Internal Controls: A Quick-Start Guide
At BNN, we work with businesses in a variety of industries that range from start-ups with limited or no sales to mature entities with over $100 million in annual revenue. Whether the business is large or small, service-based or manufacturing, they all have at least one thing in common: internal controls.
Management designs internal controls to mitigate current financial or operational risks to their organization; however, the business environment is ever-changing. There will be turnover in management, new information systems, changes in production and sales volume and other events. These changes to the business will impact the current control environment. Evaluating and managing the degree of impact on the business environment is necessary to maintain an effective control environment.
For management to evaluate the impact of change, they need to understand the risk philosophy and risk appetite of their business. A risk philosophy is the understanding and managing of risks in view of the business’s strategic priorities and management’s commitment to ethical and responsible business behavior. The risk appetite focuses on setting the parameters for the risks the business will or will not accept, including a cost-benefit analysis. These parameters should be in line with the business’s strategic, financial and operating plan.
Management should classify the current risks that impact the business as financial or operational risks. Management should also consider ranking the severity of the risks as critical, high, moderate or low. A critical ranking describes a risk that impacts the business’s ability to continue as a going concern. As an example, an entity earns 100% of its revenue from a single federal grant. The risk of loss of this grant due to noncompliance would be critical. A high ranking describes a risk that significantly impacts the entity but individually is not as severe as a critical risk. However, the presence of multiple high risks could be considered a critical risk. A possible example of a high-risk ranking is production delays due to extended production line equipment failure. Moderate and low rankings are reserved for the remaining risks and will cover the majority of risks. The ranking of a similar risk will vary from business to business based on management’s risk philosophy and appetite.
After classifying and ranking the risks, management should identify and evaluate the current controls in place in relation to each risk and its severity rating. Management may find that its current control response is too aggressive or too passive in relation to the severity rating and its risk appetite, and can adjust the response accordingly.
Having set the business’s foundation with the philosophy, risk appetite, and control environment, management has a sufficient understanding of the environment to evaluate the impact of changes in the business and can be proactive in modifying the controls if necessary. Additionally, management can better educate the employees on the business’s risk environment. The benefit to management of an employee base that understands the business’s risks, appetite and philosophy will be a culture of risk awareness and mitigation that leads to a more efficient and profitable business.
If you have questions, please contact your BNN advisor at 1.800.244.7444.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.