Our second article in the series, “Rogue CFO,” covers some common sense processes that all too often are missing in smaller businesses – workable controls and verification.
Internal controls start with a corporate culture and an attitude – “we pay attention to what our employees are doing and we check and recheck. It’s nothing personal. It’s just the way we need to do business.” Written procedures are the most effective way to establish internal standards because they are not ad hoc or variable and don’t depend on who is involved at any particular time. They provide consistency to the firm’s policies and let the staff know that management is serious about fraud prevention as a way of doing business. “We set standards and we expect our employees to live up to them.”
This seems obvious but it is not uncommon to find a business that has an autonomous CFO. For a smaller company often the Chief Executive or the board is busy and they want to trust their executives and believe in good faith that the employee is trustworthy, so they can be left to work alone. But as Ronald Reagan said about his negotiations with the Soviets over nuclear weapons disarmament – “trust but verify.” No single person is in a position to handle money, make financial decisions, or any significant decision affecting the company without the oversight of other executives and ultimately by the board of directors. As a general matter of corporate law, the board of directors has the ultimate responsibility and authority to protect the corporation from negligence or fraud within the enterprise, so the board must diligently review and approve these policies.
What are some of the internal control principles used by companies that are serious about preventing internal fraud and waste?
• Controlled access to valuable assets. Today this especially means the company’s intellectual property. Safeguard and have guarded access to all proprietary software, trade secrets, and computer code. Copyright valuable software and other intellectual property. Trademark your brands. Password protect your computers, servers and storage systems. Change passwords often. Do not let employees leave your employment with proprietary corporate software.
• Two-Person Control of Financial Assets. This is like nuclear weapon systems in the military – two person control at all times. This means actually verifying accounting entries with a second set of eyes. For example, one office takes in the checks and cash, and another confirms the totals, yet another monitors the account balances, and supervisors have access to the account ledgers to monitor income, disbursements, and balances.
• Checks on all Accounting functions. This should be done by cross-checking among functional areas internally but also this should be done through a regular outside audit. At least once a year conduct an outside audit and have the auditor report the results in a confidential briefing to the board of directors in a closed-door session.
• Adequate Training for All Employees. Ensure all top-level personnel are fully trained and evaluated. Have performance reviews even of top executives. No one is beyond accountability.
• Accurate Records. This includes both accounting records that your auditor will review and legal governance records to ensure that the company and its board are properly authorizing transactions. For all significant corporate actions and decisions the board must know who authorized the decision and whether or not they have the authority to make the decision. As a preventive measure, senior executives should have written descriptions of the scope of their authority, for the company’s protection as well the protection of the executive.
• No-Notice Audits. Conduct random, unannounced audits. If these checks are conducted on a regular basis no one will be concerned that they are under suspicion because everyone understands that this is part of the company’s normal business process. It also creates a state of constant readiness to know that, at any time, a no-notice inspection could me conducted.
These are only a few examples of effective processes and procedures. Each company should have its own particular procedures that are best suited for its kind of business. The senior executives and the board must evaluate these control and supervisory procedures and establish a culture of trust but also one of verification.