Accounting controls — the procedures and methods used by organizations to operate efficiently and deliver accurate financial statements — are as varied as the organizations that employ them. While controls are specific to each type of enterprise and its particular risk management needs, simply starting a plan to put them in place helps to establish an essential foundation supporting a proactive risk strategy.
There’s no “one-size-fits-all” control policy that applies to all organizations, but some controls are so important that they should be universally adopted. Here’s our list of 12 controls that we think are essential to all organizations.
1. Understanding of segregation of duties
While organizations are usually aware of the segregation of duties issues they face, many don’t fully appreciate the associated risks. It’s important to examine user roles in detail and, more importantly, the capabilities and authorizations that exist outside your core ERP, to understand the risks and how to monitor or mitigate them. A simple security assessment is generally not adequate to uncover deeper conflicts.
2. Robust account reconciliations
This encompasses a meaningful examination of the detail transactions in an account, identification of the reconciling differences with supporting documentation, and a policy that governs an acceptable level of unreconciled differences and timely resolution of those differences.
3. Revenue recognition
It’s critical to have controls governing how to recognize revenue for your method of accounting, whether it be cash, modified accrual, IFRS, or U.S. GAAP. These controls are essential in understanding your growth. Revenue is often one of the first places financiers will look when evaluating your organization, and often the area that auditors look at most closely. Lack of confidence in the controls around revenue can raise concerns among the investor community.
4. A documented list of organizational policies
While this seems obvious, having robust guidance for your team is important. It sets the tone for how you want the organization to operate at a tactical level and provides a sound foundation across your key departments.
5. Three-way match
This control is as old as time itself. In the setup to your disbursement cycle, it provides you with the confidence that a purchase was authorized, you received the goods or services, and the invoice is in agreement with the purchase agreement. This is the bedrock of a sound “procure-to-pay” practice.
6. Cash disbursement review
Rolling forward from the three-way match is the review of disbursements. This is often the last checkpoint before cash leaves your organization. Is the vendor valid? Are changes they requested to their banking information valid? Do you have confidence that the payment is in alignment with the agreements and services received?
7. Adjusting journal entry review practices
This is one area that can go haywire quickly. A simple input error can turn a $100,000 adjustment into a million-dollar adjustment. Good governance in your accounting function will catch this before you prepare financials and have a panic attack, or worse, your auditor catches it. It’s also a key component of how an internal fraudster may try to cover their tracks. This, coupled with account reconciliations and segregation of duties, goes a long way in mitigating risk.
8. Estimate/judgment procedures
Much like adjusting entry controls, the underlying thinking and decision-making that go into those adjustments are vitally important. If someone needs to hit a target to trigger a bonus, it’s theoretically easy to adjust assumptions and alter reserves that require judgment. Having strong oversight and sound policies helps you dig in and question the “soft” numbers.
9. Variance review practices
Executive time is precious, often leading organizational leaders to rely on budget to actual (forecast to actual, variance to prior period, etc.) as methods to spot unusual activity and swings. To make this an effective process that identifies issues and creates value, leadership needs to specify thresholds at a level of granularity that will catch issues and warrant a deeper examination.
10. Service provider reviews
Many modern organizations don’t do everything themselves — it’s sound logic to outsource items that aren’t your core competency. Understanding what your service providers do to protect your company and ensure the data you give them is safe and processed accurately goes a long way in helping you sleep at night. Large service providers will receive a SOC-1 report — an opinion by a third-party firm to validate their internal controls and processes.
11. Delegation of authorities
This is often considered a check signing policy, but delegation of authorities goes much deeper. Who has agency? Who can hire? Who can fire? Who should be consulted when reviewing a contract? These are several of the attributes that should be in place to protect the company.
12. Banking controls
What controls does your financial institution have at your disposal? A sound suite of banking controls includes access to the banking portal, multifactor authorization for wire transactions, and clear signers for checks. This protects the organization from unauthorized disbursements even further than the three-way match and disbursement reviews.
Build your risk-prevention foundation
This isn’t the only list of controls available, but it’s a good base to build upon. For example, manufacturing and distribution organizations should consider adding inventory controls, while service companies may look more closely at areas such as percentage of completion revenue and change orders.
Regardless of industry, organizations should treat accounting controls — even the most fundamental — as a critical component of a healthy risk strategy. With a solid foundation in place, you’re better positioned to create a control policy that can evolve and offer a more nimble, strategic approach to managing risk.