Taking Command of Your Internal Controls
Internal controls are an essential part of every business to help reduce misstatements in finances due to fraud or error. Construction companies are vulnerable to this threat because they are often reactive to incidents that occur, as opposed to proactive in putting controls in place to prevent incidents from taking place. It can also be very difficult to implement internal controls without a management team with expertise in the area. The factors that can lead to fraud are opportunity, incentive, rationalization, and capability. The only factor that a company can control is opportunity. Good internal control implementation will lead to minimal opportunity for fraud to occur.
There Are Several Important Internal Controls That Every Company Should Have in Place
- Monthly review of financial activity – Monthly review allows for the identification of significant errors or other issues in a timely manner. An example would be comparing the current month's balance sheet and income statement to the prior month, to budgeted amounts, or to the same month in the prior year.
- Use of checks and balances – Dividing responsibility for sensitive tasks between multiple individuals can preserve the integrity of the information. An example would be having a bank reconciliation performed by someone who isn’t normally responsible for the bank account transactions. Rotating responsibility can achieve the same result.
- Limitations on user access – Requiring the use of strong passwords and regularly changing passwords, restricting user access (both physically and logically) to only those who need access to perform their regular work duties, and installing security cameras can help to protect sensitive information and assets.
- Segregation of duties – The three duties that should always be segregated are: recording transactions, authorizing transactions, and custody of cash/signed checks. Although this can be difficult with limited staff, it is an area that needs continuous attention as circumstances within a company change over time. Poor segregation of duties creates opportunity for rationalization leading to fraud.
What Are Some Steps to Implementing Great Internal Controls?
- Tone at the top – Top level management and ownership should take implementation seriously and stress the importance to employees.
- Document current policies and procedures for every significant transaction cycle. Examples are revenue recognition and cash receipts, expenses and cash disbursements, payroll process, etc. Use of checklists and user control matrices can be helpful.
- Identify current control weaknesses, gaps and incompatible duties. Think critically about how someone might try to manipulate financial data or steal assets and implement changes to the current policies to address those issues.
Example: If an employee receives mail, including checks from customers, then records it into the accounting software, and completes the deposit slip that goes to the bank, they have duties that can easily lead to fraud. These duties include both the custody of assets and recording of related transactions. This creates an opportunity for the employee to cash the check and keep the money for themselves, while still recording the account as collected, or potentially writing off the account as uncollectable, when the customer actually paid. To fix this issue, have an individual outside of the recording process open the mail and document the total checks received. Another employee should be responsible for depositing the checks in the bank, while yet another employee is responsible for recording the cash remittance against the related customer account. This segregation of duties does not completely eliminate the possibility of fraudulent activity through collusion of parties, but it would greatly reduce the risk.
How Can Your Accountant Help?
- Transaction-level or higher-level services, such as regular meetings or outsourced accounting services, can help smaller companies produce timely financial information. This is especially helpful for companies that lack management expertise or the resources to hire someone who has it.
Financial Statement Engagements:
- Audit – Provides “reasonable assurance” about whether the financial statements are free from material misstatements through various procedures such as observing physical inventory counts, gaining an understanding of internal controls in place, confirmation of balances with outside parties and testing of transactions to source documents. A management letter will provide recommendations about internal controls that can be implemented.
- Review – Provides “limited assurance” through the inquiry of management and analytical procedures on your financial data. This type of engagement is narrower in scope than an audit but will provide a closer look at your finances than a compilation engagement.
- Compilation – Provides no assurance on the accuracy of financial data; however, it will organize management’s financial information into a standard format under Generally Accepted Accounting Principles in the US (GAAP). Significant errors may be recognized and corrected during a compilation engagement, but generally this type of engagement shouldn’t be relied on to find errors or fraud.
Other Services or Engagements:
- Agreed-Upon Procedures – Specific procedures are performed on an account, class of transactions, or internal controls that are agreed upon in advance by management or a third party requesting these procedures. An example is a construction company that only wants to test its work-in-progress accounts. Agreed-upon procedures provide a more cost-effective way to gain comfort on a specific account balance without having an entire financial statement audit performed.
- Internal Control Consulting – A consulting engagement in which the organization’s internal controls are documented and limited testing is performed to provide recommendations on improvement to management. This can be a great way to develop better procedures and to objectively reassign duties.
- Service Organization Control (SOC) Audit – SOC for Service Organizations audit reports are designed to help service organizations that provide services to other entities build trust and confidence in the services performed and the controls related to those services through a report by an independent CPA. Each type of SOC for Service Organizations report is designed to help service organizations meet specific user needs, whether that is reporting on internal controls surrounding financial reporting or on internal controls related to the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
Protecting your company’s assets should be among the highest priorities for organizations of all sizes and stages. While internal controls may not be able to completely prevent errors and fraud from occurring, a strong system of controls will reduce the opportunity for these issues to transpire.