Client Library


Are Your Internal Controls Good Enough?

Given the current state of the economy, you must have guessed that fraud is on the up tick. With employee layoffs on the rise, your company is more vulnerable to internal payment fraud because employees know where the weaknesses are in your organization’s processes.

And, whether the staff is disgruntled because of a job termination or just pressed for money, all companies are at an increased risk.

Internal controls have always played a strong role in preventing fraud but it is only recently that they have begun to get the attention and respect they deserve.

Take this diagnostic test and find out.

The Diagnostic

This is a good time to review your internal controls related to payments.

Take this 20-question diagnostic challenge and see if you can identify the potential land mines that can open your organization up to internal payment fraud.

Do you require all employees who have anything to do with the payment process to take at least five consecutive days of vacation? ____ Yes ____ No

Do you prohibit the ability to both approve invoices and enter invoice data? ____ Yes ____ No

Do you prevent one or more of your managers/executives from having access to all phases of the payment process, even though it might make training and managing more difficult? ____ Yes ____ No

Do you have a strong policy prohibiting the return of checks to requisitioners? ____ Yes ____ No

Are all changes made to the master vendor file periodically checked, no less frequently than once a month, but ideally every week? ____ Yes ____ No

Do you periodically (at least once a year) deactivate inactive accounts in your master vendor file? ____ Yes ____ No

Do you have an anonymous tip hotline? ____ Yes ____ No

Do you periodically check that your processors are not writing their passwords down where anyone can see them? ____ Yes ____ No

If you have a petty cash box, do you make sure that the location of the key is not common knowledge? ____ Yes ____ No

Do you wait until the end of the day to deliver cheques to the mail room for mailing? ____ Yes ____ No

Are unsigned cheques always left in a secure location while waiting for signature – and not on someone’s desk in an empty office? ____ Yes ____ No

Is the positive pay file uploaded only when cheques are mailed? ____ Yes ____ No

Are cheques only printed when they are going to be mailed – not earlier so they will reflect a date that matches your payment terms? ____ Yes ____ No

Are open receivers and POs always extinguished when an invoice is paid even if the invoice is paid outside accounts payable? ____ Yes ____ No

Is access to the master vendor file for entering vendors or changing vendor information severely limited? ____ Yes ____ No

When an employee making electronic payment transfers is terminated or leaves voluntarily, is the bank and p-card administrator immediately notified and passwords changed? ____ Yes ____ No

When a new vendor is to be entered into the master vendor file, do you require at least two signatures or approvals before adding them? ____ Yes ____ No

When a new vendor is to be entered into the master vendor file, do you do some checking to make sure the vendor is legitimate before adding them? ____ Yes ____ No

If you have a petty cash box, do you hold surprise audits and does everyone know you do that? ____ Yes ____ No

Do you have a written fraud policy, signed by a top-level executive, indicating zero tolerance for employee fraud? ____ Yes ____ No

The Answers

The preferred response, as you probably now concluded, to all the questions is yes. A negative response does not indicate fraud but rather that the controls surrounding that issue are weak and your organization is vulnerable. Nearly every organization will have at least a few areas that are less than perfect when it comes to internal controls. Look into them and determine if it is possible to tighten the controls or if you have to live with the weaker controls. If you cannot implement the best practices suggested here, regularly audit your problem areas.


Strong internal controls are very important to small business wherein many times the owner delegates various responsibilities to key employees. Without proper systems and “built in” internal controls, weaknesses are exposed and brought to the attention of the employee.

To minimize the impact of employee theft and embezzlement strong internal controls are essential.