In our last issue, we discussed the definition of internal controls over financial reporting (ICFR) and detailed the benefits of using balance sheet reconciliations; here, we describe management review internal controls (or supervisory review internal controls), as well as tips to improve their effectiveness. The goal in this internal controls series is to provide ideas to help you strengthen your internal controls processes with more efficient controls.
In many small businesses, a simple review (by management, an owner, or both) of journal entries, transactions, or reports is often the primary control to prevent financial reporting errors. Many times, cash or personnel limitations force restrictions on segregation of duties or the implementation/availability of automated IT controls. In the absence of sufficient other controls, management review may provide some assurance over the completeness and accuracy of financial information, efficiency of operations, compliance with regulations/laws, or safeguarding of assets.
Maximum strength gains for management review controls can be assisted by following these three internal controls guidelines below.
1. Choose the right trainer (and equipment). Any review (regardless of subject matter) should take place at an appropriate level. In other words, the reviewer should be able to meet the review objectives and/or detect data anomalies that may be indicative of errors or fraud. For instance, a warehouse manager is a better review of physical inventory counts than the president of the company. Conversely, a review of comparative annual financial statements is more appropriately reviewed by a controller, CFO, or CEO as opposed to a payroll manager.
2. Measurements matter. The data being analyzed and reviewed should be complete and accurate, which dramatically increases the value of the review.
3. Work toward a goal. The objective of the control should align with the risk and review area. The recommended top-down approach starts with the business objective, identifies the risk of meeting the objective, then implements a control (in this case management review) to mitigate the risk of the control meeting the objective and then operating and assessing the control.
While not an exhaustive list, the below chart provides some examples of appropriate areas and control review objectives.
|Areas||Control Review Objectives|
|Financial statements (internal or external)||Ensure amounts and disclosures reflect a complete and accurate review of business operations|
|Financial statements (internal or external)||Variance analysis comparing current balances to prior periods for reasonableness and accuracy|
|Administrative costs detail||Analysis of variances from actual costs to comparative periods or budgeted amounts|
|Report of sales by product type for period||Analysis comparing shipments for same period|
|Accounts payable detail||Ensure all invoices included|
|User access lists to IT systems||Ensure appropriateness given job descriptions and roles|
CRI recommends that every business owner—large and small—work to align business objectives, risks, and control objectives, as well as monitor the risks. We also advocate that companies try to maximize management reviews to strengthen their internal control environment. If you have any questions about internal controls (from risk assessment through internal controls testing), reach out to the professionals at CRI to request a personal training session to help you take, well, control of your business.