A little over four years ago, the Sarbanes-Oxley Act (SOX) was signed into law. The most significant provision was Section 404, which requires corporations to conduct an annual assessment and report on the effectiveness of their internal financial controls.
While SOX applies to publicly traded companies, the office of the New York State Comptroller instituted the requirement in response to the much-reported school district scandals on Long Island. The New York State Attorney General has also applied comparable provisions to not-for-profit entities. As expected, these concepts are filtering down to smaller and smaller companies. In fact, this year The American Institute of Certified Public Accountants has issued eight statements on auditing standards, focusing on the internal control and risk assessment issues highlighted in SOX. While early application of these statements is recommended, application is not required for audits conducted prior to calendar year 2007.
While SOX has the most name recognition regarding the internal control issue, publications of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) are the real authority. COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal control and corporate governance. The group established the most popular framework for internal controls, focusing on the tone set by top management, internal accounting and audit function and establishment of audit committees. A new guidance initiative for smaller businesses is expected as the period for comment has expired. The guidance is expected to reinforce the broad applicability of the integrated framework to organizations of all sizes.
Control and Compliance
Given this environment, this may be a good time to review the basic internal controls that should be in place in any small business—including your building. Internal control is a process implemented by an entity’s board of directors, management and other personnel. The internal control process is designed to provide reasonable assurance of the effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations.
In the past, many building boards simply accepted the internal control processes they inherited from their managing agents. The amount of board oversight over the managing agent varied a great deal, depending on the relationship between management and board. It could be formal, or less than formal. Regardless of the cordiality of the relationship however, it is imperative that all boards understand and exercise their oversight responsibility. No better internal control exists than curious board members utilizing a scheduled approach to review of the day-to-day issues affecting their building. This should include a review of the monthly management report, paid invoices, bank statements and reconciliations prepared by the managing agent. While such detailed review can be assigned to the treasurer and/or a finance committee, each board member should not be afraid to ask questions and request information until they fully understand the issues being presented to the board.
Further, your board also needs to assure sound integrity and ethical values for all involved in the building. It is the buildings with boards that rarely meet, where one person makes all the decisions, where no one has the time to review the managing agent reports, and where commonsense questions go unanswered that have a significantly higher risk of theft and improper financial reporting. Many of these problems are direct results of the tone being set at the top, and correcting such situations is an important aspect of COSO.
Another part of the COSO framework that is applicable to all corporations is control over the processing of internal accounting and audit functions. Fundamental internal accounting function controls include reconciliations, approval procedures involving the segregation of duties (called supervisory review) and basic input controls, among others. As mentioned earlier, it was the norm in days past to accept whatever practices were used in the managing agent’s office. Along with conducting internal audits as a function of your building’s integrated control framework, it’s a good idea to involve a periodic re-evaluation of the financial controls used by your management company as well.
More Control Basics
I’d like to first review some of the more important fundamental internal accounting control concepts and then suggest a simple internal audit function role that might be utilized in your building.
Let’s start with the basics of internal control. I can’t stress enough the importance of internal controls. These should exist for almost all procedures and processes, including approving invoices for payment, signing checks, managing human resources and handling receipt of correspondence. Accountants often use the phrase “cash is king,” and many of these fundamental controls involve cash—either your operating/checking or reserve/money market or brokerage accounts. There are controls to assure all funds are properly received, deposited and recorded, and that no unauthorized funds are withdrawn. Many board members forget that their managing agent may be handling a portfolio of perhaps dozens of buildings. Even with a seasoned, experienced manager, it’s not unheard of for funds to be mistakenly deposited into the wrong building’s bank account.
In order for mishaps like these to be resolved quickly, it’s vital that controls over funds received include utilization of a lock-box, use of a restricted deposit endorsement stamp, and the prompt preparation of bank reconciliations. It’s important for bank reconciliations to be prepared for all bank accounts—not just the operating/checking account.
Just as important as these basic cash controls is the segregation of duties within your building’s financial hierarchy. Segregation is vital to the proper recording of your cash transactions and your protection from misappropriation of your building’s funds. Let’s start with the operating fund account. Previously, I mentioned the use of a lock-box and a restricted endorsement stamp. The lock-box allows an independent party—namely your bank—to record the receipt of cash. Instead of the check being mailed to the managing agent, who then turns it over to an accounts receivable bookkeeper to deposit it into the bank and record it to the proper account, the bank directly deposits the check and forwards electronic record information to the managing agent. This is the most important part of the control, and automatically satisfies the need for segregation of duties between the individual who posts a unit owner payment and the individual maintaining the arrears records. Thus, after the lock-box, segregation of receivables duties can be limited to the use of a restricted endorsement stamp, and a person independent of the accounts receivable bookkeeper approving credits to owner’s accounts and preparation of bank reconciliations.
Let’s now turn to expenditures. Here the segregation is between the individuals who prepare the checks and those authorized to sign checks. Another layer of protection is added when dual signatures are required for checks over a set amount. In this industry, it is common for the second signature be waived for certain non-discretionary expenditures, such as mortgage payments or other recurring monthly payments. Due to the lack of an invoice to examine, expenditure controls should also exist over payroll. There should be separation of the supervision of employees and the payment of payroll. In any case, I suggest that every building periodically review their expenditure policies. Besides controls over the building’s operating account, there should also be controls over transfers between accounts. That might mean involving senior management or members of the board. At the very least, copies of the monthly bank statements for accounts other than the operating account should be reviewed by a member of the board.
Segregation does not stop with cash. To make sure that any discrepancies in the accounting records are not hidden by a bookkeeper, the receipt of correspondence and recording of transactions should be separated. This way, an letter from a unit owner complaining that they did not get credit for payments made or repeated requests for payment from a vendor won’t fall on deaf ears.
Another form of protection from the types of fraud perpetrated in the Long Island School Districts can be had by requiring that invoices be processed by someone other than the person maintaining unpaid invoice records. The school districts learned the hard way that the lack of segregation of duties in a small accounting department offers opportunity. Another area where your building should assure segregation of duties is in engaging services or ordering supplies and the approval/payment of vendor invoices. Here too, the separation of tasks offers protection from loss.
One area on which any good basic control program must focus is the importance of board governance and establishing a supervisory role over operations. Recent corporate boardroom scandals—such as what has occurred at Hewlett Packard, for example—demonstrate the more involved role boards are taking in their day-to-day operations. No longer is it considered adequate for a board to simply rubber stamp their management’s decisions. Enhanced board oversight is an important internal control.
As outside auditors, we verify that at least one individual—usually the treasurer—reviews the monthly management report prepared by the managing agent. Such review should include a review of the report and copies of the paid invoices and bank reconciliations/statements. No formal internal control is as effective as having board members ask simple questions about items that they do not understand, or transactions that are out of the ordinary. After concentrating on knowledge of the transactions, another important procedure that is part of the review of the monthly report is the monitoring of actual expenditures against budgeted amounts. Analytical procedures, such as comparing the information presented to what’s expected, is a valuable monitoring tool. Not only will significant trends be noted, but certain transactions will stand out for further inquiry.
The one area of monitoring which we often find missing in the industry is an approval process for journal entries and other adjustments. The mass recording of cash receipts and disbursements has become automated, and assuming adequate segregation of duties, carries minimum risk for misappropriation. However, adjustments such as journal entries have been determined to carry the risk of hiding a trail of misappropriation. Therefore, several years ago a Statement on Auditing Standards required outside auditors to obtain an understanding of the essence of all the types of journal entries recorded.
Another vulnerable area for adjustments is the writing off of receivables. Should unit owner payments due to your building be misappropriated, it might be possible to hide the fraud with a credit or write off to that unit owner’s account. In this situation, the fraud is concealed and the unit owner won’t complain that their funds were not applied to their arrears.
Lastly, assure copies of bank statements and bank reconciliations accompany the management reports. Certain agents do not supply these documents unless asked. We suggest you assure a monitoring function including these procedures exists within your building’s internal control structure.
Stephen Beer is a principal with Manhattan-based accounting firm of Czarnowski & Beer.