June 6, 2018

Championship Matchup: Business Risks Versus Internal Controls

By Christine Walters, Director, Assurance Services

Championship Matchup: Business Risks Versus Internal Controls Internal Audit Co-Sourcing/Outsourcing

As you enjoy another thrilling Cleveland Cavaliers basketball game, do you think of internal controls? Is it just me? A few weeks ago, when the Cavs battled the Toronto Raptors in the NBA playoffs, Cavs guard Jordan Clarkson lost his contact lens during a play. If it couldn’t be found and cleaned, would he then have to miss the rest of the game? That would be a disappointment for the Cavs and their loyal fans because the team needs all their players to be healthy and ready to play. Thankfully, the Cavs’ trainers were prepared! They had a spare set of contact lenses for Jordan, so he was able to continue playing. The fact that the trainers asked themselves ahead of time “what can go wrong?” and had a solution ready is a great example of identifying a risk and implementing a control.

A company’s internal controls should not be limited to risks that directly impact financial statement line items such as improper revenue recognition or unsupported reconciliations. Consider other risks that would be detrimental to your business and what controls might be established to mitigate the risks

Business Risks

Internal Controls

The controller is the only person who knows how to perform the month-end close or other key business processes. 

Create detailed documentation so someone can easily perform those tasks if the controller leaves or is unexpectedly absent. Perform a trial run by someone other than your key employee to make sure the instructions are thorough enough, before they are needed. Create succession plans. 

Your company’s reputation may be at risk if there is a harassment or discrimination claim brought against it.

You have the proper tone at the top; this includes company policies for confidentially informing management of improper behavior, facilitating investigation of any issues, and procedures to ensure that the proper action is taken. You should also determine if there is an anonymous hotline, and if so, that it works and employees know how to access it.    

Natural disasters, fires, floods or states of emergency either destroy your office or prohibit employees from getting to the office.

Maintain off-site system backups and disaster recovery plans. Implement systems that allow personnel the ability to work remotely in situations where the office is inaccessible. 

Your company may be hacked and confidential data may be compromised.

Develop systems to prevent system hacks and perform attack and penetration testing to determine and fix weak points of entry. 

Your company has a high customer or supplier concentration. 

Develop contingency plans if you lose a key customer or supplier. 

 

Interview employees at all levels at least annually to create a risk assessment. Ask them what risks keep them up at night. A CFO and a factory supervisor have different risks they worry about, and all risks should be scored based on factors of likelihood and impact. Controls should be developed for risks with a higher likelihood and/or impact and those controls should be tested for effectiveness.

As he now has led his team to eight straight NBA Finals appearances, LeBron James clearly is a major asset to the Cleveland Cavaliers. However, there is a risk that if he enters free agency this summer, he decides to join another team. Is there a control that we can create to keep him in wine and gold until his retirement? I’m sure the Cavs management team is working on that now! Go Cavs!

Do you have questions about implementing internal controls in your organization? Contact Christine Walters, Director, Assurance Services.