Risk Management: Operational Controls for Your BusinessBondBeebe
Mark A. Buckberg, CPA, CFE, CFF, Principal
There are various definitions for what constitutes operational controls, but it really comes down to one common theme: the power of management over daily activities. In your business, operational controls regulate the day-to-day activities via the formulation of policies and execution of procedures. To put it in plain English, it is what you do and how you do it.
The Basics of Operational Controls
As management, you know best the ultimate goals for your business and you are responsible for setting a course to accomplish them. This includes not only developing the corporate policies and procedures intended to accomplish your goals, but also enforcing, and in some cases, modifying these policies and procedures.
- The policies of the organization serve as a protocol to guide decisions and achieve outcomes.
- The procedures are the step-by-step instructions to implement the policies.
- Internal controls help you enforce these policies and procedures.
Strong operational controls are correlated to lower fraud risks; certain policies and procedures must be in place to reduce the likelihood of fraud.
The Foundation for Strong Operational Controls
Where do strong operational controls begin? At the top. The control environment, otherwise known as the “tone at the top,” permeates all levels of your company. Unethical management is a signal to all employees that unethical behavior is tolerated.
The single biggest fraud deterrent is monitoring. It’s simple! If staff knows management is on the lookout for fraud, they are less likely to try it. Regularly monitor your financial data to look for any unusual patterns or transactions, and make sure your employees are aware of your internal controls.
Regularly Reviewing Controls
Your company should regularly analyze the controls in place to support accurate financial reporting, adherence to applicable laws, and to mitigate the risk of fraud. What is the best way to determine if your organizational controls are effective? They need to be tested on a regular basis, the frequency of which will vary from business to business. There are two parts to this testing: fraud risk assessments, which gather information about the processes, procedures and internal controls; and control testing, which determines if the policies, procedures and internal controls are operating as intended.
Many companies have an internal audit department charged with these tasks; others have independent forensic accountants perform this testing. Regardless, the most important thing is that a review is done. Don’t ever assume that your operational controls are effective, or simply “set it and forget it.” If you become complacent, you may become the victim of fraud.
Strong operational controls are an essential part of your company’s risk management and fraud prevention efforts. Work with your accountant to develop policies and internal controls that will help you maintain compliance and protect your business from fraud.