Category Archives: Tax and Regulatory Compliance

Manage Risks with Preventive, Detective, and Corrective Controls

Is it better to sell a prevention or a cure? From a marketing standpoint, there is likely more money to be made selling cures. People would rather not attend to the many risks in their lives that may not materialize — after all, where does one begin? — but once a contingency does manifest itself, the same people are willing to pay great sums for cures.

The world of a finance professional is different. Some of our core functions include thinking, planning, and communicating about risk. We do not have the luxury of taking a “wait and see” approach toward managing risk. We have to be proactive about foreseeing risks and planning accordingly. We think in terms of broad categories, such as regulatory and legal compliance risks, IT-related risks, political risks, market risks, credit risks, and more.

Finance professionals measure the extent of our organizations’ exposure to risks and help guide senior management in assessing the best way to effectively expose our organizations to risk and at the same time manage risks. After all, if an organization is not taking risks, it might as well shut down because it cannot grow or produce a return on investment.

Part of an auditor’s evaluation of an organization is in terms of internal controls, how they are documented, how they are communicated, how employees are trained in them, and so forth. Controls are designed to prevent fraud and material misstatements of financial results, as well as to ensure effectiveness in carrying out management’s objectives.

Here are three types of controls to consider in your organization:

  1. Preventive — Some of the best controls prevent fraud, theft, misstatements, or ineffective organizational functioning. For example, we saw in a previous post the effectiveness of segregation of duties to prevent fraud. Preventive controls can be as simple as locks and access codes to sensitive areas of a building or passwords for confidential information.
  2. Detective — A security camera is a good example of a detective control. A store manager who notices a pattern of a cash drawer coming up short when attended by a particular clerk can easily look at video of the clerk’s actions throughout the day to detect potential theft. An access log and an alert system can quickly detect and notify management of attempts by employees or outsiders to access unauthorized information or parts of a building.
  3. Corrective — Coupled with preventive and detective controls, corrective controls help mitigate damage once a risk has materialized. An organization can document its policies and procedures, enforcing them by means of warnings and employee termination when appropriate. When managers wisely back up data they can restore a functioning system in the event of a crash. If a disaster strikes, business recovery can take place when an effective continuity and disaster management plan is in place and followed.

Think in terms of preventing, detecting, and correcting risks of fraud, theft, ineffectiveness, and breakdown. The world is full of risks, and problems tend to strike suddenly and unexpectedly. Cures are great, but if you rely on finding a solution once a risk has already materialized, you might find that your lack of planning has made the risk unmanageable.

Managing Perceptions: The Hidden Value of Policy-Making

We have all heard the expression: “Run it like a business.” Some church leaders try to run their organizations “like a business.” Politicians sometimes speak of running government “like a business.”

So what does it mean to “run it like a business”? When you think of a “real” business, what comes to mind? The essence of how a management team “runs” a business is found in its policies and procedures. These can be formal and written, they can be communicated, and employees can receive training in them. Or they can be informal, ad hoc, unwritten, and generally fuzzy so that employees are uncertain about the policies and procedures. Senior management gets to decide which approach to take on the question of policies and procedures.

Consider the difference between a major league baseball game and a neighborhood game on the sandlot. The stakes are higher — lots of money and pride are on the line — in the majors. The level of care and documentation for policies and procedures (rules), as well as training (for coaches, players, umpires, etc.), is staggering compared to how much thought goes into an informal sandlot game.

Policies and procedures help set the tone for whether a business is playing in the majors or on the sandlot.

One advantage of carefully thinking through, documenting, and providing training in policies and procedures is consistency. No matter who is handling a particular matter, senior management can be confident that employees who were carefully selected and trained for their roles will reach the proper conclusions and undertake the appropriate actions that management intended.

Another great advantage of a deliberate approach to policies and procedures is not so obvious initially: perception. Employees perceive that management cares and that the company is a “real” business when formal, written policies are in place. When employees perceive that management cares, they take a greater interest in performing their roles effectively. Management sets the tone at the top and should devote company resources to training employees in the policies and procedures of the business. This creates a perception of organizational soundness and stability among employees. Also, employees can confidently communicate with customers, vendors, and other stakeholders about company policies. Employees need to know how the company does business. This sets a tone for managing business relationships.

Perhaps management wants to provide guidance and boundaries but also wants to give employees leeway to use their judgment. An employee can articulate a variation of the following: “Company policy says X, Y, and Z regarding this situation, but I have discretionary leeway built into my role so that I can use my best judgment and diverge from company policy just this one time for your benefit” (usually these are the words of a supervisor, not an entry-level customer service rep). In this scenario the customer perceives that the company is doing something thoughtful and gracious by making a one-time policy exception.

The other option is to give no guidance on policies and procedures and leave it up to the individual handling the matter to navigate the complexity. An inexperienced employee might say, “I think a 90-day return policy for a used and abused item is reasonable.” This might avoid a conflict with an unreasonable customer, but it is not a good policy. Even when the customer gets its way in this scenario, the customer walks away with no perception that the company is a “real” business. The company has not done something thoughtful; it has been manipulated by an unscrupulous customer. The scenario is a joke, not an opportunity to build customer value and loyalty. The matter could have been settled by senior management beforehand by setting sound policy and training the employee accordingly.

Again, this responsibility falls on senior management. When employees have no policies and procedures to follow and make inevitable mistakes, management has no one to blame but itself. The tendency more often is to blame the employee who did not do it management’s way — even though management never bothered to communicate to employees how the job should have been done.

Employees, customers, and suppliers are not the only ones with a better perception of the business when policies are in place; policies and procedures also affect the perceptions of other stakeholders. Even regulatory agencies in certain cases can consider a company’s compliance policies, procedures, and training as mitigating factors for penalties when unintentional regulatory noncompliance takes place. Again, perception is a massive benefit for a company in this scenario, as compared to having no policies, procedures, and training — which can be expected to lead to regulatory noncompliance due to management’s negligence.

Several areas for policies and procedures include (but are not limited to) the following:

  • Accounts receivable, credit, and collections
  • Accounts payable
  • Human resources (the subcategories here are vast)
  • Customer service
  • Tax and regulatory compliance
  • Any other area that involves risk or requires judgment and discretion

Position your business for success by setting policies and procedures. Train your employees to comply. Drill this into them at every opportunity and set an example. This will set up your business to compete in the majors rather than on the sandlot. Every individual and organization that interacts with your business will have a better perception that your business is “run like a business” and is a “real” company rather than a joke.

Regulatory Compliance is a Requirement, Not an Option

Among the best ways to get your business into irreparable trouble, not paying taxes (especially payroll taxes) and breaking the law have to rank near the top. Sometimes noncompliance with laws and regulations is simply a matter of indifference. However, ignorance is no excuse, so business leaders must be proactive with compliance programs and training. Such programs and training give evidence of due diligence rather than negligence, which can mitigate consequences for unintentional noncompliance.

Various local, state, and federal agencies have literature and resources to help companies stay in compliance. Especially within small and mid-sized companies, this compliance role is a control function that often naturally falls within the accounting and finance group.

Many companies find themselves doing business abroad, and the US Customs and Border Patrol has a Trade Compliance site, and the Census Bureau has Export Training. Each industry has its own sets of laws and regulations — including environmental, health and safety, and HR-related, to name just a few categories — and a busy finance professional probably cannot expect to stay on top of every detail and change. Thus, outside compliance professionals can provide systematic and ongoing support, often for a reasonable fee. That said, a finance professional needs to know the broad categories of compliance that need to be monitored on an ongoing basis, as well as red flags to look for. This is integral to an effective enterprise risk management program.

The best compliance initiatives and training programs are ongoing, proactive, and systematic. If you want your business to survive and thrive, compliance is a fundamental requirement, not an option, for every person and group within an organization. Senior management sets the “tone at the top” for zero tolerance of regulatory noncompliance.

Smart Controls: A Financial Institution Disables Admin Accounts After 30 Days of Inactivity

I once had the experience of working with a financial representative to pay employees’ retirement contributions, along with my employer’s matching funds, into employees’ retirement accounts. The representative informed me that my administrative account would be disabled if I did not log in within the next 30 days. Each time I log in, the 30-day countdown starts over.

The representative explained that his financial institution wants to give employers and their representatives (e.g., financial controllers or CFOs) incentive to deposit employee funds timely. The IRS requires companies to contribute the employees’ retirement funds within 30 days after the month in which the employees would have been eligible to receive the funds in cash. Thus, for example, any employee contributions withheld during August from employees’ paychecks must be deposited into their accounts by September 30th. To comply with regulations, the controller or CFO must log in at least every 30 days and make the deposits, so the financial institution’s policy is a handy reminder.

I also reasoned that finance departments have turnover, and one controller or CFO could replace another and assume the duty of depositing employee and matching employer funds into retirement accounts. Part of the controller/CFO function (in conjunction with IT) is to ensure that access to administrative accounts and information systems for the departing controller or CFO is appropriately disabled (or passwords changed, as the case may be) in a timely manner. However, in organizations with lax controls, sometimes during the transition no one thinks to disable the previous controller’s or CFO’s access. The financial institution I worked with had thought of a solution for one piece of this problem by simply disabling the accounts of departing personnel after no one logs in for 30 days. The accounts are personalized for the employee who logs in and deposits the funds, so if a new controller or CFO takes over the responsibility, that new person would create a distinct account instead of using the account of the departing employee. Unless the departing employee made a habit of logging in, the account would be disabled after 30 days and the company would no longer have a risk that the departing employee could later gain access to sensitive financial information and functions.
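The inactivity control described above, written out as an added example (this is illustrative code, not the financial institution’s system): each successful login resets a per-account countdown, a periodic sweep disables any administrative account idle for more than 30 days, and a disabled account can no longer log in. The account records, the 30-day window as a “more than 30 days” boundary, and the dates are constructed assumptions for the demonstration; a never-used account is measured from its creation date so that it cannot escape the sweep.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Inactivity window from the post; the "strictly more than" boundary is an assumption.
MAX_IDLE_DAYS = 30


@dataclass
class AdminAccount:
    """One personalized administrative login at the institution (constructed model)."""
    username: str
    created: datetime
    last_login: Optional[datetime] = None  # None = never logged in since creation
    disabled: bool = False


def days_idle(account: AdminAccount, now: datetime) -> int:
    """Days since the last login, or since creation if the account was never used."""
    anchor = account.last_login if account.last_login is not None else account.created
    return (now - anchor).days


def record_login(account: AdminAccount, when: datetime) -> None:
    """A successful login restarts the countdown; a disabled account is refused."""
    if account.disabled:
        raise PermissionError(f"account {account.username} is disabled")
    account.last_login = when


def accounts_to_disable(accounts: List[AdminAccount], now: datetime,
                        max_idle_days: int = MAX_IDLE_DAYS) -> List[AdminAccount]:
    """Active accounts whose countdown has expired (idle for more than the window)."""
    return [a for a in accounts
            if not a.disabled and days_idle(a, now) > max_idle_days]


def sweep(accounts: List[AdminAccount], now: datetime,
          max_idle_days: int = MAX_IDLE_DAYS) -> List[str]:
    """Disable stale accounts and return one audit line per account disabled."""
    audit: List[str] = []
    for account in accounts_to_disable(accounts, now, max_idle_days):
        account.disabled = True
        audit.append(f"{now.isoformat()} DISABLED {account.username} "
                     f"idle={days_idle(account, now)}d")
    return audit


def sample_accounts() -> List[AdminAccount]:
    """Constructed sample: a departed controller, a successor, and an unused account."""
    utc = timezone.utc
    return [
        AdminAccount("departing_controller", created=datetime(2023, 1, 10, tzinfo=utc),
                     last_login=datetime(2024, 7, 15, tzinfo=utc)),
        AdminAccount("new_controller", created=datetime(2024, 8, 20, tzinfo=utc),
                     last_login=datetime(2024, 8, 28, tzinfo=utc)),
        AdminAccount("unused_backup_admin", created=datetime(2024, 6, 1, tzinfo=utc)),
    ]


if __name__ == "__main__":
    now = datetime(2024, 9, 1, tzinfo=timezone.utc)
    accounts = sample_accounts()
    for line in sweep(accounts, now):
        print(line)
    # The successor's countdown restarts on each login.
    record_login(accounts[1], now)
    print(accounts[1].username, "idle days after login:", days_idle(accounts[1], now))
```

Run as a scheduled job, the sweep is a corrective control in the terms of the first post on this page: it does not stop the access-revocation step from being forgotten during a handover, but it bounds how long a forgotten account stays usable, and the audit lines give the reviewer a record of what was disabled and when.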

Whitepaper: Do I Need a CFO or a Controller?

What are the differences between the roles of the CFO and Controller? How does an organization determine whether to utilize the functions of a Controller or CFO (or both)? A white paper by The Brenner Group provides this summary: “The CFO and the Controller play very important, yet different roles within growing companies. The CFO typically serves as a strategic partner for the CEO and the Controller is more focused on day-to-day tactical accounting matters.”

The white paper gives the following descriptions for the role of the Controller:

  • Implement and/or create fundamental accounting policies and procedures
  • Manage day-to-day accounting and cash flow maintenance (including payroll processing, accounts receivable and collections, and accounts payable distributions)
  • Implement accounting software and establish chart of accounts
  • Update financial models and analyze budget to actual activity
  • Prepare financial management reports in a timely manner for use by the management team and the Board to run the business
  • Handle basic Human Resource tasks such as maintaining employee files, generating offer letters, researching benefit questions, processing 401K activities, etc.
  • Help recruit, build and manage the accounting and finance department
  • Manage annual audit preparation and process
  • Act as the historian with respect to accounting matters

On the other hand, the CFO’s role is distinct from that of the Controller:

  • Be intimately involved with the CEO and Board on strategic planning matters, effectively serving as the “right hand” to the CEO
  • Assure adequate capital or growth by assisting with financings, including preparation and presentation for Angel or Venture Investors
  • Manage cash flow and provide timely communications regarding the future cash projections and needs
  • Function as the “Vice President of all other”—i.e. any function not directly involved in designing, manufacturing, selling or supporting the product
  • Direct or implement accounting systems, policies and procedures
  • Facilitate the development of annual strategic operating plans
  • Create and implement forecasting tools to measure the business
  • Administer stock option issuance and tracking
  • Manage the human resources function, including obtaining and administering employee benefits
  • In cooperation with the CEO and the Board, locate and negotiate facilities and fixed asset acquisitions
  • Initiate and retain outside relationships with independent accounting, tax and legal advisors
  • Work with the sales department to establish pricing policies
  • Hire and staff the finance and accounting department
  • Oversee risk management, including adequate insurance coverage

Read the complete whitepaper: Do I Need a CFO or a Controller?

Categories for My Website

This is my CFO Career Development Plan website. I will post my career plan and chart my progress, and this site will be a tool in the process. For example, part of my career plan will involve reading books, and I can review them on this site to give valuable input for others from my learning.

Here are some of the categories I plan to cover on this site as I develop my career as a financial professional:

  • Risk Management
  • Tax and Regulatory Compliance
  • Human Resource Management and Supervision
  • Policy Making
  • Decision Making and Analysis
  • Forecasting and Budgeting
  • Professional Development
  • Strategy and “Big Picture” Focus
  • Investor and Lender Relations
  • Information Technology Tools
  • And More …