C
Institute of
Finance & Management
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
Developed and Administered by Institute of Finance & Management (IOFM)
IOFM Leadership Team Brian Cuthbert Group Vice President
Josh Barrett Director, IOFM
Becca Carifio Membership & Certification Manager, IOFM
Grace Chlosta Content Manager, IOFM
Update Development Team Royce Morse Pam Miller
Judy Bicking Elaine Stattler
All rights reserved. Copyright © 2024, Institute of Finance & Management. Notice: No part of this publication may be reproduced, stored in a retrieval system or transmitted by any means, electronic or mechanical, without prior written permission of the Institute of Finance & Management.
© Institute of Finance & Management, 121 Free Street, Portland ME, 04101 IOFM.com
3
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
TABLE OF CONTENTS
DEDICATION ..................................................................................................................... 7
ACKNOWLEDGMENTS . .................................................................................................. 8
INTRODUCTION ............................................................................................................... 9
CHAPTER 1 INTERNAL CONTROLS ........................................................................... 11 1.1 I NTRODUCTION...............................................................................................................12 1.2 WHAT ARE INTERNAL CONTROLS?................................................................................13 1.3 CONTROL ENVIRONMENT...............................................................................................15 1.4 RISK ASSESSMENT........................................................................................................15 1.5 CONTROL ACTIVITIES.....................................................................................................16 1.6 AR INTERNAL CONTROLS ............................................................................................. 20 1.7 POLICIES AND PROCEDURES (P&P)............................................................................... 20 1.8 AUDIT AND KEY TERMS..................................................................................................21 1.9 FRAUD........................................................................................................................... 22 1.10 CONSEQUENCES OF INADEQUATE INTERNAL CONTROLS..............................................27 CHAPTER 2 UNDERSTANDING YOUR B2B CUSTOMER’S PROCURE TO PAY PROCESS (P2P) .......................................................................... 28 2.1 INTRODUCTION. ............................................................................................................ 29 2.2 NON-PO PURCHASES....................................................................................................29 2.3 PO PURCHASES..............................................................................................................31 2.4 THE PERFECT INVOICE...................................................................................................32 2.5 DSO AND DPO...............................................................................................................33 2.6 SENDING STATEMENTS OF PAST DUE INVOICES...........................................................34 2.7 AP AND PROCURE-TO-PAY BEST PRACTICES................................................................34 2.8 CONCLUSION................................................................................................................. 36 CHAPTER 3 CUSTOMER MASTER FILE . ................................................................ 37 3.1 INTRODUCTION. ............................................................................................................ 38 3.2 OWNERSHIP. ..................................................................................................................39 3.3 CUSTOMER FILE DOCUMENTATION................................................................................39 3.4 VERIFYING CUSTOMER DATA..........................................................................................41 3.5 UPDATING THE CUSTOMER MASTER FILE.....................................................................43 3.6 ENTERING AND SECURING CMF DATA...........................................................................43 3.7 CYCLE TIME...................................................................................................................44 3.8 CONCLUSION................................................................................................................. 44
4
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
TABLE OF CONTENTS
CHAPTER 4 CREDIT MANAGEMENT . ...................................................................... 45 4.1 INTRODUCTION. ........................................................................................................... 46 4.2 CREDIT MANAGEMENT..................................................................................................46 4.3 POLICY & PROCEDURES (P&P) FOR THE CREDIT MANAGER.......................................... 49 4.4 NEW CUSTOMER CREDIT...............................................................................................52 4.5 CREDIT APPLICATION....................................................................................................55 4.6 ASSIGNING A CREDIT LINE.............................................................................................57 4.7 RELATIONSHIP BETWEEN CREDIT AND SALES...............................................................59 4.8 RESOURCES FOR CREDIT MANAGERS AND THE CUSTOMER MASTER FILE...................62 4.9 FINANCIAL STATEMENT ANALYSIS................................................................................63 4.10 INTERNAL CREDIT SCORE.............................................................................................65 4.11 TERMS AND PAYMENT METHODS..................................................................................67 4.12 NEW CUSTOMER ACCEPTANCE LETTER.........................................................................70 4.13 CREDIT AND EXISTING CUSTOMERS..............................................................................71 4.14 METRICS........................................................................................................................72 4.15 BEST PRACTICE SUMMARY............................................................................................73 CHAPTER 5 CASH APPLICATION, DEDUCTIONS, AND DISPUTE MANAGEMENT .................................................................................... 75 5.1 INTRODUCTION. .............................................................................................................76 5.2 PAYMENT TYPES AND METHODS...................................................................................76 5.3 INTERNATIONAL PAYMENTS.........................................................................................88 5.4 CASH APPLICATION.......................................................................................................90 5.5 DISPUTE MANAGEMENT................................................................................................92 5.6 BEST PRACTICES..........................................................................................................99 5.7 CONCLUSION................................................................................................................100 CHAPTER 6 COLLECTIONS ...................................................................................... 101 6.1 INTRODUCTION ...........................................................................................................102 6.2 COLLECTIONS PRIORITIZATION....................................................................................103 6.3 COLLECTION TECHNOLOGY..........................................................................................104 6.4 COLLECTIONS STAFF...................................................................................................104 6.5 COLLECTION METHODS...............................................................................................105 6.6 ADDITIONAL PRACTICES AND TOOLS..........................................................................110 6.7 COMPLIANCE. .............................................................................................................. 115 6.8 BANKRUPTCY...............................................................................................................121 6.9 BEST PRACTICE...........................................................................................................125 6.10 CONCLUSION................................................................................................................125
5
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
TABLE OF CONTENTS
CHAPTER 7 ACCOUNTING, RECORDS, AND ASSOCIATED REGULATIONS .......................................................................... 127 7.1 INTRODUCTION. ...........................................................................................................128 7.2 ACCOUNTING DEFINITIONS..........................................................................................128 7.3 FINANCIAL REPORTING AND ACCOUNT STANDARDS...................................................129 7.4 GENERAL LEDGER........................................................................................................130 7.5 MONTH-END CLOSE.....................................................................................................132 7.6 FINANCIAL STATEMENTS.............................................................................................134 7.7 AUDITING—INTERNAL AND EXTERNAL.......................................................................134 7.8 RECORD RETENTION/DESTRUCTION............................................................................136 7.9 OTHER REGULATIONS..................................................................................................140 7.10 UNCLAIMED PROPERTY/ESCHEATMENT......................................................................145 7.11 CONCLUSION................................................................................................................147
6
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
DEDICATION
This program, dedicated to enhancing the accounts receivable profession, has been created to recognize, certify, and validate the knowledge and skill set of accounts receivable specialists, managers and departments. Their contribution to the successand welfare of their organizations deserves recognition and reward. The importance of accounts receivable is highlighted by rapid changes in technology and the importance of cash management. Senior management awareness is growing. Order-to-cash operations require a tremendous breadth of knowledge to perform effectively. This program is dedicated to the many that provide outstanding accounts receivable service to their organizations. There are other certification programs that address individual parts of the accounts receivable process, but The Accounts Receivable Certification Program is the first and only program that educates and cross trains professionals in all areas of the order-to-cash process, including order processing, credit, billing, collections, and cash application.
7
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
ACKNOWLEDGMENTS
The Accounts Receivable Certification Program is grateful to those professionals who have so generously shared their expertise and knowledge about the industry in the development of this program, including authoring the study guide, providing critical review of each chapter and the creation of the examinations, all to ensure the accuracy and timeliness of the content. Additional thanks go to the many unnamed professionals who have answered our innumerable questions about matters related to accounts receivable, provided insight gained only from hands-on experience, and willingly shared both their successes and their failures.
8
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
INTRODUCTION
Finance teams face many challenges in a global economy that is unpredictable, rapidly changing, and extremely competitive. Cash management, specifically, is one of the CFO’s biggest challenges. Concerns include whether sufficient money is being received to meet the needs of the business, the cost of the process, the customer’s experience dealing with the company, and how to protect the company’s cash from fraud. Accounts Receivable (AR) is a strategic process that has a direct impact on the success of an organization’s business plan and goals. To achieve the business plan set by the CFO, the AR process – from setting lines of credit through getting cash in the bank – must be secure, compliant with regulations, efficient, accurate, and timely. Accounts receivable is charged with protecting the cash by eliminating fraud, determining the acceptable degree of bad debt, and collecting monies due the company within terms, while supporting sales. This can be very challenging. Staying current on new payment methods and implementing best-in-class payment processes can make the difference between turning away an order and accepting it.
Supporting sales and protecting the cash (turning an order into cash) requires:
Agreement on the company’s receivables strategy—that is, how the company will use trade credit to maximize profit and cash flow; Thorough review of the current process; Mapping a future that meets the C-Suite goals and objectives, without any pre-conceptions; Knowledge of laws and regulations pertaining to business-to-business (B2B) and business-to-consumer (B2C) transactions;
Knowledge of internal controls needed to protect the cash; and Benchmarking to find the best process for your business plan.
Key performance indicators (KPIs) must support the CFO’s strategy and keep each AR function focused on the end goal on a day-to-day basis.
Because there are errors and inefficiencies in the process from the time the order is taken until payment is received, many businesses are taking a new approach. Through activities such as certification training and benchmarking, companies can discover proven new processes that remove errors, reduce costs, and have a direct impact on customer satisfaction. In today’s age of placing orders electronically, AR is becoming the first face the customer sees at many businesses. This places a new customer-service responsibility on the AR staff in resolving discrepancies and collecting past due accounts while keeping the customer relationship intact. AR therefore has an important role to play in an organization’s competitiveness. This is what makes the AR profession so exciting. It is diverse, complicated, and challenging – with an added dash of risk! This certification program explains the principles, policies, processes, and practices necessary for efficient and effective accounts receivable that meets an organization’s goals: supporting sales, cash flow, and customer service while protecting the organization’s money.
9
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
INTRODUCTION
A NOTE ON MODELS: BUSINESS-TO-BUSINESS (B2B) AND BUSINESS-TO-CONSUMER (B2C)
There are two very distinct business models, as determined by the customer base: B2B and B2C. While the workflows are very similar, there are different laws and regulations governing the two models. Both B2B and B2C involve selling products or services or loaning money, yet the customers being sold to are very different—as are the laws governing how a business collects on debt if the business customer or the consumer does not pay on time. For example, there are specific laws that protect the consumer regarding when, where, and how companies can collect debt. To be certified as an Accounts Receivable Professional, you must understand both B2B and B2C.
10
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
CHAPTER 1: INTERNAL CONTROLS
CHAPTER 1 INTERNAL CONTROLS
1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8
Introduction.................................................................................... 12 What Are Internal Controls?............................................................13 Control Environment.......................................................................15 Risk Assessment............................................................................15 Control Activities............................................................................16 AR Internal Controls ......................................................................20 Policies and Procedures (P&P)........................................................20 Audit and Key Terms......................................................................21
1.9 Fraud............................................................................................. 22 1.10 Consequences of Inadequate Internal Controls................................27
11
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
CHAPTER 1: INTERNAL CONTROLS
1.1 Introduction
Internal controls are an essential foundation for any organization, regardless of size or complexity. An internal control system is designed to ensure timely and accurate financial information that is free from irregularities or errors. This chapter will take a detailed look at internal controls. To begin, it is important to understand that the AR process is critical to an organization’s financial statements. Each step of the process—from invoicing the customer through collecting the cash—creates a journal entry to the general ledger. The financial reports are created from the general ledger. The accuracy of the AR ledger is essential in providing an accurate picture of the financial health of the organization. for example, if the customer is invoiced but the invoices are never paid, this results in falsely overstated revenue. Overstating revenue is, at the least, poor and incompetent management and could have negative consequences for the organization. At worst, it is fraudulent and will likely result in more dire consequences.
In addition, internal controls are a defense against two things:
1. Errors – which, among other things, can negatively impact customer relations; and 2. Fraud – the intentional misappropriation of the organization’s assets, particularly, its cash. It is necessary that organizations understand which internal controls are needed and where best to place them. Organizations must include internal controls in the accounts receivable (AR) policy and procedures to ensure that they are carried out and monitored for effectiveness.
The design complexity of the internal control system required depends on the complexity of the organization’s operational processes.
All internal control systems have four key objectives:
1. Promote efficient processes; 2. Safeguard the organization’s assets (for AR that means the cash); 3. Provide reliable, timely, accurate, and consistent financial reporting; and 4. Comply with applicable laws and regulations.
No organization can protect itself from all risk, but implementing proper controls offers at least some degree of protection. Internal controls should be a part of each step in the AR process. It is important to understand that the responsibility for safeguarding the organization’s assets and resources through internal controls belongs to every employee, not just the internal control or internal audit department or the finance and accounting groups. Everyone working in AR must have a control mindset.
12
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
CHAPTER 1: INTERNAL CONTROLS
1.2 What Are Internal Controls?
Internal controls include processes and procedures that are designed to provide reasonable safeguards of the organization’s assets and other resources. Internal controls are also required to achieve reliable financial reporting; compliance with federal, state, and local regulations; and efficient operation of the business.
Order to Cash
Internal Controls
Customer
O2C
Thought of Need
Find Supplies
Sales Order Created
Order Fulfillment
Submit PO
Credit: Research, Set Credit Line
Quote/ Contract
Use existing preapproved suppliers or
Large dollars: request a quote 3-5 suppliers May require formal contract
Order Acknowl- edgement: Confirms all product/service details & Tems
Goods pulled from inventory or service is prepared
Need Specs
have purchasing locate appropri- ate suppler
Internal Controls
O2C
Customer
O2C
Invoice & Packing Slip Prepared
Deliver Goods or Service
Receipt of Goods/ Service
Payment to Supplier
Financial Statement
Payment Cashed
Packing slip w/ package Invoice to AP
Carrier is contacted
80% of mismatches
Based on terms
FIGURE 1
For example, the Sarbanes-Oxley Act (SOX) has had a far-reaching global impact due to its requirement that all publicly traded companies establish internal controls for all their locations worldwide. Many of these companies trade globally and so have required their suppliers to comply with SOX as well. Even if your organization does not have to comply, SOX clearly outlines requirements that help safeguard an organization’s cash. SOX, and regulations like it enacted in many countries around the world, require that effective internal controls over the financial reporting process be in place and that a recognized framework be used to assess and evaluate whether those controls are indeed effective. Section 404 of SOX, for example, requires management to certify their organization’s internal control over financial reporting. The impact of this on the AR process is that executive level management holds managers and supervisors responsible for having effective internal controls in their areas. Some require personnel to sign an annual statement attesting to their adherence to the company’s SOX compliance policies and procedures.
13
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
CHAPTER 1: INTERNAL CONTROLS
Most organizations in the U.S. build their internal controls around a recognized framework that was created by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. The COSO framework meets the requirements laid out in SOX and other regulations, such as the Anti- Money laundering (AMl) rules of the Bank Secrecy Act, the foreign Corrupt Practices Act (fCPA), and the Customer Information Program (CIP) regulations of the PATRIOT Act—also known as Know Your Customer (KYC).
COSO: Five Components in Assessing Internal Controls
Control Environment
Integrity, Ethics, Values & Competence
Missing Basic Controls
Risk Assessment
Contral Activities
Preventive Controls
Detective Controls
Both Controls
Compensating Controls
Separation of Duties Control
Analysis Control
Quality Control
Level of Authority Control
Processing Control
Reconciliation Control
Safeguard Control
Physical Control
System Control
Three Top Controls
FIGURE 2
There are five interrelated components in assessing internal controls:
1. Control environment 2. Risk assessment 3. Control activities 4. Information and communication (or Proper Authorization activities) 5. Monitoring activities
14
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
CHAPTER 1: INTERNAL CONTROLS
1.3 Control Environment
A strong control environment is one of the key foundational elements of a good internal control system. Characteristics of the control environment include the integrity, ethics, values, and competence of the personnel. Management will set the tone—good or bad— and can create a strong control environment by providing structure and discipline, as well as by conducting themselves accordingly, with integrity. In essence, the company’s management philosophy, operating style, and accountability will determine the control environment. Since the creation of the control environment must consider the personal traits of individuals, some organizations communicate management expectations through a written code of ethics, which employees must sign. One necessary (personal) commitment is to make sure that policies and procedures (P&P) are not overridden. This is a key ingredient to the control environment. If P&P are overridden on a regular basis, it jeopardizes the control environment. Another important element of the control environment is independent oversight, such as by an independent board of directors or independent audit committee. This is also a SOX requirement, and though not required for privately held organizations, is worth adoption by all organizations seeking to implement best practices in governance and stewardship of assets. A well-defined organizational structure is an important component of a control environment. It provides a clear line of authority, accountability, and responsibility. Moreover, it helps determine how to properly segregate (separate) duties within an organization. Separating certain duties within the organization helps avoid a situation in which, if those duties were combined, there would be potential for irregularities, errors, and fraud. Job descriptions should include lines of authority, authorization limits, and a guide for escalation of issues—with periodic employee reviews of compliance.
1.4 Risk Assessment
Risk assessment is the analysis and identification of internal and external risks affecting the achievement of the organization’s objectives, from which a plan can be created to manage the risks. The assessment includes determining the significance of the risk, the likelihood of the risk occurring, and the actions required to mitigate it. Risks can come in the form of general market risk, such as an economic recession, government instability, or changes in regulations. For instance, if a new regulation is implemented affecting trade among countries, it could have an impact on an organization’s sales and collections of cash. Risk also occurs from within an organization. This can result from investing in a new product or market in order to gain market share. The CMO can challenge the sales team with promotions and terms in order to “get the sale,” while the CFO can enable the credit management team to take more risk when opening lines of credit. Depending on how much of a “financial bet” is being invested, this can put the organization’s financial health at risk.
15
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
CHAPTER 1: INTERNAL CONTROLS
Examples of risk-assessment steps to help review and identify potential areas of concern include:
1. Assign groups or individuals to specifically address internal and external risk factors. 2. Create a communication process that ensures the appropriate level of management is aware of significant risks to the organization. 3. Perform periodic internal or external reviews of your processes used for risk assessment. 4. Implement processes to ensure that all functions of the accounting department are made aware of significant operating or regulatory changes in order to determine the impact on the organization’s accounting practices.
Risk assessment should cover several areas:
1. Control environment (including management behavior, enforcement, and override environment); 2. Department-specific risk (segregation of duties, accuracy of data, and prevention irregularities through access restrictions and compliance with federal/state regulations); 3. Data and information (data access, reporting of internal and external data, timeliness of data reporting, and accuracy of data); 4. Control activity (ensuring that control directives are carried out, preventing over- ride of internal controls, and implementing planning and budgeting controls); and 5. Monitoring (determining whether controls are functioning as established, ongoing quality review, and establishing company assets safeguards).
1.5 Control Activities
Control activities are the specific set of procedures and policies required by management to achieve the organization’s objectives. It is important to remember that internal controls are: 1. A set of processes and procedures; 2. Designed and implemented by management and the organization’s employees; 3. Not an absolute assurance, but a reasonable assurance; and 4. Focused on achieving the organization’s objectives.
There are three main kinds of controls:
1. Preventive —designed to prevent irregularities and errors; 2. Detective —aimed at finding irregularities or errors that have already occurred; and 3. Corrective —changes are made to P&Ps to correct for problems that have occurred. Most organizations use the detective method, whereby errors that occur are generally identified by the customer, researched, and fixed. This can reflect the following attitude: “We don’t have time to do it right, but we have time to do it over.”
16
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
CHAPTER 1: INTERNAL CONTROLS
By contrast, the best practice is to create an environment that not only tracks the types of errors and how often they occur, but also provides time to find solutions to eliminate the error from occurring again. Once that process is tested and shown to be effective in removing the error, rewrite the P&Ps and educate all those involved in the updated process. Benefits to this approach are lower cost, enhanced customer satisfaction, and reduced risk. PREVENTIVE CONTROLS Preventive controls are proactive and attempt to deter negative outcomes. The following are four examples of preventive controls: Segregation of Duties can be described as the most important control an organization can implement. This simply means ensuring that an entire process does not belong to one individual. The steps that comprise each process should be assigned among different staff. Examples of segregation of duties in the AR process include the following: The person responsible for the customer master file should have no access to billing or cash application. Cash application staff should not reconcile the bank statement or create orders. Creating lines of credit or putting a supplier on hold, cash receipts, and cash application are functions that should be separate from sales order entry. Those who can extend credit should be separate from those who handle sales, billing, cash receipts, and cash application. Bank reconciliations should be separate from the AR process. The simple control method of segregating duties can prevent an unscrupulous employee from easily committing fraud against the organization. It can also help uncover errors made during the process, since each step handed off to another person essentially undergoes a review as that person goes about performing his or her role. In surveys of fraud committed by employees against their organizations, the Association of Certified Fraud Examiners (ACFE) has found that, in a very high percentage of cases, the fraud perpetrator was a trusted individual who had control over an entire process on his or her own without intervention by others and with minimal review. For smaller organizations, segregation of duties can be difficult to implement simply because there are more tasks than staffers. In these instances, additional compensating controls should be conceived and implemented.
In order for segregation of duties to work effectively, there must be both personal commitments on the part of employees and comprehensive system controls.
17
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
CHAPTER 1: INTERNAL CONTROLS
BEST PRACTICES
Credit & Receivables Manager Lisa Rolfe explains that at The Reynolds Company there are only two AR and two AP staff, along with three senior accountants and a CFO. “We have policies and procedures in place to help with segregation of duties. We lean on others in opposite departments to assist.” Adding, “When coverage is needed for a person out of the office, one of the senior accountants steps in to keep the segregation of duties in place.”
For the city of Airdrie (Alberta, Canada), the taxation department owns the Customer Master File, and any changes must be approved by them, according to the AR Administrator Joyce Burrell.
1. System Controls are those put in place to ensure that the system reflects the policies and procedures established by the organization in reference to the functions carried out within the system(s), with the goal of preventing, detecting and correcting errors as transactions are processed. { System controls may be general or application-specific. General controls address the integrity and availability of the information or accounting system, networks, and applications. Examples of general system controls include security, access, change control, record retention, and disaster recovery (backups). { A critical component of system controls is system access, which should support segregation of duties. Strong passwords should be required, should be limited to use in one system only, and should be changed on a regular schedule. Password sharing must not be allowed, and there should be a lockout process when a computer is not in use. { If this policy is broken, it must be dealt with immediately and in line with the consequences specified in the organization’s policies. Many companies are now tying compensation to system access to prevent password sharing or leaving a computer unattended.
18
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
CHAPTER 1: INTERNAL CONTROLS
2. Processing Controls can mean that certain documents with specific information are required, and only when these are provided is the action authorized. Example: the Customer Master file specialist cannot add a customer to the file without verification of OFAC status or a Credit Manager Authorization form. 3. Signature Authority provides only those who need to complete certain tasks with the authority to do so. Many organizations establish formal signature-of-authority documents that outline exactly who can do what, up to what dollar amount, and for what departments or areas of the organization. Other organizations may be less formal in assigning authority and instead make use of understood rules and norms. Examples include the extension of credit, adding/changing the customer file, and signing contracts on behalf of the company. If an action exceeds your level of authority, it will require a second (or more) signature(s). DETECTIVE CONTROLS Detective controls attempt to uncover mistakes and irregularities—whether intentional or not. Detective controls often reveal gaps in the preventive controls or record when controls have been overridden. These controls will find an error or irregularity after the fact, but preferably before the financial data is reported to internal or external stakeholders.
Examples of detective controls are:
Analysis control: budget review, audit review Reconciliation control: comparing data Physical asset control: inventory counts Quality control: inspection
CORRECTIVE CONTROLS The errors and irregularities that are uncovered using detective controls should, of course, be fixed. However, how the error occurred in the first place should then be analyzed to see how it could have been prevented. A new process should then be designed, documented, and implemented to ensure compliance. COMPENSATING OR COMPENSATORY CONTROLS In some circumstances, organizations are not able to implement specific controls (such as segregation of duties) due to financial, administrative, operational, or other constraints—or even due to a temporary condition. In these cases, other measures must be put in place that, although not as efficient or as effective as the intended control, can still reduce risk. These substitutes are referred to as compensating or compensatory controls. Compensating controls should document the situation, including identifying the potential risk, determine what measures have been put in place, and—if possible—put in writing an estimate or goal for when a true control will be implemented. The P&Ps should keep a record of these situations because this will be beneficial during an audit; it documents that you are aware of the situation and what process has been implemented to reduce the potential risk.
19
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
CHAPTER 1: INTERNAL CONTROLS
1.6 AR Internal Controls
The following list of controls are sorted by functional area.
Credit:
Credit applications must be received against government Blocked and Denied Party lists. If the potential customer is on a list, no business shall take place between your organization and that customer. In determining lines of credit, all laws and regulations should be followed – especially antitrust/anticompetitive law. Customer Master File: Customer and product master data must be accurate and timely, with the appropriate safeguards to ensure that the data is secure. Controls include approval of data before entry, segregation of duties to prevent data tampering, and audits to ensure that data is accurately entered into the system. Customer information must be safeguarded from unauthorized access. Compliance with government regulations such as Blocked and Denied Party lists. Compliance with Payment Card Industry Data Security Standard (PCI DSS). Cash application must be segregated from billing, customer master file, credit, collections, and accounts payable. All payments should be posted to the customer’s accounts and the ledger within 24 hours. The collections department must regularly review the customer’s outstanding balances, both debits and credits, and initiate collection efforts on all accounts outstanding. The collection efforts must be documented and easily retrievable.
1.7 Policies and Procedures (P&P)
Policies are necessary to establish boundaries and baselines related to the organization’s mission and objectives. In the absence of well-established policies, an organization risks a much greater likelihood of mistakes, inefficiencies, and potential for fraud. A policy specifies what management wants employees to do, whereas a procedure includes a considerable amount of detail describing how it should be done—and is often presented as a step-by-step guide. Policies and procedures should be clear, simple, detailed at the ctivity level, and enforced consistently. Compliance is enhanced when the company or department gives employees an explanation of why a policy is in place by highlighting the internal control. In addition, it is important to define what level of authority a person has when carrying out a procedure and what needs to be escalated.
20
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
CHAPTER 1: INTERNAL CONTROLS
Once the policies and procedures are written, a schedule should be created to make sure they are reviewed periodically to ensure that they remain optimum. Regulations, acceptable common practices, the needs of the organization, and especially technology all undergo change, and the policy manual should reflect those changes. For example, in the U.S., the Sarbanes-Oxley Act mandates audits of organizations to ensure that what is actually taking place within the organization is accurately reflected in its written policies and procedures. But whether an audit is on the horizon or not, it is a good idea to periodically compare written policies and procedures to what is actually taking place so that either the policies and procedures can be modified to reflect reality or activities that are not in line with the guidelines can be identified and corrected. When sales, billing, and AR reside in separate silos and—as is the case in many organizations— maintain a somewhat adversarial relationship, small problems can quickly escalate into larger problems and increase risk. Rather than point fingers at the other departments, pulling the procedure and making recommendations to improve the process is a much more productive and less stressful way to handle these situations.
1.8 Audit and Key Terms
Internal and external audits are important to the well-being of companies and in many countries are mandated by law. We can no longer wait for the Internal Audit Department or outside auditors to tell us where there might be inadequate controls. With the help of technology, fraudsters have the ability to stela from organizations by procuring realistic documents or by determining where controls are weak or lacking – and taking advantage. Today it is every employee’s job to protect the assets of the company. Be aware of mundane and tedious audit tasks that need to be reviewed to find irregularities, since these tasks may have lost their true value and are sometimes dropped from review or are just approved without review. Anytime your name is signed to a document, especially an audit, you are certifying that you personally have validated the information, and your signature is an approval that the data is, in fact, accurate. To keep internal controls tight and maintain a compliant process, it is critical to ensure that staff policies and procedures are up to date. It is also essential to educate staff on: the importance of auditing their own work before moving to the next step; common fraud schemes; and what to look out for (“red flags”) that might signal irregularities.
21
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
CHAPTER 1: INTERNAL CONTROLS
Irregularities, in audit terms, can fall into the following three categories.
1. Reportable Condition: A reportable condition is an internal control with a deficiency in the design or implementation that is deemed significant enough to adversely impact the reliability and accuracy of the control activity. Several reportable conditions together can result in a material weakness. 2. Significant Deficiency or Finding: A deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight of the registrant’s financial reporting. It is a deficiency that adversely affects the company’s ability to initiate, record, process, or report external financial data reliably in accordance with government financial standards. It could be a single deficiency or a combination of deficiencies that result in the likelihood that a misstatement of financial statements that is not inconsequential in amount will not be prevented or detected. 3. Material Weakness: A material weakness is a condition in which the design or operation of an internal control does not reduce, to an acceptable level, the risk of an error or irregularity from occurring in an organization’s financial reporting. There is not a hard and fast, quantifiable rule regarding what constitutes a material weakness since it depends on the size and complexity of the organization. However, auditors generally consider there to be a material weakness when the lack of an internal control leads to deficient financial reporting that would cause a reader of the financial reports to draw a different conclusion than if the control worked properly. It is an “adverse opinion”—a red flag based on the auditor’s conclusion – that a company’s financial statements inaccurately reflect the actual financial standing based on government regulations and accounting standards. In the case of a reportable condition, significant deficiency or finding, or material weakness, it may be necessary to implement a compensating control until a solution can be designed, tested, and implemented. It is important to make a note in the P&P as to why a compensating control was initiated and when the actual solution will be implemented. Caveat: Internal controls do not provide an absolute assurance that an organization’s financial reporting will be error-free. Organizations do their best to design and implement their internal control systems to achieve their goals and minimize financial reporting risks. The effectiveness of their design is dependent on internal and external resources and general macro events not controlled by the organization.
1.9 Fraud
Fraud is a big business, so prevention should be on everyone’s mind. It is hard to keep up with the inventiveness of the fraudsters, and as more and more processes and communications are moved online the risks seem to not only keep pace but to increase in variation and creativity. An organization can become a victim of fraud committed by those within the organization or those outside of the organization—and sometimes by a combination in the form of collusion between an employee and an outsider.
22
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
CHAPTER 1: INTERNAL CONTROLS
Fraud has four characteristics that are present in nearly all fraud situations: 1. Perceived Opportunity (allows) 2. Perceived Pressure (motive) 3. Rationalization (justification) 4. Capability
Many monumental fraud cases have involved this fourth element—the capability of the person(s) involved in the fraud. The degree of capability affects the size of the fraud. for example, fraud by a corporate officer is generally of greater magnitude than that by a cash receipt specialist. But all fraud is costly and can occur as a result of the combination of the right person in the right place. INTERNAL FRAUD Employee fraud can be the most difficult to deal with since those committing the fraud are known and often trusted fellow employees. The ACFE studies occupational fraud extensively and has developed the “Fraud Tree,” which identifies and classifies the types of occupational fraud.
The three main branches of the tree are: 1. Asset misappropriation 2. Corruption 3. Financial statements
ACFE further indicates that asset misappropriation is, by far, the most common type of occupational fraud. Losses due to collusion – whether among employees or between employees and outsiders – tend to be higher in terms of dollar value than losses perpetrated by a single employee. Remember also that while cash is the most frequently targeted asset, non-cash assets are also at risk. The existence and enforcement of internal controls, particularly those controls aimed at deterring fraud, is likely to result in smaller losses and frauds of shorter duration. This is because the fraudulent activities will be prevented or discovered sooner. Other employees uncover the majority of frauds, and the implementation of an anonymous tip line increases the number of alerts the organization is likely to receive since concern about backlash is alleviated by anonymity. The whistleblower protection included in Sarbanes-Oxley is designed to protect lower-level employees from repercussions of reporting misconduct. WHAT TYPES OF FRAUD MIGHT EMPLOYEES INVOLVED WITH AR COMMIT OR UNCOVER? Customer Involved: At certain times, companies might motivate sales representatives by offering bonuses or exotic trips for two to the top sales reps of the month, quarter, or year. Unscrupulous sales reps will ask customers to place orders so they can win the prize and then tell them to cancel the order. This can overstate projected revenue and cause excess inventory to fill those orders, not to mention the cost of processing fake orders. The customer may alert the AR department of these circumstances and AR should report these findings.
23
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
CHAPTER 1: INTERNAL CONTROLS
Misappropriation/Embezzlement: This can happen in two different scenarios—skimming and cash larceny. Skimming occurs when cash is stolen from a corporation prior to its entry into the accounting system. According to ACFE, nearly 1 in 5 of all asset misappropriation cases involved skimming. By contrast, cash larceny is theft that takes place after the revenue has been recorded in the company’s books. Case studies by the ACFE show 1 in 10 frauds was a result of cash larceny. Here is an example of skimming: A controller for a beverage company had become disillusioned with his job and his employer. Cash from customer payments, direct sales to customers, and vending machine collections all came to his desk—and he was the last person to see the money before it was deposited in the bank. One day, a deposit came in with $1,000 more in cash than indicated on the deposit slip. Rather than correct the error, the controller instead pocketed $1,000 from the deposit and submitted it as is. Noting how simple it had been to take the $1,000, the controller then began a process of skimming money off incoming route deposits. Using blank deposit forms, the controller would remove cash from an incoming deposit and simply write a new deposit form using a lower amount. This continued for two years and resulted in the theft of $475,000. The scheme was only uncovered after the controller was fired for poor conduct, which included missing work and filing late financial statements and tax returns. A CPA, brought in temporarily to help the company in the interim, immediately identified discrepancies between the cost of sales and inventory, and the controller was arrested shortly thereafter. Segregation of duties and audits could have prevented this fraud. IDENTITY THEFT The AR process requires that a significant amount of data be collected from customers. There are both internal and external challenges to be met in terms of protecting personal and business data, and these challenges call for effective management and controls. Access to Personally Identifiable Information (PII) should be limited to those who need it—and be carefully controlled. Controls must be in place to protect the data. for instance, if your system stores customers’ bank data or credit card information, it must be protected from possible fraudulent misuse both internally and externally. With the introduction of new global PCI Compliance regulations, known as PCI DSS (Payment Card Industry Data Security Standard), many companies no longer store credit card information— customers must provide credit card information when each order is taken. By simply blocking all but the last digits, this can serve as a stronger protection feature. If the thief can’t steal the information because it is guarded with the highest priority, you prevent identity theft.
24
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK
Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 Page 9 Page 10 Page 11 Page 12 Page 13 Page 14 Page 15 Page 16 Page 17 Page 18 Page 19 Page 20 Page 21 Page 22 Page 23 Page 24 Page 25 Page 26 Page 27 Page 28 Page 29 Page 30 Page 31 Page 32 Page 33 Page 34 Page 35 Page 36 Page 37 Page 38 Page 39 Page 40 Page 41 Page 42 Page 43 Page 44 Page 45 Page 46 Page 47 Page 48 Page 49 Page 50 Page 51 Page 52 Page 53 Page 54 Page 55 Page 56 Page 57 Page 58 Page 59 Page 60 Page 61 Page 62 Page 63 Page 64 Page 65 Page 66 Page 67 Page 68 Page 69 Page 70 Page 71 Page 72 Page 73 Page 74 Page 75 Page 76 Page 77 Page 78 Page 79 Page 80 Page 81 Page 82 Page 83 Page 84 Page 85 Page 86 Page 87 Page 88 Page 89 Page 90 Page 91 Page 92 Page 93 Page 94 Page 95 Page 96 Page 97 Page 98 Page 99 Page 100 Page 101 Page 102 Page 103 Page 104 Page 105 Page 106 Page 107 Page 108 Page 109 Page 110 Page 111 Page 112 Page 113 Page 114 Page 115 Page 116 Page 117 Page 118 Page 119 Page 120 Page 121 Page 122 Page 123 Page 124 Page 125 Page 126 Page 127 Page 128 Page 129 Page 130 Page 131 Page 132 Page 133 Page 134 Page 135 Page 136 Page 137 Page 138 Page 139 Page 140 Page 141 Page 142 Page 143 Page 144 Page 145 Page 146 Page 147Made with FlippingBook - Online catalogs