Everyone knows that you need to have internal financial controls in any organisation, but we often find that too little attention is paid to the design of good controls. A good control is one that is both efficient and effective.
First, you have to remind yourself that a control is simply a response to a risk. We do things because "that's how we have always done things", but we need to challenge ourselves and ask "why do we perform this activity and what risk does it respond to?" It might seem obvious that we have to undertake bank reconciliations in the finance department, but it is a control activity. It is managing the risk that our accounting records are inaccurate or incomplete. Similarly, we take references on new recruits to manage the risk that they have performed badly in previous jobs.
Some controls, like bank reconciliations, are strong because they are based on an external data source. It is also an efficient control because we gain assurance quickly that our records are complete and accurate. Another example of an efficient control is monitoring actual expenditure to budget. Managers might not realise they are part of the charity's control environment, but a regular comparison of actual expenditure to budget will help to identify errors as well as provide them with feedback. How many different reasons for variances can you come up with? They represent a number of different risks, such as errors in coding, missing invoices or unplanned expenditure. Reviewing and investigating variances will help to correct the data.
Some controls will focus on preventing an adverse event, such as spending the charity's resources inappropriately. Typically, authorisation is the chosen preventive control. But this will be an effective control only if the person authorising the expenditure is paying attention to the right things and has the time to do the checks properly. Simply signing off a pile of invoices without looking at them is not a control at all.
A detective control will inform you after the event that there is an error or failure in the systems. For example, a charity treasurer might periodically review expenses claims for the senior staff and other trustees. This does not prevent errors, but it will detect an error or malpractice that can then be addressed. Spot checks might be more efficient, however, because it takes considerable time and effort to check every expense receipt before putting it on the system, and potential errors are probably few and small in value. It is worth weighing the cost of operating a control against the risk it is managing.
All controls will be effective only if they are well matched to the risk they are trying to manage. For example, a finance person reviewing a staff expenses claim will not necessarily be able to tell whether the costs of travel are legitimate - the person's line manager will know whether the journeys seem reasonable. Good controls are efficient and effective.
Kate Sayer is a consultant at specialist auditors Sayer Vincent