By Bob Swetz
Controller Consultant | Tier One Services, LLC
All organizations, no matter the size, should have adequate internal controls. Internal controls are things like having multiple staff count cash so that no one person has sole access at any given time.
One thing that may be overlooked is establishing a process of assessing control risks on a regular basis.
What is Control Risk?
To put is simply, control risk is the risk that the internal controls in place will not meet the organization’s objectives. According to the AICPA AU-C Sec940.05, A Control Objective is “the aim or purpose of specified controls. Control objectives address the risks that the controls are intended to mitigate.” In the example above the control objective over counting cash may be to deter the risk of employee theft.
Risks can arise out of a given set of circumstances, or they can be inherent in the nature of the transaction or function.
How and When to Assess Internal Control Risk
How and when to assess internal control risk depends on the nature of the risk or a situation that may arise and cause an increase in risk that did not previously exist.
Let’s look at cash counting again. Because if it’s nature, cash is inherently risky. Assuming the organization’s cash inflows are consistent this risk could be assessed on an annual basis. The risk assessment would involve addressing the possible ways cash could be stolen and determining if the controls in place sufficiently address that risk.
Other types of risks may arise based on circumstance. For example, one of the church’s weekly cash counters just filed for bankruptcy. That situation would give rise to the need for risk assessment at that time, not merely at the end of the year. In this case, the church’s management should consider whether the situation creates additional risk in the cash counting function. A simple way to do this is to list all the possible ways cash could be stolen and whether the controls currently in place (given the situational change) still reduce the risk of employee theft to a reasonably low level.
These are just a few simple examples but should be enough to get you started in developing a plan for risk assessment that makes sense for your organization.
If you have questions or want to dig deeper, feel free to schedule a 15-minute troubleshooting session with me at http://bit.ly/Scheduling_Troubleshooting or connect with me on Facebook at https://www.facebook.com/bobswetzonline.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.