Limitations of Internal Accounting Controls
Managers need to maintain management control over internal controls and need ways of finding fraud that's not detected by the internal controls of the business.
A good deal of business is done on the basis of trust. Internal controls can be looked at as a contradiction to this principle. On the other hand, in a game of poker among friends, no one takes offense at the custom of cutting the deck before dealing the cards. Most people see the need for internal controls by a business, at least up to a point.
Keeping internal controls under control
Many businesses, especially smaller companies, adopt the policy that some amount of fraud has to be absorbed as a cost of doing business and that instituting and enforcing an elaborate set of internal controls isn't worth the time or money.
This mindset reflects the fact that business by its very nature is a risky venture. Despite taking precautions, you can't protect against every risk a business faces. But on the other hand, a business invites trouble and becomes an attractive target if it doesn't have basic internal controls. Deciding how many different internal controls to put into effect is a tough call.
Internal controls aren't free. They take time and money to design, install, and use. Furthermore, some internal controls have serious side effects. Customers may resent certain internal controls, such as checking backpacks before entering a store, and take their business elsewhere. Employees may deeply resent entry and exit searches, which may contribute to low morale.
So even if your business can afford to implement every internal control you know of, remember that more isn't always better. Limiting the business to a select number of the most effective controls may provide a good balance of protection and customer and employee tolerance.
Finding fraud that slips through the net
Internal controls aren't 100 percent foolproof. A disturbing amount of fraud still slips through these preventive measures. In part, these breakdowns in internal controls are the outcome of taking a calculated risk. A business may decide that certain controls aren't worth the cost, which leaves the business vulnerable to certain types of fraud. Clever fraudsters can defeat even seemingly tight controls used by a business.
Internal controls should be designed to quickly detect a fraud if the first line of internal controls fails to prevent it. Of course, responding to this detection is like closing the barn door after the horse has escaped. Still, discovering what happened is critical in order to close the loophole.
In any case, how can you find out whether fraud is taking place? Well, the managers or owners of the business may not discover it. Fraud is discovered in many ways, including the following:
Internal reports to managers my raise red flags; for example, an unusually high inventory shrinkage for the period that has no obvious cause.
Performing account reconciliations on a regular basis — and investigating exceptions — often reveal signs of fraud.
An internal audit may find evidence of fraud.
Employees may blow the whistle to expose fraud.
Customers may give anonymous tips pointing out something wrong.
Customer complaints may lead to discovery of fraud.
A vendor may notify someone that it has been asked for a kickback or some other under-the-table payment for selling to the business.
In financial statement audits, the CPA tests internal controls of the business. The auditor may find serious weaknesses in the internal controls system of the business or detect instances of material fraud. In this situation, the CPA auditor is duty bound to communicate the findings to the company's audit committee (or to management, in the absence of an audit committee).
Large businesses have one tool of internal control that's not practical for smaller businesses — internal auditing. Most large businesses, and for that matter most large nonprofit organizations and governmental units, have internal auditing departments with broad powers to investigate any of the organization's operations and activities and report their findings to the highest levels in the organization.
Small businesses can't afford to hire a full-time internal auditor. On the other hand, even a relatively small business should consider hiring a CPA to do an assessment of its internal controls and make suggestions for improvement. In fact, hiring a CPA for this job may even be of more value than having an independent CPA audit the business's financial statements.