The dozen accounting controls all organizations need
Accounting controls are necessary for organizations to operate efficiently and above board. The controls adopted vary depending on business type and need, but there are some that all organizations should consider. Here are our top 12.
Accounting controls — the procedures and methods used by organizations to operate efficiently and deliver accurate financial statements — are as varied as the organizations that employ them. Controls are specific to each type of enterprise and its particular needs.
And while there’s no “one-size-fits-all” control policy that applies to all organizations, some controls are so important that they should be universally adopted. Here’s our list of 12 controls that we think are essential to all organizations.
- Robust account reconciliations: This encompasses a meaningful examination of the detail transactions in an account, identification of the reconciling differences with supporting documentation, and a policy that governs an acceptable level of unreconciled differences.
- Understanding of segregation of duties (SOD): While organizations are usually aware of the SOD issues they face, many often don’t fully appreciate the associated risks. It’s important to get to a detailed layer of user roles and, more importantly, the capabilities and authorization outside your core ERP to understand the risks and how to monitor or mitigate them.
- Revenue recognition: In early finance classes, you may have heard the term “cash is king.” Expanding on this theme, it’s critical to have controls around how to recognize revenue for your method of accounting, whether it be cash, modified accrual, IFRS, or U.S. GAAP. These controls are essential in understanding your growth, and this is often one of the first places financiers will look when evaluating your organization.
- Suite of organizational policies: While this seems to be obvious, having robust guidance for your team is important. It sets the tone for how you want the organizations to operate at a tactical level and provides a sound foundation across your key departments.
- Three-way match: This control is as old as time itself. In the setup to your disbursement cycle, it provides you with the confidence that a purchase was authorized, you received the goods or services, and the invoice is in agreement with the purchase agreement. This is the bedrock of a sound “procure to pay” practice.
- Cash disbursement review: Rolling forward from the three-way match is the review of disbursements. This is often the last checkpoint before cash leaves your organization. Is the vendor valid? Are changes they requested to their banking information valid? Do you have confidence that the payment is in alignment with the agreements and services received?
- Adjusting journal entry review practices: This is one area that can go haywire quickly. A simple input error can turn a $100,000 adjustment into a million-dollar adjustment. Good governance in your accounting function will catch this before you prepare financials and have a panic attack, or worse, your auditor catches it. It’s also a key component of how an internal fraudster may try to cover his or her tracks. This, coupled with account reconciliations and segregation of duties, goes a long way in mitigating risk.
- Estimate/judgment procedures: Much like adjusting entry controls, the underlying thinking and decision-making that goes into those adjustments is vitally important. If someone needs to hit a target to trigger a bonus, it’s theoretically easy to adjust assumptions and alter reserves that require judgment. Having strong oversight and sound policies helps you dig in and question the “soft” numbers.
- Variance review practices: Executive time is precious, often leading organizational leaders to rely on budget to actual (forecast to actual, variance to prior period, etc.) as methods to spot unusual activity and swings. To make this an effective process that identifies issues and creates value, leadership needs to specify thresholds at level of granularity that will catch issues and warrant a deeper examination.
- Service provider reviews: Many modern organizations don’t do everything themselves — it’s sound logic to outsource items that aren’t one’s core competency. Understanding what your service providers do to protect your company and ensure the data you give them is safe and processed accurately goes a long way in helping you sleep at night. Large service providers will receive a SOC-1 report — an opinion by a third-party firm to validate their internal controls and processes.
- Delegation of authorities: This is often considered a check signing policy but delegation of authorities goes much deeper. Who has agency? Who can hire? Who can fire? Who should be consulted when reviewing a contract? These are several of the attributes that should be in place to protect the company.
- Banking controls: What controls does your financial institution have at your disposal? A sound suite of banking controls includes access to the banking portal, multistepped authorization for wire transactions, and clear signers for checks. This protects the organizations from unauthorized disbursements even further than the three-way match and disbursement reviews.
This isn’t the only list of controls available but it’s a good foundation to build upon. For example, manufacturing and distribution organizations should consider adding inventory controls, while service companies may look more closely at areas such as percentage of completion revenue and change orders. For help setting up or reviewing accounting controls in your organization, give us a call.