This post has already been read 3403 times!
Businesses without basic internal controls and checks in place for monitoring activities and preventing overrides of basic authorization processes run the risk of losing money and sometimes their business itself.
What is an Internal Control?
Internal Controls are methods or procedures adopted in a business to:
- Safeguard its assets
- Ensure financial information is accurate and reliable
- Ensure compliance with all financial and operational requirements
- And generally assist in achieving the businesses’ objectives
You might think Internal Control procedures are only relevant for big companies and not for individual owner businesses or small businesses but that’s not true because the holistic definition of internal control is that it sets in place procedures to ensure and assure that the resources of the business are being used as intended. This includes the self-employed.
A sole proprietor doesn’t need extensive sets of internal controls like a bigger company, but he does require checks and balances for each business process to ensure that the important business systems are functioning properly.
What happens when Internal Checks & Processes are overridden by Management?
The title of this post has its origins in an after dinner drink that I was having with the CEO of a highly respected adventure travel group of companies in Nepal way back in the late 1990s.
I had been brought in as a consultant to find the leak in funds that was taking place in their business and which, despite their being highly profitable, their cash flow was in the red.
There were over 800 employees who were about to lose their jobs and the owner who had built the business from scratch was about to lose his legacy. Many of workers were 3rd generation employees and apart from some members of top management, the rest had never known working for another company.
This company was also into Tiger and Wildlife Conservation and supported the studies of village children near their Lodges in the forests. There was a lot at stake.
It all started when the owner fell sick and the running of the company was left to his trusted top management. He finally brought in an outside CEO to manage the company for him and help get the business back on track.
What was puzzling was that even though the CEO and his team had managed to ensure that the revenues were rising and the profits were great, there was a cash crunch. That’s when I was brought into the picture.
My scope was to find the leak and recommend how to fix it. The CEO apprised me that the top management had been around for at least 20 years and the owner trusted them. He warned me about resistance, which was of course natural. After all, who wants an outsider poking around?
I spoke to the CFO who didn’t like me because he thought I was going to steal his job. The Internal Auditor smiled a lot and told me he doubted how I would get the job done as I didn’t speak Nepalese and the workers at the Lodges didn’t speak any English or at the most broken tourist English. He openly voiced his view that the owner was wasting good money in bringing me on board and I was wasting my time. Their External Auditor refused to meet me. Period, Full Stop.
So off I went to the forests and the first thing I did at their main Lodge location was to start checking their Lodge systems and controls. There were none as such and the few that were there, despite the claims of the Internal Auditor, hadn’t been updated since God knows when. So, I started documenting the business systems and processes so that I could test the control checks.
Language wasn’t a problem because the owner’s son had recently moved in as Lodge Manager and was as keen to protect his family’s business as I was. He had known the workers since he was a baby. He refused to believe that any of them was embezzling the company or guilty of any wrong doing.
By demonstrating support for this strange Indian lady who was poking into the activities of the Lodge and making strange notes and pictures on her A3 size paper, right down to helping take frozen meats out of the freezers and counting the alcohol inventory the staff had no option but follow Baba’s (an affectionate word for a male child) lead.
It also turned out that the location of the Lodge was in a part of Nepal where the dialect was similar to Hindi so the staff and I spoke our languages and yet understood what the other person was saying. In fact, they even made suggestions on how to improve Lodge Management!
We didn’t come up with much evidence of embezzlement though my site visit did lead to the discovery of a secret store room filled with liquor which the barman said he kept stocked in case guests wanted a particular item and the bar didn’t have it. The fact that this secret room was worth thousands of US dollars of inventory; that was now showing up as expense without related income for use, hadn’t crossed his mind. After all he was an ace barman, not an accountant A few half-filled bottles were found which apparently housed the overs left in bottles which the staff enjoyed in private.
That was remedied by formalizing the secret store room, revising alcohol entitlements to the staff and setting an order for automated liquor measures. The Lodge Manager would sign off on the Alcohol Usage Reports and do spot checks.
By now the staff understood what I was doing and the night before I left, their senior most staff member came to me and told me that their fate of their jobs was in my hands. He hinted that the rot I was seeking wasn’t in the Lodges that I would visit but back at headquarters. An elderly man, he blessed me and told me the Lodge workers were counting on me to find and fix the problem for Sahib, Baba and them.
Back at HQ, the staff was wonderful and helped me with the documentation and flow charts. I still couldn’t find the leak.
That’s when the CEO and I over post dinner drinks were discussing the situation and the fact that it was collusion rather than 1 person. He asked me, if I were the culprit, how would I do it?
I answered that to catch thieves one would have to start thinking like one. So far the only weaknesses in the systems and processes were ones that could be fixed and all expenses were justified. The employees that I had interacted with believed in the core values and mission of their employer and were happy to have learned new methodology and processes.
I also mentioned that I needed to increase the scope of my work to one of the companies that handled the foreign exchange remittances and bookings in order to complete my business systems documentation and that I wanted to test it.
That was the only company that had been excluded from my scope because the CFO and Internal Auditor monitored it closely because that was where the revenue remittances came in.
Permission was granted.
The very next day, I unearthed millions of dollars of fraud!
It started with documenting the processes of the company and the authorizations required at each step of the process. Then I noticed that there were expenditures on travel which didn’t quite fit in. I was told that the hospitality pickups and drives to and from the airports and hotel were paid from this company and payments were approved by the CFO and Internal Auditor.
I selected my test sample and suddenly noticed that there were transport bills being paid for clients who had already left the country. The more I checked, the more fraudulent bills and payments were found. They had been approved by the CFO and Internal Auditor and overlooked by the External Auditor! The payment authorizer was also one of the payment signatories.
The leak was found and the owner and CEO were elated. The next step was, for my physical safety, to get me out of the country before breaking the news and dismissing the very people whom the owner had trusted when he fell sick. The story made the headlines of all major newspapers.
The company and employees were saved. I did return for another short stint to help restructure the Group and renegotiate the bank loans and other important tasks but that is another story.
The reason I shared this long story is to drive home the importance of having documented business systems and processes that are updated and tested regularly.
It is also important to have the right internal controls and checks in place. It’s important to educate staff about their roles and responsibilities and take out insurance on those employees who handle cash and bank. The importance of segregation of duties cannot be ignored.
Some relevant basic business controls & checks sole proprietors can implement
A small business or sole proprietorship needs some basic controls, checks and balances. Each business is unique but some relevant controls that come to mind are
- Maintaining proper accounting records, whether manual or using a software package that meets the statutory, legal and tax requirements of the country where the business is based.
- A separate bank account if possible for the business.
- Separation of business and personal use of resources so that there is a clear picture of operational efficiency. This is also important for legal and tax reporting purposes. For example, if you have a home office, for tax purposes, you would need to show how much of the utility bills relate to the business and to personal. If you use your vehicle for business and personal use, you would need to keep as accurate as possible a mileage log that documents the business use of vehicle for tax purposes.
- Maintain a calendar of tasks for each week and month such as invoicing customers, paying suppliers, paying utility bills, banking and bank reconciliations, sales meetings and other tasks.
- Regular backups of computerized information systems including websites, accounting books and any other system that is reliant on technology.
- Be aware of identity theft both for yourself as well as your customers by checking and changing passwords. For example, where you receive online payments, make sure that the system is secure. If you are using a plugin on your website, double check that they meet the privacy and security requirements.
- Review your business finance records at least once a month to identify any variances such as budget overspends or payments that have to be made and money to be reserved for it.
- Have your standard sales contracts vetted by a good lawyer to cover all bases.
- Read the fine print when signing documents for purchase and services.
- Maintain a log of all relevant changes in the legal and statutory requirements that affect the industry in which your business operates.
A strong internal control system for the self-employed business owner helps the owner to focus their efforts and precious time on activities that result in revenue and profits.
A simple example of an internal control
Sometimes it’s easier to explain how one would create an internal check or control with an example. So let’s look back at the freebie opt-in process using Mailchimp in my previous blog post.
Either you or Mailchimp would have set up checks where there is a danger of an action that would be against the right use of a step and a control would need to be established.
Here are the controls and checks that you would have performed, even if you didn’t realize that you were performing them.
- Creating a list in Mailchimp in compliance with CANSPAM regulations (Mailchimp would have guided you to comply even if you didn’t realize it)
- Thank you email asking for permission to send the information. Once the subscriber confirmed their consent, your fab freebie would be accompanied with the message that they will not be spammed and details of their records and button to unsubscribe.
- Testing to see if the process works once you have set it up.
In the diagram below, the first activity where there is a possibility of override is in entering the subscriber into your list without their seeing the fab freebie or subscribing. So we have a Red Donut to identify a possible weakness. The control here, shown as the Green Donut, is a landing page with an opt-in form where they enter their details and press the Call to Action Button.
Other controls that you would create would relate to CANSPAM Regulations and Mailchimp requirements such as
- Asking users to re-subscribe after 2 years, especially if they have been inactive
- Removing dead subscribers from your emailing lists
- Monitoring soft and hard bounces.
- Ensuring that subscribers haven’t been added manually unless you can demonstrate you have their consent.
The last point is quite important. I’ve seen it happen in real life simply because someone’s Marketing Manager didn’t understand CANSPAM or Permission Marketing and added her employer’s LinkedIn Connections to their Marketing Mailing List.
About a month ago, I received an email via Mailchimp from a company that was marketing its executive search services. Reading further down the email, I couldn’t see how I had been added though I knew the name of the company. I unsubscribed and marked it as SPAM.
I went on LinkedIn to investigate the company and details of the sender who had a degree or something in digital marketing. I discovered that the owner was a 1st level connection (no wonder it sounded familiar). I immediately wrote to him and requested that I be excluded from his mailing list.
An apology came with the reason that his over enthusiastic marketing team had made the mistake. I understand youthful exuberance but told him to counsel his young team about the finer nuances of Permission Marketing, CANSPAM and the risks of being blacklisted.
I suspect there are some internal checks that need to be polished there including an operations manual with the systems and processes.
Which internal controls and checks do you already have in place? Any you need to tweak or implement?
Need more help or want to consult me? Learn more about my Business Systems services here.
I got so lost in your story and started thinking what a great movie this would make.
But, getting back to the important part, have accountable systems in place no matter what the size or scale of your business is important. When you are starting out and running most things yourself, you may not think this matters until you grow and are making more money. This is great advice that everyone needs to pay attention to. Thanks for sharing.
I see what you mean, Joyce, especially if we include the Tigress eating a cheetal outside my Lodge Room too! Coming back to the topic, you are absolutely right. Scaling and leveraging our business is easier if we have systems, processes and checks in place. Even if we operate at a sole proprietor level, documentation is crucial for business continuity in the event that we are not able to attend to our business and have to delegate certain online customer service tasks like sales of ebooks, programs and ensuring the money is in the bank. It makes things easier for the other person whom we may have delegated or employed to do the task.
Fascinating story! Outside of working for myself, I’ve only worked for international corporations and from my experience there were PLENTY of internal controls. 🙂 Still, I think you’ve brought up an excellent point and it’s something even we solopreneurs need to be aware of. Thank you!
Thanks Marquita. Awareness is important, especially as the business grows and the 1 (wo)man show acquires a team as well as starts outsourcing tasks that were being performed earlier by the owner. At that point, hopefully they’ll find my post and have a checklist ready for immediate action. 🙂
Reading your account of how you saved that company was like reading a great mystery story, Vatsala. I was hooked. It also demonstrates your business acumen. I thought the Mailchimp example was a great way to illustrate how internal controls work.
Thanks Tamuria! Auditors and finance professionals are known to go into the deep end when explaining the intricacies of controls and checks and I wanted to share an example which would make the concept clear for the reader instead of making their eyes glaze over. 🙂
The best philosophy for life and business is to keep it simple and keep the eyes open!
Fabulous story of how things can go very wrong, when you don’t have the necessary controls in place! Vatsala to the rescue, in this case.
I remember when we discovered a ‘crack’ in keeping track of our Sunday employees when I was a partner in a video rental chain in the 80’s. For a few weeks there seemed to be hardly any revenue for rentals for Sundays. I started to think something must be wrong, especially when we were putting away the movie returns at the beginning of the week. As I looked through the ‘receipts’ from the day (all were manually written of course, it was the 80’s), I found a lot of ‘no charge’ receipts. When I asked the employee why there were so many no charges that day, he said people had come back with ‘defective’ videos that didn’t play on their machines and he gave them a replacement. He said they worked on ours though. Hmm. I set out to ask a few of the good customers who I knew about this and sure enough, found that they were paying cash and he was pocketing it! The customers had no idea this was happening, but of course we confronted the employee and he ultimately admitted it. Something so simple when you have a cash business. Thanks for sharing such a detailed list of ways to ensure we have all of our internal controls in place. As I now work on my own, I am in charge of everything and hopefully not too much is escaping me.
Thank God you got suspicious about the ‘no charge’ receipts and the lack of cash income on weekends, Beverley, otherwise the employee would have gotten bold and spread his skimming (the term used for such actions related to cash in business) to weekdays as well. A little foolish of the employee to do it with the Sunday business though and to make all the rentals a no charge. Had he done it properly, it would have taken longer for you to discover the embezzlement.
It happens a lot more than you would imagine. I received a text message from the gentleman who looks after my computer this morning advising clients not to tip the service personnel reporting for repair jobs and to report to him if the personnel demands additional money other to that agreed upon. I have a feeling someone has faced this problem and reported it to the owner. It’s never happened before and the question for the owner is, how long has this been going on or if it is a specific one-off incident?
Wow, Vatsala saves the day! What an incredible story and what a fun, colorful read, replete with shady characters, scenic locations and old men dropping hints about the source of the rot! OOOOO! Thank you for sharing this adventure, and, of course, your business acumen.
Edgar Alan Poe did say that truth is stranger than fiction, Reba. 🙂 When I look back across the rivers of Time, it feels like a dream, especially the night a Tigress killed a deer right in front of my Lodge Room. I might just include the whole story in my memoires. 🙂
Remarkable demonstration of how your skills saved a company. The skills many must learn in accounting programs but you brought a level of humanity, trust, overall smarts too. We are only 2, myself & my daughter but I recently asked my business credit card company why we had cards with 2 different account numbers. They explained to keep track who buys what. I never thought of controls this way.
Thanks Roslyn. I went on that assignment thinking it was just that, an assignment where I would do my work and get paid. Then when I started interacting with the Lodge Staff, I realized how much more was at stake and it became a crusade to find the leak. I still have the laughing Buddha statue the employees gave me as a farewell gift.
The credit card company is wise to have given you both separate numbers. In case of a credit card theft, it is easier to track down where the misuse might take place. I remember a friend had given his son a credit card while he was away at University for his needs. Imagine the son’s surprise when his father called him long distance to inquire why he had bought expensive Havana Cigars. It turned out it was for friends but the son didn’t know that the father was getting alerts and an itemized bill for the spending on the add-on card and really thought his father had super powers. 🙂