Businesses without basic internal controls and checks in place for monitoring activities and preventing overrides of basic authorization processes run the risk of losing money and sometimes their business itself.
What is an Internal Control?
Internal Controls are methods or procedures adopted in a business to:
- Safeguard its assets
- Ensure financial information is accurate and reliable
- Ensure compliance with all financial and operational requirements
- And generally assist in achieving the business’s objectives
You might think internal control procedures are only relevant for big companies and not for individual owner businesses or small businesses, but that’s not true. The holistic definition of internal control is that it sets in place procedures to ensure and assure that the resources of the business are being used as intended. This includes the self-employed.
A sole proprietor doesn’t need extensive sets of internal controls like a bigger company, but he does require checks and balances for each business process to ensure that the important business systems are functioning properly.
What happens when Internal Checks & Processes are overridden by Management?
The title of this post has its origins in an after-dinner drink that I was having with the CEO of a highly respected adventure travel group of companies in Nepal way back in the late 1990s.
I had been brought in as a consultant to find the leak in funds that was taking place in their business: despite their being highly profitable, their cash flow was in the red.
There were over 800 employees who were about to lose their jobs and the owner who had built the business from scratch was about to lose his legacy. Many of the workers were 3rd generation employees and apart from some members of top management, the rest had never known working for another company.
This company was also into Tiger and Wildlife Conservation and supported the studies of village children near their Lodges in the forests. There was a lot at stake.
It all started when the owner fell sick and the running of the company was left to his trusted top management. He finally brought in an outside CEO to manage the company for him and help get the business back on track.
What was puzzling was that even though the CEO and his team had managed to ensure that the revenues were rising and the profits were great, there was a cash crunch. That’s when I was brought into the picture.
My scope was to find the leak and recommend how to fix it. The CEO apprised me that the top management had been around for at least 20 years and the owner trusted them. He warned me about resistance, which was of course natural. After all, who wants an outsider poking around?
I spoke to the CFO who didn’t like me because he thought I was going to steal his job. The Internal Auditor smiled a lot and told me he doubted how I would get the job done as I didn’t speak Nepalese and the workers at the Lodges didn’t speak any English or at the most broken tourist English. He openly voiced his view that the owner was wasting good money in bringing me on board and I was wasting my time. Their External Auditor refused to meet me. Period, Full Stop.
So off I went to the forests and the first thing I did at their main Lodge location was to start checking their Lodge systems and controls. There were none as such and the few that were there, despite the claims of the Internal Auditor, hadn’t been updated since God knows when. So, I started documenting the business systems and processes so that I could test the control checks.
Language wasn’t a problem because the owner’s son had recently moved in as Lodge Manager and was as keen to protect his family’s business as I was. He had known the workers since he was a baby. He refused to believe that any of them was embezzling from the company or guilty of any wrongdoing.
Because he demonstrated support for this strange Indian lady who was poking into the activities of the Lodge and making strange notes and pictures on her A3 size paper, right down to helping take frozen meats out of the freezers and counting the alcohol inventory, the staff had no option but to follow Baba’s (an affectionate word for a male child) lead.
It also turned out that the location of the Lodge was in a part of Nepal where the dialect was similar to Hindi so the staff and I spoke our languages and yet understood what the other person was saying. In fact, they even made suggestions on how to improve Lodge Management!
We didn’t come up with much evidence of embezzlement, though my site visit did lead to the discovery of a secret store room filled with liquor which the barman said he kept stocked in case guests wanted a particular item and the bar didn’t have it. The fact that this secret room was worth thousands of US dollars of inventory, which was now showing up as expense without related income for use, hadn’t crossed his mind. After all, he was an ace barman, not an accountant. A few half-filled bottles were found which apparently housed the leftovers from bottles, which the staff enjoyed in private.
That was remedied by formalizing the secret store room, revising alcohol entitlements to the staff and setting an order for automated liquor measures. The Lodge Manager would sign off on the Alcohol Usage Reports and do spot checks.
By now the staff understood what I was doing and the night before I left, their senior-most staff member came to me and told me that the fate of their jobs was in my hands. He hinted that the rot I was seeking wasn’t in the Lodges that I would visit but back at headquarters. An elderly man, he blessed me and told me the Lodge workers were counting on me to find and fix the problem for Sahib, Baba and them.
Back at HQ, the staff was wonderful and helped me with the documentation and flow charts. I still couldn’t find the leak.
That’s when the CEO and I, over post-dinner drinks, were discussing the situation and the fact that it was collusion rather than 1 person. He asked me, if I were the culprit, how would I do it?
I answered that to catch thieves one would have to start thinking like one. So far the only weaknesses in the systems and processes were ones that could be fixed and all expenses were justified. The employees that I had interacted with believed in the core values and mission of their employer and were happy to have learned new methodology and processes.
I also mentioned that I needed to increase the scope of my work to one of the companies that handled the foreign exchange remittances and bookings in order to complete my business systems documentation and that I wanted to test it.
That was the only company that had been excluded from my scope because the CFO and Internal Auditor monitored it closely because that was where the revenue remittances came in.
Permission was granted.
The very next day, I unearthed millions of dollars of fraud!
It started with documenting the processes of the company and the authorizations required at each step of the process. Then I noticed that there were expenditures on travel which didn’t quite fit in. I was told that the hospitality pickups and drives to and from the airports and hotel were paid from this company and payments were approved by the CFO and Internal Auditor.
I selected my test sample and suddenly noticed that there were transport bills being paid for clients who had already left the country. The more I checked, the more fraudulent bills and payments were found. They had been approved by the CFO and Internal Auditor and overlooked by the External Auditor! The payment authorizer was also one of the payment signatories.
The leak was found and the owner and CEO were elated. The next step was, for my physical safety, to get me out of the country before breaking the news and dismissing the very people whom the owner had trusted when he fell sick. The story made the headlines of all major newspapers.
The company and employees were saved. I did return for another short stint to help restructure the Group and renegotiate the bank loans and other important tasks but that is another story.
The reason I shared this long story is to drive home the importance of having documented business systems and processes that are updated and tested regularly.
It is also important to have the right internal controls and checks in place. It’s important to educate staff about their roles and responsibilities and take out insurance on those employees who handle cash and bank. The importance of segregation of duties cannot be ignored.
Some relevant basic business controls & checks sole proprietors can implement
A small business or sole proprietorship needs some basic controls, checks and balances. Each business is unique, but some relevant controls that come to mind are:
- Maintaining proper accounting records, whether manual or using a software package that meets the statutory, legal and tax requirements of the country where the business is based.
- A separate bank account if possible for the business.
- Separation of business and personal use of resources so that there is a clear picture of operational efficiency. This is also important for legal and tax reporting purposes. For example, if you have a home office, for tax purposes, you would need to show how much of the utility bills relate to the business and how much to personal use. If you use your vehicle for business and personal use, you would need to keep as accurate as possible a mileage log that documents the business use of the vehicle for tax purposes.
- Maintain a calendar of tasks for each week and month such as invoicing customers, paying suppliers, paying utility bills, banking and bank reconciliations, sales meetings and other tasks.
- Regular backups of computerized information systems including websites, accounting books and any other system that is reliant on technology.
- Be aware of identity theft both for yourself as well as your customers by checking and changing passwords. For example, where you receive online payments, make sure that the system is secure. If you are using a plugin on your website, double check that it meets the privacy and security requirements.
- Review your business finance records at least once a month to identify any variances such as budget overspends or payments that have to be made and money to be reserved for them.
- Have your standard sales contracts vetted by a good lawyer to cover all bases.
- Read the fine print when signing documents for purchase and services.
- Maintain a log of all relevant changes in the legal and statutory requirements that affect the industry in which your business operates.
A strong internal control system for the self-employed business owner helps the owner to focus their efforts and precious time on activities that result in revenue and profits.
A simple example of an internal control
Sometimes it’s easier to explain how one would create an internal check or control with an example. So let’s look back at the freebie opt-in process using Mailchimp in my previous blog post.
Either you or Mailchimp would have set up checks at each step where there is a danger of an action that goes against the intended use of that step, so that a control needs to be established.
Here are the controls and checks that you would have performed, even if you didn’t realize that you were performing them.
- Creating a list in Mailchimp in compliance with CAN-SPAM regulations (Mailchimp would have guided you to comply even if you didn’t realize it)
- A thank-you email asking for permission to send the information. Once the subscriber confirmed their consent, your fab freebie would be accompanied by a message that they will not be spammed, details of their records and a button to unsubscribe.
- Testing to see if the process works once you have set it up.
In the diagram below, the first activity where there is a possibility of override is in entering the subscriber into your list without their seeing the fab freebie or subscribing. So we have a Red Donut to identify a possible weakness. The control here, shown as the Green Donut, is a landing page with an opt-in form where they enter their details and press the Call to Action Button.
Other controls that you would create would relate to CAN-SPAM regulations and Mailchimp requirements, such as:
- Asking users to re-subscribe after 2 years, especially if they have been inactive
- Removing dead subscribers from your emailing lists
- Monitoring soft and hard bounces.
- Ensuring that subscribers haven’t been added manually unless you can demonstrate you have their consent.
The last point is quite important. I’ve seen it happen in real life simply because someone’s Marketing Manager didn’t understand CAN-SPAM or Permission Marketing and added her employer’s LinkedIn Connections to their Marketing Mailing List.
About a month ago, I received an email via Mailchimp from a company that was marketing its executive search services. Reading further down the email, I couldn’t see how I had been added though I knew the name of the company. I unsubscribed and marked it as SPAM.
I went on LinkedIn to investigate the company and details of the sender who had a degree or something in digital marketing. I discovered that the owner was a 1st level connection (no wonder it sounded familiar). I immediately wrote to him and requested that I be excluded from his mailing list.
An apology came with the reason that his overenthusiastic marketing team had made the mistake. I understand youthful exuberance but told him to counsel his young team about the finer nuances of Permission Marketing, CAN-SPAM and the risks of being blacklisted.
I suspect there are some internal checks that need to be polished there including an operations manual with the systems and processes.
Which internal controls and checks do you already have in place? Any you need to tweak or implement?