Close this search box.
Home / Articles / Internal Controls: an effective line of defense against fraud and business losses

Internal Controls: an effective line of defense against fraud and business losses

March 16, 2018


Article by CSH’s Melissa Meeker

How would you assess the strength of your existing internal controls system? Many people who work in an operational capacity for a healthcare practice would guess that their internal control system is strong. Others would acknowledge that their system needs improvement. And then there are those folks who genuinely have no idea about the integrity of their practice’s internal controls.

Fortunately, there are some straightforward ways to assess the strength of your internal controls system, understand why you need one, and begin implementing the right system for your practice.

Why do you need a strong internal controls system?

According to data on employee theft, over $50 billion is stolen annually from businesses in the U.S. by employees. A strong internal control system can prevent those dollars from being siphoned off the bottom line, and can establish the mechanisms to stop fraud before it starts.

The most effective internal controls are built into the practice’s daily operations, implemented by the people who work in the system, and adaptable to changes in the business. Having the right controls in place can help you avoid the pitfalls of a weakened system, which include such risks as business losses, fraud, poor employee morale, tarnished brand image or financial misstatements.

Building a strong internal controls system requires some research on your part, including due diligence, in order to establish the foundation of your controls program. These key elements include (1) the establishment of a control environment, (2) a comprehensive risk assessment, (3) identified control activities, (4) a robust communication system, and (5) clearly defined monitoring activities. Below are actions to take to build a strong program:

Control Environment

  • Demonstrate a commitment to integrity and ethical values
  • Exercise oversight responsibility
  • Establish structure
  • Demonstrate commitment to competence
  • Enforce accountability

Risk Assessment

  • Specify suitable objectives
  • Identify and analyze risk
  • Assess fraud risk
  • Identify and assess significant changes

Control Activities

  • Select and develop control activities
  • Select and develop general controls
  • Deploy thorough policies and procedures

Information and Communication

  • Use relevant information
  • Communicate both internally and externally

Monitoring Activities

  • Conduct ongoing and separate evaluations
  • Evaluate and communicate deficiencies

Everyone in business, including healthcare practices, should have an internal controls system in place that is regularly tested, monitored and updated. CSH can help you no matter where your organization stands in the process. For more information, watch our recent webinar or contact our expert advisors.

All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a Clark Schaefer Hackett professional. Clark Schaefer Hackett will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.


Related Articles


2 Min Read

The Vital Imperative: Why Businesses Must Undertake Risk Assessments 


2 Min Read

5 Ways Financial Institutions Can Minimize Risk


7 Min Read

Suspicious activity: Are you seeing the big picture?


2 Min Read

Oversight and controls are key to limiting fraud in nonprofits


3 Min Read

Disbursements: Internal Controls in a Remote Environment


4 Min Read

Top 5 Reasons to Use Cloud-based Data Backup

Get in Touch.

What service are you looking for? We'll match you with an experienced advisor, who will help you find an effective and sustainable solution.

  • Hidden
  • This field is for validation purposes and should be left unchanged.