Government Contractors’ Accounting System Risks and Internal Controls

August 15, 2012

Allowing unauthorized access into your accounting system could lead to manipulation of your accounting data or even fraud. Unauthorized access is defined as a security breach by an unauthorized individual. Users of your financial statements rely on the information contained within them: banks rely on the financial statements for approval of credit lines, and contracting officers rely on them to show the health of a company and the company’s financial capability to support new contracts. A person could commit fraud or data manipulation if he or she is able to gain unauthorized access to your accounting software. If the breach were to go undetected, the users of the financial statements would no longer be able to rely on the information within them. This breach could lead to a loss of new work or loss of credit facilities.

Most accounting software packages today have controls built into them, but DCAA does not approve job cost accounting software packages; it approves job cost accounting practices. This is why it is important to consider accounting system risks while you are developing internal controls. The most effective policies include:

  • Someone in management, typically the CFO, should be responsible for granting and monitoring access rights to the accounting system. This person is considered the administrator.
  • The administrator should set up a unique user name for each person in the organization who will be accessing the accounting software.
  • User names should be assigned access rights to individual applications within the accounting software. Access rights are based on each employee’s responsibilities.
  • Some accounting software packages allow the administrator to print an “application rights by user name” report. This gives the administrator a snapshot of the current access rights and allows the administrator to delete user names, modify their rights, or add new user names based on each employee’s responsibilities.
  • On a periodic basis, print the access rights report and test it.

Once you develop these controls, don’t stop there. You should also consider access rights to other software and electronic data, such as online banking and payroll, and consider developing an internal policy for monitoring all of your software.
