Frameworks & Finance

Demystifying Accounting: How to Create Policies & Procedures

Jul 25, 2024

Things work in a business until they don't.

You aren't stolen from until you are.

But how do you get in front of these "problems"?

Today we'll talk about controls in accounting and how policies and procedures create the structure required to have a high-functioning finance and accounting team.

We’ve all heard about fraud and I’ve even written about it a few different times:

  1. Segregation of duties
  2. 7 ways to protect your business from fraud
  3. A story of getting stole from (and how to stop it)
  4. The FTX Story Part 1 & Part 2

Despite all these warnings, no one ever thinks fraud is going to happen to them.

But it does and small businesses are some of the primary targets.

A 2018 report from the Association of Certified Fraud Examiners said that small businesses had an annual median fraud loss ($200,000) LARGER than that of larger businesses ($104,000).

This seems counterintuitive, but 42% of those losses were the result of a lack of controls in the business.

The friendships and “good ole boy” mentality within small businesses make fraud substantially easier than in big business. Add to that the fact that fraud is often perpetrated by someone you know, and it becomes easier to see why small businesses are so susceptible.

So how do you stop it?

  1. By putting controls in accounting and the business
  2. By documenting these controls, as well as the overall processes

Today we’re going to walk through each of these.

Controls in Accounting

Simply put, controls ensure the business owner keeps their money and protects employees from mistakes they could regret.

But the internal conflict with controls is always there: any control put in place reduces the perceived speed at which the business can act.

If Joe has to get approval from Sally, he can’t buy that thing right now and could lose the discount.

But Sally sees the control as essential because it helps reduce spending… sometimes Joe forgets about the “essential” purchase and overall they spend less as a business.

This dance of controls often puts accounting and the general business at odds. Shoot, controls often put FP&A and Accounting at odds.

The general business wants speed and ease. FP&A wants speed. Accounting wants accuracy and control.

These goals run counter to each other and always create a bit of tension, but by understanding the why behind each party’s desire we can relieve a bit of that tension and get people working together.

Within the world of financial controls, there are three types of controls:

  • Preventative: stop errors or fraud from happening
  • Detective: to detect and report errors (internal audit)
  • Corrective: to prevent the recurrence of previous errors

Preventative Controls

Standard preventative controls should be implemented early and often in businesses. The key to preventative controls is separating duties in everyday tasks.

Separation of duties means taking different parts of the transaction and having different employees perform those parts, so that no one person has full control over the transaction.

A common example is forcing an approval of transactions over a specific dollar amount. One person makes the charge and another is responsible for its approval (either pre- or post-transaction).

Within accounting, there are generally 3 stages:

  1. Preparing
  2. Reviewing
  3. Approving

Some examples within Accounting of this are below:

  • In reconciliations, one person prepares it, another reviews it, and a third approves it.
  • In Accounts Receivable, one person invoices it, another collects deposits, another records it, and another verifies and reconciles it.

When there are not enough people in the department to complete these tasks independently of each other, you have to get creative in how you approach controls. Ultimately, this can mean seeking management’s approval.

While I had check-signing authorization as CFO, because of my relationship with the CEO/ownership, I would generally create processes that required their sign-off on all check writing. This was a way to not only protect myself but for them to see I went over and above what was necessary to protect the business.

The key is to make sure to implement controls that won’t allow fraud or mistakes to go unnoticed, but do your best not to excessively impede the other areas of the business.

There are wrong answers (i.e., refusing approval because Sally is on vacation when it clearly meets the intent of the funds), but the right answer is always grey and requires cooperation and conversation.

Detective & Corrective Controls

I’m not going to go deep into detective and corrective controls today, as they’re often outside the scope of a traditional small business. As a business grows, there will be internal and external auditors who can review records to determine if controls in a business are sufficient.

This, as well as control lapses, determines what corrective measures are needed and these are typically addressed at that time. You might set up a policy or procedure for how to handle detective findings or the corrective process, but outside that your documentation on this will initially be light.

Documentation of Controls & Processes

Now that we understand controls, you potentially understand why this next step is so important: your controls are only as good as your documentation and adherence to that documentation.

So, to create the best possible system of documentation, I think in 3 levels:

  1. Policy: Defines what should be done and why.
  2. Procedure: Describes how to do it.
  3. Process: Shows the sequence of steps to achieve an objective.

Policies and Procedures are documented clearly, but broadly, and should only be updated annually or in specific emergency situations.

If you’re updating your policy and procedure manual more than once a month, you’re doing something wrong.

Processes, or SOPs (Standard Operating Procedures), are updated as needed and ideally should be touched every time the process is run. It’s when this doesn’t happen that they get out of date!

Policies

The policies set the tone.

A policy is a high-level statement that outlines the intentions, principles, and goals on that subject.

In some ways, policies are stale. They don’t go into specifics and without the procedures could leave you scratching your head.

A good policy will:

  1. Clarify the intent behind the rule
  2. Identify the approval steps and internal controls
  3. Lay out a clear expectation for frequency
  4. Identify any accounting treatments

For example, a sample policy statement in regards to budgeting would be:

The Members and Board of Managers is responsible for guiding the budget process and for approval of the annual budget.
The CFO and Controller will be responsible for preparing the proposed budget.

You aren’t giving specifics in regards to the nitty gritty, but you are establishing your goal.

By doing this, you allow people to interpret intent, which is often missing from manuals.

This is key for creating a team that can act independently.

Procedures

A procedure sits underneath a policy and outlines how to perform a specific task related to that policy.

Think of it as the policy sets the direction and intent, while the procedure tells you the high-level steps to follow.

Budgeting procedures would:

  1. Outline the timeline for the budget process
  2. Identify the scope of a specific task or role
  3. Address company-specific procedures
  4. Provide high-level guidance and steps to follow, but not granular-level detail

Process (SOPs)

The process is the exact means the team has determined to comply with the policy and procedure.

The process is something that can be updated daily, whereas policies and procedures are updated annually or with special approval.

Processes can also touch multiple policies and/or procedures, depending on their complexity.

The purpose of a process or SOP is to provide any employee trying to do the task at hand with step-by-step instructions on how to complete it.

I like to split my SOPs into sections:

  1. The Why and linked Policies and Procedures
  2. The software, tools, or log-ins needed to complete the task
  3. Video and written step-by-step instructions, down to what buttons to click
  4. Any specific templated language or copy/paste info
  5. The end state, or what successful completion of the task looks like (often including a checklist of things to review)
  6. Any “lessons learned” or things to watch for

While I am talking about checklists at a Process level, they can also happen at a Procedure level.

Often the checklist at the Process level is adapted from the Procedure-level checklist.

Checklists help make sure everyone is on the same page of what “done” is.

Example

Since this can be a little unclear, I wanted to give an example (which came from ChatGPT) of a bank reconciliation policy. Click here to read it.

While you don’t have to follow this specific process, I’ve used it in every business I’ve worked in as a full-time CFO and have had a ton of success implementing it with my clients.

For it to work well, you have to:

  1. be consistent in spot-checking the SOPs to ensure they’re being updated
  2. create a process for updating Policies and Procedures annually

Once you do this, you’ll wonder how you operated without it before.

If you have any questions, or if anything is unclear, don’t hesitate to reply to this email.

I love hearing from you and helping you as much as I can!
