Kate Sayer: Controls are essential, but you need to be proportionate

It's all about being efficient and effective and learning to manage risk, writes our columnist

Kate Sayer

Everyone knows that you need to have internal financial controls in any organisation, but we often find that too little attention is paid to the design of good controls. A good control is one that is both efficient and effective.

First, you have to remind yourself that a control is simply a response to a risk. We do things because "that's how we have always done things", but we need to challenge ourselves and ask "why do we perform this activity and what risk does it respond to?" It might seem obvious that we have to undertake bank reconciliations in the finance department, but it is a control activity. It is managing the risk that our accounting records are inaccurate or incomplete. Similarly, we take references on new recruits to manage the risk that they have performed badly in previous jobs.

Some controls, like bank reconciliations, are strong because they are based on an external data source. A bank reconciliation is also an efficient control because we gain assurance quickly that our records are complete and accurate. Another example of an efficient control is monitoring actual expenditure against budget. Managers might not realise they are part of the charity's control environment, but a regular comparison of actual expenditure to budget will help to identify errors as well as provide them with feedback. How many different reasons for variances can you come up with? They represent a number of different risks, such as errors in coding, missing invoices or unplanned expenditure. Reviewing and investigating variances will help to correct the data.

Some controls will focus on preventing an adverse event, such as spending the charity's resources inappropriately. Typically, authorisation is the chosen preventive control. But this will be an effective control only if the person authorising the expenditure is paying attention to the right things and has the time to do the checks properly. Simply signing off a pile of invoices without looking at them is not a control at all.

A detective control will inform you after the event that there is an error or failure in the systems. For example, a charity treasurer might periodically review expenses claims for the senior staff and other trustees. This does not prevent errors, but it will detect an error or malpractice that can then be addressed. Spot checks might be more efficient, however, because it takes considerable time and effort to check every expense receipt before putting it on the system, and potential errors are probably few and small in value. It is worth weighing the cost of operating a control against the risk it is managing.

All controls will be effective only if they are well matched to the risk they are trying to manage. For example, a finance person reviewing a staff expenses claim will not necessarily be able to tell whether the costs of travel are legitimate - the person's line manager will know whether the journeys seem reasonable. Good controls are efficient and effective.

Kate Sayer is a consultant at specialist auditors Sayer Vincent
