Amid the upheaval of recent workforce shifts such as the Great Resignation and remote work, it's likely your financial processes have been disrupted more than you realize. As a result of constantly adapting over the past two and a half years, many companies find themselves vulnerable to weaknesses and deficiencies in the internal control framework of the financial side of their businesses.
Internal control frameworks were largely designed for businesses with in-office employees. It’s easy to maintain things such as segregation of duties when employees are in-house and have strictly defined roles. But if your staff is partly or fully remote, your control structures may need to be changed or updated.
Then there’s the Great Resignation. Most businesses have seen at least some turnover. As a result, they’ve lost institutional knowledge and had to deviate from the way the internal control structure was designed. If not addressed proactively, these changes can create gaps or the potential for deficiencies in your control framework.
Why Is This Important?
Internal controls get to the heart of a company’s financial integrity. They are designed to ensure that financial statements reflect materially accurate numbers. If you have a poor internal control structure, your financial statements will carry a higher level of risk of material misstatement. A well-designed internal control framework means more reliable, trustworthy financial statements.
What Are the Risks?
One of the riskiest parts of the current high turnover in the workforce is the loss of segregation of duties. If you lose a large part of your accounting staff, for example, will you still be able to accurately monitor cash out the door? If an employee with access to expenditures is also the person in charge of overseeing transactions, there may be conflicting duties. There is the potential for errors or fraud because that employee will have too much access to post transactions. This situation can easily happen when key staff members leave and the remaining employees absorb their work.
To prevent this, ensure different job duties have different access levels in the control framework. Employees in charge of expenditures, for example, should be on a separate level from the staff who review transactions.
Problems occur when an employee has access to multiple levels and the ability to do something without it being detected. For example, if a staffer has access to the checking account as well as the reconciliation system, they could create their own invoice, pay themselves, and hide the transaction. Similarly, someone with the ability to create journal entries in the general ledger should not be the person who reviews those entries.
This is partly to protect employees. If they have inappropriate access or abilities, there’s a high risk of inadvertent errors, such as paying the same bill twice, even when there is no fraud.
How Do You Know if Your Framework Is in Good Shape?
It starts with a design evaluation of the current framework to understand the gaps in the internal control framework. Does the way things are set up still make sense? A walkthrough of the design confirms the processes or reveals gaps and issues.
Once you have a design that fits the current state of the organization, the next step is testing, which can be required for some public companies and is a good practice for private entities. Check to make sure there are enough controls per financial statement assertion so that there are no gaps in the framework. This establishes the reliability of the financial statements.
If there are several deficiencies surrounding one financial statement transaction cycle, determine the severity of the problem. Does it constitute a material weakness, which would have to be reported to the SEC? If there are compensating controls, it could just be a deficiency, which can be kept internal. Judgment is needed in this gray area to determine if these deficiencies could lead to a material misstatement in the financials.
Review and testing should be thorough and look at how controls interact with one another. If you have, say, 25 controls on an expenditure cycle, and five of them fail, did the other controls compensate for the failure?
Perfection is typically unrealistic. A success rate above 90% is usually sufficient because a given control often compensates for others. Anything lower could attract greater scrutiny from investors or creditors, even if it doesn’t rise to the level of a material weakness.
Once you’ve assessed the state of your current framework, build change into the process. Ensure that controls are remote-work ready and prescribe how duties shift if personnel changes. There’s a lot you can’t control in today’s rapidly changing business and employment climate, but your internal controls are one thing you can.
Mary Wisenski is a partner in the assurance and advisory services practice at Connecticut accounting and advisory firm Fiondella, Milone & LaSaracina, LLP (FML CPAs).