In the late 1990s and early 2000s the country witnessed accounting scandals at several large companies, such as Enron (which included Arthur Andersen), WorldCom, Rite Aid and Bristol-Myers Squibb. These companies were under pressure to satisfy investors' desire for profits, were trying to obtain loans on non-existent profits, and had to keep investor confidence high to keep revenues flowing in. In doing so, however, they cut corners and ultimately collapsed due to the lack of mitigating controls within their organizations, lack of management oversight and other acts of fraud. In 2002, Congress passed the Sarbanes-Oxley Act of 2002, also known as SOX, to help address these issues, as they were having a devastating impact on the world economy.
This legislation, specifically Section 404, changed how publicly traded companies handle their financial matters and the role of executive leadership within the organization with regard to management's assessment of internal controls. The U.S. Securities and Exchange Commission interprets this to mean “controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles as addressed by the Codification of Statements on Auditing Standards §319 or any superseding definition or other literature that is issued or adopted by the Public Company Accounting Oversight Board” (http://www.sec.gov/rules/final/33-8238.htm).
While there are many sections within the act, this review concentrates on Section 404, which deals with management's assessment of internal controls. Before moving forward with going public, a company should study all aspects of SOX and the pertinent sections related to this legislation.
LBJ has an interest in going public in the future and would like to know what steps it would need to take to comply with all regulations regarding internal controls. This evaluation provides recommendations to the leadership of LBJ Company for consideration of its internal controls under the Sarbanes-Oxley Act of 2002. SOX states that companies must develop sound principles of control over financial reporting and continually assess that the independent controls are working (Kimmel, Page 337). Creating an atmosphere of internal control with employees, customers and investors inspires confidence that the company is providing the mitigating controls necessary to prevent fraudulent activity. The goal of this review is to give the leadership of LBJ the resources and knowledge it needs to make fact-based decisions that move the company forward so that it can begin trading publicly. The areas of internal control that we will review are the control environment, risk assessment, control activities, information and communication, and monitoring (Kimmel, Page 338). For each of these components, we will look at the current practices of LBJ that are in compliance and at the items that need to be reviewed in order to meet current regulations.
Control Environment
As part of SOX, LBJ will have to establish a control environment within the company. The control environment reflects top management’s awareness and commitment to the importance of controls throughout the organization, and encompasses management integrity, ethical values, and operating philosophy (http://www.nysscpa.org/cpajournal/2007/307/essentials/p58.htm). A strong control environment supported by an ethical tone at the top is the cornerstone of a system of internal controls. One of the first recommendations for LBJ Company is the creation of an ethics policy for the company as a whole and for the board of directors to follow. This ethics policy statement should not only set expectations but also include disciplinary steps should the policy be violated. LBJ Company should also implement a balanced scorecard system. This system provides for internal assessment, improvement and reporting. It supplies management with key indicators that are linked to the company’s strategic plan, which includes items beyond just financial matters. A scorecard approach measures key factors such as: 1) financial; 2) customer; 3) internal business processes; and 4) learning and growth. Inducing improved performance to meet the strategic plan requires monitoring the company’s obligations to stockholders, creditors, customers, and employees.
These obligations rely on ethical systems that produce accurate, reliable and transparent financial information (http://www.nysscpa.org/cpajournal/2007/307/essentials/p58.htm).
A control environment can be broken down into hard and soft controls. Examples of hard controls are an organizational chart, assignment of authority, and policies and procedures. Soft controls are items such as ethics, competence and management’s operating style. In the case of LBJ Company we look at the assignment of authority that has been given to “long term employees”. While this may be a lean organization, the responsibility for controls rests with top management. Many of LBJ Company’s current practices related to internal controls would be found deficient with regard to hard controls that the company does not have in place. One example of a hard control deficiency is that the company is so lean that a predefined organizational chart does not currently exist; a soft control deficiency is the lack of an ethics policy for the company.
Risk Assessment
One of the most revealing documents a company can complete to expose vulnerabilities in its internal controls is a predefined Risk Assessment Questionnaire. Risk assessments are essentially surveys that look at four major areas within the organization: control activities, financial, information systems, and operational activities. An example of a risk questionnaire produced by the State of North Carolina can be found at http://www.osbm.state.nc.us/files/pdf_files/OIA_T15_SampleInterviewQuestionaire_IADirector.pdf. As part of ongoing risk assessment, organizations should have internal audits on an annual basis and an audit committee as part of the governing board, according to the Corporate Governance Standards in the New York Stock Exchange Code Company Manual (http://nysemanual.nyse.com/lcm). The development of internal audits and risk questionnaires will allow management to think about deficiencies in a timely manner so that it can respond appropriately within the organization.
Control Activities
Control activities are the backbone of the company’s efforts to address the risks it faces with regard to fraud (Kimmel, Page 338). There are six principles of control activities:
1. Establishment of responsibility
2. Segregation of duties
3. Documentation procedures
4. Physical controls
5. Independent internal verification
6. Human resource controls
1. Establishment of Responsibility
The establishment of responsibility is important when a task should be assigned to only one person. An existing practice at LBJ Company is the issuance of petty cash. Currently the petty cash is left in a drawer for anyone to use, and all they have to do is leave a note. This is an example of no responsibility being assigned to an employee to watch and account for this cash. The lack of assigned responsibility makes it impossible to find out who took funds from the drawer should monies come up missing or unaccounted for. In this example, petty cash should not only have a designated employee responsible for these funds, but some level of signatory authority should also be used, so that employees receive a signature from a supervisor or another staff person verifying that they are using these funds according to established procedures.
2. Segregation of Duties
Segregation of duties within an organization can sometimes be a daunting task, but when you map out the responsibilities of your current staff you may be able to meet this requirement by shifting duties among existing staff so that sufficient controls are in place. Two key elements to remember when looking at the segregation of duties are: 1) different individuals should be responsible for related activities; 2) the responsibility for record keeping for an asset should be separate from the physical custody of that asset (Kimmel, Page 339). An example of this in the LBJ Company is the role of the Treasurer and Controller. Currently this is one person within the company, but they are completing the tasks of what should be two different employees. Why, you might ask? Making one individual responsible for related activities increases the potential for errors and irregularities (Kimmel, Page 339).
So in the case of LBJ, the employee accepting checks for the company should not also be completing the bank reconciliations for the same company. The idea is that one employee receives all checks for the company and records them in the accounting system. A separate employee should then reconcile the system those checks were entered into against the bank statements received on a monthly basis. Without this segregation of duties between employees, a single person could manipulate the incoming checks and divert them to another account, so that they never go into the accounting system and are never deposited to be seen on a bank statement. The remedy, without hiring anyone, could be to allow the accountant on staff to complete the bank reconciliation as the check and balance.
3. Documentation of Procedures
When looking at internal controls, the best way to show that you have sufficient controls in place is to have documented procedures. In the absence of documented procedures in a standard operating procedures manual, the documentation used in the ordering, receipt and payment of assets can be just as useful when reviewed to show internal controls. For instance, LBJ is currently looking into purchasing an indelible ink machine to print its checks. This is a positive sign with regard to showing control activities. The checks are printed from a software system that has controlled access, identifying system users based on some type of username or other identifying characters. Showing the employee who entered the payments, the person who printed the checks, and lastly who signed off on the check registry against the actual printed checks demonstrates that you have documented procedures in this process to justify the internal controls for this area of the accounting office. The purchase of this indelible ink machine and the use of pre-numbered invoices are a positive first step in identifying the controls that you will need to move the company forward.
4. Physical Controls
In order for LBJ Company to protect its assets from potential fraud, consideration must be given to the physical controls that are currently in place and to those activities that are currently not controlled. Recently LBJ had to fire an employee for viewing inappropriate material on a work computer. However, a confession was needed to fire this employee because certain physical controls were not in place. The company should issue usernames and passwords to all employees to allow for the tracking of inappropriate behavior on its network. In addition to this physical control, the company could go one step further and deploy website blocking software on its network that prevents employees from viewing gambling, pornography, sales and other websites that are not appropriate for employees to visit during the workday. Examples of this type of software are Webscence (www.webscence.com), Barracuda (www.barracudanetworks.com), and K9 (www.k9webprotection.com).
Another example of a lack of physical controls is the holding of payroll checks by the accountant in his office until the end of the week. Currently the accountant puts the checks for pickup in his desk until the end of the week. These checks represent assets of the company and should be secured on a regular basis. Thus, the checks should be secured in a locked file cabinet or held in the safe on an ongoing basis and removed only when an employee arrives to pick up a check. Also, upon picking up a check the employee should have to show identification and sign for the check to ensure you are releasing it to the appropriate person. Failure to secure checks could cost the company money due to the re-issuance of lost checks, stop payment charges on checks that employees say they never received, or checks that were cashed by the wrong person.
5. Independent Internal Verification
The principle of independent internal verification is a key aspect of the checks and balances approach to internal controls. Companies such as LBJ should verify records periodically or on a surprise basis to verify that controls are being maintained (Kimmel, Page 339). An employee who is independent, and not the employee who initiated the transaction, should verify that the appropriate steps were taken. In my earlier example of cutting checks, we described a person verifying that the checks cut were actually on the check registry. This is an example of this verification step. The verification of these activities can be handled by a manager, another employee or a managing supervisor in the company. The verification process is an important step in the internal control process. Should a manager find an error or discrepancy, they must report the issue to upper management and take appropriate action. Failure to report anything that is found to be out of the ordinary would be considered a control deficiency, because while controls are in place for the transaction to occur, the control broke down at the verification step.
6. Human Resource Controls
Human resource controls are the front line of all controls within a company. While not foolproof, a company should take the necessary precautions before hiring someone to ensure that they meet the standards the company wants in an individual. For instance, everyone who handles cash within your accounting office or at cashier windows should be bonded. Bonding agencies provide insurance against cash theft, and they help screen all individuals before adding them to the policy. Bonded employees also realize that the bonding agency will vigorously prosecute all offenders who were bonded to handle cash (Kimmel, Page 344). LBJ Company can also rotate employees on a regular basis and ensure that employees take vacations. This not only allows employees to learn other skills in the office for redundancy, but also makes it more likely that any theft or fraud will come to light while an employee has been off for a while or rotated to other duties within the office (Kimmel, Page 344).
LBJ Company can also conduct thorough background checks on all employees it plans to hire. In a recent example, LBJ found that an employee was a felon who had been convicted of molesting children. While a background check may or may not have found this information, depending on how long the employee had been with the company, periodic background checks and policies that require employees to self-report convictions would have signaled to Human Resources that action needed to be taken before the termination. Another valuable tool is to run not only background checks but also credit scores as part of hiring for any positions in the executive ranks or business functions of the company. Potential employees with low Beacon scores or substantial debt may have the opportunity to explain if there is something causing this, but it may be a signal that they have a hard time accounting for their personal finances. As a company you will then need to decide whether, if they cannot handle their own income, they can handle the monies of the company, which are substantially larger.
Information and Communication
There is an expectation that LBJ Company will identify, collect, and communicate key metrics for the specific areas that are being audited. For instance, as a company you may want to achieve a standard in which the 85th percentile of all accounts payable is paid within 30 days, or you may want 90% of all travel reimbursement vouchers to be processed error free. These are a couple of examples of metrics you could use for a specific area. The metrics and their complexity can change from one department to another. All employees need to understand the control responsibilities and how those controls relate to the company at large. LBJ will need to put in place mechanisms for addressing customer, supplier, or employee concerns, complaints, and disputes in a timely manner (Applegate & Willis).
While all of these sound easy enough to handle in a company, they can be more daunting than you realize. It is almost necessary to designate an employee or group of employees to act as your ombudsman in handling these types of issues. Ombudsman programs are popular because they allow current employees to help the company and also expose them to areas of the company in which they would not otherwise work. For instance, you may have a forklift driver helping answer complaints against delivery drivers, or you might have accountants helping address customer issues related to deliveries. The nature of this type of program is to leverage existing employees, without hiring new ones, to help you mitigate this level of control within the organization.
Monitoring
While internal controls are important, they are only as effective as the monitoring of those activities. For instance, you do not want a department to create internal controls without third party oversight, because that in itself can lead to potential problems. Monitoring of these controls should be done by third parties not associated with the controls (Applegate & Willis). Some companies will set up a performance audit group made up of board members, executive staff and shareholders. While this group can take on many forms, some level of oversight is required to ensure that your internal controls have sound principles backing them. There are times when certifications held by your company may force certain monitoring to happen. For instance, many companies have adopted ISO 9000 type standards. By doing this you have agreed that many aspects of your company will be done the same way as at other companies that elect to be certified. This is helpful in monitoring, as you can allow other companies to sit on monitoring panels for you to ensure compliance in many of these areas of internal controls, deliveries, etc. In many instances, especially in government sectors, this is considered a peer review. Allowing other like-minded companies to review your practices, while you likewise evaluate theirs, is the ultimate form of transparency for your organization.
Summary
We have reviewed several criteria that LBJ Company would be required to meet to potentially go public in the near future. It is important to understand that internal controls and the legislation that supports them are not meant to impose a financial burden on the company. In some instances examples have been provided to prevent just that. The value of internal controls is now well documented, as it has been 11 years since the passage of SOX. While many companies that are not publicly traded are not required to use internal controls, they have proven to be a useful tool in many areas. Governments, universities, small businesses and others have seen the benefit of using internal controls in how they handle the business of their organizations. Consumer confidence in entities that have internal controls has increased over time (Kimmel, Page 338). The most important point to take from this brief is that the goal is to prevent what is known as the fraud triangle (Kimmel, Page 337). LBJ Company wants to put measures in place that deny employees the opportunity to commit acts of fraud in the workplace.
The control mechanisms should deny employees the opportunity to commit an act such as stealing from the company. Secondly, the controls should help prevent employees who are feeling financial pressure from committing theft or fraud. By having the appropriate human resource controls in place, the goal is to have employees who are not so stressed about their personal finances that they begin to think about the “what if”. Lastly, the internal controls of LBJ Company should prevent rationalization by dishonest employees. By moving employees around and having checks and balances, monitoring, and information and communication, the organization should be able to keep idle minds busy so that no employee commits fraud within the organization, no matter how they may rationalize it in their minds. By keeping the above principles in mind, with appropriate planning and implementation, LBJ Company should be able to build a successful model that allows the company to go public in the future. Should the company decide not to go public, these practices can do nothing but improve the operational integrity of the company and bring goodwill from investors, creditors and customers.
1. Applegate & Willis (1999). Struggling to incorporate the COSO recommendations into your audit process? Institute of Internal Auditors December 1999.
2. Kimmel. Financial Accounting (6th ed). John Wiley & Sons. Retrieved from http://devry.vitalsource.com/books/9781118233634/idBlll7-1