Using Internal Controls to Lay a Strong Foundation
Internal controls are like a hard hat for your business. Just as you would never walk around a job site without taking simple steps to protect yourself, establishing a structure and culture that protects your business from fraud and theft is nothing more than the bare minimum in safety protocol.
Having served the construction industry for several years, I have conducted audits of companies that understand how strong internal controls can deter fraud and have also witnessed the unfortunate effect when weak controls have left the door open to temptation and harmful behavior.
The benefits of effective internal controls range from improved efficiencies to the prevention of fraud.
Let us explore the importance of internal controls, the most common control deficiencies found in construction companies, and several corresponding actions that can be taken to alleviate these deficiencies.
Conditions for Fraud
Fraud is as ancient as the construction industry itself, so be mindful that it can affect any organization—no matter the type or size.
Furthermore, three conditions tend to be found whenever fraud occurs: incentive (pressures), opportunity and rationalization.
Our ever-changing economy has renewed our appreciation for the fact that everyone faces financial pressures throughout life and, while most of us will find ourselves with an opportunity to commit fraud at some point, the majority cannot rationalize committing a crime and therefore are unlikely to act upon it. Nonetheless, as pressures intensify, an individual becomes increasingly more likely to rationalize fraudulent activity where the opportunity exists.
Installing the Insulation
Although it is difficult to fraud-proof your company, there are many simple and yet effective controls that can be implemented to prevent and/or detect fraud. As the economic environment worsens, pressures and incentives are at an all-time high. At the same time, as companies reduce their overhead to cope with the economic downturn, internal controls are loosened—creating opportunities for fraud.
The following is far from all inclusive and relates to matters that could lead to fraud via misappropriation of assets. Owners should also keep in mind the other type of fraud—fraudulent financial reporting.
Payroll is one of the most common areas where control deficiencies exist. Usually, multiple employees have access to the payroll system and have the authorization to create new employees or change their information. Given the nature of the construction industry, payroll costs tend to vary significantly from period to period depending on the number of ongoing projects, thereby impacting the number of employees currently employed and the overtime incurred.
One concern to which you should pay particular attention is the ability for employees with access to the payroll system to add “ghost” employees to the database or give themselves raises without prior approval. The likelihood of these fraudulent transactions being detected is extremely low and even lower when the company has a significant number of employees.
A common response of management to such a discovery is, “Joe has to approve all raises…” However, there is no system control in place to prevent the person from changing a pay rate.
Management will commonly also question the significance of the potential exposure, stating that any loss would not be material. The rebuttal to this statement is that fraud, whether material or not, is never acceptable. Additionally, “immaterial” amounts can easily add up to significant losses over time.
Although segregating the payroll functions among various independent employees is the optimal control to overcome this deficiency, it is often impractical and unfeasible for many companies. But don’t panic as other less costly, but still effective, alternatives exist.
For example, companies that use a service provider to process payroll can take advantage of the payroll reports included with payroll package each pay period. These reports usually detail all changes made to the payroll database, including pay rate changes and employees added. Someone independent from the payroll function should receive these reports directly and review them. Any unusual changes should then be investigated. Companies that do not use a service provider to process payroll should consult with their IT personnel or with the software developer as these reports are usually available or can be easily generated.
Furthermore, companies should compare the monthly payroll expense to the budgeted amounts and investigate any unusual or unexpected variances. If your company does not have a formal budgeting process, then this would be a great time to start. Budgets can be great tools when tailored, monitored and adjusted.
It is very common for project managers to originate, authorize, purchase and sometimes even receive goods. This lack of segregation of incompatible duties creates an opportunity for such fraudulent activity as kickbacks from vendors and/or personal use of the company’s resources to occur.
While many companies have policies requiring multiple quotes before a vendor or subcontractor is chosen, there are no controls in place to monitor that these policies are being followed or to ensure that the lowest cost (and qualified) provider is selected.
The optimal control to prevent fraud is to assign the purchasing function to another individual, such as a purchasing agent. However, this solution requires additional resources which many companies do not have.
An alternative to mitigate the effects of this deficiency will require more involvement from management. Members of management should review purchases in excess of a certain dollar amount, review job costs incurred in detail, scrutinize vendors used and identify any patterns (i.e. project manager always favoring one particular vendor/subcontractor), and compare the actual subcontract amounts awarded to the original bids gathered by the estimating department to ensure that the most cost effective subcontractor was selected.
In addition to the above, management should also review the gross profit by job and investigate unexpected changes. However, caution should be exercised when reviewing the gross profit by job as changes might be disregarded if not considered significant. These seemingly “small” changes can add up to a significant amount when analyzed in actual dollars depending on the size of the project.
Consider including the original estimated gross profit in the work in progress schedule as well as the current gross profit. If only the current gross profit is kept and compared to the previous month’s gross profit, identifying projects that have significant changes over time would not be possible.
Fraud through the creation of fake vendors is also common. An employee might simply take an existing vendor and change the corporation type from “LLC” to “Inc.” The check signer is unlikely to notice such a subtle change and could easily approve the disbursement. The employee committing fraud creates a bank account with the new name and deposits the funds.
To address this risk management should limit the ability to create new vendors to employees who are not authorized to approve expenses and are independent from check processing and signing. Additionally, management should periodically review the vendor listing for unusual entries or duplicates and disable vendors not used.
It is common practice for the chief financial officer (CFO) to have check-signing authority and access to the general ledger, which, since they hold significant power, may lead to misappropriation of assets. Management should evaluate the functions performed by the CFO and determine whether access to make changes to the general ledger is relevant to this individual’s job responsibilities.
In some companies, the CFO performs top level reviews and therefore “read-only” access to the general ledger could be sufficient to fulfill their responsibilities. When the CFO is more involved in dayto- day accounting processes, granting full access to the general ledger would be necessary. In these situations, someone without check signing authority should reconcile the bank statements. The same controls should be applied over wire transfers.
So, how do you begin assessing your current controls to determine if they are sufficient? Well, you can begin by requiring employees to write down their functions, responsibilities and processes. Then, one individual can compile the processes and identify those that are interconnected. Through this exercise, controls in place (or lack thereof) will be identified.
As a byproduct of this exercise, you will have created a procedures manual that can be used for training purposes and reviewed your employees’ workload to determine the adequacy of your organization’s staffing needs.
Once you have compiled all your processes and procedures, identify all of the existing controls and the areas where controls are needed. Then, design effective controls for these areas and include them in the company’s policies and procedures manual.
Now that you have controls in place, make sure you are monitoring them throughout the year and that they are operating as intended (implemented properly). Remember that controls are only as good as the people who implement them. If anyone with authority overrides internal controls, the whole internal control structure will breakdown, leaving the company at risk. It is important to set the tone at the top and lead by example so this does not occur.
Some other worthwhile steps to take include paying attention to significant changes in your employees’ lifestyles, creating reports detailing posting dates and reviewing them for unusual dates and times (such as nights and weekends), maintaining a skeptical attitude at all times, establishing a whistleblower policy and hotline, and encouraging employees to report fraudulent activity.
Communicate your company’s zero-tolerance policy for fraud with your employees, maintain open communication with vendors and suppliers about the company’s policies and request they not send gifts to your employees.
Also, never assume that because someone has been with your company for several years and has been a loyal employee that they will never commit fraud. Throughout my years as a construction auditor, I have seen individuals with key managerial positions and more than 20 years with a company commit fraud.
Last but certainly not least, if you detect fraud in your organization, terminate the individual and ensure that you report the incident to the authorities. Simply terminating an employee and sweeping the problem under the rug will send the wrong message to the rest of your staff. Furthermore, the fraud perpetrator will be able to apply for employment at another organization and you will not be able to discuss the incident with the new employer. As a result, the individual, having left with your funds and an unblemished resume, will be free to strike again.
Dalia Pearson currently serves as an audit manager with McGladrey & Pullen LLP, a leading national CPA firm. Pearson has served the construction industry for more than six years. In 2007, the South Florida Chapter of Young Constructors Forum, a division of The Associated General Contractors of America, named her as Member of the Year. Pearson is also the chairman of the organization’s Young Constructors Forum. She can be reached for questions at (800) 966-0428 or email@example.com.