Are You Using Internal Controls to Manage Risk?

Close to 75% of small businesses don’t have a plan in place to protect their business from operational disruptions, whether planned or unplanned, or from employee actions and mistakes. You may have business continuity insurance, but that’s only designed to help after the fact. It doesn’t remove the risk or prevent it from happening. Internal controls do that.

Internal controls are a subset of business systems and processes specifically designed to help protect your company from careless, costly, or uninformed decisions or actions that your employees might take. When you run a business, you need your team to have the authority to get tasks done without running everything past you. Internal controls give you the confidence and ability to empower your employees and optimize productivity.

These policies, procedures, and technical safeguards protect a company’s assets by preventing errors and inappropriate actions. Controls do have limits on what they can accomplish, so it’s crucial to have ongoing reviews and monitoring of your systems. Of course, the policies and procedures must be enforced or they will not work, but not having a system of controls is a mistake.

There are three types of internal control: Preventative, Detective, and Corrective. Here’s a brief description of each:

Preventative Internal Controls

Preventative internal controls, as the name implies, are put in place to prevent an adverse event from occurring. Think of these like a system of checks and balances. These are the best kind of controls because they reduce the need to detect mistakes after the fact. Automated preventative controls are even better because they remove the need for human intervention and streamline auditing.

Examples of preventative internal controls are training programs, drug testing, order review, and accounts payable/receivable processes that prevent undesirable events from occurring.

Detective Internal Controls

Detective internal controls are put in place to help you detect an error or problem after it has occurred. Ideally, these controls will help you discover an issue before it becomes a significant problem. Think of these like a fire alarm system that alerts you to the smoke that precedes the fire.

Some examples of detective controls are internal audits, reconciliations, financial reporting, financial statements, and physical inventories.

Corrective Internal Controls

Corrective internal controls are implemented after a problem is discovered. They are intended to limit the negative impacts, and they could include disciplinary action, report filing, software updates, and new policies. They are usually put into place after a root cause investigation.

Corrective internal controls are specific to the typical risks of your company, as established by comprehensive risk assessments or detective controls, such as audits.

While no one can plan for every possible cause of disruption to your business or prevent it from happening, internal controls can help to reduce the risks and mitigate the associated financial damage that can happen to your business. If you do not already have a system of controls in place, we’d be happy to discuss it with you.