How internal control can help reduce fraud risk in SMEs

In January Patisserie Valerie crashed into administration following an investigation into alleged long-term fraud in its accounts. With their accountant saying audits ‘do not look for fraud’, this is a good time to reflect on the strength of internal control in your business and whether your systems would deter, prevent or detect a fraud.

What are internal controls?
Internal controls are a set of policies and procedures put in place to ensure accounting systems are reliable, fraud risk is minimised and business assets are safeguarded. Without accurate accounting records, managers cannot make fully informed financial decisions and the business can be exposed to fraud. It is a sobering thought that accountants KPMG found that 60% of fraud is committed because a business had weak internal controls.

It can often be the case that in a fast-moving business, the policies and procedures are relegated down the list of issues to address because frankly there are more important things to do! However, I would argue that SMEs need to take internal control more seriously, because their losses are less easy to absorb than in a larger business. Furthermore, they are unlikely to have an internal audit function and may not have the benefit of an annual external audit to assess controls.

Accepting that SMEs have limited resources, this guide points to the key controls that businesses need to make sure are in place. These can be split into 7 categories:

1. Physical security of assets
2. Standardised procedures
3. Segregation of duties
4. Approval limits/Delegation of authority
5. Double entry bookkeeping
6. Checks and balances
7. Human Resource controls

Physical security of assets
This not only includes CCTV, safes, locks and entry passes, but also data backups. Regular physical audits should be carried out on cash, stock, materials, equipment and tools to check the business actually has these assets and they are recorded correctly in the accounts. Password access to different parts of an accounting system can safeguard information and access logs can keep a record of who accessed what and when.

Standardised procedures
Standardising procedures hugely reduces the risk of control breakdown. Procedures should be designed with control in mind and any divergence from the standard means control is weakened. Procedures should be audited at least annually to check that they are still best practice and are still operating correctly. They should work very much like quality standards.

Segregation of duties
Segregation of duties involves splitting responsibility between staff so no one person carries out all elements of a transaction. For example, no one person should be able to order and pay for goods or add a fictitious employee to the payroll and then pay them. For small businesses with only one or two accounting employees, control can be achieved by adding manager approval.

Approval limits/Delegation of authority
A requirement for specific managers to authorise certain types or values of transactions can add a layer of control to ensure transactions are seen and approved. Putting a delegation of authority in place gives limits to this authority. For example, an individual can generate purchase orders of up to £500 but requires a manager’s signature up to £5,000 and the owner’s for anything higher.

Double entry bookkeeping
Using a double-entry accounting system adds reliability by ensuring that the books are always balanced. Most systems such as Sage, Xero or SAP will not allow you to post one-sided entries, but using a package such as Excel gives poor control. Running a trial balance regularly confirms the system balances and this should be used to prepare management information (MI) at least monthly. Actuals should be compared to forecast and authorised by a manager at least monthly.

Checks and balances
Regular accounting reconciliations can ensure that balances in your accounting system match up with balances in accounts held by other entities, such as banks, group companies, HMRC, suppliers and customers. These checks should be carried out at least monthly and in the case of bank reconciliations as frequently as daily. Reconciliations should be checked and authorised by a manager.

Human Resource controls
Having the right staff is critical to control and checks should be made accordingly. Examples include qualifications verification, references and criminal record checks on new recruits. During periodic assessment and appraisals, staff should be assessed for competence and training needs. Staff should be obliged to take holidays and businesses should have a whistleblowing procedure.

Final take away
Remember that the owner’s overall attitude to the importance of internal controls creates the control culture for that business. Setting the right tone ensures that control is taken seriously by employees.

Internal control is a complex area and I have tried to summarise the main areas in this article. If you feel your internal control could be improved then why not get in touch so we can carry out a full review and provide practical recommendations relevant to your business?

Kevin Thomas is a Chartered Accountant and is the owner of Finance Interim Ltd
