What are internal controls?
The easiest way to understand internal controls is to start by thinking about businesses and their day- to-day operating policies and procedures. These dictate how we go about performing our daily tasks in the running of the business. Internal controls are embedded within these policies and procedures to assist in managing risk and ensuring compliance with legal requirements.
Why do internal controls matter?
They are put in place to safeguard assets, reduce errors and fraud and ensure the integrity of financial and accounting information.
These are key to the successful operation of any business, regardless of size and type.
Are they relevant to e-commerce and businesses operating in the digital realm?
It’s no secret that technology has revolutionised the way we do business. It has streamlined everyday practices, but its overwhelmingly positive impact can lull us into a false sense of security. We expect that our IT systems will ensure protection of our information, restrict unauthorised access and/or modification and that they will be up and running 24/7.
Businesses have been operating in the digital realm for many years and this is now the norm. The internet allows for ease of communication and for transactions to take place in a global marketplace without traditional geographical borders. We are all fully aware of the advantages this provides to businesses but as with everything, there are risks. These need to be managed appropriately to ensure our businesses continue to operate and grow.
Technology is a great enabler and with the shift from traditional brick and mortar to e-commerce, it’s important to remember that businesses are still doing what they do. Take, for example, a retailer which previously sold goods from a store. They are still selling to consumers but perhaps via online means now, or a combination of both. The underlying principles of internal control are still a key aspect of business operations, although the playing field has changed dramatically. Internal controls must be adapted to respond to slightly different risks, or risks that now affect a business in a different way.
How to implement effective internal controls
The e-commerce landscape – with the internet playing a pivotal role – has made it very difficult to determine the path taken by a transaction. This is due to the many technological components involved in a transaction.
The reality is that it is impossible to guarantee a completely safe e-commerce environment by the very nature of the internet. This makes it necessary to adopt a risk-based approach in implementing internal controls. We don’t have infinite budgets to reduce or eliminate every risk we face as a business, which is why we need to prioritise the ones that leave us the most exposed.
The first thing is to understand is what level of risk the business is willing to accept and the risks the business is faced with. Then, you can determine to what extent internal controls need to be implemented to reduce this risk to an acceptable level, if not within the business’s risk appetite.
What are the risks affecting a digital or e-commerce business and how do we address them?
There are a host of risks that affect an e-commerce business.
One that springs to mind immediately and needs to be at the forefront of every e-commerce business’s security plan is the risk of cyber-threats. Cyber-security is all about protecting digital assets and has become a hot topic in recent times following some high-profile cyber-attacks with major economic and reputational ramifications on businesses. These are becoming more sophisticated, leaving all businesses with an internet presence at risk, regardless of size.
It is not possible to eliminate the risk of a cyber-attack and resulting data loss. However, businesses can build resilient IT systems by adding layers of security measures such as firewalls, segmented networks, anti-virus and anti-malware, intrusion detection systems and encryption.
Let’s be honest though – most of us have no idea what any of that means. It is for that reason that we leave the technical side of things to our IT departments in the expectation that they have all of this under control. One thing I always stress is that whilst these internal controls are very important, they can still easily be undermined by human misjudgment.
To put this into perspective, an astounding 9 out of 10 cyber-attacks begin with a phishing email.
Last year, I attended a presentation by a Certified Ethical Hacker who demonstrated how easily a hacker can gather information on any given organisation with an internet presence. This real time demonstration took no longer than 20 minutes in which the presenter was able to gather enough information from the internet about the organisation and its staff to orchestrate a cyber-attack. In practice, this would be followed by a well-thought-out phishing email in order to gain access and perpetrate cyber-crime.
Most people cannot identify a well-made phishing email and with about 300 billion emails sent per day, most people don’t spend enough time analysing emails to verify authenticity. Cyber-security awareness is very important and the lack of formal education and training for our workers in relation to this leaves our organisations more vulnerable to cyber-attacks.
So, two questions we need to ask ourselves in respect of cyber-security – what are we doing to ensure we are sufficiently addressing these risks from a technical standpoint? And what are we doing to ensure our employees are a strong first line of defense?
There is also a risk of failure to ensure that contracts evidenced by electronic means are binding. So how do we verify the identity of customers and suppliers and ensure agreement of terms of trade, delivery, credit terms, dispute resolutions or agreement of terms? Non-repudiation is a legal concept often used in information security which refers to a situation where the origin and integrity of data cannot be disputed by the party agreeing to an obligation. So, elements like digital signatures, combined with other measures can offer non-repudiation in relation to online transactions.
There are several other threats to e-commerce that an e-business will need to consider. For example, potential loss of transaction integrity means that the business must ensure the integrity of transactions by tracking the entire transaction and rejecting incomplete ones. Furthermore, potential exists for system and infrastructure failures or crashes and we often underestimate how big this risk is. An e-commerce business is customer facing 24/7 and any unplanned outages, however small, can impact the profitability of the business.
This is not an exhaustive list of risks, but some of the things most e-commerce businesses need to consider and address.
Are you in control of your business?
Which of the above risks relate to your business?
What can we do to mitigate these risks?
In my experience, most e-business owners/operators find these risks to be underattended to in their business. The New Year is an excellent time to investigate selecting the right internal controls and ensuring you have the resources to implement them in your business. Don’t hesitate to get in touch with a William Buck advisor for assistance in taking control of your business risks.