Internal Controls of an Accounting System

Karen Doerner, CPA Shareholder - Auditing & Accounting   email | bio
June 2009

The economic events of the past two years, combined with the increase in government oversight, has dramatically changed our awareness of the nature and extent of business and personal risk. 

Public companies are required by regulations to formalize control procedures in writing as a method of controlling risk.  Sarbanes-Oxley comes to mind as one of the most recent regulations that requires a written internal control document.  In addition, in July 2009, the U.S. Securities and Exchange Commission (SEC) proposed new rules for public companies that would require disclosure of the board of directors' roles in managing risk.  Privately held companies, however, are not required but are highly encouraged to comply with these regulations.

So how does a privately held company manage risk in the current financial crisis?  Can enhanced internal controls reduce a company's overall business risk?

Let's start with the company's financial reporting (accounting) system.  An accounting system provides businesses with a uniform way in which to use its data and financial information.  A good accounting system must be complemented with a system of controls, and the controls play a key role in the success of any accounting system.  With the establishment of a formal written internal control document within the accounting system, management can:

• Create and expand guidance for implementation of the controls;
• Reduce the risk of errors and fraud;
• Focus on high-risk areas in order to lessen the chances of errors and fraud;
• Examine conflicting policies and duties (i.e. segregation of duties issues);
• Provide a system to create cross-training procedures; and
• Provide support for operational and performance decisions.

Of course, the internal control document should be continuously reviewed and updated for changes within its business environment.

Where should a company begin?  The process that management has identified as having the greatest risk of errors or fraud is the best place to start.

Written internal control documentation should continue throughout the process.  All aspects of the system should be examined in order to highlight areas that may result in errors or fraud.  Management should brainstorm with the individuals that work within the different levels of the process in order to obtain feedback that will support the internal control procedures.  The internal control documentation may be considered sufficient when:  specific risks of errors or fraud in the process are indentified, preventive controls are designed and put in place, a person assumes responsibility for the process, and written evidence is available to support the process.

Remember that even a strong internal control system does not provide absolute assurance that the company will remain free of errors or fraud.  Written internal control procedures should be implemented, reviewed and updated in the company's financial reporting system and every area of the business that the risk of errors or fraud may occur.  Failure to mitigate exposure to risks in every area of the business may open the door to errors and fraud that could cripple or destroy the entire company.

If you have any questions, please contact Karen Doerner.