Financial Audit or Control Audit

We are often asked by boards if we believe that the management company’s processes are effective.  The answer is, we have no way of knowing as we are conducting an audit of the financial statements, not an audit of the managers’ internal control system.  To which the response is typically a look of bewilderment as most board members don’t understand the difference.

An audit of the financial statement does require the auditor to understand the internal control structure put in place by management so we can plan and perform the audit.  But what typically happens is that the auditor says, “That’s great, but we are going to assume management doesn’t follow it and plan our audit as though the system doesn’t work.”

Given the size and simplicity of the transactions in the typical association, it is faster and more effective to avoid testing the internal control system to ensure it works.  Take accounts payable; walking a single transaction through the entire control system and documenting the steps would take about an hour.  In order to rely upon the system to ensure it leads to the correct recording and reporting of the transaction we would have to test several dozen.  But, since this is a financial audit and we are concerned with ensuring that vendor invoices are reported to the correct period, we can simply review the individually significant invoices reported in the subsequent period to determine the period in which it was incurred and recorded.  We can go through the 4 or 5 invoices in about 10 minutes.

Since we didn’t rely upon the control system to ensure the invoice was recorded correctly, we completed the procedure faster and determined the results just as effectively as though we had relied upon it.  If we find invoices in the subsequent period (typically January) that should have been recorded in the prior period, we propose a journal entry.  The internal control system might have worked but we can’t say that, even if we didn’t find an invoice posted to the wrong period.

We understand that boards are concerned with the effectiveness of the internal control system and agree that it is important.  But the individual board does not want to engage an auditor to test the management company’s system.  Boards should require their management company to have a SOC audit.

A SOC, or Service Organization Control, audit is performed by an auditor on the service provider: In this case the management company.  The SOC audit ensures the appropriate controls are in place and function as required.  While there are different levels of SOC audit, the end result is the same – reporting on the effectiveness of the providers internal control system.

Frankly, state law should require a management company to have a SOC audit in addition to requiring the association to have a financial audit.  Associations which outsource the receipt and payment of funds need to know that the company they use has the right systems in place and those systems work.  The annual financial audit is not designed to offer an assurance that this is the case.

We realize that a SOC audit could be expensive.  To be honest, it might not even substantially reduce the cost of the association’s financial audit; although I think there would be some cost savings.   If a manager could produce a SOC audit which stated that the controls were in place and effective, we could probably drop our audit charge by 10-20 percent.  But beyond the potential savings you would have a strong marketing tool.

The feedback we have received is that an association board would rather have a report which says that the internal control system is in place and works.  We would like to offer this to a board but this type of report is not cost effective at the association level. But it could be at the management company level.  And it is quite possible that having a SOC audit report can help you land new clients – since everything else being equal, having a documented and tested internal control system is much more important to boards than knowing their financial statements are prepared according to GAAP.

Something to think about.

Management’s Representation

We are often asked, “Why do I have to sign this letter?”  The letter being referred to is the management representation letter.  As to the why, because you as management, the owner, the board, are making specific assertions that we, the independent accountant’s are relying upon.

An important part of management’s representation is the concept of materiality.  The representation letter typically includes this paragraph, “Certain representations in this letter are described as being limited to matters that are material. Items are considered material, regardless of size, if they involve an omission or misstatement of accounting
information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would be changed or influenced by the omission or misstatement.”

In this section you are agreeing to the concept that the dollar value alone is not necessarily indicative of materiality.  I will use a real-world example (one we are currently facing) to explain:  Way back in November 2013, an association approved a special assessment.  Interest was to start December 1, 2013 if the full amount of the special assessment wasn’t paid by November 30.  Unpaid interest earned was about $3,500.  The manager did not accrue the interest for those who hadn’t paid by December 31.    Was it material?  Dollar-wise probably not.  But had it been known that over 30% of owners had not paid their first payment – which would have been obvious had the accrued interest been included – it is quite probably that a reasonable person’s judgement may have been changed.

So what are some of the specific representations you are making?  Regarding the financial statements, you represent:

  • You understand that you are responsible for the preparation and fair presentation of the financial statements.  This is true even if you entrust the preparation of the financial statement to the outside accountant.
  • You acknowledge your responsibility to design, implement and maintain an internal control system and you have fulfilled this responsibility.  This is a big issue; go back to the example above, obviously the control system to ensure that all relevant information was provided in the financial statement was not working properly.
  • You acknowledge your responsibility to design, implement and maintain an internal control system to prevent and detect fraud.  Fraud, by the way, is not just about people stealing it is also about ensuring the financial statements are not intentionally misleading.
  • Related party relationships and transactions have been accounted for and are disclosed.  This could be as simple as renting the building from an LLC owned by the majority shareholder or as complex as contracting with a company where the controller is a silent partner.  You are stating that these types of transactions have been fully documented and are properly disclosed to a reader of the financial statements.
  • Any important events that happened after the balance sheet date are accounted for and/or disclosed.  This means, if you decide to pay a large bonus to key employees after the year-end, at a minimum it needs to be fully disclosed and more likely properly accrued since the bonus no doubt stems from the profit of the year.

These are by no means all the things you are representing regarding the financial statements.  But you get the idea; you have the primary responsibility for all the financial information and making sure it gets in the financial statement.  You can and should bring it up to your accountant (or whoever is preparing the financial statement) if you have the slightest concern that it is something that should be included.

When is that you ask?  The fact it is on your mind means it should probably be disclosed.  The old saying, “When in doubt, let it out.” definitely applies to your financial statements.  Don’t try to suppress bad news or fluff up the good.  You, as management and the board (if it exists) have an obligation to ensure the truth is provided so that the reader can make an informed decision.

If you need help with preparing financial statements or designing an effective internal control system, feel free to contact us through our website.  We have worked with many large and small businesses, non-profits, and associations as auditor and also consultants.  We are here to be of service to you.

You, Your Business and Internal Controls

Some of the most exciting people to have as clients are driven small business owners.  Some of the most exacerbating people to have as clients are driven small business owners.  While they want to make their first billion in sales, they also don’t want anything to stand in the way of them making those sales; even if it keeps them out of hot water.

Invariably, the entrepreneur comes to a decision point; start putting others in charge of areas of the business or shrink the business back to a manageable level.  The really driven, focused owner starts hiring managers.  The rest, well they ignore the advice.

The excuse for not hiring managers is mostly permutations of the, “It is my company, I made it so therefore only I can control it.”  Really?  Look at your balance sheet:

  • You have uncollected receivables from 9 months ago
  • You have nothing recorded for inventory but your shop is stuffed to the rafters with stuff
  • You barely have enough cash on hand to make next weeks payroll
  • You have loaned the company $250,000
  • The bank loaned you $500,000

I can go on but I think you get the picture.  You are not in control.  Because you are the only person who makes decisions, you are merely at fault for what is happening.  Being “in control” in business doesn’t mean making all the decisions, it means that there are natural checks and balances which make sure that one person can start a transaction and someone else verifies it.

So, what should you do as a first step to start building a solid internal control structure?

Start acting ethically and responsibly.

I have worked with small business owners who don’t like safety rules.  I have walked into shops where employees are grinding metal and are not wearing goggles.  Guess what?  I carry a set of goggles in my backpack.  I have walked onto job sites where employees are not wearing hardhats.  Yes, I carry my own hardhat in the car.  The point to make is that you need to set the tone that safety matters.  And it is not just about safety, it is about acting ethically and responsibly at every moment.

Set the example: Be the example.  This one little rule applies to every small business and starts everyone on the path towards better decision making.

Reward good behavior when you see it.  I worked with a contractor who sat back and watched an employee help a subcontractor who dropped a bucket of nails off the back of a truck.  Nails scattered everywhere.  The employee stopped what he was doing and helped shovel up the mess.  It was the right thing for the employee to do.  The owner missed a great opportunity to teach his employees how to act responsibly and reinforce actions that benefit everyone.

Don’t be arbitrary as you teach employees to be arbitrary.  A business owner employed his daughter to work reception.  She would on occasion come back a few minutes late from lunch.  The owner berated her out in the open about setting a poor example.  Another employee came back over an hour late from lunch and he joked with him.  You might think it is not showing favoritism by abusing your receptionist/daughter but it is in fact an arbitrary enforcement pattern.  If the rule is “In your seat at 1pm” then make sure you enforce the rule on everyone, not just the convenient target who won’t fight back.

Strong controls begin with the tone at the top.  If you take shortcuts, your employees will take shortcuts.  If you pad your expense account, your employees will add time to their work week.  You cannot grow and be successful if everyone is always looking for the easiest route.  Believe it or not, your success as an entrepreneur is totally based on the success of the people you hire.  Act accordingly.

Have a great day.  If you would like to learn more about how to start implementing effective internal controls that won’t break the bank, feel free to write me anytime for a free consultation.  I can help you understand how to grow your business while also keeping it under control.  If you would like to learn more about C.O.R.E. and how our services can help your business and association, check out our website.

The Possible

There are times when I think we do not spend enough time thinking about the possible.  What I mean to say is, we are almost always fixated on the probable, or most likely to happen, outcome.  This is as true in accounting and auditing as it is in life itself.

One important aspect of our role as auditor though, is to consider the possible.  For instance, theft of company assets.  When we look at how assets are controlled, from their purchase to their ultimate disposal, we are looking for possible holes in that system.  Who approves a bad debt write-off, who can set the selling price of a piece of equipment that is no longer in use; the issues which concern is are possibilities.

If we focused solely on the probable, we would potentially miss a warning sign.  Is it probable that the purchasing agent is receiving a kick-back from a vendor for steering business their way?  Maybe not.  But what controls, what business process reduces the possibility?

It is one of the things that concerns us regarding condo and HOA audits.  As the association’s independent auditor, we are first and foremost concerned with the financial statement and the fact that it is materially correct.  But when you think about what provides a materially correct financial statement, it is all the controls and safeguards of the manager – who is charged with the board with carrying out the daily activity of the association.

This is the main reason we spend so much energy on understanding how the community manager does the job.  Who has access to a checking account, who initiates the transaction, who approves it?  These points reduce or increase the risk of misuse of the association’s assets. There are far too many stories about trusting a system that really did not provide any safeguards and addressing that possibility is the responsibility of the auditor.

For instance, what if employee A of the community manager could initiate a transaction for say, yard maintenance.  Employee A contacts the maintenance company, negotiates the price and sets the contract.  Employee A then reviews their work and approves payment.  Finally Employee A can write the check and have someone else sign.

This seems harmless doesn’t it?  After all, employee A can’t sign the check so the asset is safeguarded right?  Not at all.  Employee A could have created a fact maintenance transaction, set up a fake company, approved the work and, because everything was signed off on, the check is cut.  To employee A.

Is it probably this happens in any particular association?  No.  But this scenario could result in this possible outcome.  And the auditor should know that and make appropriate comment.

Community Managers will argue that this couldn’t happen.  They are, however, arguing that it is not probable because they believe they know their employees.  The fact that it could happen though is what we are concerned with when we try to determine the risks of weak internal controls.  Boards need to be made aware that the risk exists so they can take steps, if they feel it necessary, to eliminate, or at least reduce, the risk of it happening.

As a director, make sure your auditor works to understand how the community manager is operating and how it impacts your association.  Press them on their thoughts on what risks might exist to the assets of your association.  Your auditor should have a good grasp of the fundamentals of the control system and can give you some good points to consider.  And if they can’t, it may be time to switch auditors.  C.O.R.E. is here to help you, the board, rely upon your manager.  We do this by looking at the managers controls and how they impact your association.  Feel free to contact us to schedule a conversation about how we can be of service to your association.

Have a great weekend.