Best Practices to Improve your Internal Control Environment

Internal controls are a critical component to reliable financial reporting and regulatory compliance, and are designed to mitigate risk, protect assets, and ensure the accuracy of records. A strong and steady internal control environment allows businesses to make better decisions based on reliable data and financial information. As businesses grow, evolve, and change, it is important to consider their effect on the internal control environment. Below are some examples of solutions to improve your internal control environment:

• User access reviews – Employees’ roles and responsibilities can change over time that can lead to access rights that are no longer necessary or appropriate for their current position. Conducting a thorough review of employee access to systems critical to the accounting function (banking, payroll, general ledger, etc.) can prevent misappropriation of assets and alleviate potential risk concerns.
  
  
• Month-end close checklist – There are multiple tasks and individuals involved in month-end close process that can sometimes create confusion or a duplication of efforts. Creating a checklist to verify that processes and controls such as account reconciliations, review of manual journal entries, and financial statement preparation are completed at month end can provide clarity on the status of each task, reduce confusion due to turnover, and a detailed trail of documentation. Additionally, the checklist should include both preparer and reviewer signoff, along with the dates completed.
  
  
• Service provider reviews – Most organizations outsource certain functions such as payroll processing, health insurance claims processing, or retirement plan processing services. Understanding what service providers are used and how they use your data is important to help manage risk and verify that that data you give them is safe and processed accurately. Most service providers will receive a SOC-1 report, which is a report on the service provider’s internal controls and processes. The SOC-1 report should be reviewed annually to determine the impact to your organization. For example, the annual review should consider the listing of controls included within the SOC 1 report that are recommended to be implemented by your organization to ensure that the service provider can meet your expectations (these are commonly referred to as complimentary user entity controls).
  
  
• Banking processes and controls – Have you looked into what processes and controls might be available at your financial institution? Leveraging your financial institution’s controls can have a major impact on decreasing risks within your organization. Some options include access to the online banking portal, multifactor authorization for wire transfers, and accounts payable automation. Each of these will help protect the organization from unauthorized activity (internal or external) as a complement to other controls of the organization, such as a three-way match and review of disbursements.
  
  
• Don’t forget to document – If it’s not documented, it didn’t happen! A reminder to add your signature to reconciliations, schedules, or other critical documents after preparing (or reviewing). This can be accomplished with a physical signature or use of electronic signatures.

These are just a few examples to help strengthen your internal control environment. No matter the organization size or industry, internal controls are a crucial component to a healthy organization that is well positioned to manage and respond to risk.