The Internal Controls of Your CPA Firm

A strong internal control system for your PA accounting or CPA firm is critical for the accuracy, compliance, and internal security of your firm. If you haven’t developed an internal control system yet, take these steps to start. If you already have a system, go through these steps regularly to ensure it is functioning optimally.

If you are a firm of one, you may benefit from understanding risk management and mitigation, but you may not be able to apply all these steps. However, if you have employees, it is important to apply whatever internal controls you can.

There are many aspects to internal control, but they can be summarized in three steps: risk assessment, control activities, and communication.

Risk Assessment

The first step is to ensure that your management team understands the importance of internal control and that you get their buy-in. Then, together, you can begin the risk assessment.

Going through each of the functions of your firm, ask what kinds of vulnerabilities exist in the areas of cybersecurity, compliance, operations, reputation, and professional liability. Ask yourself:

  • What laws and regulations apply?

  • What are the risks of human error?

  • What are the risks of fraud?

  • Where are the compliance risks?

  • What is the likelihood of each of these risks?

  • Do we have a crisis management or business continuity plan in place in case of an emergency?

Control Activities

In risk assessment, you asked yourself, “What can go wrong?” Now you develop the controls and monitoring to significantly mitigate the risk.

First, list the steps taken in each of your critical accounting functions. This includes client work as well as your own firm’s accounting. The key component of internal control of financials is the segregation of duties. In a smaller firm, this may be a challenge.

A significant risk of inadvertent error or intentional fraud arises when the same person authorizes payments, signs checks, enters vendors into the system, and reconciles bank statements. The simple answer is to give each step to a different person.

If this is not possible, you should at least have bank statements reviewed by a third party for appropriateness. Another solution is to create a policy of “surprise audits” at least twice a year. Write the policy to allow for a broad range of bookkeeping aspects that may be reviewed so that the sole bookkeeper is aware that every aspect of his or her work may be analyzed.

Other control activities may involve limiting the number of people who have access to passwords or keys, installing and continually updating cybersecurity software, protecting sensitive data via professional shredding, and applying security procedures for those who work from home.

Communication

As you develop the procedures and policies for each function of your firm, you will need to create a clearly written document that includes not only all policies and procedures, but also all steps to monitor these internal controls. The controls will be worthless if they are not used, and if you don’t monitor their application, you won’t know they aren’t used until it’s too late.

The document should also include clear messaging about the importance of these controls and any consequences for those who intentionally do not follow them. Of course, to avoid any unpleasant consequences, be sure to thoroughly train your staff on the controls and provide regular reviews.

Benefits

Instituting internal controls benefits your firm by decreasing your risk of errors, fraud, or business liability. It also helps attract high-quality clients who are looking for a professional financial expert who understands the importance of safety and security and practices it both internally and for the firm’s clients. If you have any questions about internal controls, reach out to our PSTAP members on our member portal. They are always happy to answer questions from other financial professionals.