Today’s article builds up from last week’s where we talked about the 6 set of internal controls that can be adopted by a small business to enhance its operations. In this article, we shall therefore try to understand what internal controls mean in general terms and how they can be applied in a small business environment. Wikipedia defines internal controls as the process for assuring achievement of an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting and compliance with laws, regulations and policies. Now that we’ve got the meaning, let’s break it down further into 5 components for ease of understanding and application.
Control environment – this refers to the culture, the practice, the tone and the attitude of the business owner towards internal controls. Your employees observe and learn a lot from you and you should therefore lead from the front. Set the tone of how you want things done, provide guidelines and constantly communicate your values and expectations.
It is so critical that you get this right regardless of whether you have 1, 2 or 50 employees as this component forms the stepping stone for all the others. For example, you might have designed a very robust set of internal controls but if you don’t instill the culture of making sure that they are implemented as designed, then you are running a futile race.
Risk assessment – in very simple terms, this refers to the process of evaluating both the internal and external factors that could result into the crystallization of risk for your business. There can be many sources of risk which include but not limited to processes, people, systems, laws and regulations. A good indicator of risk is ‘Change’. Anytime a change happens in your business, a new source of risk is introduced. This should be assessed to determine the level of risk exposure and proactively mitigate it. For example, a new staff, a new system, a new product line, service line etc introduces new exposures to risk.
Control activities– once you have identified your sources of risk in step 2 above, then you are ready to put in place activities or procedures that will safeguard your business from crystallization of the identified risks. For example; for new staff, the control activity will include performing background checks before bringing them on board. You want to make sure that they have a good track record and that they are of good integrity. For a new product line, the methods of operation might be different from the existing products e.g. production, distribution etc and if that is the case, this will come with new risks that need to be assessed, evaluated and appropriate mitigations and processes put in place. Other control activities will include all of the principles mentioned in the previous article.
Information and communication – this component is very closely related to the first one on control environment. What this basically means is that you introduce and avail communication channels for disseminating information relating to your control culture and control activities to all staff within your business. Sometimes you will find that the owner of a small business has all these ideologies and controls in his head but the same has not been communicated or cascaded down to the staff. Your staff may therefore be blundering not because they want to, but because you have not clearly communicated and trained them on the key internal control objectives and the procedures, means and ways to achieve them.
Communication can be informal but try as much as possible to have your procedures documented somewhere. If your business is very small, you do not need to have a complicated policy and procedures document. A 2 page or 3 page document should do. Additionally, make it a habit to constantly communicate your values and objectives on a regular basis e.g. during weekly meetings, onboarding of new staff etc.
Monitoring – even in a small business, monitoring should be done on a continuous basis and this can take many forms. If your business is very small, you can handle this by yourself. However, if it is slightly bigger, you can hire an independent internal auditor who can come at agreed intervals say every 3 months or 6 months to supplement what you are already doing as the business owner. Their key mandate will be to give you assurance on the effectiveness of the controls in safeguarding your assets, ensuring financial reliability and business efficiency. If you are much bigger or your business involves complex or big volumes, then you can consider hiring a full time auditor if your finances allow it. Decide on your best option but make sure that someone is keeping watch.