10 Common Internal Control Deficiencies Found in Small Businesses

The following 10 common internal control deficiencies found in small businesses can cause the loss or damage of assets, loss of resources, and a decline in revenue. These deficiencies can easily be rectified by slightly changing or modifying existing processes or introducing basic internal controls:

1. Inadequate documentation / records
Documentation provides evidence of the underlying transactions. It is the input to establishing proper financial records. Financial documents should be pre-numbered to ensure all transactions are recorded and accounted for. This will help to prevent recording of the same transaction twice, as there should not be any duplicate numbers in your system. With proper numbering of documentation, tracing documents that relate to follow up queries/claims and questions from customers or owners of prior transactions will be easy. Proper documentation would most probably provide satisfactory answers to most, if not all, financial transaction related questions. Furthermore, adequate documentation will ease the process of compiling financial records and completing tax returns.

2. Key business cycles not properly defined
Managers and owners don’t see the need to create written policies and procedures or just even basic flowcharts defining the key business processes, as some small business processes appear to be uncomplicated. However, this is probably one of the most unused control tools where the most value can be added with little effort. An effective procedure can align business objectives and help establish best practice operating procedures. As businesses have different focus areas, different cycles will be important to your business but for most businesses the following processes will be critical. Sales and Accounts Receivable, Cash Management, Banking Procedures, Purchases, and Accounts Payable. For a business selling goods, inventory controls will be an important cycle. Documenting key controls in each of these cycles will provide transparency and consistency. Specific roles and responsibilities in each of these cycles can easily be assigned to specific individuals. When improvements and changes are made to your processes, employees can quickly be informed, trained, and brought up to speed.

Lack of control with authorization of transactions
Authorization of purchases should occur before the commitment of resources. Depending on the size of the business, levels of authority can be introduced to better eliminate the risk of inappropriate spending. For example, with orders above a certain dollar value, say $1,000, more than one quotation should be obtained which could ultimately reduce your overall expenditure. Authorizing of transactions before placing orders provides the owners/managers the opportunity to evaluate different purchasing options, and make sure items or services obtained will support the business objectives.

4. No oversight and review  
Small business owners many times get so involved in the day to day operations of the business that they tend to neglect performing basic review procedures. Business owners should take some time and interest in the financial records. This is an important aspect of fraud prevention. Not a lot of time is required to review monthly revenues, expenditure reports, inventory reports, budget vs. actual amounts, and variance reports. Having a more hands on approach will give the owner invaluable feedback on how the business is performing and where any potential problem areas or poor performance areas may exist. Review of the financial records is a critical component and input for better decision making. The frequency of the review of financial data depends on the volume of transactions and type of business, however, the review of financial data should generally be conducted on a monthly basis.

Dated or ineffective information systems
Small businesses run on lean resources and very little time is often spent evaluating information systems. Investing time in this area could add a lot of efficiencies in the long run.  List the systems in your business and the key performance measures you need from each. Working systematically though these will help you stay competitive and efficient. Many user-friendly software systems are out there which could shorten processing and operating cycles – and are not that expensive to operate.

6. Lack of physical & logical security  
Lack of physical security of business assets and resources could result in the loss or damage to assets and resources. Access to equipment, petty cash, and check stock should be restricted to appropriate individuals and stored or locked in an appropriate secure location. Computer equipment and networks should be password protected and computer passwords should be changed regularly. Having firewalls and protective devices or software on computer systems is an important component to help prevent security breaches.  Protection of personal information and banking information are becoming increasingly important with the increase in risk of identity/credit card theft. Personal and employee data should be encrypted and stored in secure folders.

7. No formal ethical policies and procedures
This control may not seem to be crucial for the success of a business, but without clear guidelines on the use of the business assets and expectations, in terms of integrity and ethics from employees, businesses can expose themselves to inefficiencies and misappropriation of assets.  A code of ethics is an open disclosure of the way an organization operates.  A well written and thoughtful ethics policy can serve as a communication vehicle that reflects important values and goals of the business.  It can provide guidelines of how employees should deal with potential misbehavior and/or misappropriation of assets and can provide alignment with regard to company values and commitments.

8. Job roles and responsibilities not clearly defined
Employees are your most important assets and as a small business you are very reliant on your employees.  They are representatives with customers, suppliers, and competitors. For this valuable resource to be effective in your business you will need to provide clear direction and define appropriate roles and responsibilities for each employee.  Job roles and responsibilities should be clear and preferably be in writing.  This will ease the process of separating duties discussed in the next section.  New employees will quickly be able to reference back to their responsibilities and understand their roles better.

9. Lack of separation of duties
Small businesses are susceptible to fraud by their own employees as they may have a few employees with multiple roles. Each employee should have specific job responsibilities, preferably in writing to ensure there is no confusion in assigned job roles and responsibilities.  Generally, assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of related assets such as cash and credit cards provides for more effective internal control and less opportunities for misappropriation of assets.

10. Inadequate disaster recovery, backups and business continuity plans   
The importance of backups and business continuity are many times under-emphasized.  Systems can be designed so that back-ups are performed automatically and on a regular basis.  Backups should be made based on transaction volume and stored off-site.  To re-create data can be painful, time consuming, or not practical at all.  Business Continuity plans outline how recovery will be accomplished in case of a disaster.  Long term power outages or disruptions, offices not available for long periods of time, and loss of staff on a large scale are not that uncommon and can happen. Planning ahead for disasters before they strike is important to the survival of your business.  A disaster recovery plan typically consists of an emergency plan, disaster recovery plan, and a continuity plan.

Changing your approach towards internal controls in your business in these 10 key areas, can make your business grow! Implementing control tools in these areas can be accomplished in a fairly easy manner and in a short amount of time. Consult your local accountant or auditor for advice with some of the technical financial processes and controls. Changing your focus in these 10 areas, will add a lot of value to your business over the long run!