Cash is a vital component of any profit-generating organization. An organization’s assets generate revenue, which in turn generates cash inflows. These cash inflows are used for several purposes: to pay creditors, compensate employees, reward shareholders, provide asset replacement, and provide for growth.
Cash is unique because it’s the single asset that is readily convertible into any other type of asset. Therefore, it’s also the most widely desired asset. However, cash is also the asset that is most susceptible to fraud and abuse. Therefore, management has to ensure that adequate controls and safeguards are in place to eliminate any unauthorized transactions with cash.
Fortunately, there are ways management can safeguard the cash generated by its organization. Each of the following methods will help an organization prevent losses due to human error or theft:
o Monthly bank reconciliation
o Segregation of duties over cash handling
o Accountability for cash shortages
o Authorized cash disbursement
o Internal audits
Monthly Bank Reconciliation. Monthly bank reconciliation will help ensure that the amount of cash generated by an organization is consistent with bank records. In addition, an independent review of the reconciliation by management will provide an additional safeguard. Independent verification of bank reconciliation acts as a check to make sure the reconciliation was done properly and ensures there is no abuse of the organization’s cash.
Segregation of Duties Over Cash Handling. Every organization must make sure that there is adequate segregation of duties over cash handling. Separating the duties of cash receipts and disbursements prevents an individual from committing and concealing embezzlement.
Accountability for Cash Shortages. Management should hold supervisors accountable for cash shortages. If supervisors know that they’ll be held accountable for a cash shortage, they’ll be motivated to keep a close eye on how cash is used within their departments.
Authorized Cash Disbursement. Management should allow cash to be disbursed only through checks issued by authorized signers, which will provide a method for tracking cash usage. In addition, your organization should require signatures on all checks in order for them to be valid.
Internal Audits. Every organization should arrange to have internal audits conducted on a regular basis. Whether the auditors come from an internal audit staff or an outside auditing firm, auditing an organization’s accounting system can identify how effective and accurate the operation is and whether or not any improvements need to be made.
ESTABLISHING A QUICKBOOKS CONTROL ENVIRONMENT
QuickBooks allows more than one user to access company files. (Conceptually, an unlimited number of users may have access to the company’s data files, but only five users may work with the data at the same time.) When multiple users will have access to the company’s QuickBooks data files, it generally is necessary to create a control environment that protects the data from unauthorized use. For example, some users may not need access to sensitive payroll data, while others may not need access to accounts receivable and sales information.
One of the best ways to prevent errors when posting transactions in QuickBooks is to limit access to specified users. If passwords and access permissions are not assigned, users have unlimited access to all areas in QuickBooks. When setting up QuickBooks, one user should be designated as the QuickBooks Administrator.
The QuickBooks Administrator has unlimited access to all areas of QuickBooks and assigns passwords and access permissions to other users. The name and password for the QuickBooks Administrator can be set up by selecting “Set Up Users” from the “Company” menu. The QuickBooks Administrator must be set up before any other users can be set up. Although QuickBooks does not require the use of passwords, the QuickBooks Administrator should set up and use a password since anyone logging in to the company’s QuickBooks files as the administrator has full access to all areas in QuickBooks. After setting up a name and password, the QuickBooks Administrator should click the “Closing Date” button in the “User List” window and enter the date through which books are closed in the “Accounting” preferences dialog box. The administrator can also password-protect the closing date (requires single-user mode). When this feature is enabled, QuickBooks requires users to enter the password before they can make changes to periods that have been closed.
The QuickBooks Administrator is the only user who can:
o Set up other users.
o Change other users’ access permissions.
o Set up a company file using the “EasyStep Interview.”
o Change company information (such as company name, address, fiscal year, tax year, tax form, and federal identification number).
o Change company preferences.
o Condense data.
o Import and export data.
o Apply for QuickBooks Merchant Account Services.
Note: Since the QuickBooks Administrator has the ability to password-protect the entire company’s files, has access to all accounting functions, and assigns access to all other users, the company should carefully consider whom to select as administrator. The person selected should have an understanding of the importance of this position on the internal control of the company. Some companies designate the controller or Chief Financial Officer as the QuickBooks Administrator because those individuals normally do not have direct interaction with the software.
The QuickBooks Administrator can set up additional users and specify the areas to which each person has access. To do so, select “Company” from the menu bar and “Set Up Users.” Then click the “Add User” button in the “User List” window. Assign a user name and password for the new user. Even though QuickBooks does not require the use of passwords, each user should be set up with a password that must be used when logging in to the company’s QuickBooks file. (An unlimited number of users can be added, but only five can have access to the company’s data file at the same time.)
After setting up the user name and password, the administrator then specifies whether the user will have access to selected areas of QuickBooks or all areas of QuickBooks. The user should not be given access to all areas of QuickBooks since that permission essentially establishes a second administrator allowing users to access the following:
o Sales and accounts receivable.
o Purchases and accounts payable.
o Checking and credit cards.
o Time tracking.
o Payroll and employees.
o Sensitive accounting activities such as bank transfers, general journal entries, and online banking.
o Sensitive financial reports.
o Changing or deleting transactions.
o Changing closed transactions.
Note: Even if users need access to most of the preceding areas, they should not be allowed to change closed transactions.
Rather than giving users access to all areas of QuickBooks, the QuickBooks Administrator should give users access to selected areas. In that case, the QuickBooks Administrator specifies whether the user should be given no access, full access, or selective access to each individual area listed in the preceding paragraph. If the user is given selective access in a particular area, the QuickBooks Administrator also must specify whether the user can (a) create transactions only, (b) create and print transactions and forms, or (c) create transactions and create reports.
Sensitive Accounting Activities. Users generally should not be given access to sensitive accounting activities. Such activities include:
o Maintaining the chart of accounts.
o Working in the account register for balance sheet accounts.
o Reconciling accounts.
o Making journal entries.
o Using the “Accountant’s Review.”
o Transferring funds between accounts.
o Using online banking.
o Creating budgets.
o Printing registers.
o Condensing data.
Even if users are given full or selective access to sensitive accounting activities, they cannot create financial reports (with the exception of the “Payroll Report”) or change or delete previously recorded transactions. Those permissions must be assigned separately, as discussed in the following paragraphs. The QuickBooks Administrator generally should be the only user with access to sensitive accounting activities.
Sensitive Financial Reports. Users generally should not be given access to sensitive financial reports (such as the balance sheet, profit and loss reports, budget reports, cash flow reports, income tax reports, and audit trail reports). That access allows users to create all reports and graphs available in QuickBooks. However, even users with access to reports cannot change or delete transactions included in the reports. That permission must be assigned separately, as discussed in the following paragraph. The QuickBooks Administrator generally should be the only user with access to sensitive financial reports.
Changing and Deleting Transactions. Even if QuickBooks users have full access in a particular area, they cannot change or delete transactions in that area unless they are given that permission in the “Changing or Deleting Transactions” window. For example, a user with full access in the sales and accounts receivable area cannot change invoices or sales receipts unless they are given permission to change or delete transactions. However, even if users do not have permission to change or delete transactions, they can change or delete transactions they entered in the current QuickBooks session so that quickly identified data entry errors can be corrected. Users that are given permission to change or delete transactions can alter transactions only in areas in which they have access. For example, users that have access to the inventory area but not to the payroll area cannot alter payroll transactions even if they have permission to change or delete transactions. The QuickBooks Administrator generally should be the only user with permission to change or delete historical transactions.
If a user is given permission to change or delete transactions in areas in which they have access, the “Changing or Deleting Transactions” window also asks whether the user should be able to change or delete transactions recorded before the closing date. The QuickBooks Administrator always should deny users access to such transactions by selecting “No” in response to that question. Even when “No” is selected, users can view prior-period transactions in QuickBooks areas to which they have access. If “Yes” is selected and the administrator sets a password, the user will be required to enter the password.
Viewing Data. QuickBooks allows the QuickBooks Administrator to limit a user’s access to creating sensitive financial reports or creating and printing sensitive reports. Companies can use this feature to allow the Controller, Chief Financial Officer, or another person independent of the accounting function the ability to oversee the accounting operations. Because many companies frequently have small accounting staffs, this increased oversight can mitigate some of the risk to the system of internal control created by having limited segregation of duties.