Public companies are required by the Securities and Exchange Commission (SEC) to evaluate and report on their internal controls over financial reporting using a recognized control framework. However, private companies also benefit from implementing checks and balances to ensure the accuracy of their financial statements and reduce the risk of fraud. In addition, transparent reporting on these controls can increase confidence among lenders, investors, and other stakeholders in the company's financial results.
Develop an Auditor's Mindset
The American Institute of Certified Public Accountants (AICPA) defines control activities as "steps put in place by the entity to ensure that financial transactions are correctly recorded and reported." AICPA auditing standards also require external auditors to evaluate a client's internal controls as part of their audit risk assessment. Auditors often focus on three key control features:
- Physical Restrictions: Employees should have access only to assets necessary to perform their duties. Locks, alarms, and other security measures help protect valuable tangible assets, such as petty cash, inventory, and equipment. Intangible assets — including customer lists, lease agreements, patents, and financial data — should be safeguarded with passwords, access logs, and legal documentation.
- Account Reconciliation: Management should regularly verify and reconcile account balances. For example, bank statements should be reconciled monthly, and inventory counts should be conducted periodically. Interim financial reports, such as weekly scorecards or quarterly financial statements, are useful tools to keep management informed. However, these reports are valuable only if management reviews them and investigates anomalies. Supervisory oversight may include observation, test counts, inquiry, and task replication.
- Job Descriptions: Clear job descriptions and proper segregation of duties are critical controls. For instance, the person responsible for receiving customer payments should not also approve write-offs. Additionally, checks above a certain dollar amount should require dual signatures. Policies should also require job segregation, duplication of responsibilities, and mandatory vacations to reduce risk.
Auditors of private companies tailor their audit programs to address potential risks of material misstatement. However, unless specifically engaged to perform an internal control study, auditors aren't required to identify control deficiencies in detail.
Disclosures About the Control System
Audited financial statements may include footnote disclosures outlining the company's control environment, such as policies and procedures for risk management, compliance, and governance. These disclosures provide transparency and help build trust with stakeholders by offering insights into how the company ensures accurate financial reporting.
It's important to recognize that evaluating internal controls is an ongoing process, not a one-time assessment. Even though private companies aren't required to adhere to SEC regulations, a robust system of checks and balances is essential for achieving business goals.
We Can Help
Internal controls may be difficult for company insiders to evaluate objectively. Our auditors have extensive experience with control systems, both strong and weak, and can help assess the effectiveness of your controls. Contact us for more information.