Category Archives: Policy Making

17 Principles to Safeguard Assets and Ensure Organizational Effectiveness

One of my favorite aspects of being a financial professional is knowing that others on the management team and in my organization are relying on me. I am expected to handle key functions within the business, and if I do my job well I can contribute integrally to the organization’s success. This can provide a constant sense of urgency but also a rewarding feeling of satisfaction and significance.

Among the not so glamorous yet important features of an organization’s structure are internal controls. Accountants are expected to implement sound measures to safeguard assets and reasonably ensure that management’s objectives are achieved toward effective operations, reliable financial reporting, and legal and regulatory compliance.

Even if this sounds boring, take consolation in the fact that your organization’s survival and success depend on it.

The Committee of Sponsoring Organizations (COSO) first released its Internal Control-Integrated Framework in 1992. This document defined internal control and provided accompanying standards. Over twenty years later the framework is still highly relevant.

In May of 2013 changes were made that kept the core intact and added, among other things, seventeen principles to help with implementation of the framework in light of changes over the years. A recent article in The CPA Journal discusses these seventeen principles as organized under the five categories of internal control within the COSO framework.

    • Control Environment

1) Commit to integrity and ethical values – this largely entails setting an effective “tone at the top.”

2) The independent Board of Directors should oversee internal control – among other things, objectively evaluate managers and ask appropriate questions.

3) Establish appropriate authority, responsibility, and reporting structures.

4) Attract, develop, and retain the right talent to achieve objectives.

5) Hold employees individually accountable for fulfilling organizational objectives.

    • Risk Assessment

6) Be able to identify and assess risks by having first formulated objectives with sufficient clarity.

7) Identify and analyze risks throughout the organization to determine how they should be managed – choose whether to accept, avoid, reduce, or share risks.

8) Consider potential fraud risks, including misappropriation of assets and alteration of records, that could deter the organization from achieving its objectives.

9) Be ready for changes, including within the external environment, business model, or leadership, that could impact the internal control system.

    • Control Activities

10) Mitigate risks to acceptable levels by choosing and implementing appropriate control activities.

11) Technology is a special category of importance for implementing control activities that help enable the organization to achieve management’s objectives.

12) Policies establish expectations and procedures put these policies into action in order to deploy control activities.

    • Information & Communication

13) Support internal control functions with relevant and timely information – capture data, transform it into information, and protect its availability and accessibility to appropriate parties.

14) Communicate internally regarding internal control objectives and responsibilities.

15) Communicate with appropriate external parties regarding internal control, carefully considering the timing, audience, and nature of the communication.

    • Monitoring Activities

16) Have ongoing evaluations to determine whether internal controls are working effectively.

17) Communicate internal control deficiencies to senior management and the board of directors so that they can take timely corrective action.

In short, internal controls help management set a proper tone, define organizational objectives, and run the business effectively. A leadership-oriented financial professional who wants to be indispensably valuable within an organization should study and understand how to effectively choose, implement, and monitor internal controls on an ongoing basis.

Think Twice Before Mixing Personal Relationships With Business

Have you ever tried to mix personal family or friendship relationships with business? How did it work for you? Some people function very well in a context of mixing work with friendship or family life. Others struggle with many inherent pitfalls. Whether you choose to rush in or avoid these arrangements, it is wise to be prepared. More than likely, even if it’s not of your own making, you will someday be in a position to deal with a scenario that involves the mixing of personal with business relationships.

In my experience as a finance professional I have seen business situations in which the participants’ actions were heavily impacted by relationships with family or friends who were involved. Even the savviest businessperson can struggle to make decisions at “arm’s length” when the personal relationship is clearly not arm’s length.

Personal finance guru Dave Ramsey advises, “I do a lot of business with friends. But I make sure that the specific requirements of our relationship are laid out very clearly, in writing.” In addition, “Just be straightforward, and make sure the rules are understood by everyone involved. Then, when you have to enforce the rules, do it gently but firmly.”

Of course, the tendency when working with friends or family members is to avoid solidifying details or getting anything in writing, let alone seeking legal counsel. After all, this can wrongly be perceived as demonstrating a lack of trust.

In reality, the best way to preserve relationships is to manage expectations. Talk through the relevant deal points, and solidify your agreements in writing. No exceptions really means no exceptions: Get your agreements in writing, even (or perhaps, especially) when dealing with family or friends.

Blogger Ron Edmondson provided some cautions on working with friends, including risks for both the organization and the relationship between friends: “The bottom line is that doing the best thing for the organization often involves making hard decisions. Leaders should not be held back because of the level of difficulty.”

Doing business with disinterested third parties is more straightforward in some respects because both parties are clear that the relationship is business, not personal. Attorney and CPA Mark Kohler recommends a simple test to determine whether to enter a business relationship: “Bottom line: if you feel you can’t ask for thorough documentation, or could never sue or send a nasty letter to the person you are going to be in business with, this is probably a project you should walk away from to hang on to the relationship.”

Rob Weinberg gives insight on his approach: “So if I’m doing business with a friend I find it’s critical to insist at the outset that the friendship is the priority. If there’s ever a question of the business tainting the friendship, we both agree to walk away from the business relationship. Furthermore, any indication of uncertainty at the outset eliminates the possibility of our working together.”

Harrison Barnes provides perspective on why organizations do not allow managers to hire their friends or relatives: “Reducing corruption and increasing efficiency are the primary reasons many organizations have anti-nepotism policies. Corruption has always been a concern in this realm. If individuals who are friends or relatives work together, organizations fear that these individuals may collaborate to advance their own interests rather than the interests of the organization.”

In future installments we will look at how finance professionals can position themselves to help navigate their businesses through tricky scenarios, and one of these would be a personal-turned-business relationship that goes awry.

Five Reasons to Implement Written Policies and Procedures

As with putting goals in writing and getting agreements in writing, successful organizations follow the best practice of documenting policies and procedures in writing. Here are five reasons to put time and effort into documenting policies and procedures:

  • As with writing down goals and agreements, the process of documenting policies and procedures forces senior management to step back and carefully think about how they run their business. Rather than spending days “putting out fires” that are often created by having no formal standards, management can work toward smoother operations by documenting policies and procedures for every area of the business that requires judgment and discretion or involves risk.
  • New hires will quickly get up to speed on how management runs the organization. To be sure, documenting policies and procedures takes some thought and effort on the front-end. However, in today’s world of high employee turnover, the initial new hire training process will be more effective when supervisors have a standard approach to bringing employees up to speed.
  • Employees will appreciate knowing what is expected of them and what they can expect from management. No one appreciates rule-makers who “make it up as they go along.” Take time to systematically document clear answers to implicit questions that every employee asks. Never assume that employee assumptions — absent clear and documented guidance — about organizational policies and procedures will align with management’s intentions.
  • Employees, investors, customers, vendors, regulators, and other stakeholders will have the perception that the company is well-managed by people who care.
  • Implementing consistent and predictable processes will facilitate company growth. Putting out fires all day long is not a scalable management style; the organization can only grow so far until one of the fires gets big enough to finally burn it down. Enhance scalability by standardizing processes, policies, and procedures. The constantly changing marketplace provides more than enough uncertainty for every senior manager that I know. Consistent policies and procedures provide a welcome oasis of stability and predictability in today’s business world. This is often more than a luxury; it is a requirement for growth and survival as the organization adapts to external challenges.

I once heard a senior-level manager communicate his preference for leaving policies and procedures unwritten so as to avoid legal ramifications in case the organization diverged from them. This is a good strategy for managers who are unwilling to put thought and care into formulating good policies and procedures and maintaining effective enforcement mechanisms. However, it is a bad policy for an organization that plans to significantly scale operations over time. There are plenty of reasons why large organizations take time and exercise care to document and communicate their expectations for consistent, reliable operations and behaviors within formal, written policies and procedures. Finance professionals can contribute needed professional judgment toward every area of the policy-making process.

Managing Perceptions: The Hidden Value of Policy-Making

We have all heard the expression: “Run it like a business.” Some church leaders try to run their organizations “like a business.” Politicians sometimes speak of running government “like a business.”

So what does it mean to “run it like a business”? When you think of a “real” business, what comes to mind? The essence of how a management team “runs” a business is found in its policies and procedures. These can be formal and written, they can be communicated, and employees can receive training in them. Or they can be informal, ad hoc, unwritten, and generally fuzzy so that employees are uncertain about the policies and procedures. Senior management gets to decide which approach to take on the question of policies and procedures.

Consider the difference between a major league baseball game and a neighborhood game on the sandlot. The stakes are higher — lots of money and pride are on the line — in the majors. The level of care and documentation for policies and procedures (rules), as well as training (for coaches, players, umpires, etc.) is staggering compared to how much thought goes into an informal sandlot game.

Policies and procedures help set the tone for whether a business is playing in the majors or on the sandlot.

One advantage of carefully thinking through, documenting, and providing training in policies and procedures is consistency. No matter who is handling a particular matter, senior management can be confident that employees who were carefully selected and trained for their roles will reach the proper conclusions and undertake the appropriate actions that management intended.

Another great advantage of a deliberate approach to policies and procedures is not so obvious initially: perception. Employees perceive that management cares and the company is a “real” business when formal, written policies are in place. When employees perceive that management cares, employees take a greater interest in performing their roles effectively. Management sets the tone at the top and should devote company resources to training employees in the policies and procedures of the business. This creates a perception of organizational soundness and stability among employees. Also, employees can confidently communicate with customers, vendors, and other stakeholders about the company policies. Employees need to know how the company does business. This sets a tone for managing business relationships.

Perhaps management wants to provide guidance and boundaries but also wants to give employees leeway to use their judgment. An employee can articulate a variation of the following: “Company policy says X, Y, and Z regarding this situation, but I have discretionary leeway built into my role so that I can use my best judgment and diverge from company policy just this one time for your benefit” (usually these are the words of a supervisor, not an entry-level customer service rep). In this scenario the customer perceives that the company is doing something thoughtful and gracious by making a one-time policy exception.

The other option is to give no guidance on policies and procedures and leave it up to the individual handling the matter to navigate through the complexity. An inexperienced employee might say, “I think a 90 day return policy for a used and abused item is reasonable.” This might avoid a conflict with an unreasonable customer, but it is not a good policy. Even when the customer gets its way in this scenario, the customer walks away with no perception that the company is a “real” business. The company has not done something thoughtful but has been manipulated by an unscrupulous customer. The scenario is a joke, not an opportunity to build customer value and loyalty. The matter could have been settled by senior management beforehand by setting sound policy and training the employee accordingly.

Again, this responsibility falls on senior management. When employees have no policies and procedures to follow and make inevitable mistakes, management has no one to blame but themselves. The tendency more often is to blame the employee that did not do it management’s way — even though management never bothered to communicate to the employees how the job should have been done.

Not only do employees, customers, and suppliers have a better perception of the business when policies are in place. Policies and procedures affect the perceptions of other stakeholders. Even regulatory agencies in certain cases can consider a company’s compliance policies, procedures, and training as mitigating factors for penalties when unintentional regulatory noncompliance takes place. Again, perception is a massive benefit for a company in this scenario, as compared to having no policies, procedures, and training — which can be expected to lead to regulatory noncompliance due to management’s negligence.

Several areas for policies and procedures include (but are not limited to) the following:

  • Accounts receivable, credit, and collections
  • Accounts payable
  • Human resources (the subcategories here are vast)
  • Customer service
  • Tax and regulatory compliance
  • Any other area that involves risk or requires judgment and discretion

Position your business for success by setting policies and procedures. Train your employees to comply. Drill this into them at every opportunity and set an example. This will set up your business to compete in the majors rather than on the sandlot. Every individual and organization that interacts with your business will have a better perception that your business is “run like a business” and is a “real” company rather than a joke.

Whitepaper: Do I Need a CFO or a Controller?

What are the differences between the roles of the CFO and Controller? How does an organization determine whether to utilize the functions of a Controller or CFO (or both)? A white paper by The Brenner Group provides this summary: “The CFO and the Controller play very important, yet different roles within growing companies. The CFO typically serves as a strategic partner for the CEO and the Controller is more focused on day-to-day tactical accounting matters.”

The white paper gives the following descriptions for the role of the Controller:

  • Implement and/or create fundamental accounting policies and procedures
  • Manage day-to-day accounting and cash flow maintenance (including payroll processing, accounts receivable and collections, and accounts payable distributions)
  • Implement accounting software and establish chart of accounts
  • Update financial models and analyze budget to actual activity
  • Prepare financial management reports in a timely manner for use by the management team and the Board to run the business
  • Handle basic Human Resource tasks such as maintaining employee files, generating offer letters, researching benefit questions, processing 401K activities, etc.
  • Help recruit, build and manage the accounting and finance department
  • Manage annual audit preparation and process
  • Act as the historian with respect to accounting matters

On the other hand, the CFO’s role is distinct from that of the Controller:

  • Be intimately involved with the CEO and Board on strategic planning matters, effectively serving as the “right hand” to the CEO
  • Assure adequate capital or growth by assisting with financings, including preparation and presentation for Angel or Venture Investors
  • Manage cash flow and provide timely communications regarding the future cash projections and needs
  • Function as the “Vice President of all other”—i.e. any function not directly involved in designing, manufacturing, selling or supporting the product
  • Direct or implement accounting systems, policies and procedures
  • Facilitate the development of annual strategic operating plans
  • Create and implement forecasting tools to measure the business
  • Administer stock option issuance and tracking
  • Manage the human resources function, including obtaining and administering employee benefits
  • In cooperation with the CEO and the Board, locate and negotiate facilities and fixed asset acquisitions
  • Initiate and retain outside relationships with independent accounting, tax and legal advisors
  • Work with the sales department to establish pricing policies
  • Hire and staff the finance and accounting department
  • Oversee risk management, including adequate insurance coverage

Read the complete whitepaper: Do I Need a CFO or a Controller?

Senior Management Sets the “Tone at the Top”

As a generalization, our culture tends to respect individualism and prioritize the valuable contributions that each person can make to an organization or society. This “democratic” view of culture, for all its merits, must be balanced with an insight formulated by the audit profession: Tone at the Top.

Tone at the top, in the context of establishing an effective control environment within a business, is best explained by COSO, an organization founded by several professional finance and accounting organizations to provide thought leadership on risk management, internal controls, and fraud prevention. COSO’s Internal Control — Integrated Framework Executive Summary states:

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control (emphasis added).

The best example I saw of “tone at the top” was at a business in which the owners had invested significant effort toward intentionally creating a culture of integrity and value creation. This “tone at the top” was not imposed upon the enterprise and its subsidiaries. Rather, the culture of the organization reflected the vision, values, and ethics that senior management believed and practiced. These leaders understood “tone at the top” and effectively took the lead to guide their organization to success in the marketplace.

What steps did this organization take? There were many facets of the tone at the top and how it was manifested throughout the organization down to the lowest level, but here are just a few that come to mind:

  • A clear vision and mission statement, which defined the organization for its customers, employees, partners, investors, and other stakeholders
  • A principles-based approach toward leadership within the organization
  • A minimalist approach toward detailed rules
  • An emphasis on hiring people who would “fit” well into the organization’s culture based on character and skill
  • Leadership by clarity of articulation and example by senior management

This deliberate approach to “tone at the top” creates an effective control environment, as compared to a disjointed or even nonexistent plan for establishing organizational culture. Whether senior management acknowledges or ignores the concept of “tone at the top,” the reality is inescapable. Employees hear what senior managers say and, more importantly, see what senior managers do. The example senior managers set, both by formal policies and procedures as well as by daily conduct, sets a tone — whether positive or negative.

Although each individual can play a valuable role within an organization, senior management first and foremost must take its responsibility seriously to nurture a culture of integrity, discipline, and effectiveness. Done properly, the established “tone at the top” can propel an organization on a trajectory toward achieving its goals and objectives.

How Can You Prevent Fraud in Your Business?

Soldiers have their battle stories. Athletes recount memories of their on-field exploits. Actors make a living out of drama. So what type of exciting professional adventures would you expect from an accountant? No, we’re not talking about paper cuts, out of control copy machines, or circular references in Excel files. The most exciting shop talk within accounting circles invariably involves uncovering a massive fraud in one of our clients’ companies. Off the top of my head, here are some of the most infamous examples I have heard from my fellow accountants:

  • When I was in one of my first accounting classes my teacher told a story of a bartender who she discovered was pocketing money from the bar sales and covering the inventory discrepancy with his own booze brought in from the outside (he was pocketing a nice margin along the way).
  • When I was an auditor my boss told me a story about his discovery that a credit union employee falsified records in a failed attempt to cover up theft of the institution’s funds.
  • I became familiar with a situation in which an elderly professional client of our accounting firm had a long-time, trusted employee use her employer’s funds to pay her mortgage, provide gifts for her family members, pay her debts, and more. As you might have guessed, our client had not taken it upon himself to review the banking information for his business.
  • A finance executive friend shared about an employee within his company that he had to fire and evict from a company-owned rental unit because she was stealing funds from the business.
  • A forensic accountant at a recent seminar shared her story of discovering a fraudulent CFO’s misdeeds not once, not twice, but three times. When her client (the business owner) refused each time to do anything significant about this problem, she fired her client and discovered not long thereafter that the business had gone under.
  • Another story I heard (one of my favorites) involved an inept management team that provided free and open access to all employees to every module within the information system. When the auditors arrived to do their standard year-end work, one of the employees became very inquisitive and showed signs of nervousness. Although they would not have otherwise been inclined to investigate her specifically or to look at detailed payroll data, the auditors decided to take a look at her payroll transactions and discovered that she was getting paid far more than other production workers in the business. As it turned out, before each payroll was run, she took it upon herself to increase her pay rate by $5 per hour. After the payroll run, she would decrease the rate back to normal so that hopefully no one would notice.

Fraud often resembles lightning: It strikes you suddenly, when you are least expecting it, and often when you are comfortable. Experienced risk managers understand that fraudsters don’t fit the popular media stereotype of slimy connivers. Rather, they are often regular people, even trusted long-time employees.

The key to preventing fraud is situational awareness. Know the yellow and red flags such as a rapid and unusual increase in an employee’s living standards, an employee who unnecessarily works long or odd hours and refuses to take vacations (for fear that another person covering the role for a few days could discover the misdeeds), or an employee who noticeably faces financial pressures. Also, be aware of the “fraud triangle”:

  • Pressure – an employee or someone else with access to company resources might have a personal financial pressure in life such as uninsured medical bills, a gambling habit, credit card debt, or a divorce. Many savvy employers check credit history for potential new hires to initially screen out employees who might bring unwanted personal pressures into the workplace environment.
  • Opportunity – the employee sees a weakness in the company’s systems, whether an open door in a secluded part of the warehouse, an unsecured cash drawer, or in the case of many large frauds, a material internal control weakness that enables an employee to misappropriate funds without getting caught.
  • Rationalization – most people understand it is wrong and risky to steal, but if they feel the need and see the opportunity, they can often come up with ways to justify it in their minds. Some employees, especially in times of tight corporate budgets during economic uncertainty, may feel overworked, underpaid, and under-appreciated. Perceptions about unfair treatment and office politics, regardless of whether these notions are justified or mere fabrications in the employee’s mind, can breed resentment and a desire for revenge.

A successful fraud involves all three elements to one degree or another. An employee without some type of pressure to defraud her company — even if she sees an opportunity and might be able to perversely rationalize it in her mind — will probably back off when she considers the potential consequences if she got caught. Likewise, without an opportunity or a way to rationalize a fraud, an employee will probably think better of it.

Business owners can exert the most direct influence over the second point, opportunity. One of my accounting teachers recounted when he tried to suggest sound financial controls for his church finance committee. His pastor did not take kindly to this, assuming that he was “accusing the brethren” within the leadership. However, as my teacher pointed out, there is nothing to be lost from implementing measures to keep honest people honest.

Internal controls are aimed at preventing, detecting, and correcting fraud, whether misappropriation of assets or fraudulent financial reporting. Furthermore, beyond safeguarding physical and intangible assets, controls also should be designed to ensure operational effectiveness. (More on this in future installments.)

The primary preventative internal control is segregation of duties. Specifically, companies are well advised to separate these functions among employees:

  • Custody of assets, e.g., inventory and cash
  • Authorization of expenditures or disbursements, e.g., cash payments or inventory shipments
  • Recording of transactions, e.g., entering payments or inventory transactions into the system
  • Reconciliation, e.g., the monthly bank statement reconciliation or the periodic inventory count and reconciliation to inventory records in the accounting system

For example, ideally the same person should not have access to company funds (e.g., to be a signer on the bank account), the ability to authorize spending those funds, the authority to record the transaction, and the responsibility to reconcile the bank statement at the end of the month. Some or all of these duties should be segregated among several employees so that any fraud would require collusion. Even if one employee had the pressure and rationalization to commit fraud, in an environment with segregation of duties, he would have to take the risk of recruiting another employee to cover for him.

The warehouse manager who has physical access to inventory should not have the ability to make inventory adjustments in the accounting system, as this segregation between custody and recording prevents the manager from stealing product and recording adjustments to make the system data match the physical inventory. Rather, inventory shrinkage should show up on reports monitored by inventory accountants who do not have access and authorization to remove product from the warehouse; by segregating these duties, discrepancies should be detected, monitored, and accounted for by the appropriate authorities.
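The segregation described above can be checked against a system's actual access assignments. The following is an added example, not part of the original article: the permission names, users, and asset classes are constructed for illustration. It flags anyone who holds two or more of the four duties over the same asset and reports how many people would have to collude to cover all four.

```python
from collections import defaultdict
from itertools import combinations

# The four duties the article says to separate.
DUTIES = frozenset({"custody", "authorization", "recording", "reconciliation"})

# Constructed mapping: system permission -> (asset class, duty).
PERMISSION_DUTY = {
    "bank.sign_checks": ("cash", "custody"),
    "ap.approve_payment": ("cash", "authorization"),
    "gl.post_cash_entry": ("cash", "recording"),
    "bank.reconcile_statement": ("cash", "reconciliation"),
    "warehouse.physical_access": ("inventory", "custody"),
    "inventory.approve_shipment": ("inventory", "authorization"),
    "inventory.post_adjustment": ("inventory", "recording"),
    "inventory.reconcile_count": ("inventory", "reconciliation"),
}

# Constructed access assignments for a small company.
USER_PERMISSIONS = {
    "owner": {"bank.sign_checks"},
    "bookkeeper": {"ap.approve_payment", "gl.post_cash_entry",
                   "bank.reconcile_statement"},
    "warehouse_manager": {"warehouse.physical_access",
                          "inventory.post_adjustment"},
    "shipping_lead": {"inventory.approve_shipment"},
    "inventory_accountant": {"inventory.reconcile_count",
                             "reports.view_shrinkage"},
}


def duties_by_user(user_permissions, permission_duty):
    """Return (held, unmapped): held[user][asset] is the set of duties held.

    Permissions missing from the map are collected in `unmapped` so they
    get classified by a reviewer instead of being silently ignored.
    """
    held = defaultdict(lambda: defaultdict(set))
    unmapped = defaultdict(set)
    for user, perms in user_permissions.items():
        for perm in perms:
            if perm in permission_duty:
                asset, duty = permission_duty[perm]
                held[user][asset].add(duty)
            else:
                unmapped[user].add(perm)
    return held, unmapped


def find_conflicts(held):
    """List (user, asset, duties) where one person holds 2+ duties on an asset."""
    conflicts = []
    for user in sorted(held):
        for asset in sorted(held[user]):
            duties = held[user][asset]
            if len(duties) >= 2:
                conflicts.append((user, asset, sorted(duties)))
    return conflicts


def min_collusion(held, asset):
    """Smallest group that jointly holds all four duties for an asset.

    Returns (size, group) or None if the duties are not all assigned.
    A size of 1 means a single person could take, approve, record, and
    reconcile without involving anyone else.
    """
    users = sorted(u for u in held if held[u].get(asset))
    for size in range(1, len(users) + 1):
        for group in combinations(users, size):
            covered = set().union(*(held[u][asset] for u in group))
            if covered >= DUTIES:
                return size, group
    return None


if __name__ == "__main__":
    held, unmapped = duties_by_user(USER_PERMISSIONS, PERMISSION_DUTY)
    for user, asset, duties in find_conflicts(held):
        print(f"CONFLICT {user}: {asset} -> {', '.join(duties)}")
    for asset in ("cash", "inventory"):
        print(asset, "collusion needed:", min_collusion(held, asset))
    for user, perms in unmapped.items():
        print(f"UNMAPPED {user}: {sorted(perms)}")
```

In the constructed data, the warehouse manager shows up with both custody and recording over inventory, which is the exact combination the paragraph above warns against.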

A final word for business owners and CEOs: Especially in this era of automated and integrated accounting systems that allow a small finance staff to handle high transaction volume, many companies do not have adequate staff to properly segregate all duties among finance staff. This means that the business owner or CEO should be involved and situationally aware of risks. Although hiring trustworthy staff members who can be relied upon is one essential component, if there are limited numbers of staff in the finance group (i.e., one or two people), the owner needs to take some time to monitor the activities of this important department. At the very least, take time to check the bank statement each month, look at reconciliations for asset accounts such as inventory, and consider engaging an outside professional for a year-end audit. (As a bonus, an experienced auditor with industry expertise can provide input on enhancing operational and financial effectiveness.) However, do be aware of the limitations of assurance that auditors provide regarding detecting fraud (this is spelled out clearly in auditor engagement letters). If you have a suspicion that fraud might be taking place, consider engaging a fraud examiner or forensic accountant to investigate.

Categories for My Website

This is my CFO Career Development Plan website. I will post my career plan and chart my progress, and this site will be a tool in the process. For example, part of my career plan will involve reading books, and I can review them on this site to give valuable input for others from my learning.

Here are some of the categories I plan to cover on this site as I develop my career as a financial professional:

  • Risk Management
  • Tax and Regulatory Compliance
  • Human Resource Management and Supervision
  • Policy Making
  • Decision Making and Analysis
  • Forecasting and Budgeting
  • Professional Development
  • Strategy and “Big Picture” Focus
  • Investor and Lender Relations
  • Information Technology Tools
  • And More …