Dealership organizations do not typically think about identifying and testing internal controls. With the volume of transactions in a dealership organization, strong internal controls are a must to reduce vulnerabilit
Dealership organizations are processing more transactions than ever, including service and parts sales. While this typically is positive news, the growth creates greater risk for dealers. With expansion, for example, many dealers find themselves facing personnel shortages, which increases the odds of critical practices and procedures falling through the cracks – including those related to internal controls.
Potential Internal Control Problem Areas
With dealership organizations acquiring new stores and increasing volumes, internal controls are perhaps more vital than ever. They play an essential role in preventing fraud, encouraging proper accounting, and improving profitability. But it’s not enough for a dealer to put internal controls in place. Those controls also must be tested to confirm that they are working as expected.
The following areas in particular should be regularly tested.
- Terminated employees’ computer user access: Every dealer should have a policy that stops all terminated employees’ access to the organization’s network immediately. Without such a policy, former employees potentially can access the computer systems to transfer funds, destroy files, plant malware, or pull customers’ and employees’ confidential information. Even when policies are in place, dealers can’t assume they are being executed, though. For example, one dealer had such a policy in place, but annual testing revealed that the employee responsible for terminating access was unaware of this responsibility. As a result, approximately 20 former employees continued to have access to the dealer’s systems.
- Off-hours access to systems: When systems are being accessed late at night, on weekends, or on holidays, this activity might be an indication of mischievous behavior. Dealers should generate reports of off-hour access and follow up with any individuals who are accessing the system at unusual times.
- General journal entries: General journal entries are a common vehicle for hiding fraud. To reduce their risk, dealers should establish formal general journal entry policies to:
- Limit general journal entries to corrections, write-offs, and unusual items.
- Properly document general journal entries on a journal voucher.
- Number general journal entries using a journal entry log sheet or some similar control process.
- Segregate the preparation, review, and recording of general journal entries among different employees, and limit the number of employees with access to the general journal.
- Review the general journal monthly to confirm that each entry is supported by a journal voucher and that each journal voucher is accounted for in the general journal. This should be performed and documented by someone who cannot generate journal entries – even the CFO. It is that important.
- Limit access to the general journal to only those individuals approved to record general journal entries.
- Prohibit the recording of corrections and write-offs through nonadjusting journal entry sources such as cash disbursements, cash receipts, or vehicle sales.
- Regularly review and adjust the list of users with access to the general journal.
- Generate reports to facilitate review of the general journal.
- Finance and insurance (F&I) chargebacks: Dealers should not make the mistake of assuming that all of their F&I chargebacks are accurate. The organization should have a policy to verify that the associated contracts are indeed theirs and that the amounts charged are properly calculated, particularly for larger amounts.
- Repair order discounts: Service writers can give customers discounts without proper approval or documentation, which cuts into dealers’ margins. The organization should have a policy to monitor discounts by generating reports of repair orders (ROs) with discounts from their dealer management systems, selecting a sample, and checking for coupons or manager approval.
- Open ROs: Lingering open repair orders are another troubling sign. Organizations should establish processes to pull their open RO lists and examine the oldest repair orders to determine why they remain open. Once the reasons are determined, the company should address any process issues.
- Policy adjustments: Policy adjustments can eat into a dealer’s bottom line. Managers should be responsible for making sure policy adjustments are approved, and organizations should have processes in place to select samples of policy adjustments to verify manager approval, determine the reason, and make any necessary changes. For example, if several policy adjustments are made for work by the same technician, it could be an indication that the technician requires more training to efficiently and effectively provide specific services.
- Warranty claim rejections: Even if eventually reversed, warranty claim rejections can impede cash flow and require additional administrative time. Processes should be in place to ensure that the fewest possible rejections happen – but we all know some will. Rejections should be reviewed in detail to determine what went wrong. Then, the process should be fixed. Coding errors often are to blame, signaling the need for greater care or training.
- Overtime: Overtime compensation adds up quickly, so organizations should have a policy to review any overtime pay for documentation of manager approval and justification. Some dealers have implemented a 37.5-hour workweek. Every employee could work an extra 2.5 hours without the dealer incurring any overtime obligations (note that wage and overtime laws vary by state).
- Voided cash receipts: Cash receipts are a higher-risk area, and proper segregation of duties in the cashier function or any function involving cash is very important. A cashier could receive a cash deposit, for example, void the receipt, and keep the cash. The organization should have a policy to generate a voided cash receipts list each month to determine the reason for voiding and verify manager approval.
- Purchase orders: Purchase orders are basically blank checks if not properly completed. To prevent misappropriation, they should be completed with a dollar amount and manager approval. Organizations should have a policy to pull samples to review for completeness and approval. Also, access to purchase orders should be restricted.
- Vendor payments: Dealers should establish an approved vendor list for all purchases and review payments to see if any are being made to unapproved vendors. Unapproved vendors could be fictitious, be in collusion with a fraudster employee, or have uncompetitive pricing.
- Parts testing: If a dealership uses a perpetual inventory system – and all dealerships should – the quantity in the system should match exactly with the quantity on the shelf. The organization should not rely on just an annual physical inventory to confirm quantities. Someone independent of the parts department should conduct periodic spot checks on high-dollar items that can easily disappear, such as sound systems and tire rims.
Inspect What You Expect
Dealerships are becoming ever more complex, and they cannot afford to assume that their internal controls are working as expected. To protect their investments, dealers must verify their controls’ effectiveness by inspecting them on a regular basis. Some dealers perform these inspections internally. Other dealers choose to outsource the testing to a third-party vendor such as a CPA firm to assure it is properly completed in a timely manner. Every dealership organization is different, and the best approach to testing internal controls varies by organization based on internal personnel, controls in place, and commitment to independent testing.
Author: Ed Reinhard
Ed Reinhard, CPA, is an audit partner in the retail dealer group at Crowe Horwath LLP, one of the largest public accounting, consulting and technology firms in the U.S. With more than 30 years of experience, he provides a variety of services to his clients, including assurance, internal controls, tax, financial advisory, budgeting, profitability analysis, due diligence and benefit plan audits.