A strong system of internal controls is important to every organization regardless of type and size. However, it is possible to go too far. An unnecessarily strong system of internal controls may actually cost the organization more than it saves.
Diminishing Returns
Imagine a historic site which does not charge admission, but instead has a donation box at the entrance for voluntary cash contributions.
At the end of the day the cash box may have as much as one or two hundred dollars in it. Someone has to count the cash, prepare a deposit ticket, and get the cash to the bank.
Question: how many people should count the cash?
If you have just one person counting, he or she can easily pocket some money and no one will ever know. I think we can all agree that this is a situation in dire need of some internal controls.
Suppose we add another person to the counting activity so that both people count the cash together. This is certainly a strong control since if either person were to pocket some cash, the other would presumably see that and report it. Two people counting are definitely better than one.
Of course, our costs for counting the money have just doubled since we now have two people counting instead of one. But it would appear that the added cost of this control is far less than the potential benefit from preventing theft.
Two people, though, might still collude. Perhaps we need more people to help with the counting. If two people were better than one, would three be even better? Let’s add a third person. True, our costs for counting have just gone up again, but collusion is presumably harder with three people. But even three people could collude. Perhaps we should add a fourth person, or a fifth?
Clearly, at some point, the cost of adding additional people is not worth the expected benefit. Intuitively, five people seem to be too many. Two or three might be just right.
What if, however, the amount of cash, instead of being one or two hundred dollars, is $10,000 or $20,000? Are we still satisfied with our level of internal controls? We may need to get more people involved. We might also want to install a security camera to keep an eye on the counters. We may want to install special locks on the door of the room where the counting takes place. We might want to invest in a safe. We may also want to hire an armored car to pick up the bank deposit. The cost of all these controls is going up rapidly: extra staff, cameras, locks, etc. But we are hoping that the potential benefit, with thousands of dollars at stake, warrants this.
Can we go too far with controls? Consider this example from a nonprofit organization we work with. We would all agree that accounts payable invoices need to be properly approved. But what constitutes proper approval? At this organization as many as five people are involved with processing an accounts payable voucher: the person who prepares it, three people who approve it (e.g. department head, accounting manager, and executive director), plus the person who actually enters it into the accounting system. That’s too much!
From these examples, six basic truths about internal controls are evident:
(1) A system of internal controls that is right for an organization at one size will likely not be adequate if the organization experiences substantial growth, or if it shrinks substantially. The internal controls that were appropriate when a hundred dollars was at stake are not sufficient when thousands are at stake.
(2) There is a cost associated with adding controls, and at some point the cost of the additional controls might not be worth the expected benefit. Having one person count the cash may entail a 50% chance that some funds will be stolen. Adding a second person may reduce the odds of fraud to 5%. That’s a significant improvement. Adding a third person may only reduce the risk to 3%. That small improvement might not be worth the added cost.
(3) The expected benefit of adding internal controls is often times very difficult to know or calculate. How much are we really saving by adding more people to count the cash? How much are we saving by installing a security camera? We will never know.
(4) It is possible to go overboard on setting up internal controls where the controls might be so stifling that it adds to the bureaucracy of the organization and may actually prevent work from getting done. Who has not experienced the frustration of excess bureaucracy and red tape where we work or when dealing with government agencies?
(5) Reasonable people can and will disagree on the proper level of internal controls. This is quite frankly often times a judgment call. Do we need to add an extra person to count the cash? Do we need to install that security camera or not?
(6) No system of internal controls, no matter how strong, can guarantee to prevent fraud.
The graph at the top of this blog illustrates the diminishing returns from adding more and more internal controls:
As we spend more money along the X axis, we get corresponding improvement in benefits to the organization along the Y axis. However, the rate of increasing benefits eventually starts to slow. Finally, as we spend greater amounts on ever more controls, the systems and procedures we put in place can begin to muck up the works and decrease productivity which actually cause the benefits to decrease.
Moral of the story: carefully consider implementing a strong system of internal controls, but recognize that needs change as the organization grows, that it is very possible to overdo it, and that there is often no right or wrong answer.
Comments welcome.
Eric Fraint, President and Founder
Your Part-Time Controller, LLC
EricYPTC 