by John Heveron
Your staff may have shrunk, and work may be both remote and on-site. So, how have your internal controls survived these changes?
See how you match up against this list of best practices. Make sure that your policies and practices are addressing these important items.
- Be sure that every employee gets a copy of the organization’s up-to-date personnel manual. Most lawsuits come from employees and former employees.
- Have a written code of conduct that describes proper ethical practices and be sure that everyone knows that they must abide by that code.
- Show no tolerance for improper practices. Even minor violations should be addressed as a serious matter.
- Question unusual activities. Don’t be hasty to accuse someone of wrongdoing, but be sure you understand the activity.
- Develop a good budget and look at variances from that budget. Update the budget throughout the year as appropriate. When you do this, variances are red flags that deserve your attention.
- Someone who is not involved with billing or accounting should initially receive incoming payments and record them on a deposit ticket or in a separate place.
- Incoming checks should be stamped “for deposit only” as soon as they are received.
- The monthly bank statement (checks, electronic payments, etc.) should be reviewed by someone who does not prepare checks. If you do not get check images, request them or change your banking relationship.
- Mark invoices to show that they have been reviewed and paid.
- Credit card statements should be received and reviewed by an independent person. There should be proper documentation for all charges.
- After checks are prepared, they should be submitted to the check signer with original invoices. Invoices should then be marked paid to prevent reuse.
- Someone who is not involved in preparing payroll (entering payroll information or calling it into a service bureau) should review payroll reports to be sure that hours and rates are proper.
- Accounting and other important data should be backed up, verified and stored off-site.
- Log off or shut down computers at night.
- Anti-virus, anti-spam, and Internet firewalls should all be implemented and kept up to date.
- Surge protectors or battery backups should be in place.
- Any laptops or mobile devices with access to your server should be password-protected, and possibly encrypted.
- Have someone review error logs and run software updates regularly.
- Computer access should be limited with passwords and physical controls.