Why Proper Transactions Still Lead to Audit Findings
by David Stifter on Jun 15, 2026 8:45:00 AM
What an SEC enforcement action teaches real estate finance leaders about audit risk — and the one capability that prevents it.
Common Causes of Audit Findings in Real Estate Finance
A large, well-regarded private real estate investment firm had transacted with affiliated service providers for years — loan servicing, property accounting, administrative support. Routine related-party arrangements, expressly permitted by the partnership agreements, and disclosed in the funds’ audited financial statements.
Then an SEC review led to an enforcement action — not because the transactions were improper, but because the firm couldn’t show, in enough detail and on time, that they had been disclosed and approved the way its own agreements required. The substance was fine. The record wasn’t. The uncomfortable takeaway for any CFO: you can be right on every transaction and still be exposed, because what gets tested under scrutiny is the record — not whether the transaction was allowed.
Why Transaction-Level Data Matters for Audit Readiness
Strip the case down and it reduces to one question the firm couldn’t answer in detail: what was allocated to which deal, from which related party, for which period? Captured discretely when the cost entered the books, the answer takes minutes. Commingled into a lump-sum journal entry, it may not exist at all — and you cannot un-blend it after the fact.
That capability has nothing to do with being SEC-registered. Whether the pressure comes from an auditor, a lender, or a limited partner, the test is the same: can you attribute costs to the right deal, entity, party, and period, discretely, at the transaction level? And that capability is built — or lost — upstream, in two layers of everyday process:
- Tier 1 — where misstatements enter (prevention): AP coding, bank reconciliations, related-party transactions.
- Tier 2 — why they go uncaught (detection): workflow design, segregation of duties.
The thread under both layers is the same: discrete, granular detail, captured at the point of entry and actually reviewed. At a few transactions a month, diligence is enough. At thousands of invoices across dozens of entities, it becomes a technology-and-process problem — and the highest-volume entry point of all is accounts payable.
Tier 1: Where Financial Misstatements Happen
Each of these is a point where detail is either captured discretely or quietly commingled — and once it is lost, the financial statements inherit a gap no later control can fully close.
1. Accounts Payable Coding Controls and Best Practices
AP is the largest stream of data flowing into the ledger and the first chance to get each cost right: the right account, entity, property, and period. It is also the most granular, highest-volume step, which is exactly where commingling creeps in:
- Capital expenditures coded as operating expenses, or the reverse
- CAM recovery allocations miscoded
- Prepaids and accruals landing in the wrong period
- Costs lumped at the invoice level instead of split by property or deal
- Coding logic living in one person’s head rather than a documented standard
Repeated across hundreds of invoices and dozens of properties, these stop being clerical slips and become systematic misstatement — patterned, quantifiable, and hard to unwind once commingled into summary balances.
2. Bank Reconciliations Best Practices
A timely reconciliation is the earliest detective control, but only when it is done at the item level. A reconciliation that nets to zero can still hide offsetting errors:
- Unreconciled or missing transactions
- Duplicate payments
- Timing differences between systems
- Backlogs that build up during close
A reconciliation that is not current is a control that is not operating. Small issues then compound across periods until they are material and expensive to unwind.
3. Related-Party Transaction Documentation and Compliance
Legitimate and common in real estate; the risk is traceability. These demand the most granular record of any process — and they are the trap behind the opening case. Each cost has to be tracked discretely:
- Which affiliate provided the service
- The exact amount and the period it landed in
- The specific deal or entity it belongs to
- The basis for treating it as arm’s-length
- The supporting documentation and the disclosure made
Roll several deals’ affiliate costs into one allocation entry and the link between cost, deal, and party is gone. Months later, no one can reconstruct it — which is exactly what the SEC found. An untraceable allocation is a disclosure deficiency, the kind auditors and regulators escalate.
Tier 2: Why Financial Misstatements Go Uncaught
Both of these depend on the same discrete detail — you cannot review or detect what was never captured distinctly — and both fail in deceptive ways, looking strongest right when they are working least.
4. Approval Workflows and Internal Controls
More reviewers feel like more control. Usually they are less: when twenty people touch a transaction, each assumes someone else did the real review, and twenty sign-offs net out to zero. Signs the workflow has become theater, not control:
- Routine and high-risk items follow the same path
- Reviewers approve without context
- No one clearly owns the decision
- Unusual transactions are not escalated automatically
The stronger model is exception management: let routine, in-pattern items flow, and surface only the few that warrant senior judgment — a new vendor, an over-threshold amount, an off-pattern code. But you can only route by exception if the data is granular enough to flag the exceptions in the first place.
5. Segregation of Duties and Financial Oversight
The net beneath the other four: no single person should control every stage of a transaction. The gap is rarely a missing policy — it is erosion as teams change:
- One person initiates and approves
- The same person processes payments and reconciles them
- Temporary coverage during a vacancy becomes permanent
- Over-reliance on a single key individual
Independent review only catches something if the reviewer can see the detail; separation without visibility into the detail is separation in name only. SoD failures are a common contributor to material weaknesses, because when one person controls incompatible steps there is no independent chance to catch an error.
How Control Deficiencies Become Material Weaknesses
The opening case involved a regulator. For most finance teams the equivalent is the external auditor, and the worst outcome is not an SEC order but a material weakness — a combination of deficiencies that creates a reasonable possibility a misstatement will not be prevented or detected. None of the five gaps is fatal alone. But they accumulate in parallel, and the common cause is almost always the same: detail that was commingled instead of tracked discretely, with gaps in both layers at once.
Building Stronger Financial Controls
Strong finance teams do not wait for an audit. They preserve discrete detail by design:
- Code costs discretely at the point of entry, consistently across every entity and property
- Keep reconciliations current and at the item level
- Route by exception, so review lands on what actually matters
- Attribute related-party costs to the specific deal, party, and period as they are booked
Worth asking yourself:
- Could you trace any related-party cost to its deal, party, and period without a research project?
- If an auditor sampled coding across your entities, would it look consistent or improvised?
- Are reviewers focused on exceptions, or rubber-stamping everything equally?
- Have staffing changes quietly merged duties that should be separate?
The hardest and highest-volume of these is AP coding: thousands of invoices a month, across entities, each needing the right account, property, and period. It is also the most automatable — which is exactly what PredictAP does. It captures and codes every invoice discretely and consistently at the point of entry, so the granular detail every downstream control depends on is there from the start, and coding no longer lives in one person’s head. Permitted is not the same as provable — and the record that protects you is built upstream, one discretely coded transaction at a time.