Whether your business supports in-person payments using a cash drawer and a numbered receipt, or operates through e-commerce using electronic payments and digital documentation, these mechanisms function as internal controls. Cash controls are internal systems used to prevent unapproved payments, theft, and fraud. These systems include procedures at predefined steps to create segregation of duties and introduce checks in the process to identify and correct errors. Cash controls also include tracking systems to support account reconciliation and audits.
Internal controls and segregation of duties
Perhaps a payment is made by a customer at a local coffee shop who hands over currency and coins to a cashier, or a money order is paid by a business to a contractor at the completion of a project. In either case, when cash payments are made to or from a business, there is a risk of error.
One of the key ways to establish internal control of cash receipts is to designate different employees as responsible for different steps in the process, creating separation of duties and control over cash handling. For example, the person who receives cash payments from customers and fills out a transaction receipt is not the same person who compiles all of the cash transactions into a deposit at the end of a business day.
Creating documentation at the time of transaction is also important to this process. Transaction receipts printed on cash register tape include identifying information and may include the name of the cashier involved, as well as a unique and numerical transaction number.
Additional ways to increase internal control are making cash deposits with regular frequency, keeping any cash on hand in a secure location like a safe or lock box, and including supervisor involvement for any non-standard payments like refunds, returns, or voided transactions.
Many businesses give their employees access to company cash through the use of company credit cards or petty cash funds. Similar to cash receipts, one of the best ways to control cash disbursements is to separate the responsibility of each step in the process. For these kinds of transactions, the control is an approval process that must be adhered to before a disbursement is made.
For smaller purchases, this may be a limit on a company card with pre-approved categories of items that employees are allowed to purchase. A manager reviews these purchases regularly to ensure company guidelines are being followed. For larger purchases, purchase requisition paperwork is completed and provided to supervisors for approval before reimbursement.
Additional controls of cash disbursements include three-way document matching for vendor payments, vendor validation and account accuracy review, and having new employees sign expense agreements (clearly stated guidelines) during the onboarding process.
Bank deposits, bank reconciliations, and safeguarding cash
Employees who have ever worked from a cash drawer at a retail location will be familiar with the process of counting a drawer in and out at the beginning and end of a shift. This process establishes the baseline value that the drawer should hold and must be returned to at the end of a shift; the difference when an employee counts out the drawer should equal the electronic record of sales from the day in addition to credit card receipts.
These cash amounts are then compiled by a supervisor and secured in a safe or lockbox until a deposit is made. Making regular deposits ensures there is never a large amount of cash on hand. It is also important to reconcile the bank statement with the amounts in the general ledger. To help maintain separation of duties, the person reconciling the bank account and making journal entries would be different from both the cashier and the supervisor. Further, access to the secured elements in the process would be limited, and the business would typically have employee bonding insurance.
COSO frameworks for cash controlling best practices
What is COSO?
Business fraud is no joke and took center stage in the late 90s when major corporations were found to be operating fraudulently, causing billions in losses. In 2002, the Sarbanes-Oxley Act (SOX) was passed requiring publicly traded companies to undergo an annual audit to remain in compliance with financial records.
To help businesses counteract fraud and establish best practice frameworks for prevention, the Committee of Sponsoring Organizations (COSO) was established. The committee is made up of the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]).
What are the COSO frameworks for internal control and ERM?
COSO provides a framework that businesses can follow to establish, evaluate, and improve internal controls and enterprise risk management (ERM). This framework was developed in addition to a series of published reports for internal control (originally published in 1992 with updates in 2013 and 2020) and ERM (originally published in 2004 and updated in 2017). COSO also provides numerous thought leadership articles to broaden understanding of topics such as board of directors roles, improving performance, and gaining strategic advantage through ERM.
Visually, the COSO framework is a model presented as a colorful, segmented cube that overlays objectives, components, and organizational structures. For all 3 internal control objectives there are 5 applicable components that can be implemented throughout 4 organizational structures.
What are the 3 internal control COSO objectives?
- Operations. This objective looks at the way that the internal controls are implemented within a company. Are the controls being utilized by employees? Are they effective and realistic?
- Reporting. This objective looks at the reports that are being provided by a company. Are they consistent, reliable, and accurate?
- Compliance. This objective looks at the legality of a business operation. Are state and local regulations being adhered to?
What are the 5 internal control COSO components?
Though summarized here, each of the 5 components listed can be further broken down into a total of 17 principles.
- Control environment. The board of directors defines the approach to internal controls as well as the ethical values and goals of the company. These are then translated by management through processes and policies to employees. Companies also actively work to employ individuals who will implement, uphold, and be accountable, helping the company maintain its ethics and promote its goals.
- Risk assessment. The likelihood of risks to company objectives is identified, including both internal and external possibilities. Management considers how the implementation of any change to internal or external operations may negatively impact the company, specifically as it relates to internal control.
- Control activities. All levels within a company include control activities, either to prevent or to correct any risks in the internal controls, through processes both manual and automatic. Segregation of duties in internal controls is one of the best ways to establish risk prevention at all levels.
- Information & communication. Communication and transparency are bedrock to maintaining internal control. Management utilizes reliable and accurate information as it relates to control processes and procedures. This information is communicated internally and externally as necessary to acknowledge risk assessment and mitigation.
- Monitoring activities. The company willfully engages in internal and external monitoring at regular or predictable frequency to determine if risks in the control environment are effectively being prevented or corrected. Audits and independent CPA reconciliations are examples of monitoring activities.
What are the 4 COSO internal control organizational structures?
Company structure is demonstrated on the COSO cube framework to illustrate that internal controls should exist at all levels for fraud prevention. Controls at base levels are more detailed, while controls at a higher level have a broader, overall impact on a business.
- Entity level. Executive level of the business including the board of directors. An example of entity-level control would be a company code of conduct which impacts all levels of structure.
- Division. Divisions in a company can also be described as different departments: accounting, operations, sales, etc. Division level controls are specific to each department. For example, a procurement request form submitted by a member of the sales team wouldn’t be sent to the warehouse manager for approval.
- Operating Unit. An operating unit further breaks down a department into teams. At this level of structure, the goals are very specific, relating to just one element in overall business, like a marketing team responsible for the success of a specific product.
- Function. At the base of organizational structure are the individual employees. Internal controls at this level will be task specific. A cashier who fills out a form while counting their drawer in and out supports the control of cash receipts.
How Routable makes cash controls easier
- Vendor onboarding for data accuracy. Knowing for certain that your business has the information it needs to file taxes, pay for services, and connect with vendors reduces risks of overpayment, fraud, and communication gaps.
- Obtaining automated authorized approvals. Customize stakeholder approval chains and ensure that expenditures are in line with company goals and guidelines.
- Checking for duplicate payments by payers. AP automation provides accurate and real-time documentation for vendor payments, simplifying checks and balances to prevent duplicate payments.
- Generating electronic remittance advice (ERA) with paid invoice numbers. Simplify accounting records with effective ERA, building confidence and transparency with vendors.
- Automatically reconciling payments in real time. Two-way syncing with Routable guarantees that balance sheet and bank statements reconcile in real time.
Having the right internal controls in place helps to prevent wire transfer and billing schemes, payroll and inventory theft, and even larceny. By understanding the importance of internal controls for cash receipts as well as the principles provided by the COSO framework, your business will have the advantage it needs to remain compliant with SEC and operate in confidence, securing the trust and support of stakeholders and investors.