How to Leverage Internal Controls in Corporate Governance, Cash and Investments

Internal controls can help your organization’s operations run  efficiently and safeguard against errors and fraud.

Building on the basics of creating effective internal controls, James Moore CPA Ken Kurdziel explains how to establish procedures that address risks in your corporate governance and cash and investment management. Ken is a key member of the James Moore Higher Education Services Team and a noted thought leader in the industry.

Evaluating risk and implementing controls in corporate governance

To ensure problems are caught and corrected before they’re discovered in an audit, consider these aspects of your corporate governance.

Record retention policy: Under laws such as the Sarbanes-Oxley Act, your organization may be required legally to keep certain records for a set period of time – and could be liable to penalties for noncompliance. Outside of these regulatory requirements, however, think about a reasonable amount of time for maintaining data. Unnecessarily keeping past records could leave you vulnerable to security breaches that expose sensitive information.

For records you do choose to retain, have a protection plan or policy in place. Segregate information in secure areas on your server, and pay special attention to protecting personally identifying and financial data.

Completeness of general ledger/closing of the books: Closing your organization’s books on a regular basis helps ensure financial statements are provided to your board in a timely manner. To help you maintain accurate statements, consider creating a standardized checklist that will help you catch errors or omissions. Designate a team member to verify your closing entries at the end of the month and/or year, and examine statements before they are published, sent to the board or submitted to an external auditor.

“You want to make sure that statements are in good shape and that nothing is missing,” Ken said. “Take a close look at the procedures and the controls you have in place for exporting data into systems such as Excel.”

Entity level risk assessments: These assessments help identify risks that threaten your organization and determine whether your internal controls are keeping you on track to meet goals. Your organization should have a plan for carrying out these assessments. Identify who is responsible for them and how often they should occur.

Code of ethics/ethics policy: Integrity and ethical values provide the foundation for effective controls. Leaders should set the tone from the top by emphasizing the importance of the corporate ethics policy. This helps promote an organizational culture of ethical conduct and compliance. Ensure your ethics policy is clear, up to date, accessible to everyone and stored in an easy-to-find location.

Strategic plan: While internal controls are often associated with preventing errors or fraud, they can also help illuminate a path for realizing your organization’s strategic goals. “Look forward five or ten years in the future,” Ken said. “What are you hoping to accomplish? How do you hope to get there? How are you going to change your environment, the way you work or what you emphasize to achieve your goals?”

Related party transactions: Make sure your internal control system includes processes for identifying all related party transactions. These should receive careful scrutiny (such as approval from a designated authority) since they can be sources of higher risk. Your controls should also include steps for verifying whether outside entity transactions are recorded correctly in both parties’ books.

“If you have two entities that you’re working with (or working on the books for), make sure the due to/from accounts match,” Ken said. “If you have a university and a DSO, for example, make sure that those amounts agree between the two entities.”

Applying controls to cash management and investments

Can your internal control system guard your organization’s cash and investments from the increasingly sophisticated tactics of hackers and thieves? Take a close look at these areas.

Physical cash and bank accounts: Implement procedures for protecting petty cash and bank accounts. This includes segregating duties among staff, storing cash in secure locations and making regular bank deposits. Limit the availability of account information to reduce the risk of unauthorized access. Regularly monitor bank account activities for any suspicious transactions, and maintain an incident response plan in case of a breach.

Enhanced cybersecurity measures: Develop a comprehensive cybersecurity strategy to protect sensitive financial data from breaches. This may include measures such as firewalls, intrusion detection systems, regular security audits, and employee training on cybersecurity best practices.

Electronic fund transfers: Establish strict controls over access to your bank and investment accounts, and monitor the authority to make fund transfers. Regularly update account passwords, enforce strong password policies, and implement multi-factor authentication. This frontline protection against hackers and fraudulent employees requires multiple identity verification methods to access restricted information. (For example, your bank account’s online portal could require a password and a verification PIN sent to that person’s cellphone.)

Additionally, ensure communication channels between parties involved in fund transfers are secure and encrypted to prevent man-in-the-middle attacks.

Transaction monitoring and anomaly detection: Utilize advanced fraud detection tools that monitor transactions in real time and identify anomalies like unusual transaction amounts, frequencies or patterns. Implement alerts and automated response mechanisms to take prompt action when suspicious activity is detected.

Investments policy on allowable/unallowable/target returns: Internal controls can also prevent your organization from making investments deemed too risky. If you invest in private equities or other items not publicly traded (such as cryptocurrencies, NFTs and hedge funds), you must report these at fair value. Consider how you will determine net asset value.

“Are we relying on that private equity having an audit every year by an outside firm? Is that going to help us understand that this is a fair value?” Ken said.

Proactively addressing these risks is one of many steps down the path of compliance and smoother financial operations. That said, the list of risks (and measures to mitigate them) can get long and complicated. A higher education CPA can guide you through the steps to help you better protect your institution.


All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a James Moore professional. James Moore will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.