Reviewing internal controls for new working processes

Promotional Business Feature by Hazlewoods

In response to the rapidly changing environment we now live and work in, Hazlewoods business advisers continue to provide insightful content to support your business now and focus on a #BusinessForTomorrow.

During the COVID-19 lockdown, many businesses had to put plans in place for their employees to work from home and provide them with the necessary tools to do so. Businesses may already have had experience of employees working from home, but a significant number will have had to put measures in at little or no notice.

As we know, the workplace has changed, maybe forever, and there will be further evolution as lockdown measures are eased. Some employees may continue to work at home, whilst there may be a phased return for others to office life, abiding by all necessary measures including social distancing. Employees have also been put under pressure by having colleagues who have been furloughed and may continue to be so until October, given the Chancellor’s recent extension of the coronavirus job retention scheme.

Internal controls lie at the core of a business’ financial reporting mechanisms; so, how have these been affected during lockdown by home-working, staff absences, work pressures etc.?

Internal controls will vary from business to business and their extent will depend on business complexity. These may be relatively informal at owner-managed business level, extending to very formal processes at larger entities. Some controls may be paper-based and some IT based. The objective of an internal control includes the prevention and detection of errors; errors here can be both the inadvertent and the deliberate.

One of the biggest risks arises from control slippage. Before lockdown, there may have been a hierarchical structure of approval and processing, so that it was not left to a single person to be in control of these and there was an appropriate segregation of duties. For the factors outlined above, lockdown may have changed this; for example, one person in the accounts team deals with everything – all the sales invoicing, posting of purchase invoices and makes payments. This creates an increased risk that something could go wrong, whether inadvertently or deliberately, as demonstrated below:

A business has set authorisation levels for the approval of purchase invoices. Before lockdown the purchasing assistant would match delivery notes to invoices and authorise invoices up to £5,000; the purchasing assistant would do the same for invoices up to £10,000 and provide the matched invoices and delivery notes to the purchase manager for approval from the purchase manager, with amounts above that requiring approval from the production director. That process has been shown to work well so invoices are only processed where the goods have been received.

The purchasing assistant has subsequently been placed on furlough and so the purchasing manager has to cover the assistant’s work as well as his own. As the purchase manager is extremely busy, a scan sense check of the delivery notes and invoices is performed, but a delivery note for an invoice of £9,000 is missing as the goods had not been delivered – this is not picked up on the scan sense check. The upshot is the authorisation and subsequent payment for an invoice where goods had not been received, at a time when cash flow is important to the business.

Could this have been avoided? Absolutely.

Reviewing the authorisation processes and limits in place could have eased the work pressure and responsibility of the purchasing manager, and prevented the shortcut taken. By moving the responsibilities and limits down a step, this would have brought into play a ‘second eye’ review by the production director and reduced the risk of the invoice being incorrectly approved and paid. Ultimately, there is no substitute for complying with processes as, after all, they are there for a reason – but we are all human.

So, in certain circumstances a subtle change can reduce the risk of errors arising. Other relatively easy steps to implement could be a review of bank statements to see if there is anything ‘out of the norm’, or an added stage in the BACS payment review process, just to be on the safe side to ensure that no undue payments get through.

It is also important not to forget IT controls, including access level rights and the ability to override IT controls. Some questions to consider would be:

  • Are you able to review details of changes made to access level rights and are those access level rights still appropriate given how the business is now operating?
  • Who can override IT controls and to what extent have they been overridden? Typically, these can be reviewed by exception reports to pick up issues. At a time like this you will want to ensure you limit your risk to bad debts, but are you aware if credit limits have been unduly increased by a control having been overridden putting recovery at a higher risk?

There is more about limiting the risk to bad debts and using cloud accounting systems to manage credit limits in our article here.

As a country, we are pretty much certain to be heading into a recessionary period and there is never a more appropriate time for businesses to ensure that their controls and processes are robust now and going forward for their own protection.

If you are looking for advice on managing your internal financial controls, please get in touch with Julian Gaskell at or 01242 680000. If you would like to discuss any of our other #BusinessForTomorrow content or have suggestions for content you would like to read that could help you and your business now and in the future, please let us know: