Internal controls are systems created to ensure procedures are being followed according to legal or other guidelines. Recently Auditor-General Mildred Chiri highlighted how many quasi-government organisations were at risk because of poor internal control systems. We’ve all surely heard something about cases such as the National Social Security Authority (NSSA) as well as Hwange and Ziscosteel which were all plagued by the results of poor internal controls.
It is often misunderstood that both external audit and internal are concerned with preventing or eliminating fraud. Not so, these areas of practice have to do with compliance to pre-established standards and procedures. Many times where procedures are flouted it is because there is fraudulent intent. Now your startup may not have 3 aeroplanes to account for because it is small. None the less that is yours and likely other investors mo eye on the line. In that regard, an internal control system that that is best practice may come in handy. Another great advantage of a strong internal control system is its ability to evidence historical information. This could come in useful if you are required to answer questions or provide evidence.
Segregation of duties
This is the number one method recommended for ensuring procedures are not flouted. By having duties handled by different people in an organisation you reduce the possibility of an error, intentional or not, going unnoticed. A simple example would be making sure that the person who invoices and the person who receives payment are two different people. That may well be enough to deter some practices that can prejudice the organisation of revenue by under-reporting.
Multiple hands are a natural extension of segregation of duties. It is also highly effective in preventing non-compliant behaviour and can be very useful in smaller organisations which do not necessarily have the large staff compliments required to completely segregate duties. Having a bank account that requires two signatories to authorise transactions is an example of this. Of course, we do not rely on banks so much in Zimbabwe, the same could be done with mobile money transactions where one can make transactions via the app while another organisation member has the line where the pin confirmation is entered. This way the one who makes payments can only make authorised payments as they will require approval. The idea here is having two people handle duties and watch over each other. It is not entirely foolproof but it is a good internal control measure. Another good example of this is having two different staff members do inventory counts.
Using third parties with stringent requirements is a common method used in internal control. It’s more common than you think. For example, when dealing with other organisations you may request a tax clearance certificate or a bank letter. These two documents can only be received if the organisation has satisfied ZIMRA or Bank requirements respectively. The banks have strict know your customer “KYC” policies while ZIMRA regularly keeps track of tax dealings of organisations so you don’t have to. So to a degree, you can rely on these documents as to the standing of the organisations you are dealing with. Ultimately easier than trying to verify all information by yourself.
These are essential but the pressures of entrepreneurship in smaller organisations may cloud our vision on them. Regular reconciliations to check if systems are working properly are important. The more regular the reconciliations the more likely we are to catch issues in the system if there are any. I’ve already mentioned counting inventory. At one point I was required to do 6 months of reconciliations for a business and it turned out income was massively underreported due to an invoicing inaccuracy that was in fact carried out intentionally. Had this been done sooner the problem may have been identified earlier. How often do you do reconciliations? It depends on a few business factors but any longer than a month may not be good especially if you have a high transaction volume.
The final tip may be the most important one. While having a robust internal control system is good it must not get in the way of doing the work. Having an internal control system that requires employees or members to do more work in recording compliance than in achieving the organisation’s goals is not the idea. Rationalise it down to minimum effort on the employees’ side while getting the most information out of it. By so doing you ensure that employees or members can do the work and it is not a hindrance to performance. This will mean the system runs smoothly within the goals of the organisation and can continue to run.
Internal control is a habit and is something that must be practised regularly. It is not something that can be instituted in a magic wand approach. With that in mind start as soon as possible and keep it going. The benefits in the long run, even for startups are well worth it.