Written by Karen Shenk, CPA, CVA, CFE
This article first appeared in CFMA Building Profits (a member-only benefit) and is reprinted with permission. Copyright © 2019 by the Construction Financial Management Association (CFMA). All rights reserved.
Construction companies are often built from the ground up without much consideration for internal control. These companies are more likely to react to specific incidents, rather than proactively identify risks and implement controls to mitigate them. And for a management team without expertise in this area, internal control policies can seem inefficient or difficult to implement, which can lead to misstatements in finances due to fraud or error.
We all hear stories of fraud and theft and hope it never happens to us or to our organizations. Many nonpublic organizations rely on a small accounting department and are not aware of some simple ways they can mitigate fraud and theft-related risk.
When looking at the factors contributing to these incidents, there needs to be opportunity, incentive, rationalization, and capability. The only factor over which a company has any control is opportunity because it is environmental. A good set of internal controls aims to decrease chances of fraud or theft by providing fewer opportunities for it to occur. Good internal controls also creates an environment where collusion is needed for the fraud to go undetected.
Types of Internal Controls
Reviewing Financial Activity Monthly
No matter the size of the organization, reviewing basic financial information monthly will quickly help identify significant errors or anomalies. The following are examples of reports that should be reviewed each month:
- Balance sheet (compared to prior year and/or prior month)
- Current month’s income statement (compared to the prior month or the same month last year)
- Current year-to-date income statement (compared to prior year-to-date and to current year-to-date budget)
- Current year-to-date statement of cash flows (compared to prior year-to-date)
- Most current work-in-progress (WIP) schedule
The management team, including someone with a financial background, should review these statements. Ideally, this monthly packet of financial information comes with an executive summary that provides the rest of the management team with the tools needed to understand the current performance compared to the original expectations. It should also be tailored to the individual company and include key performance indicators (KPIs) that are important to its decision-making process.
Utilizing Checks & Balances
There are a number of ways to implement checks and validations of information, some of which are made more efficient
by utilizing technology or data analytics. Some examples include:
- Reconciliations and independent reviews of reconciliations
- Employee rotation or cross-training
- Mandatory vacations
If a separate software system is used to track certain information, like accounts receivable (A/R) or inventory, it is important that these balances agree with (or are reconciled to) the balance sheet that comes out of the general ledger accounting package.
Although it can be difficult in smaller organizations, it is important that certain sensitive tasks, such as bank reconciliations and payroll functions, be performed by someone other than who is normally responsible for those tasks. This is critical in order to mitigate the risk of fraud, error, or theft and to also protect the company in the event the responsible individual becomes incapable of performing those tasks.
Having another individual trained to perform these tasks, and rotating them in periodically, protects the company from a number of circumstances.
Requiring the use of strong passwords, implementing a policy of changing passwords on a regular basis, and installing locks and cameras help to protect sensitive assets.
While this can be difficult in an organization with limited staff, it is one of the most important ways to prevent opportunities for fraud and theft. The three duties that should always be separated are:
Authorizing or approving transactions
Custody of the cash or signed checks
There are many rationalizations for poor segregation of duties that open a company to potential loss, including:
Too few people in the finance/accounting department
Processes were developed with a focus on efficiency or convenience
Duties shift as people are promoted or due to turnover
Placing too much trust in one person
This is an area that needs continuous attention because things change over time. It is important to document transaction cycles and the duties that are incompatible in each cycle so that those duties can be assigned to different people.
When we segregate duties appropriately, we are protecting the people we trust by removing them from a potentially compromising situation and helping to keep them above reproach.
Steps to Implementing Great Internal Controls
Document current policies and procedures for each significant transaction cycle, which can be as straightforward as drawing a diagram or flow chart of the process/cycle to make control gaps more evident. Some basic cycles that should be documented include:
- Revenue recognition and cash receipts
- Expenses and cash disbursements
- Bid process and contract execution
- Capital expenditures
- Payroll process
You should also be able to identify current controls and control gaps. Try to think like a thief and ask yourself how someone might be able to steal assets or manipulate financial data. Use this information to implement changes to current policies that help to cover those gaps.
Let’s take a look at some examples of common scenarios.
A Transaction Cycle Documented: Cash Receipts
In this example, the receptionist opens all of the mail, which includes checks received from customers. The receptionist, who has custody of the checks, puts them in the A/R clerk’s mailbox. The A/R clerk records receipts into the accounting package and completes the deposit slip, which gets mailed or delivered to the bank.
The problem is that the A/R clerk has duties that include both custody and recording transactions. This person could find a way to cash the check for themselves and then record something in the accounting system to make it look like it was collected when in fact it was not.
The solution is to have the receptionist complete the deposit slip, have the checks delivered to the bank (or utilize a scanning device that automatically deposits the checks into the company’s account), make a list of the checks with remittance advice, and then give that list of receipts to the A/R clerk. This separates the duties of custody of cash and recording the transaction, which means that even though the receptionist could steal the check, he or she cannot manipulate the accounting software to make it appear as though it was collected when it wasn’t.
Separating these duties does not prevent the receptionist from stealing, but it means that the receptionist would require the help of another person in order to cover it up (i.e., collusion).
Assuming these same circumstances, but consider that the receptionist has other responsibilities that include entering other types of transactions into the accounting software. If the receptionist’s access to the accounting software isn’t limited to that specific task and they can make journal entries or change transactions on the cash receipts cycle, then the original task of completing the deposit slip should be performed by someone else.
A Transaction Cycle Documented: Cash Disbursements
In this example, invoices are received by the receptionist and are disbursed to a department head who approves the invoices. The approved invoices are given to the A/P clerk who records them into the accounting package.
As invoices become due, the stack of checks along with the corresponding approved invoices are presented to the CFO for review and signature. The CFO reviews the approved invoices, signs the checks, and gives the stack back to the A/P clerk, who now has custody of the signed checks. The A/P clerk stuffs the envelopes with the checks and puts them into the mail to be delivered.
The problem is that the A/P clerk has duties that include both custody and recording transactions. So, the A/P clerk could steal the signed checks and change the transaction or record another transaction to cover up the theft.
As a solution, the CFO should give the signed checks to the receptionist who will stuff the envelopes and mail them to the vendors. This separates the duties of custody and recording. Again, the signed checks could be stolen, but in order for the theft to be covered up, the receptionist would need someone else to record something in the accounting software.
A Transaction Cycle Documented: Payroll
In this example, salary, benefits, and timesheets are approved by managers and provided to the payroll coordinator who enters the payroll information. The payroll summary is reviewed by the CFO before being processed, and since the CFO cannot edit the information, they approve the upload to the payroll provider. The payroll is automatically pulled from the company’s bank account and paid via direct deposit. The payroll provider also sends a file that assists the accountant in recording the transaction into the accounting software. Even though the duties are separated (and the CFO probably keeps an eye on the payroll coordinator’s salary), the payroll coordinator could still change another employee’s pay rate by such a small amount that the CFO would not notice.
In addition to reviewing the payroll itself, the CFO could also review a change report from the payroll processing company. A report that shows these changes (to employees, their addresses, pay rates, commissions, bonuses, 401k withholdings, etc.) is much more likely to highlight anomalies than reviewing the payroll report, as it is difficult and inefficient to go line by line through the entire report to pick out differences.
How Your Outside Accountants Can Help
Client Accounting Services or Outsourced Accounting
As the cost of hiring people continues to increase, some organizations are outsourcing accounting roles. Whether that is at the transaction level (entering invoices or receipts) or at a higher level (regular meetings or month-end closing and financial reporting), outsourcing certain duties can help smaller organizations produce timely financial information.
Financial Statement Engagements
The financial statements are always management’s responsibility and a company can hire an outside CPA firm to perform levels of assurance on those financial statements. There are significant differences among the following services that are often misunderstood:
An audit provides “reasonable assurance” about whether the financial statements are free from material misstatements. An audit involves procedures such as confirming receivables, observing inventory, and understanding internal control. If your company gets an audit, the auditor is required to provide a “management letter,” which provides some recommendations on internal control. It is important to read this letter and work to implement the auditor’s recommendations, if possible.
A review provides “limited assurance” and does not include confirming receivables or observing inventory. A review primarily includes the inquiry of management and analytical procedures. Analytical procedures generally mean that the CPA is developing expectations of financial results based on other financial or nonfinancial data, like analyzing salary expenses compared to a number of employees or cost of goods sold (COGS) to sales. Looking at source documents is not a requirement of a review.
For these reasons, a review is much less in scope than an audit and relying on a review can be problematic if
the fraud or theft is occurring at the executive level.
A compilation provides no assurance at all, and is simply management’s financial information put into a standard format, sometimes including footnotes. A good accountant will recognize if there are significant errors, like not booking depreciation. However, placing any reliance on a compilation is unwise.
Other Services or Engagements
This is when the CPA firm is asked to perform specific procedures that are agreed upon by management or the party requesting the procedures. Often, these are done in conjunction with a lower level of service, like a review or compilation. Not requesting a full-blown audit is often done to save time and money, but audits should be done when additional assurance is needed for a specific area, like inventory or receivables. For example, a bank might only care about A/R, so they might ask for an engagement where an outside accountant tests only A/R. It can be a more efficient way to gain comfort with one or more balances without a full audit.
Internal Control Study
This is a consulting engagement where the company’s internal control procedures are documented, and recommendations are made to improve upon existing controls or add nonexistent controls. No assurance is provided in this engagement either, but this can help management develop better procedures and can be used as an objective way to reassign duties.
Implementing a solid set of internal controls can help remove opportunities that might otherwise exist. Protecting your company’s assets is important for organizations of all sizes and stages. While stopping all fraud and theft from occurring may not be possible, creating an environment that reduces the opportunities available to employees makes it less likely to happen.
1. “Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse.” Association of Certified Fraud Examiners. 2018. s3-us-west-2.amazonaws.com/acfepublic/2018-report-to-the-nations.pdf.