Not all businesses are required to adhere to an internal control framework, but organizations of all types can certainly benefit from implementing better controls. Every significant process within your organization has the potential for things to go wrong, meaning there is risk just about everywhere. Making and documenting a plan to mitigate those risks — a.k.a. controls — will make your company stronger. 

3 Reasons Why You Should Implement Risk Management Practices

1. Just because you haven’t identified errors doesn’t mean they haven’t occurred. Without strong controls in place, you really have no way of knowing if errors are happening or an act of fraud has been or is currently being committed. Controls can help prevent or detect unintentional, yet critical, errors as well as fraud.
2. Risk management practices create necessary accountability. Documenting processes and assigning tasks and controls to specific people creates accountability. When everyone involved in a process agrees documentation is accurate, they are essentially saying they will follow these steps each time.
3. You may not be ready for the next level. Particularly if your company anticipates significant change or growth, you need to make sure the business is operating effectively. Assessing your company’s processes can identify key areas for improvement before issues escalate.

How a Risk Assessment Works

Using a five-step plan for process improvement will set your company on the right track. It doesn’t matter if you want to review a typical accounting process, such as accounts receivable, or if your concern is an operations process documenting activity on a factory floor. Every process can use these five steps. 

1. Document, document, document. Document your processes using flowcharts, then assign tasks to each person within each “swim lane.” All individuals involved must review and approve the documentation when complete. 
2. Identify weaknesses. Take a fresh look at each process to determine the areas of concern, or where you see potential risks.
3. Improve or create controls. Determine if there are controls in place to mitigate those risks. If controls are in place, look for areas of improvement. For risks without a mitigating control, you and your team will need to determine what the best mitigation strategy will be.
4. Create a remediation plan. Make specific plans for the new or improved controls, including who performs the control, and the specific tasks and timing for remediation to be successful. 
5. Test your controls (regularly). Determine if your new and improved controls are operating effectively. Start by testing one sample of each control to assess its effectiveness. If the control is not operating effectively, repeat Step 4. Once the control appears to be operating effectively, make a plan to test additional samples of that control on a regular basis.

How to Make Assessing Internal Controls Manageable

While the risk assessment process can seem daunting when you look across your entire organization, what’s important to remember is that you do not have to implement internal controls for all aspects of the business at once. Since you may not be required to have certain controls in place, you can focus on manageable sections that make sense for your business, your time and your most pressing needs.

Start with your biggest problem area (what keeps you up at night?). If it’s the sales process, then prioritize that before moving onto your next issue. Assessing internal controls is about problem solving. All businesses have issues, and therefore risks, even if it may not seem like it on the surface. It will take a well-documented process to identify those risks so you can see the overall picture. Then the controls you and your team put in place become the solutions to help mitigate those risks. Tightening up your internal controls in your most important areas of the business will help you gain efficiencies and help prevent errors or fraud, which can be costly. Remember, not identifying the issues doesn’t mean your company doesn’t have concerns; it means you aren’t prepared to prevent or detect them.   

Once your controls are operating effectively and efficiently in the most impactful areas of the company, your company will be stronger. Deal with potential problems before they become actual problems. Avoiding disruptions will allow your company to operate more smoothly and allow customers, vendors and stakeholders to have greater confidence in your company. 

Contact Steve Guarini at sguarini@cohencpa.com or a member of your service team to discuss this topic further.

Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.