Managing, documenting or auditing internal controls is a detailed endeavor. Normally we have to be attentive to many aspects of the controls: Preventive vs. detective, manual vs automated, etc. Often times professionals are focused on the many details and miss the forest for the trees. When it comes to internal controls, journal postings, are an Amazon-like forest that can be overlooked.
An important distinction here is that we are talking about manual journal entries. Most accounting systems automatically record the business transactions into the general ledger accounts as a result of processing the transaction through the system. There are a few areas, however; such as estimates, complex revenue recognitions and judgmental accruals where a manual journal entry is still necessary.
The scary fact is that no matter how good your other controls are, one can easily misstate your entire set of financial statements (or commit fraud) with a single journal posting. By their very nature, journal postings (or journal entries as some people call them) are “hotwired” right into the account balances. In other words, it might take a series of faulty transactions (customer invoices for example) running over a long time to materially misstate an account balance, whereas one could misstate the entire set of financials in 30 seconds with one errant journal entry! Some examples include:
- Improperly transferring funds
- Record adjustments to increase revenue fraudulently
- Record fabricated reserves to use for future income smoothing
- Understating liabilities by under accruing expenses
Many people think that controls over journal entries are straightforward e.g. a preparer, a reviewer and adequate supporting documentation…sounds reasonable…and they are right! As with most things in life; however, the devil is in the details. Who is exactly is reviewing? Should they have authority to make ANY entry they deem necessary? Is a snapshot of a complex spreadsheet ok for supporting documentation?
There are more sophisticated ways to de-risk the journal entry process. Most of them depend on automating the process to a certain degree. The standard manual process of paper cover sheets with signatures and support that are scanned into a share drive, simply provides a false sense of security. Improvement considerations in this area include: prior electronic approval of journal entries of a certain dollar amount, higher approval for entries that affect certain GL Accounts and shared online storage of backup. In addition, policies and procedures involving journal entries and other adjustments should be documented and distributed to personnel involved in the process.
The bottom line is that journal entries present a unique risk to internal controls over financial reporting and deserve special attention. Solutions can come from redesigning the process to include more automation and a more custom approach to journal entry approval based on risk.
