Designing and Implementing Internal Controls in a Virtual Environment

By Justin Ash, CPA, Tier One Services  – March 9, 2023
Designing and Implementing Internal Controls in a Virtual Environment

Nearly every seasoned practitioner has had the conversation in which they, once again, attempt to convince a client that they need to improve their internal controls. Whether the discussion involves inventory counts, sign-off of bank reconciliations or properly authorizing an expense, the reasons clients give for non-compliance can be summed up with some variation of, “I’m too busy.” This repeated conversation highlights a fatal flaw in the traditional perception of designing and implementing internal controls: Internal controls aren’t an annual conversation but a daily one, best suited for clients’ year-round accounting support teams.

Utilize a Workflow Management System

In the past, we would have scheduled meetings, written memos and provided instructions to clients only to have those instructions tabled or simply forgotten about throughout the year. In today’s digitized environment, CPAs have the option of implementing a workflow management system such as Asana (asana.com) or ClickUp (clickup.com) which results in a searchable database of all activity related to a particular process or set of tasks. Combined with a secure cloud storage platform, workflow systems like these can be customized to address an array of internal control weaknesses and can even make clients more efficient in the process. Controls can be further enhanced through the use of secure online bill payment platforms such as BILL (formerly known as Bill.com).

Most practitioners perceive the design of internal controls to be the easy part and the implementation of those controls to be out of scope. Simultaneously, clients perceive the design of internal controls to be nearly incomprehensible and are willing to implement them, if only someone would instruct them as to how. To leverage the strengths of both parties, the practitioner can design the recurring processes in the workflow management system, and the client can use those recurring processes to implement benchmarked internal controls.

Putting it into Action 

Consider a fictitious client, Sam & Ella’s Chicken Palace, which serves all manner of tasty poultry. Since Sam & Ella’s is in a rapid growth phase, they have often succumbed to the tyranny of the present, dropping whatever task they are working on to address the most pressing matter rather than looking at the broader systems. Utilizing the above method, Sam & Ella adopted a workflow management system and a cloud storage platform. Next, their year-round accounting department implemented systematized processes for bill pay in which a bookkeeper queues up bills for payment, Sam & Ella perform the authorization function, a controller reviews bills prior to payment and a treasurer initiates the bill pay via the secure online bill pay platform.

This system results in several strengthened controls including proper segregation of duties, limiting access to bank information via the secure bill pay system and creating rock-solid documentation of the process and the actions taken by those involved. Further, the cloud storage system allows the pasting of hyperlinks within the workflow management system ensuring that the relevant information is up to date and at the CPA’s fingertips. Finally, the searchable database inherent in the workflow management system provides a detective control, in that any failure of the controls can be easily identified and addressed timely. 

Bookkeeper group

Using this approach, any number of preventive, detective and corrective controls can be properly designed and expertly implemented by incorporating them into recurring processes such as:

  • Monthly review of completed bank reconciliations complete with a link to the relevant statements and reconcilia­tion reports.
  • Periodic addition of newly authorized vendors prior to their first payment being due along with a reminder to obtain any Forms W-9 or certificates of insurance proactively.
  • Recurring analysis of vendor contracts and comparison with actual activity to ensure contract compliance.

These improved controls resulted in Sam & Ella’s thwarting vendor fraud when an employee attempted to pay a fake vendor. Due to the vendor not being added to the payable system via the approved process, it stood out as odd and was quickly identified as fraudulent. Likewise, the periodic review of bank reconciliations highlighted duplicate payments to a vendor caused by the vendor accidentally charging a credit card on file and the bookkeeper also initiating payment.

The fictitious examples outlined above are merely a taste of the impact that effective controls can have on organizations. If Sam & Ella’s was able to implement robust controls using off-the-shelf software, then similar procedures are sure to sate many clients’ compliance appetites. 


Justin  Ash

Justin Ash

Justin Ash, CPA, is a controller consultant at Tier One Services, a fractional CFO and outsourced accounting firm.

This article appeared in the Spring 2023 issue of New Jersey CPA magazine. Read the full issue.