Your internal controls — Is it time for a tune-up?
March 4, 2011
Recently, I asked my favorite service adviser if my car needed a tune-up. His answer surprised me. “Why do you ask that?” he asked. “The parts that used to need a tune-up don’t even exist on today’s cars. Today’s technology has surpassed yesterday’s distributors and spark plug wires. However, if you’re asking whether your car needs preventive maintenance, the answer is ‘yes.’”
I’m happy my service adviser was looking out for my best interest. My understanding of the work needed had been way out of date. I still had the right idea about the overall purpose, but I didn’t know that to avoid trouble, today’s new technology requires new maintenance procedures.
What does this have to do with internal controls? Everything. Just as cars have changed to become more efficient, financial transactions have changed, too. Increasingly, businesses are saving time and money by paying bills online, making sales on the Internet and paying employees by direct deposit. Businesses need these innovations to stay competitive, but these new processes come with a trade-off. Electronic transactions bring new internal control risks, and executives must address these new risks with new procedures.
Does your system of internal controls need some preventive maintenance? Over the past few years, most executives have fine-tuned their system of internal controls to prevent financial misstatement and embezzlement. They have put checks and balances in all the right places, with dual signatures on checks and lock box collection. These longstanding control procedures work well to control paper transactions, but they do nothing for electronic transactions. Organizations that depend on the efficiency gained from electronic transactions, without evaluating the need for new controls, may be leaving a window open to financial misstatement and fraud.
If you have added some new financial processes, your system may require some new control procedures. To find out, do some preventive maintenance. Take a look at your financial processes in four basic areas: online payments, website sales, direct deposit of payroll and investment withdrawals. Let’s see how it works.
Online bill paying allows your controller to make payments from your account without getting a check signed. It saves time and money. If you have online bill paying in your company, ask yourself: if someone made an unauthorized online payment from our account, how would we know?
In most cases, you can’t prevent an unauthorized payment from happening, but you can set up a procedure to detect it and address it in a timely manner. To catch any unauthorized payments, consider having an independent individual review all bank activity online daily and compare it to authorized payments.
Automated Clearing House (ACH) payments can be another open window to your bank account. Individuals with a little bit of your banking information can set up an ACH payment to pay their bills from your bank account. Find out if you can block or filter ACH payments to prevent them from hitting your account.
Many businesses depend on online sales. Customers enjoy the convenience of purchasing online and their payments are deposited right into the organization’s bank account. If you have online sales, ask yourself: how do we know that all the money from our online sales made it to the bank?
Sometimes, the person who manages the online sales function has the ability to change the destination of those online bank deposits. If your accounting department records income based only on the bank deposits, a few payments could be diverted to another account and you might never know. To address this condition, many companies have added a control procedure to match online sales data to bank deposits.
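The two comparisons described above (bank activity against authorized payments, and online sales data against bank deposits) are the same reconciliation run in opposite directions. The sketch below is an added example, not part of the original article; the reference IDs and amounts are constructed, and it assumes both sources carry a shared reference for each transaction.

```python
from decimal import Decimal as D

def reconcile(expected, actual):
    """Compare two {reference: amount} maps pulled from independent sources.

    expected: what the organization's own records say should have happened
    actual:   what the bank reports did happen
    """
    both = set(expected) & set(actual)
    return {
        # Recorded by us, never seen at the bank (e.g. a diverted deposit).
        "missing": sorted(set(expected) - set(actual)),
        # Seen at the bank, never recorded by us (e.g. an unauthorized payment).
        "unexpected": sorted(set(actual) - set(expected)),
        # Present on both sides but for different amounts.
        "mismatched": sorted(r for r in both if expected[r] != actual[r]),
    }

# Constructed sample data. The reviewer should export each side personally,
# not receive it from the person who operates the process.
SALES = {"ORD-1001": D("49.99"), "ORD-1002": D("120.00"), "ORD-1003": D("75.50")}
DEPOSITS = {"ORD-1001": D("49.99"), "ORD-1003": D("57.50")}

AUTHORIZED = {"PAY-201": D("800.00"), "PAY-202": D("1250.00")}
DEBITS = {"PAY-201": D("800.00"), "PAY-202": D("1250.00"),
          "ACH-9931": D("312.40")}

def review_sales():
    """Online sales export versus bank deposits."""
    return reconcile(SALES, DEPOSITS)

def review_payments():
    """Authorized payment list versus bank debits, including ACH."""
    return reconcile(AUTHORIZED, DEBITS)

if __name__ == "__main__":
    print("sales vs deposits:  ", review_sales())
    print("payments vs debits: ", review_payments())
```
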
Payroll direct deposit
Direct deposit allows employers to deposit paychecks directly into their employees’ bank accounts. If you pay your staff using direct deposit, ask yourself: if someone paid unauthorized payroll, how would we know?
The person who initiates payroll transactions by direct deposit has the same power as a check signer. If this person declared an extra payday and didn’t tell you, how would you find out? What if he gave himself a raise? What if he paid a terminated employee or a fake employee, and directed the paycheck to his own account? If the person who initiates payroll is also the person who keeps the books and does the bank reconciliation, he could cover his tracks. Develop a procedure where an independent individual reviews all payroll transactions using reports that come directly from the payroll system, not from the individual initiating the payroll.
At a minimum, have an independent individual review the state unemployment tax form. It lists each employee’s wages for the quarter. If you compare the current form to previous quarters, you can see if anyone received much more pay than normal. You can also see if terminated employees are still being paid and whether there are employees whose names you don’t recognize. While you probably won’t catch a minor discrepancy with this review, you could catch a big one. Keep in mind, though, that the form is only prepared once each quarter, so three months could go by before you discover unauthorized pay.
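The quarterly wage review described above, sketched as an added example that is not part of the original article. The employee names, wage figures and the 1.5x threshold are constructed assumptions, and the inputs are assumed to come straight from the payroll system and the HR roster rather than from the person who initiates payroll.

```python
from statistics import median

def review_quarterly_wages(current, history, active, terminated, ratio=1.5):
    """Return (employee, reason) findings for an independent reviewer.

    current:    {name: wages} from this quarter's unemployment tax form
    history:    list of {name: wages} dicts from previous quarters
    active:     names on the current HR roster
    terminated: names of people who have left
    ratio:      assumed threshold for "much more pay than normal"
    """
    findings = []
    for name, wages in sorted(current.items()):
        if name in terminated:
            findings.append((name, "paid after termination"))
        elif name not in active:
            findings.append((name, "name not on roster"))
        # Compare against the median of earlier quarters so that one
        # unusual past quarter does not hide a new jump.
        prior = [q[name] for q in history if name in q]
        if prior and wages > ratio * median(prior):
            findings.append((name, "pay much higher than prior quarters"))
    return findings

# Constructed sample data.
HISTORY = [
    {"A. Lopez": 15000, "B. Chen": 18000, "C. Patel": 12000, "D. Reyes": 14000},
    {"A. Lopez": 15000, "B. Chen": 18500, "C. Patel": 12000, "D. Reyes": 14000},
]
CURRENT = {"A. Lopez": 15200, "B. Chen": 29000, "C. Patel": 12100,
           "D. Reyes": 14000, "E. Quinn": 9000}
ACTIVE = {"A. Lopez", "B. Chen", "C. Patel"}
TERMINATED = {"D. Reyes"}

if __name__ == "__main__":
    for name, reason in review_quarterly_wages(CURRENT, HISTORY,
                                               ACTIVE, TERMINATED):
        print(f"{name}: {reason}")
```

As the article notes, a threshold like this catches only large discrepancies, and only once per quarter.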
Often, one individual has the authority to transfer funds out of the organization’s investment accounts without limit. Ask yourself: if someone took money out of our investment account, how would we know?
Any withdrawals would be identified in the process of reconciling the investment account, but the withdrawal might not be identified as unauthorized. If the person who makes investment withdrawals also keeps the books, that person could disguise an investment withdrawal as “market decline.” Depending on the market, you might believe it. If you have this procedure in your company, make sure an independent individual reviews investment account transactions regularly online. Also, make sure an individual charged with oversight sees the complete investment account statement monthly.
We all know that the vast majority of business people and their employees are honest, hardworking individuals. However, executives charged with keeping the organization’s assets secure are still responsible for addressing any new risks with new controls.
I’m glad I had that conversation with my service adviser. Now, I won’t ask for a tune-up when my car needs preventive maintenance. A tune-up won’t keep today’s cars out of trouble. In the same way, traditional internal control procedures, designed for paper transactions, won’t keep today’s businesses out of trouble. New electronic financial processes require new internal control procedures to promote accurate financial reporting and prevent fraud. If it’s been a while since you reviewed your system of internal controls, you may need a check-up in a few key areas. Consider what new processes you may have added such as online payments, website sales, direct deposit of payroll and investment withdrawals. By developing new procedures to keep electronic transactions under control, you can benefit from efficient new processes and still stay secure.
Joan M. Renner, CPA, is shareholder of Renner and Co. CPA PC, a provider of audit, accounting, tax and advisory services in Alexandria. She is a member of the Virginia Society of CPAs (VSCPA). Contact her at firstname.lastname@example.org.