Post by Maria D’Alessandro, CPA, Vice President,Finance & Accounting, Hospitality Ventures Management Group
Appropriate controls are critical to running a successful business, but what is “appropriate?” Of course, if auditors had their way, every business would have more than enough controls to prevent any fraud or material misstatement to the financial statements.
But, we know from watching the news that fraud does happen in some businesses. Why? Because businesses exist to earn a profit and a key part of that profit equation is controlling costs. No doubt, every successful business must determine an appropriate balance between controls and efficiency. If we have too many controls, processes become cumbersome and expensive. Without enough controls, a business becomes vulnerable to fraud.
Let’s discuss the most typical type of control: segregation of duties. Simply put, this is a preventative control where a business has different people performing steps in a process, as we have set up at Hospitality Ventures Management Group (HVMG). Accounts Payable is a great example. One person should set up the vendor, and this person should not be able to enter an invoice. Likewise, the person entering the invoice should not be able to set up a vendor. A third person should be responsible for printing, reviewing and mailing the checks. Finally, an additional resource should be reconciling the bank accounts.
Why have four different people involved? Because having a single person responsible for all steps in the process is the most common way to perpetuate fraud. But, not every business can have four separate people involved in the process. Your business may be too small and simply can’t afford that many employees for its Accounts Payable department. Yet, you still need to balance efficiency with controls. How can you find the right balance? First, you need to assess your risk tolerance.
Risk tolerance is unique to each business. There is no right or wrong level of risk tolerance. And, risk tolerance will change as a business changes. For a business that is extremely risk adverse, it will want more preventative controls with a series of checks and balances within the processes that minimize the risk. These checks and balances require clearly defined policies and procedures, as well as roles and responsibilities. These preventative controls typically require having multiple people or departments involved with the process.
Regardless of your organization’s appetite for risk, there are a few basic preventative controls that every business should have in place. What is your most important asset? O.K., yes, it’s your employees. What is the second most important asset? I would argue that it is cash. Therefore, every business, regardless of size, should have basic preventative controls around safeguarding cash. The cash processes that should have clearly defined roles and preventative controls (including leveraged segregation of duties) are cash deposits, house banks, accounts receivable and accounts payable.
Also important are the detective controls. Detective controls will occur at the end of a process and will, if done correctly, identify any issues. A typical detective control is the bank account reconciliation.
For controls, think of a three-legged stool—you need to have the stool balanced with the right level of controls, based on an appropriate level of risk, while maintaining efficient processes. To ensure your stool is balanced, the hotel’s processes should be assessed and based on the organization’s risk appetite, the amount of staffing and the skill of the staff, a series of preventative and detective controls should be documented and implemented. This is the best way to minimize the risk of fraud and ensure accurate financial statements while still maintaining operational efficiency.