When done right, internal controls help streamline processes, increase transparency, and build trust among stakeholders and customers. In this article, we examine how ERP can help take the hassle out of financial reporting.
Proper financial reporting has everything to do with trust. While conventional wisdom says that up to five percent of revenue in America is lost due to fraud — and even more to waste and inefficiency — our hope is that we can provide guidance on how internal control can help eliminate those losses.
The secret lies in a well-designed ERP system that can achieve the following objectives in operations, reporting, and compliance:
- Provide a single source of truth
- Streamline executive approvals
- Make it instinctive to follow generally accepted accounting principles
Meeting these requirements can be expensive and complex when you don’t have the right ERP solution. That is why it is essential to get the right software and make sure it is implemented by a team that knows what it is doing. At ERP Advisors Group, we have consulted on hundreds of ERP software implementations, and we provide independent guidance to find the best software for internal control over financial reporting.
Trying to enforce internal controls with an enterprise solution can spell catastrophe for midsize businesses and organizations — so perhaps a brief look to the past for some historical context is in order.
Enron, WorldCom and Financial Fraud
“Fraud” and “prison” are ugly words. Yet the words are never worse than the nightmare of the experience itself. It’s true: false financial statements can mean jail time for corporate officers. That few are ever prosecuted is actually a testament to just how seriously this is treated.
All of which is to say: internal control over financial reporting is important. Even in uncertain times, it can’t be overlooked, because the consequences of slipshod accounting are all too grave and unrelenting.
But for the backstory on how the penalties came to be so stringent, we look to the financial scandals of the early 2000s, and behemoths such as Enron, WorldCom, and Tyco International. These high-profile financial disasters destroyed investor confidence and led many to demand a complete rework of regulatory standards that hadn’t been touched in decades.
And thus, the Sarbanes-Oxley Act of 2002 was born.
What is Sarbanes-Oxley?
On July 30, 2002, the U.S. Congress passed the Sarbanes-Oxley Act to help prevent fraudulent and dishonest financial reporting. The act resulted in widespread reform to existing securities regulations, thanks to an extensive docket of requirements — and penalties for violations.
Named after Senator Paul Sarbanes of Maryland and Representative Michael Oxley of Ohio, who wrote the original legislation, the act is known by many other names, including the SOX Act of 2002, the Corporate Responsibility Act of 2002, or just “SOX” for short.
Here is a brief summary of SOX requirements:
- The CEO and the CFO are held fully accountable for internal accounting controls, including signing off on financial reports and reporting any material deficiencies
- Financial reporting must contain no misrepresentations or known errors
- Off-balance sheet liabilities, obligations, and transactions should be noted
- Management must attest to having an adequate internal control structure and report any shortcomings
- External auditors are required to verify that internal controls are in place
- Material changes in financials must be disclosed on a close to real-time basis
- An annual report must be compiled containing all of these points
- It is also noted in the requirements that any destruction or alteration of documents will be met with criminal charges
According to a survey by the Center for Audit Quality, “79% of chief financial officers (CFOs) feel that the overall quality of information in audited financial statements has improved since the enactment of SOX.”
Examples of Internal Controls in ERP
The benefit of an ERP system is that it can help remove manual processes and do some of the work automatically, thus increasing organizational efficiency.
An electronic accounts payable workflow can be set up inside an ERP application, where all formal approvals required by the organization’s procedures are captured according to vendor, amount, cost center, account, location, or project. You can also have a purchase order approval process where approvals are captured within the ERP application.
An ERP system also helps the auditor test internal controls and analyze the effectiveness of the company’s procedures. The focus is on limiting employee authorizations, protection and preservation of assets, and separation of duties.
We feel that conducting internal control within an ERP application is the most effective way to handle internal control, and it will be the most efficient and cost-effective in the long term. You will be able to prepare accurate and timely financial statements, and most importantly, it will help you maintain Sarbanes-Oxley compliance.
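The approval workflow and separation-of-duties checks described above can be tested over exported approval records. The following is an added example, not code from ERP Advisors Group or any ERP product; the approval tiers, field names, finding codes, and sample records are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed approval matrix (an assumption, not from any ERP product):
# invoices up to each limit need that many independent approvals.
APPROVAL_TIERS = [(1_000, 1), (25_000, 2), (float("inf"), 3)]


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor: str
    amount: float
    cost_center: str
    submitted_by: str
    approved_by: tuple


def required_approvals(amount):
    """Number of independent approvals the matrix demands for an amount."""
    return next(count for limit, count in APPROVAL_TIERS if amount <= limit)


def audit(invoices, vendor_created_by, cost_center_approvers):
    """Return {invoice_id: set of finding codes} for invoices that break a control."""
    report = {}
    for inv in invoices:
        findings = set()
        approvers = set(inv.approved_by)
        authorized = cost_center_approvers.get(inv.cost_center, set())
        creator = vendor_created_by.get(inv.vendor)

        if creator is None:
            findings.add("UNKNOWN_VENDOR")           # vendor never went through setup
        elif creator in approvers:
            findings.add("VENDOR_CREATOR_APPROVED")  # same person set up and paid the vendor
        if inv.submitted_by in approvers:
            findings.add("SELF_APPROVAL")
        if approvers - authorized:
            findings.add("UNAUTHORIZED_APPROVER")    # approver has no authority over this cost center

        # Only authorized approvers who neither submitted the invoice nor
        # created the vendor record count toward the amount threshold.
        independent = (approvers & authorized) - {inv.submitted_by, creator}
        if len(independent) < required_approvals(inv.amount):
            findings.add("INSUFFICIENT_APPROVALS")

        if findings:
            report[inv.invoice_id] = findings
    return report


# Constructed sample data: who created each vendor record, who may approve
# spending per cost center, and four accounts payable transactions.
VENDOR_CREATED_BY = {"Acme Supply": "dana", "Northwind Parts": "lee"}
COST_CENTER_APPROVERS = {"CC-100": {"maria", "omar", "joe"},
                         "CC-200": {"omar", "priya", "lee"}}
INVOICES = [
    Invoice("INV-1", "Acme Supply", 800, "CC-100", "joe", ("maria",)),
    Invoice("INV-2", "Acme Supply", 12_000, "CC-100", "joe", ("joe", "maria")),
    Invoice("INV-3", "Northwind Parts", 5_000, "CC-200", "joe", ("lee", "omar")),
    Invoice("INV-4", "Ghost LLC", 300, "CC-200", "joe", ("maria",)),
]

if __name__ == "__main__":
    for invoice_id, codes in audit(INVOICES, VENDOR_CREATED_BY, COST_CENTER_APPROVERS).items():
        print(invoice_id, sorted(codes))
```
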
Working With an External Auditor
An ERP system streamlines external audits by making it easier for an auditor to examine financial statements and run tests with dummy transactions.
Audits usually have three stages:
- Planning and risk evaluation: An auditor must have an understanding of the business and the competitive environment in which it operates. The auditor uses this industry knowledge to determine if there are risks that could affect the validity of the financial statements.
- Testing of internal controls: The auditor analyzes the effectiveness of the company's internal control procedures. The focus is on limits of employee authorizations, protection and preservation of assets and separation of duties. Control procedures are tested to determine their strength.
- In-depth examinations: If auditors find that a company's internal controls are highly effective, they may decide to scale to more intense auditing procedures. On the other hand, if ineffective control procedures are detected, auditors will conduct other financial examinations to assess the accuracy of the financial statements.
Internal Controls Apply to Everyone
Internal control over financial reporting is not just an issue for public companies — private companies will do well to pay heed to this as well. And ICFR is not solely applicable in those instances where a startup is looking to go public in the future. With the uncertain state of current affairs, private sector financials are coming under increased scrutiny, and companies are being held accountable for having accurate financial statements.
There is a philosophic approach to internal controls that is prescriptive here: it is simply a matter of following best practices. Companies that adhere to generally accepted accounting principles (GAAP) will tend to be more efficient in their operations and will make more prudent financial decisions.
Even non-profit organizations can benefit from internal controls when reporting to donors, government agencies, and the like, because the data they need will be readily accessible.
No matter what your situation is, financial reporting demands the highest levels of integrity and accuracy — after all, the ultimate reason you are putting an ERP system in place is so you can generate accurate financial statements.
Narrator: This is the ERP Advisor. Today’s episode: Internal Control Over Financial Reporting with ERP.
Juliette Welch: Hi, everyone. Thank you for joining us for today's call, Internal Control Over Financial Reporting with ERP. Shawn Windle is our speaker for today. Shawn is the Founder and Managing Principal of ERP Advisors Group based in Denver, Colorado. Our guest joining us today is Espen Jensen, Principal Consultant at ERP Advisors Group. Thank you guys for joining us, I appreciate you taking the time.
Shawn Windle: Absolutely.
Espen Jensen: Yeah, thank you.
Juliette: Okay well Shawn we will jump right in with you if you’re ready to go.
Shawn: Let’s do it.
Juliette: So, in the recent weeks, we've been covering a variety of different topics. So why are we talking today about ERP and internal control?
Shawn: What we’re seeing right now is that there is actually some demand in the marketplace for understanding internal controls around ERP which is great. So, our Digital Marketing Manager who is behind the camera, Shaun, said that we need to put some material together for this because people are asking about it. And we want to make sure that we can get experts — between Espen and myself we have a ton of experience, especially Espen on the practical side. So, that’s one reason that we’re talking about this.
But the real reason, when you look at ERP — and then we will bridge specifically into internal controls because it’s sort of like “why is ERP Advisors Group looking at internal controls?” because there’s other firms — lots of people I worked with at a firm that I’m sure will come up in this discussion, Anderson, went off and they just focused on internal controls work with some of these other firms out there. But, if you look at the reason ERP is in place, the ultimate reason especially from a CFO/CPA perspective is to create financial statements — to take all these transactions from across the entire business, from inventory on the balance sheet to operating expenses, everything, even leases — there’s new lease accounting requirements we were just looking at for a client — all of that accounting shows up in the financial statements for a public company, then that goes to the public who then decides if they want to invest in that company or not. That’s how it should work.
Juliette: Right.
Shawn: And how do you know that those financial statements are correct?
So, like if you're working with your son and you're teaching him about financial responsibility, you have to decide, do you put your money into this company or that company? Well look at the financial statements. But what if they're wrong? What if they're materially incorrect or there's mistakes that go into creating those financial statements? That's what internal controls prevent.
And remember, most of those financial statements come out of the ERPs or other financial systems that we advise clients on. So that's sort of the bridge into the discussion today.
Juliette: So Espen, can you provide some background on the Sarbanes Oxley Act and how it led to what we are familiar with today in terms of internal controls?
Espen: Do you remember the Telecom bust back in the year 2000/2001?
Juliette: Yes.
Espen: Well in the aftermath of that Telecom bust, we had some big financial scandals, and some of the companies — Enron you had some items that were placed off balance sheet and they played with US generally accepted accounting rules to achieve that. Then you had another player in the market, Tyco, who had some — let’s call it misappropriated assets — one of those being a toga party. And then another one was WorldCom, and what they did was essentially reported less in expenses than what US GAAP told them to, so they capitalized more, meaning their balance sheet or their assets increased but the margins looked better.
So that was the background for a — let's call it an upheaval and some new legislation that happened in 2002 and there were two individuals in Congress, Michael Oxley, a representative from Ohio, and then Paul Sarbanes, a Senator from Maryland got together and wrote some legislation.
And so, if you combine the two names Sarbanes and Oxley, then you get “sox” so SOX for short, the SOX act of 2002.
And so there's three major sections in this legislation; it's a very lengthy legislation. The section 302 talks about the financial statement needs to fairly present the financial situation of the company. And the corporate officers need to sign off on those financial statements, and if there is any — let's say the financial statements are false — then the corporate officers can get jail time.
Juliette: They’re held responsible for that.
Shawn: Did you know that? They can go to jail.
Juliette: I did not know that. So, they are verifying that those numbers are correct?
Shawn: Yeah.
Espen: Yeah. And then another section is 802 that has to do with destruction and falsification of records and needing to keep them for a lengthy period of time — or a certain period of time I should say. And what type of communication I need to store and so forth.
And then you have section 404 which deals with internal control which is today's topic. And so, on the internal control side, you have management and auditors that need to establish internal controls and reporting methods to ensure the adequacy of those controls. So that's a little bit of a background on the — if you picture certified public accountant, you'll have two tracks typically for the CPA tax and then audited financial statements is typically the two tracks that you have. So, the audited financial statements, the CPA on that assignment would be the auditor and the auditor — the company that hires the auditor, they want to get an unqualified opinion, meaning the auditor is not pointing out any issues with the financial statements and that they’re giving a fair presentation of the company's financial condition.
So, the auditor is going into — they have the responsibility to understand the industry of the business and the business and also the competitive environment of this business.
So, they have industry knowledge and business knowledge and then with that, they can better assess the risk associated with this particular company. And also they need to go in and do some testing and analysis of internal controls to determine its effectiveness and so one of those things would be limits on employee authorizations, protection, and preservation of assets.
And then one key item is segregation of duties. So what does this boil down to? Well, financial statements are to be prepared according to US GAAP. And they need to be signed off by corporate officers.
Shawn: Yeah, it's a big deal.
Juliette: Better held responsible.
Shawn: Yeah, for sure. I mean, I can tell you it back in the day — with a firm I used to work with that no longer exists that was a big four, that had 70,000 employees at it — that exactly what Espen's talking about. I worked under a partner, whose picture showed up in the Wall Street Journal when all of these congressional hearings were happening, he happened to be a partner over Telco and energy in the southwest region of the United States, which was WorldCom and Enron and Quest and yeah, this stuff is real. Like these are problems, these are responsibilities that our clients have every day. So, I think it's great to get that background.
Juliette: So, turning this to ERP which we are well versed in, what role does ERP play in following these generally accepted accounting principles? Can you speak to that?
Shawn: Yeah. When we talk about ERP like we have a lot, we talk about it as a conceptual framework. And for all of our clients. We always say, here's your business application ecosystem. And you might have a recent client — Espen and I are working on, and they have all these point of sales that all lead into accounts receivable, then lead into a general ledger, and then we have financial statements.
So, when we say what role does ERP have, we have to dig down below the surface to say it's specific modules. So, if you have a general ledger, which is an aggregator of all this summary data across the organization or transactional data and then it summarizes it, and then you push a button, hopefully — very few companies push a button and they export it out to excel and they usually do a little manipulation, but not bad manipulation — we're not into that business. But the financial statements are generated from the ERP or the financial application. So, you've got to make sure then when you're working and selecting ERPs that just — I mean, segregation of duties has to be built into the application. When you're looking at the ERPs that are going to be doing financial reporting, which most are, you've got to ask the question have you had clients that have gone live — or pardon me — have gone public on your software? “Well, you know, I don't have that requirement because I'm not going to go public, anytime soon.” Well, you don't know. And maybe you get bought by somebody who looks at your financial statements because they're going to uphold the same kinds of inventory controls requirements on your financials even if you don't go public.
So, if you have an app that companies have taken to public — that they've run on — that's a good indicator. And you want to see that.
So, the financials app, the financial reporting apps — I think we're going to talk a little bit more about that in another discussion about specific financial reporting apps — but the key thing is that if you are talking to an ERP vendor and you want to use it for financial reporting, then you better bring up internal controls and Sarbanes Oxley Compliance. And I think most of the people listening to our call will think to ask that question, but just make sure to ask it for sure because if they say — because frankly we have a client that's a smaller manufacturer lab company and they're really focused on the operational side around their new ERP, not necessarily on the financial side, it's not as critical. So, is it vital that the internal controls are built into that app? No, but if they want to get bought, if they want to go public, if they want some major liquidity event in the future where someone's going to give them a big check, they're going to expect those internal controls to be in place. So, there you go.
Juliette: To be prepared for it.
Shawn: That's right. You got it. You're like the Sage of ERP over there.
Juliette: So Espen, to give a practical example, can you provide a real world idea or example to help illustrate the proper implementation of internal controls?
Espen: Well, first I want to mention that internal control is geared toward achievement of objectives in operations reporting and compliance. So, that's the goal of internal control.
But according to conventional wisdom about 5% of revenue among companies in America is lost due to fraud and so it could be a big number. Maybe with more and more transactions going electronic maybe that is being reduced, but it's a big number.
There are basically three lines of defense and so picture the process owner or the supervisor as one defense. Another being other department owners or departments like financial planning and analysis type function where you're monitoring activity. And then the third one being an internal audit type function. So, those are three lines of defense.
One of my favorite activities is skiing, so about 20 years ago I got into mogul skiing or bump skiing and so that keeps me motivated even today to get up early in the morning to work out and get ready for the ski season. And so, what I did was one summer worked part time at a ski area at the ticket office. And it's one of the ski areas in Colorado, and so I worked at the ticket office in the summer and — picture people coming in at the ticket office. The things that you can do there would be going mountain biking, so you get a lift ticket to go up and down, up and down, up and down, and then you ride down on obstacle courses and then you go up on the lift again. Or you can bring your family, the small kids — you can do roller coasters and a bunch of different activities. So, you walk into the ticket office, and you buy your tickets, and you can pay with cash, check, or charge. So, the ticket office attendant would collect the appropriate payment — let's say it's cash — and you put that in the cash register and accumulate it over the day. And then at the end of the day, you need to settle that cash register. And so, either take it off as a tenant — I would gather up the information, total things, and then I would place all these items, pending the credit card receipts, the cash and the report into an envelope and then separately another colleague would run the report and then that would be brought to the supervisor who would check the two against each other. So, you can see that there's three different individuals involved, so you have segregation of duties.
So, one way to reduce the risk of internal control would be to no longer accept cash, so maybe that works in the coronavirus era and maybe in the aftermath of that, but it could be lost revenue for the business. So that's a consideration to make, but at the same time, it would lower the risk of assets being stolen or disappearing. So taking that another step to having incoming invoices to the business go through an ERP system where all the approvals are electronic, even the vendor setup is within the system with an auditable record, then you can make sure that multiple individuals are involved in setting up the vendor records so that you don't pay invalid vendors and also have each transaction having multiple approvals with thresholds for amounts and also cost centers and projects and — also maybe Joe has a bunch of vendors that he's responsible for so you can set up by vendor and have an auditable record of the transactions. So that would help internal control as well — doing it electronically.
Juliette: Other sets of eyes just help keep people honest.
Shawn: Yeah. And Espen you have great practical experience from summers at ski resorts but also the organizations that you’ve worked in. It’s great.
Juliette: Yeah, so thank you guys, that’s a lot of great information. I know we just touched on this today and I’m sure it’s a lot deeper than that, but thanks for your time.
Shawn: Sure.
Juliette: And Espen thanks for being our guest this morning.
Espen: Thank you, Juliette.
Narrator: ERP Advisors Group is one of the country's top independent enterprise software consulting firms. Advising mid to large sized businesses on selecting and implementing business applications including ERP, CRM, HCM, business intelligence, and other enterprise applications which equate to millions of dollars in software deals each year across many industries.
This has been The ERP Advisor.