to reconcile their statements, forget to record every check, or don't keep running totals of cash in the account, they pay a price. Some of these consequences are:

At the same time, some people make effective use of personal computer programs to pay bills and do budgeting. The use of a computer requires an up-front investment in buying software and forms and learning the programs, but these costs are offset by advantages that include:

The issues that face businesses are much the same and involve not only cash, but payables, receivables, inventory, and other subsystems. A combination of strong physical controls, clearly defined authorization levels, transaction logs, timely record keeping, and reconciliations work together to ensure control over assets and accurate information. Properly done, the transactions and procedures are routine and non-obtrusive. Conversely, lack of discipline and controls is costly in terms of lost information, duplication of effort, errors, and unprofessional appearance.

Businesses must deal with an additional problem--having more than one person entering information and controlling the movement of assets. Individuals and sole proprietors have no problem keeping their best interests at heart and ensuring accurate communication. But once a business includes even two people, the protection provided by internal controls becomes an even greater necessity.

A few basic underlying concepts and techniques are all you need to set up an internal control system.

The first concept is to maintain distinct separations of duties. Loss of an asset, whether from theft, unauthorized expenditure, or error requires both physical access to the asset--including authority to approve expenditures -- and a failure to detect or stop the loss. Writing a check does not appropriate funds; it must also be signed and is scrutinized during the reconciliation process. Inventory shortages in a warehouse or stockroom require removal by authorized personnel, but can be detected by comparing on-hand quantities to perpetual accounting records.

If you give a person access to an asset, and at the same time, control of the relevant record keeping, you are inviting trouble. However, simply splitting the duties, so that at least two different people control access to the asset and review of the transaction, can provide adequate control.

Some examples include:

Another simple example can be seen the next time you go to an entertainment event where tickets are sold--a movie, a cash bar, or a club. One person takes the money and hands out the tickets, and another person takes the tickets. The tickets collected provide an independent check on the number sold and, therefore, the cash that was collected. If just one person sold and collected tickets--or there were no tickets--that person would have sole control over both the money and any record keeping. Proper payment to the owner would depend entirely on the cashier's diligence and honesty.

The second concept you do not want to overlook is the role of physically restricting access to assets. To help safeguard your assets:

These types of controls are especially important for inventory, since parts and finished products may be easy to remove and detection of small losses is unlikely. In many companies, inventory is not subject to precise record keeping, or shrinkage is almost expected, so loss of a few items is shrugged off. In contrast, fixed assets may be so large, or easy to identify, that they are hard to remove without someone noticing. Cash can be reconciled to the penny, so loss from theft of cash or a check can be detected quickly.

The records of your company must also be physically controlled to maintain both confidentiality and prevent unauthorized changes. Lost records can also be damaging if needed to research a payment, tax, or legal dispute.

For computer records, not only should you restrict physical access to computers and terminals, but passwords should be used as well. Password restrictions can be fairly sophisticated because many software programs allow access to be defined by report, transaction, and even fields of data. Passwords should be changed regularly, kept confidential, and not be shared by users.

The third concept for establishing internal controls is maintaining timely reconciliations of general ledger account balances. When your ledger balances can be compared to an objective, independently determined balance, a reconciliation can and should be performed. Tying cash to a bank statement -- as for a personal checkbook--is the most common type of reconciliation. The bank statement provides an opportunity to verify that all checks and deposits have been recorded and for the right amount. These are errors that routine processing may not detect.

Other important reconciliations you should perform include:

Ledger account balances are interconnected, so reconciling one account may clear up problems in another. For example, if receivables records differ from a customer's because a payment was not recorded, the bank reconciliation will catch this error. The bank statement will show a deposit not reflected on the internal records, and the reconciliation will not balance until this discrepancy is resolved.

In practice, because so many transactions involve cash, the bank reconciliation is, perhaps, the best control for ensuring that all revenues and expenses have been booked properly. The bank statement can be an excellent tool for a controller or business owner who is not routinely involved in handling the checkbook to gain insight into how cash flows and how well the accounting is being controlled. Many top managers reserve this task for themselves.

Smaller business owners should also insist that bank statements be sent directly to their home to gain added physical control over these records.

An understanding of the concept of self-interest will help you make some correct choices. When a business or merchant makes an error in a customer's favor, like failing to bill for a purchase, the customer is likely to keep quiet and pocket the windfall. Of course, if the customer is billed twice, a credit will be demanded or the second bill ignored. Simply put, people can be expected to act in their own best interest. And this expectation is a powerful influence on the effectiveness of controls and should be considered in shaping any system.

If you have to choose between a procedure that prevents double-billing or one that ensures all shipments get billed, it is the latter that most tightly closes the control loop. Though neither type of error is desirable, the protection against double-billing is somewhat redundant since the customer is almost sure to notice. However, no such built-in safeguard exists for failing to bill.

The same logic applies to internal transactions. If a stockroom clerk is responsible for shortages, he or she will have an incentive to properly count incoming shipments or insist on having proper paperwork before releasing goods out of stock. Similarly, a salesperson, who is not reimbursed for expense reports having missing receipts, has a strong incentive to collect the documentation.

Finally, the concept of using control numbers and logs can be an important control issue. While an incorrect transaction may be quickly spotted, you may not notice a missing one. You also need a way of identifying transactions so they can quickly be researched or followed up on later. Using control numbers and logs--an extension of the concept of using check numbers and a checkbook -- will enable you to solve problems quickly.

Suppose you need a control against failing to bill a customer. In addition, once the bill has been issued, you need a record for tracing payments owed and made. A way to do this is to assign numbers to sales orders and shipments and record them either in a log book or on a computer.

When an invoice is issued, assign a number to it and cross-reference that with the order number. Orders not matched to invoices indicate items yet to be shipped--or items shipped and not billed. Similarly, for any invoices without a payment against them, create a list of open receivables.

This concept extends to a wide range of accounting documents. For example, many restaurants assign servers pre-numbered pads and account for all checks at the end of the night; for a physical inventory, tag numbers issued are carefully logged and must all be accounted for at the end of the count.

Assigning and accounting for the transaction numbers ensures that many items do not slip through the cracks and also provides a useful means of cross-referencing them.

Now that you have an understanding of the basic controls you should implement, you will need to fine tune your internal controls to fit your business and to keep control.

If you personally approve every expenditure, a high degree of control might exist, but little gets done. You will devote too much energy to minute details, while managers waste time interrupting their work for approvals and standing in line outside your office. At an early stage in any company's growth, authority to initiate or approve transactions must be passed down.

To do this, and maintain adequate control, give your line managers spending authority, but with specifically defined limits. At that designated dollar limit, transactions should require joint signatures or review at a higher level. For the checkbook, this might take the form of requiring two signatures above a certain figure.

Formal approvals are not just required for the spending of money. Many noncash transactions involve a commitment of resources. You may need formal approvals to provide a paper trail to establish accountability or to use as a systematic vehicle of communication in an organization. Situations where you should require formal authorizations include:

These authorizations should be obtained early in the processing cycle. For example, the time to do a credit check is before an order is processed, not after an invoice is cut. Dollar limits for approving transactions should apply even on noncash transactions--such as return authorizations.

Several problems may occur within your system that require preventive maintenance to keep the system running smoothly. The credibility of your system must be kept high. Once information is perceived as unreliable, people begin to work around systems.

Late information can have the same negative effect. Improper training can produce either discomfort with the system or a failure to understand the interdependency of each department and lead to a breakdown. Operators may adopt a technique that gets their job done, even though it forces adjustments downstream. Observe the following illustrations of these types of problems:

Enforcing controls may seem to slow work down and create temptation to take shortcuts. However, time lost on the front end is invariably recouped later. Creating exceptions leads to confusion and errors.

Doing things right usually saves time, even if procedures that ensure control seem cumbersome. Ironically, what seems like more work can often take less time to do. For example, when an invoice must be adjusted, should you void the original and issue a new invoice or should you just print an invoice for the difference?

While voiding and reissuing seems to add an extra step, these are very routine transactions. Issuing an adjustment may require stopping for an added calculation and perhaps attaching a note to the customer. Doing two routine steps is often faster than one special one. In addition, when the transaction is reviewed--perhaps when payment arrives--you can see the steps involved more clearly with the two-step procedure.

This last point leads to a vital internal control feature--the audit trail. Any accounting system must provide a way to easily trace transactions from the ledger or any summary back to supporting detail. Examples include:

A breakdown in the audit trail makes assigning accountability for transactions and doing reconciliations extremely difficult. A breakdown can also prove costly when disputes over payments with vendors or customers arise. A company may show a vendor invoice as paid, but not be able to identify the check number used--and therefore cannot provide a proof of payment. Similarly, a customer may claim to have paid an invoice and provide a canceled check--yet you show the invoice still open. If you cannot demonstrate where that check has been applied, perhaps to a different invoice, your customer's claim will stand.

A key factor to successful internal controls is to make the control measures you implement routine. For example:

A car dealership chain was having problems controlling cash down payments given to its sales managers. Rather than submitting them right away to the home office, the sales managers would wait until all paperwork for the sale was complete and submit the cash with it. At times, this meant the managers were carrying a large amount of cash. Occasionally, the company experienced a loss if the sales manager was fired. More frequently, the cash would get used as petty cash to pay miscellaneous expenses, making reconciliation of the paperwork for the sale and office expenses next to impossible.

A very simple check was devised, calling for accounting to randomly compare the sales managers' cash receipt books to cash turned in. This raised the ire of the sales managers who were singled out; they objected to being treated like thieves.

The solution? The company instituted two random checks per month of every sales manager's cash receipt book. This allowed a needed control to be implemented--without the overtones that came with singling people out.

The job of your controller is to ensure that these proper checks and balances exist. Not because the controller suspects people of being dishonest or incompetent, but because it is simply part of the job. Quite the opposite of being a burden, good checks and balances ensure accuracy and eliminate the need for constant policing and monitoring.

Controls must treat people with respect. An example is the monitoring of expense reports. If a manager with full responsibility for running a major department is missing a $20 receipt on an expense report, don't badger him or her over it. The information is not critical to your company and you have no reason to worry that the company is being ripped off--if there is, and that manager controls a large budget, you have a greater exposure than the $20.

If necessary, in order to gain employees' acceptance, consider blaming the need for controls on your outside auditor. CPAs are perceived as straight and narrow, so people are likely to accept their recommendations.

The computer has changed the way accounting is done and, therefore, impacted the structure of internal controls. Computers are not quite mysterious black boxes, but they do force a company to more tightly control the processing of financial information. In fact, an entire field of auditing is devoted just to the issues of the computer.

In addition to having the potential to repeat or magnify problems that exist with the manual systems they replace, computers introduce the ability to rapidly access entire files for viewing or altering data, even from a remote site. While, as with manual systems, you still have the threat of theft or fraud, the most dangerous risk is of accidental error. You have the risk of losing data to disk crashes or operator error.

Some basic controls should bring you peace of mind. As mentioned earlier, passwords should be used to tightly restrict access to data. Physical controls should be established, including locking up data disks, using key locks on PCS, and placing minicomputers in secured rooms. Loss of data from disk crashes and accidental erasure may occur, but daily backups can minimize any losses.

Daily backups also provide the best protection from routine processing errors. Mistakes, such as prematurely closing an accounting period or using the wrong transaction date on a string of entries, can often be corrected by restoring the previous day's data from a backup and starting over. Proper storage and handling of computers and using devices such as surge suppressors can prevent equipment failures.

Commercial accounting software can be relied on to process data accurately and reliably. Software that is developed or modified in-house is prone to bugs and should be tested thoroughly before changing over your entire system. Keep a backup of earlier software versions and data so changes can be reversed.

Despite these risks, the computer should actually enhance overall control. Software can be designed to include a wide range of checks and balances that otherwise would require tedious human review. Programs routinely check to see that entries are in balance, and issue and track invoice and other control numbers. They can test payables invoice numbers to avoid duplicate entries, alert order entry clerks when customers have exceeded credit limits, and flag inventory reorder points to avoid stockouts.

Computers assure that all transactions are processed consistently and calculations done accurately. Because they can store detail easily, they also provide better audit trails, plus rapid and flexible access to information. The physical handling of files is reduced, helping to prevent records from becoming lost or misfiled.

The biggest control risk in a computerized system, as discussed earlier in Chapter 16, is not the computer itself, but manual procedures and disciplines. The computer system will not solve problems due to poor manual controls. Those controls must be fixed before attempting to install a computerized system, or confusion and duplication of effort may grow out of hand.

To return to the example of the checkbook, the computer can open up a range of opportunities for more efficient record keeping, but only with the proper discipline. A person who fails to physically control checks, properly categorize expenses, or reconcile the bank statement will have problems using a manual or computerized checkbook.

A review of internal controls is a standard part of a CPA's audit. In addition, the extent of transaction testing done in an audit is related to how reliable the CPA feels your internal controls are. At the end of the audit, the CPA should issue a management letter that discusses weaknesses in internal controls with recommended corrections. You and your top managers--not just the controller, because the controller's work is being reviewed in the letter -- should carefully review these comments and either implement changes or justify current practices.

Examinations of internal controls are not to be confused with searching out fraud. As discussed in Chapter 2, typical audits are not designed, or intended, for detecting fraud. In fact, cleverly disguised fraud, particularly if top management is involved, is nearly impossible to detect in a routine audit.

If fraud is suspected, and has not been detected with basic controls as described in this chapter, you may want to call in a forensic accountant. These specialists, who generally work individually or in small accounting firms, dig deep into transactions. Where a routine audit may only send out confirmation letters to customers, a forensic accountant might examine all invoices and contracts, research the ownership of the outside firms, and search for signs of collusion.

Not all desirable internal control features will be cost-effective. Small companies with few clerical employees will find separation of duties harder to implement. Requiring multiple signatures on checks or purchase orders may delay and impede operations. In these cases, you must weigh the relative costs and benefits of controls in deciding what to implement.

Once in place, internal control procedures become routine, providing unobtrusive, but effective, protection against loss and errors. While you may experience initial resistance to adding procedures or paperwork, the up-front investment usually reduces work down the line--not to mention giving you added security that will let you sleep at night.

To help you evaluate your internal controls, ask your auditor or accountant for any literature or checklists he or she may have on the subject. In addition, you can use the Internal Control Questionnaire for Cash Disbursements on the following pages to check your internal control procedures for cash.

Putting into place everything that you have learned is not something you can do overnight. However, the next chapter can help you get started with a ten-step basic plan of attack.