Public companies are required to evaluate and report on internal controls over financial reporting using a recognized control framework under rules set forth by the Securities and Exchange Commission (SEC). However, private companies also need checks and balances to help ensure their financial statements are correct and reduce the risk of fraud. Additionally, transparent reporting about the control system can give lenders, investors and other stakeholders greater confidence in a business’s financial results.
Develop an auditor’s mindset
The American Institute of Certified Public Accountants (AICPA) defines control activities as “steps put in place by the entity to ensure that the financial transactions are correctly recorded and reported.” AICPA auditing standards also require external auditors to evaluate their client’s internal controls as part of their audit risk assessment procedures. They routinely monitor the following three control features:
- Physical restrictions. Employees should have access to only those assets necessary to perform their jobs. Locks and alarms are examples of ways to protect valuable tangible assets, including petty cash, inventory and equipment. But intangible assets — such as customer lists, lease agreements, patents and financial data — also require protection using passwords, access logs and appropriate legal paperwork.
- Account reconciliation. Management should regularly analyze and confirm account balances. For example, bank statements should be reconciled monthly and inventory should be counted regularly.
Interim financial reports, such as weekly operating scorecards and quarterly financial statements, also keep management informed. However, reports are useful only if management finds time to review them and investigate anomalies. Supervisory oversight takes on many forms, including observation, test counts, inquiry and task replication.
- Job descriptions. Another essential control is to have detailed job descriptions. Company policies should also call for job segregation, job duplication and mandatory vacations. For example, the person who receives customer payments should not also approve write-offs (job segregation). And two signatures should be required for checks above a prescribed dollar amount (job duplication).
Private company auditors tailor audit programs for potential risks of material misstatement. Still, they aren’t required to specifically perform procedures to identify control deficiencies unless they’re hired to perform a separate internal control study.
Disclosures about the control system
Audited financial statements may include footnote disclosures that describe the control environment, including policies and procedures for risk management, compliance and governance. These disclosures help build trust with stakeholders by providing insights into the company’s control environment and its effectiveness in ensuring accurate financial reporting.
Reporting on internal controls is an ongoing process, not a one-time assessment. Even if you’re not required to follow the SEC’s rules on evaluating internal controls, a thorough system of checks and balances will help your company achieve its goals.
We can help
Company insiders sometimes need more experience or objectivity to assess internal controls. Our auditors have seen the best — and worst — control systems and can help evaluate whether your controls are effective. Contact us for more information.
© 2024