Internal Controls and Subcontract Risk


RISK MANAGEMENT

The past four years of economic challenges have taken a toll
on the construction industry, and many contractors have
either failed or felt an increased risk of failure. Even though
contractors are reporting improved conditions, many surety
experts say that failures hit their peak during a recovery.
With cash constraints caused by sudden growth, balance
sheets are depleted to anemic levels and the first sign of
pressure can cause a collapse.
Now more than ever, it is important to look at the risk facing
each party in a subcontract arrangement and ensure that
subcontracts serve as risk management tools. A subcontract
can only mitigate risk for a GC when a subcontractor is viable
and able to complete the work; alternatively, the GC must
be able to complete the project, and both the owner and GC
must be able to pay their bills so that the agreement is profit-
able for subcontractors.
To help protect themselves in practical, effective, and
efficient ways, all contractors must have strong internal
controls. Often, the most significant change is a cultural
shift from the leadership level that flows throughout the
organization.
This article will discuss the key elements of an effective
internal control system with a focus on the risks surrounding
subcontract relationships.
History Lessons
Only a decade ago, the failures of Enron, WorldCom, and
Tyco were some of the largest internal control and corporate
failures in history. However, these breakdowns were not
caused by a lack of internal control knowledge; it was a lack
of commitment to a culture of internal controls that brought
on these failures.
The downfall of these organizations led to sweeping changes
in the regulation of internal controls for public companies
with the Sarbanes-Oxley Act of 2002 (SOX), which man-
dated that some publicly traded companies be held to a
prescribed method of internal controls and the implemen-
tation and operation of these controls be audited, publicly
reported, and subject to regulatory inspection by the Public
Company Accounting Oversight Board (PCAOB).
The internal control environment required by SOX is similar to
the framework outlined in the 1992 report by the Committee
of Sponsoring Organizations of the Treadway Commission
(COSO), Internal Control - Integrated Framework. The
COSO report found that breakdowns in internal controls are
rarely caused by a lack of available or known controls, but
that they occur in the system surrounding and supporting an
overall control environment.¹
Five Components of an Effective
Internal Control System
While not all GCs and subcontractors need to adopt the
onerous standards required by SOX, there is merit in looking
into the five key components of an effective internal control
system as prescribed by the COSO report.
Over the past two decades, these characteristics have been
integrated into current auditing standards. In addition to being
helpful to auditors, this framework can help GCs and sub-
contractors develop an effective risk management process.

Control Environment
The control environment is the foundation upon which all
other control activities are built. When auditors assess an
organization's overall control environment, they are often
trying to determine how control-minded it is by examining
its systems and procedures that mitigate risks.
A control-minded contractor quickly adopts and imple-
ments controls with an understanding of their purposes.
Conversely, an entrepreneurial-minded organization often
treats sales as mandatory and controls as optional. As time
passes, the original intent of these controls is forgotten and
the business relies solely on individual talents and the trust
of key people to protect it.
To be effective, a control-minded attitude must begin at
the top. The phrase "actions speak louder than words" has
never been truer than in the creation of an effective control
environment, and the actions of organizational leaders,
whether good or bad, will flow down. When owners and
managers champion the internal control structure and embrace
the execution of a control environment, there is a better
chance of building and sustaining a control-minded organization.

An Auditor's Perspective: Internal
Controls & Subcontract Risk
BY SHANE E. BROWN
47 July-August 2012 CFMA BP

Subcontractor Prequalification Example
A GC has chosen a desired subcontractor for a particular
piece of work either through hard-bid cost selection or a
negotiated situation. The subcontractor completed a basic
prequalification statement, but it is more than a year old.
The GC's owner has preached a common message internally
that an old prequalification statement or paid financial analy-
sis only captures historical data and should only be relied on
as an initial filter. For any subcontract of a material amount,
further due diligence should be conducted, including obtain-
ing current financial statements and making calls to vendors,
bonding agents, and references.
Although he wants to choose the subcontractor, the owner
instructs his preconstruction and finance teams to complete
a prequalification process. The due diligence results make
it clear that some caution and protection measures are
needed, but risks can be addressed.
Both preconstruction and the owner agree upon an accept-
able risk mitigation plan, including the following items:
- Joint checking will be used on all disbursements
- Sub-tier lien releases will be required prior to all
  final vendor payments
- Periodic vendor calls will be made
- No payments will be allowed beyond performance
Risk Assessment
Next, conduct a risk assessment of both internal and external
factors. This is an opportunity for contractors, not
auditors, to examine and understand how to proactively
identify, analyze, and manage risks.
A contractor that proactively conducts risk assessments has
a heightened awareness of prevalent risks and believes that
adherence to a risk management plan is critical to its long-
term success. This type of organization has confidence in its
ability to control outcomes through intentional efforts.
Conversely, organizations that do not conduct risk assess-
ments or implement risk mitigation plans tend to be reactive.
These types of organizations see themselves as immune to
what the rest of the industry is experiencing, and although
they can typically survive during good times, they can eas-
ily become victims of the bad times. They rely only on their
talents and leadership to survive potentially rough waters.
When conducting a risk assessment, play devil's advocate.
Take a close look at your company and ask what could go
wrong. Pull in key advisors to compile a comprehensive list
of risks the organization may face.
There shouldn't be any bad ideas during this brainstorming
session; owners and managers must allow team members to
express concerns. Do not attempt to immediately answer or
diminish any risks; instead, initially embrace them as poten-
tial downfalls.
After creating a list of potential risks, identify which ones
are not being addressed or handled sufficiently. Again, solicit
input from team members at all levels of the organization,
as different areas of the company might have unique insight
into each of the identified risks.
At this point in the process, involve such key advisors as
insurance brokers, surety underwriters, attorneys, and CPAs
that have relevant expertise. Then, for each risk that is cur-
rently unaddressed or under-addressed, make a detailed
plan for mitigation.
You should also consider identifying current activities that
don't provide any value to the organization. Whenever an
organization reflects on how it does business and how it can
do business better, good things happen.
Let's look at two contrasting risk assessment examples.
Ineffective Scenario
Periodic risk meetings are set with key leaders. Owners and
managers may or may not be in attendance. The sessions
typically cover an update of changes needed to make the
organization more profitable.
Risks or concerns are brought up organically and are
answered rather than explored, and the directives are not
linked to the risks. Participants usually leave these meetings
feeling frustrated and lacking a sense of ownership in the
directives given.
Ideal Scenario
A leadership risk assessment meeting is held on a regular
basis. Key advisors are asked to join the meeting, and the
agenda is kept open for the creation of new risk ideas. In
addition, participants are expected to perform their own
due diligence on risks in their areas of expertise and in their
circle of relationships.
Owners and managers are always in attendance and take
suggestions seriously, and action items are put in place fol-
lowing the meetings. Leaders and stakeholders feel heard
and know they must follow through on agreed-upon control
enhancements.
Control Activities
In this next step, the actual policies, procedures, and prac-
tices of an internal control system are carried out.
With a proper system in place, here are some effective inter-
nal controls for GCs:
- Prequalify subcontractors even if you are required to
  work together. This can be done with a standard
  prequalification form or by making reference calls and
  obtaining financial statements.
  At a minimum, this will provide more information about
  whom you are working with and perhaps help avoid
  problems. While this is an important control, it should not
  be over-relied upon, as prequalifications can contain
  old information and subcontractor failures can happen
  quickly.
- Use a subcontract. Without a subcontract, the only rights
  a GC has are those available through the Uniform
  Commercial Code (UCC). Even a simple, short-form
  subcontract can help ensure performance and delivery
  standards meet expected requirements.
- Focus on sub-tier vendors. Many GCs focus intently on
  the prequalification and lien releases from their
  subcontractors. However, many lien issues come from sub-tier
  vendors that were not paid. When appropriate, GCs
  should implement:
  - Joint checks
  - Sub-tier lien releases
  - Calls to vendors before, during, and after
    work is completed
- Do not create excess cost situations by carrying a
  subcontractor to help it along on a job. If you must pay in
  advance for contract requirements, make payments to
  the vendors. Sureties have denied coverage in situations
  where a GC paid ahead of performance.
- Train employees, particularly those in the field, on
  signs of a troubled subcontractor. Common red flags
  might include subcontractor employees noting trouble
  receiving paychecks, difficulty getting fuel, or outright
  statements of large layoffs. These are prime indicators
  of problems that would never show up in a dated
  prequalification.
- Call references, and be bold about who you call. Some
  GCs ask for A/P listings to ensure they can reach
  significant vendors.
- Obtain performance bonds or subcontractor insurance.
  Although this is the most expensive approach, it can be
  an effective tool.
Now, let's take a look at some examples of effective internal
controls for subcontractors:
- Avoid onerous contract clauses (e.g., pay-if-paid or
  pay-when-paid). This is one of the most important controls
  available to subcontractors. Subcontractors should not
  accept payment terms different than the prime contract.
- Request proof of funding, escrow accounts, payment
  bonds, or materials deposits if in a preferred provider
  position. If proof of funding or advance payments are
  not available but the job is still desirable, then consider
  using a payment bond.
- Request a joint check agreement with the owner, with
  protective clauses for all parties. In the case of a
  financially sound owner and a weaker GC, this can be an
  effective alternative to payment bonds.
  In joint check situations, the subcontractor should never
  endorse a joint check before the GC. The subcontractor
  should always endorse last and be the depositor of the
  funds.
  Once endorsed, the payment is considered complete.
  Whether or not the subcontractor has deposited the
  funds, the lien rights are often released.
- Take advantage of the same options available to GCs,
  as previously outlined. All contractors should have a
  short-form subcontract template available to ensure
  the necessary protections are in place.
  Payment terms can be extended to match the prime
  contract. Performance and delivery standards can be
  defined. Expectations beyond implied warranties under
  the UCC can be obtained.
Information & Communication
Information and communication systems capture, calculate,
and convey the intelligence necessary to make good risk
assessments and decisions. A successful information and
communication system is directly connected to a contractor's
vital processes, success factors, and KPIs.
In some companies, this is as simple as a G/L system, while
others may have elaborate, integrated systems that include
estimating, project management, financial accounting, and
more.
In control-minded organizations, the focus is not on the
number of systems but on the quality and timeliness of
information included in the systems. The key is ensuring
the information is relevant and meaningful to a contractor's
unique situation through a well-planned, systematic process
that is adopted throughout the company.
Entrepreneurial-minded organizations may have a high-
powered system that was put in place by management to
simply check a box, not to meet the specific risks that the
organization faces.
In recent years, robust technology solutions have been
made available to help manage subcontract risk. These often
include features that facilitate the application of consistent
processes, benchmarking, and the management of delivery
to key users. These tools can be valuable if thoughtfully and
properly implemented to match an organization's needs.
The systems utilized should integrate all aspects of the key
risk areas to ensure that subcontract risk can be appropri-
ately mitigated. A component of the system should include
real-time financial metrics to help monitor the risks relevant
to the subcontract arrangement.
Monitoring
Monitoring is perhaps the easiest and most important
component for the program's longevity. An effective,
control-minded contractor knows that monitoring does far more
than double-check employees' work; it brings a sense of
validation and importance to an activity.
If monitoring takes place at the higher reaches of the organi-
zational chart, then activities will be carried out with a higher
degree of importance. For example, if a PM or engineer
knows that the CEO will review the quality of a decision,
then there is a good chance that proper controls are followed
in the process leading up to that decision.
Without the expectation that the use of controls will be
reviewed, there will be a growing perception that no one
cares, and programs often become random and end with
non-use.
An organization can put a stamp of importance on any activ-
ity through its use of monitoring. A consistent pattern of
monitoring brings out the best in team members and drives
individuals to follow the trusted protocol that has made the
organization successful.
Why, then, is it so common to see little or no monitoring of
the subcontracting risk mitigation process? I believe that
most organizations have not been hit with a major loss from a
subcontract failure. Stories are nothing more than that, even
if they are frequently becoming more local.
Most sureties, banks, and auditors expect this trend to
increase when growth in construction occurs and balance
sheets are not able to recover as fast as the economy. I
believe that contractors will be well served in treating the
subcontract risk mitigation process with the same diligence
as their most important processes.
Conclusion
Long discussions and pages of notes can be wasted on stand-
alone control actions. When contractors take into account
their own environment, risks, and existing systems, they cre-
ate control activities that matter, that work, and that stick.
If a contractor is going to experience a subcontract-related
loss, then it is likely to occur now during economic recovery.
Contractors that embrace a strong control environment and
the processes discussed in this article can help prevent a loss
from a subcontract arrangement.
Endnote:
1. Visit www.coso.org for information on the COSO report or internal
control studies.
SHANE E. BROWN, CPA, CCIFP, is a Partner in the
audit service area at EKS&H in Denver, CO, where he
leads the construction services group. Shane also has
extensive experience in employee benefit plan audits,
compliance, and corrections.
A previous author for CFMA Building Profits, Shane is a
member of CFMA's Colorado Chapter and belongs to its
Board of Directors. He is also a member of AGC, ABC,
and AICPA. He received a BS in Accounting from Mesa
State College in Grand Junction, CO.
Phone: 303-740-9400
E-Mail: [email protected]
Website: www.eksh.com