United States

Internal controls at private clubs: Go beyond segregation of duties


The persistent discussions that insist segregation of duties is the heart of internal control in the club industry can be exasperating.

Any review of internal control best practices, typically the COSO Framework, should lead one to conclude that internal control has five timeless concepts or components that are equally important. They are:

  1. The control environment
  2. Risk assessment
  3. Control activities
  4. Information and communication
  5. Monitoring

These concepts embody 17 principles that every club should consider when reviewing its internal control structure. While control activities would, to some degree, include segregation of duties, focusing internal control on that sole concept could prove to be a critical error. Segregation of duties can quickly become irrelevant to internal control if these four other elements are not given appropriate consideration first.

While it is hard to rank any one of these concepts above the others, the control environment¹ and risk assessment² are critical to placing the rest of the internal control structure in its proper perspective. Simply stated, if a club does not establish the proper control environment and assess where its risks (financial, operations and regulatory) lie, then arguably, focusing first and foremost on segregating duties can become a futile exercise to some degree.

It appears that the clarity audit standards issued by the American Institute of Certified Public Accountants (AICPA) agree with this theory. The new standards require the auditor to consider a club’s risk assessment methodology. While many clubs have some procedures in place, few have thoroughly documented the risks faced by their operation and the process they have adopted to deal with these risks.

Looking back at some of the club headline makers in recent years, one must question what would have happened had a robust, documented, and monitored risk assessment process been in place. For example, would a club that failed to comply with state law over employee tips have suffered such severe financial penalties? Would the club that found itself in deep water with environmental agencies and the local community over golf course chemical run off have had to deal with the regulatory, public relations and financial nightmare that ensued? Clearly, good segregation of duties did little to help clubs in these cases. Robust risk assessment would have at least raised areas of exposure that the clubs could have focused on when seeking to improve their internal control.

And risk assessment does not just require an operational focus. Good club governance requires that boards of directors consider at least six areas of risk oversight:

  1. Reputation risk – How is the club perceived by the community it serves and what are the risks to that reputation? Does the club board and committees have a reputation for micro-managing its professional staff, such that it fails to attract high caliber individuals?
  2. Leadership risk – How is the club exposed if its trusted senior executive decide to move on? What will happen the day a visionary president or financially astute treasurer retires from the board?
  3. Regulatory risk – Is the club complying with all aspects of the legal framework in which it operates? How does the club comply with federal, state and local taxing authorities? Are department heads kept abreast of changing regulatory issues within their field and does the club support their continuing education?
  4. Organizational risk – Do human resource policies protect the organization? Is it exposed to losses due to fraud, abuse and corruption?
  5. Financial – How seriously does the club approach its financial audit, budget process and the anti-fraud practices? Are department heads trained on their responsibility to prevent and detect fraud?
  6. Security – Are the extensive club amenities appropriately protected?

For clubs that still do not buy into the importance of establishing and maintaining a robust risk assessment process, consider this diagram from Jim Collins’ book, “How the Mighty Fall” which depicts the five stages of decline for a business.

Note that it is just when the business thinks it is at the peak of its powers – Stage 3 – that the rapid decline begins. In conclusion, club executives are encouraged to ask themselves two simple questions: (1) Do I really know what the risks to my club are? (2)How are we managing those risks?

¹Control environment:

  1. Demonstrated commitment to integrity and ethical values
  2. Exercises oversight responsibility
  3. Establishes structure, authority and responsibility
  4. Demonstrates commitment to competence
  5. Enforces accountability

²Risk Assessment:

  1. Specifies relevant objectives
  2. Identifies and analyzes risk
  3. Assesses fraud risk
  4. Identifies and analyzes significant change