Assessing the effectiveness of your internal controls

By Randy Bonnecaze

Construction-company owners often give three basic excuses for not implementing better internal controls: 1) They don't have enough staff to adequately segregate job duties, 2) They believe establishing an ideal control environment would be too expensive, or 3) They trust their employees enough not to feel threatened by fraud. In reality, each of these arguments represents a pitfall that could cost these companies a fortune in lost money, wasted time and diminished morale.

Fact is, valid counterarguments exist for virtually any contention against internal controls. For instance, you can address the problem of not having enough staff or other resources via outsourcing or simply more carefully guarding business functions. And if internal controls seem too expensive, bear in mind that fraud's full cost goes far beyond lost funds or equipment: You also need to consider the expense of time spent investigating the matter and of finding, training and hiring a new employee.

Last is the issue of employee trust. Sure, most workers are trustworthy and responsible. But though openly recognizing this fact should play a key role in your employee relations, you must remain objective as well. Sadly, often the most trusted employee commits fraud. Getting worried? Then read on to learn more about how to assess the effectiveness of your construction company's internal controls.

Defining the term. An internal control is a procedure that safeguards your construction company's assets and other resources and assures you that employees use those assets and resources as you have directed. Collectively, internal controls should work together in a formal plan that:

Protects your assets from fraud and other criminal activities,

Lessens exposure to risks that could prevent your company from achieving its financial and strategic objectives,

Verifies the accuracy and reliability of your financial data (accounting controls),

Promotes operational efficiency (administrative controls), and

Encourages adherence to prescribed managerial policies and laws.

Each of these internal controls can be detective, corrective or preventive. Detective controls identify errors or irregularities that may have already occurred, corrective controls rectify detected errors or irregularities, and preventive controls keep mistakes and wrongdoings from happening again. Please note: An internal control should never be a single task performed only at a certain point in time. Rather, each one should be an ongoing operating procedure that affects all company levels.

Recognizing the limitations. Unfortunately, no matter how well you design your internal controls, they can provide only reasonable assurance that you'll prevent fraud and achieve your strategic objectives. Some limitations inherent in any internal control system include:

Human error. Even the most skilled, hard-working employees can make mistakes. Thus, decisions made under pressure and based on only the limited information on hand - which occur quite often on hectic, sometimes chaotic job sites - will limit your controls' effectiveness.

Equipment or technological breakdowns. Errors may also result from new technology and the complexity of computerized information systems. Employees may not receive adequate training, or the technology itself may contain flaws. Also, as you know, construction equipment can break down, causing workers to cut corners and break rules.

Management overrides. High-level personnel may override prescribed policies or procedures for personal gain or advantage. Don't confuse this with management intervention, which is when management actions depart from prescribed policies and procedures for legitimate purposes.

Employee collusion. Workers can circumvent your control system by colluding with one another. Employees cooperating - in the worst way possible - may alter financial data or "misplace" physical assets in a manner your internal controls can't detect.

Overcoming the obstacles. So how can you keep these shortcomings from short-circuiting your internal control system? A good place to start is by evaluating your company's current controls and identifying and addressing any weaknesses. To do so, compare your internal controls with the following seven objectives and improve any areas that don't measure up:

1. Secure authorizations. Ensure that responsible personnel approve all financial transactions according to specific guidelines before each transaction occurs and is recorded.
2. Valid transactions. Confirm that all recorded transactions fairly represent the economic events that actually occurred, are lawful and were executed according to your authorization.
3. Complete records. Verify that no valid transactions have been omitted from your accounting records.
4. Accurate data. Make sure all valid transactions are accurate, consistent with the originating transaction data and timely recorded.
5. Well-guarded physical assets. Check that you control access to physical assets and information systems and properly restrict these items to authorized personnel.
6. Effective error handling. Make certain that errors detected at any stage of processing are promptly reported to the appropriate level of management and, of course, corrected.
7. Segregated job duties. Take care that you assign duties to employees in a way that ensures no one worker can control both a transaction's processing and recording.

An internal control system that meets most or all of these objectives will provide a formidable defense against costly mistakes and criminal activities. But remember that every manager (from yourself on down) is responsible for creating and maintaining successful internal controls.

And your employees aren't off the hook either: They must report the operational problems, deviations from established standards, and violations of policy or law that trigger your internal control system and protect your company.

Ensuring your success. As the economy continues to challenge construction companies everywhere, the need for internal controls is more important than ever. These days, having a successful system in place is more than a necessary evil required by auditors. It's just good business.

Editor's Note: Randy J. Bonnecaze is a Certified Public Accountant (CPA) with Hannis T. Bourgeois LLP, Baton Rouge.