By Jonathan Bayeff, Holtzman
With investment opportunities on the rise, what are some basic expectations you should have from your investee as regulations continue to tighten? Whether you are a venture capitalist or a private equity firm, you need to know that you are making a sound investment. In this article, we will give you a detailed breakdown of the key internal control expectations you should have when investing in a company. These controls will help you minimize the risk of fraud.
Investors should look for the following three critical elements in potential investees as part of due diligence: 1) Tone at the Top, 2) Segregation of Duties, and 3) Policies and Procedures. Let’s take a closer look.
1. Tone at the Top
The first key element to have from your investees is an established tone at the top, meaning an ethical environment fostered by the Board of Directors, Audit Committee, and Senior Management. A good tone at the top encourages positive behavior and helps prevent fraud and other unethical practices.
There are three elements to fraud: pressure, rationalization, and opportunity. Pressure motivates the crime; it could be caused by debt, greed, and illegal acts. Individuals who have financial problems and commit financial crimes tend to rationalize their actions. They may feel that they are entitled to the money, they may feel that they are underpaid, or they may simply think that they are “borrowing” it and have every intention of paying it back. If they have the opportunity to commit fraud and believe they will get away with it, they may just do it. It is the responsibility of the Board of Directors to select and monitor executive management to ensure best practices are in place.
2. Segregation of Duties
The second key element to look for in companies you are thinking about acquiring is well-established segregation of duties. The idea is to establish controls so that no single person has responsibilities that would allow him or her the opportunity to commit fraud. Companies must make it extremely difficult for any employee to have the opportunity to perpetrate a crime and then cover it up.
Did you know there are three types of controls that help reduce the risk of fraud: preventative, detective, and corrective?
- Preventative controls seek to avoid undesirable events, errors, and other occurrences that an enterprise has determined could have a negative material effect on a process or end product. Preventative controls are the best kind because if they are designed correctly, they prevent an undesirable event from happening.
- Detective controls exist to detect and report when errors, omissions, and unauthorized uses or entries have already occurred.
- Corrective (also called compensating) controls are designed to correct errors, omissions, and unauthorized uses and intrusions once they are detected.
Preventing Misappropriation of Assets
An important component of segregation of duties is to prevent the misappropriation of assets. Here are some examples of best practices for various kinds of assets:
- Cash Receipt: have at least two individuals receive and record physical cash or checks, with one person opening the envelopes and another recording the amount of money in the accounting system.
- Accounts Receivable: have two people: one to record cash received from customers, and another to provide credit memos to customers. (If one person performs both functions, it creates the opportunity to divert payments from the customer to the employee and then cover the theft with a matching credit to the customer’s account.)
- Cash Reconciliation: have at least two people: whoever authorizes, processes, or records cash should not be the individual who performs the bank reconciliation to the general ledger.
- Inventory: have at least two people, so that whoever orders goods from the suppliers is different from whoever logs the goods received in the accounting system.
- Payroll: have at least two people: one compiling gross and net pay for payroll, and another who verifies the calculation. (If the same person performs both functions, it allows the opportunity to increase personal compensation and the compensation of others without authorization. It also provides an opportunity to create a fictitious payee and make corresponding payroll checks.)
3. Policies and Procedures
The third key element to have from your investees is well-established policies and procedures. Make sure that any company you are thinking of acquiring has a Delegation of Authority (DOA) or Signature Authority Matrix (SAM). The DOA is a policy where executive management delegates authority to the management of the company. These individuals should be considered appropriate to fulfill the delegated roles and responsibilities. The DOA should be reviewed at least annually. Subsequently, it is important to ensure that the DOA is being followed and that approvals do not deviate from it. Any such anomalies need to be reviewed and approved, and they should be minimal and rare. Constant deviations from the DOA may be a sign that it needs to be restructured.
A second essential policy and procedure is restricted computer and application access, to protect sensitive company financials and proprietary data. The company should have a robust control environment and maintain computer logins and password access on a need-to-know basis. Access should be granted only by the owner of the application or system and subsequently logged by the administrator. With more employees working remotely than ever before at most companies, having a good IT controls environment is essential.
After spending time, money, and energy to find perfect investments, you want to make sure you do not end up buying a company in great danger of being compromised due to poor internal controls. The three key internal control elements discussed above ensure that risk is minimized.
Here to Help You
Since the inception of the Sarbanes-Oxley (SOX) Act, Holtzman Partners has helped clients to design and maintain a system of internal control over financial reporting. Whether you are looking for a full-blown internal audit team, or simply a SOX veteran to consult, we have you covered. Our SOX Readiness & Compliance team has expertise in a multitude of industries, and decades of experience among our Partner group. If you would like a detailed consultation around internal controls that especially pertain to your company or industry, our team is ready to help. Get in touch!