Professional services firms: Are your internal controls up to par?
Internal controls are critical to safeguarding the assets of professional services firms — and to overall performance. Without controls, you’re less likely to detect errors, fraud, and other common risks. Here’s how to ensure your internal controls are effective.

As much as we all would like to think that our businesses won’t experience financial reporting errors, cybersecurity breaches or any number of other potentially catastrophic events, the reality is that they can — and do.
Not only are we seeing such events occur with greater frequency, we’re also seeing them occur with greater velocity. One minute, things are fine; the next minute, a server has been hacked — and, without access to necessary data, business comes to a halt.
One minute, things are fine; the next minute, a server has been hacked — and, without access to necessary data, business comes to a halt.
Whether the catastrophic event is a high-velocity cyberattack or an embezzlement that occurs over a decade, the problem often comes down to the same thing: a failure of internal controls.
Professional services firms are at greater risk
From architecture and engineering firms to law firms (and everything in between), professional services firms are at heightened risk.
The reasons why include: operational, reputational, and financial. In an effort to meet client needs and expectations, many firms give their own operational needs short shrift — delaying a software upgrade because the package they’re currently using is good enough or postponing that staff cybersecurity training to a less busy time, for instance.
In addition, since professional services businesses are built on strong relationships with clients as well as vendors and other service providers, it can be easy to forego proper due diligence before engaging.
That focus on client service also may mean that internal functions like accounting can wear a little thin. Errors — even in the absence of fraud — can cost you big-time. Not only can they impact partners’ tax liabilities, but misreported financials can lead to issues like violations of debt covenants.
Questions to ask about your internal controls
It’s never too early or late to start the conversation about strengthening or establishing internal controls. Begin by asking your accounting and finance team these questions:
- How, specifically, are we addressing the risks our organization faces, including cybersecurity, fraud, and financial reporting errors? What internal controls do we have in place? In more than 50 percent of fraud cases we see, the organization simply didn’t have a control in place to address the risk.
- How recently have our internal controls and related policies and procedures been updated? Having an existing policy is good, but does it align with the way your business operates today?
- What controls do we have in place around accounting accuracy? There should be processes in place for monitoring write-offs, reconciling accounts, disbursing cash, and making journal entries. Do you have a designated financial review committee? Are you ensuring proper segregation of duties?
- What about our controls for engaging with vendors, service providers, and prospective clients — does our organization have consistent review practices in place that reflect our current operations? Practices that involve direct contact (i.e. phone calls) with known individuals at your vendors’ and clients’ organizations can often prevent issues related to cyber frauds.
- Do we have an effective, reliable process for gathering and analyzing data? It’s important to have the technology and processes to collect and export the data you need to perform analytics.
- If our business is internationally active: Does our organization have strong controls in place to ensure we meet the provisions of the Foreign Corrupt Practices Act (FCPA)? In light of the Yates Memorandum in 2015, the U.S. Department of Justice stepped up enforcement and actions against organizations that violate FCPA. It’s important to ensure your foreign operations are well-versed in what is acceptable and what’s not.
- How are we training our staff? Are our employees aware of the risks our organization faces and how to detect or prevent them? As examples, have staff been trained on how to identify a suspicious phishing email or a fraudulent request from a so-called vendor to reroute wire transfer payments to a new bank account?
The answers to these questions will help you identify areas of weakness that could benefit from new or stronger controls.
High-performing organizations
Unfortunately, it’s not uncommon for business leaders to consider controls a hindrance, a drag on efficiency, and hasty decision-making. This mindset represents a missed opportunity. A strong structure of checks and balances enables operational excellence. Professional services firms with good internal controls become more systematized and reliable. Judgment calls and inconsistency in discretion are no longer part of the equation. Particularly for firms in growth mode, a strong system of internal controls provides an excellent roadmap to integrating a new acquisition or a greenfield investment.
Particularly for firms in growth mode, a strong system of internal controls provides an excellent roadmap to integrating a new acquisition or a greenfield investment.
Bottom line: Strong controls demonstrate that your organization has carefully thought through all of its activities and processes. And, as a result, internal controls guide you to make better business decisions that align with what you’re trying to accomplish.