Several years ago, I asked a co-worker what he understood about financial internal controls. He looked at me for a moment and then provided a few internal control metaphors that spoke to driver safety.
“Internal controls are analogous to speed bumps, guardrails and stop signs”, he replied.
I responded, “That is an interesting take! Tell me more about what you mean by those examples”. He proceeded to equate each driver safety traffic control to internal controls within the financial system and his explanations went something like this:
Speed Bumps – These are accounting policies and procedures that govern access, authority to enter, review and posting of financial transactions. For example, your timekeeping/labor recording policies are there to prevent - or at least slow down - fraudulent labor charges. From a software perspective, a “soft error” message is invoked to alert the user that the Period of Performance currently defined in the financial system has expired or is about to expire.
Guardrails – These include independent outside reviews and/or audits to ensure compliance with and adherence to your company’s policies and procedures and the testing of financial activities. This also includes management oversight: those charged with ensuring compliance and governance within your organization. For example, your written timekeeping policies should be a vital component of your on-boarding process that is presented to, and acknowledged by, all new hires.
Stop Signs – These are mechanisms (visual or otherwise) that control whether a transaction should be entered and processes that can be associated with regulations that result in penalties when violated. For example, the pass-through of expressly unallowable costs contained within your contract invoice burdens could result in a fine much like running a stop sign could result in a fine. From a software perspective, this could be a “hard error” message that indicates time entered in your timekeeping system is not allowed due to the expiration of a work assignment.
When you develop your financial systems’ internal controls, think of the flow of traffic. The traffic controls you encounter are comparable to the management of financial transactions processed through your automated IT or manual systems.
So how does this understanding of internal controls relate to internal controls promulgated by the Defense Contract Audit Agency?
There are various internal controls in a given company, but the DCAA is primarily interested in the financial controls over performance on federal government contracts by its contractors.
The DCAA audits and evaluates a contractor’s internal control capability with respect to its business systems. These business systems include your accounting system, estimating system, and material management system. Business ‘systems’ are more than just your business ‘software’.
Your business system internal controls that are audited and evaluated include:
- Information Technology (software)
- The accounting system and cost data are reliable
- Misallocations and mischarges are minimized
- Contract allocations and charges are consistent with billing procedures
- Compliance with applicable laws and regulations.
It is imperative for all contractors to develop, maintain, and monitor internal business system controls for compliance with all government contract requirements, including FAR and DFARS business system requirements. These internal controls are your speed bumps, guardrails and stop signs.