When it comes to Internal Control programs, organizations are not all equal. Even organizations of comparable size and levels of maturity, and within the same industry, can have very different documentation practices, strengths and weaknesses.

Let me offer you a simple benchmark for evaluating your Internal Control program – the Internal Control “bucket” method.

There are five distinct “buckets” that organizations typically fall into when it comes to their Internal Control programs.

  • Bucket 1 – Non-existent
  • Bucket 2 – “A bit”
  • Bucket 3 – Sporadic or Weak
  • Bucket 4 – Optimized
  • Bucket 5 – Overkill

Buckets 1 and 2 – Non-Existent or “A bit”

Bucket 1s and 2s are typically new companies that are starting from scratch or else going through an Initial Public Offering (IPO) or are in the process of maturing.

Buckets 1 and 2 have a lot of work – but it is great to start from a clean slate. There are advantages of taking a look at your organization with a fresh set of eyes and (figuratively) a blank piece of paper!

What are signs of Buckets 1 and 2?

  • No or little documentation
  • No or little processes
  • No or little scoping materials, risk assessments
  • No or little controls
  • Weak understanding of Internal Controls across the organization

Bucket 3—Sporadic or Weak

Most of my clients (at least when I start working with them) are Bucket 3s. Many of you reading this are probably in Bucket 3 too.

Bucket 3s typically “have” an Internal Control program but they are not realizing the full benefits from this program.

Bucket 3s are often “going through the motions” when it comes to their Internal Control program. This includes their scoping, documentation, control definition, test of design, and test of operating effectiveness. Many 3s believe they are really in Bucket 4. “We have lots of documentation around XYZ process!” or “We are testing 25 samples across all companies!” or “We have completed 35 out of 50 walkthrough this year!”.

Bucket 3s are known for taking a checklist approach—those that believe just having documentation or doing testing is enough. The problem is that Bucket 3s are often missing the boat. They are focusing on the status of their controls and not on the true underlying risks and issues facing their organization. Often times, the Internal Control program may even be giving these organizations a false sense of security, while the true objectives of the Internal Control program are not being met.

What are signs of Buckets 3?

  • Process documentation and controls in place but little connection to its value
  • “Checklist” approach to Internal Controls
  • Focus on status of controls but not on adding value
  • Management does not care or listen to the output from the Internal Control program,
  • Internal Control issues that are talked of in circles
  • Lack of momentum on Internal Control projects or findings
  • Organization that doesn’t listen or take recommendations from the Internal Control team

Bucket 4—Optimized

Bucket 4 is the “ideal” organizations should aspire to. At this level, Management and the Audit Committee and Board garners value from the Internal Control program. Management actively seeks the input from the Internal Control program team.

There are regular reviews of the Internal Control program and established practices around the related documentation; and, most important, the documentation is usable and aligned with the goals of the organization.

Bucket 4s are also very practical. They don’t just “do” testing or Internal Control work for the heck of it. They have simple and reasonable process documentation, controls and supporting templates or systems. They have strong discernment for what matters and what doesn’t matter.

What are signs of Buckets 4?

  • Fit for purpose process documentation
  • Reasonable controls that are followed (but that aren’t “too easy” either)
  • Proactive practices
  • Management garners value and seeks input from the program
  • Program helps staff members to gain clarity
  • Changes and improvements are made as a result of the program
  • Strong reporting process not just focused on status of controls

Bucket 5—Overkill

The last Bucket 5 Overkill is common in environments where there is fear of failing or little understanding of regulatory requirements (e.g. such as Sarbanes-Oxley (SOX)) or. This is common in environments that are prone to over-thinking their Internal Control issues and problems. You could call this bucket the over-educated, over-academic or overkill bucket.

Bucket 5 is possibly the most ineffective of all the buckets. It is also the most expensive.

In my experience working in the Oil & Gas sector —where times can be very good and then very bad—5-level projects creep up when times are good and companies have more resources to throw around and therefore too many thinkers. Too much money, too many fancy consultants, too many committees—and too little movement forward.

Ironically, I have found it easier to work with clients on their Internal Control programs when times are leaner, and organizations are more careful and frugal with their documentation resources (both people and systems).

In my experience, Bucket 5s can actually be some of the hardest SOX or Internal Control programs to turn around. You have to weed through lots of documents, many of which need a complete overhaul. Some systems are too complex and should be disbanded. It is hard to tell Management that their expensive Internal Control program is not working for them and needs to be figuratively “blown up”.

If you are in Bucket 5, it is important to use “lean” thinking to take make your Internal Control program digestible, reasonable and highly cost-effective.

What are signs of Bucket 5?

  • Constant over-thinking and redoing of Internal Control work
  • Documents that are never “good enough” or just never seem to reach completion.
  • Overly-complex or overkill testing templates
  • Program is too expensive or time-consuming
  • Constant runaround with the external auditors
  • Lack of consensus on Internal Control issues
  • Excessively long or complex process documents
  • Too many controls to manage
  • Lengthy walkthroughs or tests
  • Complaints from the business units on the amount of work required

Which bucket would you say that your Internal Control program falls into? Be honest! If you are a 4, that’s awesome. If you are not in Bucket 4, I hope to speak with you! Contact me at adrienne@riskoversight.ca for more information.