

Internal controls: Best practices for contractors

Mar 17, 2021

How necessary are internal controls for contractors? Think of it as the difference between black and red. 

Companies that rely on proven internal controls best practices are more likely to operate in the black. Construction companies that have ineffective or limited controls are ripe for fraud, inefficiencies and noncompliance – and are more inclined to bleed red.

Internal controls can safeguard your organization from theft, misappropriated funds and even cyberattacks. They can help ensure you are operating in compliance with local, state and federal regulations. And they can streamline operations by ensuring everyone on the team is working from the same plan using the same procedures in support of the same goal.

But it’s not enough to simply implement internal controls. Unless they are documented, reviewed and understood by all members of the team, even the most well-intentioned controls can be overlooked or, worse, ignored. Uncovering internal theft or preparing for litigation is the wrong time to discover your internal controls were not as effective as you thought.

The following internal controls best practices highlight key areas in the construction project lifecycle where you can reduce financial and legal risk and keep projects on track.

Information technology

The construction industry has been traditionally slow to adopt digital technologies. That is changing fast, and contractors need to make sure their internal controls keep pace.

At the very least, the IT team should conduct regularly scheduled reviews of user access rights. Whenever possible, there should be a digital wall between those who handle cash and those who oversee billing or invoice processing. Processes and procedures should also protect against business interruption from system failure or cyber criminals. A layered security approach, combined with business continuity solutions, will reduce the risk of stolen or lost data and unplanned downtime due to cyberattack or a disaster.

Estimating and bidding

The initial estimate is often used to establish expectations on a project. For that reason, mistakes made in the preconstruction phase will have a cascading effect on the entire project.

Adding a quality control check is one of the easiest controls to implement at this stage. Establishing an independent review of the initial bid package — including contract costs, indirect cost allocations and plan drawings — will reduce the chance for surprises down the road.

When subcontractors are required, internal controls should assure that the prequalification process takes financial fitness and bonding capacity into account. Items such as insurance requirements, payment terms, retainage clauses and liquidated damages should be carefully reviewed. The onboarding process should also include a step to check consistency between the master and subcontractor contracts.

Contract costs

Any processes that involve contract costs should be protected by guardrails. Ensuring that ordering, purchasing, receiving and approval processes are segregated among multiple people is key to preventing fraud and other loss. 

In addition, processes should ensure that project managers confirm that subcontractor, labor and indirect costs are properly reviewed, approved and accounted for against the correct contract and in accordance with contract terms. Extra attention should be directed at change orders, retention terms, bonding requirements and lien waivers. Company leadership should also mandate that any changes to pay-rate authorizations be reviewed and approved by multiple people and properly documented.

Project administration

Internal controls for project administration should support consistent communication and management oversight in addition to fraud detection and prevention. For example, a review of change orders, estimated costs to date, balance over/under billed and percent complete should be part of the agenda for every monthly team meeting.

Internal controls can also curtail decision-making without proper authorization or oversight. Processes and procedures for handling change orders should at a minimum require prior approval and documentation. Likewise, requiring management approval on a close-out checklist can certify that lien releases have been obtained, all change orders have been authorized and signed, and all retention has been billed.

Billings and collections

Separation between functions is a critical component of billing and collections controls. Simply segregating invoicing from cash disbursement and billing from cash receipt processes can reduce the risk of cash-type fraud.

Internal controls can also help keep the billing cycle turning. Ensuring that billings are completed consistent with the terms of the contract and that they are billed on a timely basis will keep cash flow predictable. Established procedures should also include processes for documenting management approval of all work. This reduces the chance for inadvertent payment of unauthorized bills. It also provides guidance for good documentation and retention practices.

Revenue recognition and general accounting

Detailed controls over the accounting function can promote the consistent and on-time reconciliation and close of project books. For example, controls can be established to update the job schedule based on incurred costs, contract value, estimated margins and other outliers. Further, a month-end close should include a step to verify that no costs get posted back to the incorrect period. All of this information should be documented to help inform future estimates on similar projects.

How Wipfli can help

Implementing internal controls doesn’t guarantee that a project will be free of problems or unusual job margin fades. However, they will support regular communication, mitigate surprises and reduce the risk of a catastrophic breakdown in operations.

Not sure where to get started, or how effective your controls really are? Wipfli’s team brings demonstrated experience with supporting construction firms of all sizes. Our team can assist with everything from internal audits to enterprise risk management to cybersecurity. Contact us or learn more about us on these web pages:

Services for construction firms, contractors

Internal audits

You can also learn more about internal controls in these resources:

Internal controls can strengthen construction firms 

Internal controls can flag fraud

Internal control in virtual office

5 myths about internal controls

Internal controls: Back to basics


Curtis R. Olson, CPA, CCIFP