When it comes to Internal Control programs, organizations are not all equal. Even organizations of comparable size and levels of maturity, and within the same industry, can have very different documentation practices, strengths and weaknesses.
Let me offer you a simple benchmark for evaluating your Internal Control program – the Internal Control “bucket” method.
There are five distinct “buckets” that organizations typically fall into when it comes to their Internal Control programs.
- Bucket 1 – Non-existent
- Bucket 2 – “A bit”
- Bucket 3 – Sporadic or Weak
- Bucket 4 – Optimized
- Bucket 5 – Overkill
Buckets 1 and 2 – Non-Existent or “A bit”
Bucket 1s and 2s are typically new companies that are starting from scratch, going through an Initial Public Offering (IPO), or in the process of maturing.
Buckets 1 and 2 have a lot of work – but it is great to start from a clean slate. There are advantages to taking a look at your company with a fresh set of eyes and (figuratively) a blank piece of paper!
What are signs of Buckets 1 and 2?
- No or little documentation.
- No or little process documentation
- No or little scoping materials, risk assessments
- No or little controls defined or basic Control Matrix
Bucket 3—Sporadic or Weak
Most of my clients (at least when I start working with them) are Bucket 3s. Many of you reading this are probably in Bucket 3 too.
Bucket 3s typically “have” an Internal Control program but they are not realizing the benefits from this program.
Bucket 3s are often “going through the motions” when it comes to documentation. Many 3s believe they are really in Bucket 4. “We have lots of documentation around XYZ process!” Bucket 3s are known for taking a checklist approach—those that believe just “having documentation” is enough. Their Internal Control program may even be giving them a false sense of security, while the true objectives of the documentation are not being met.
What are signs of Bucket 3?
- Process documentation and controls in place but little connection to its value
- “Checklist” approach to Internal Controls
- Management does not care or listen to the output from the Internal Control program
- Internal Control issues that are talked of in circles
- Lack of momentum on Internal Control projects
Bucket 4 is the “ideal” organizations should aspire to. At this level, Management, the Audit Committee and the Board garner value from the Internal Control program. Management actively seeks input from the Internal Control program team.
There are regular reviews of the Internal Control program and established practices around the related documentation; and, most important, the documentation is usable and aligned with the goals of the organization.
Bucket 4s are also very practical. They don’t just “do” testing or Internal Control work for the heck of it. They have simple and reasonable process documentation, controls and supporting templates or systems. They have strong discernment for what matters and what doesn’t matter.
What are signs of Bucket 4?
- Fit for purpose process documentation
- Reasonable controls that are followed (but that aren’t “too easy” either)
- Proactive practices
- Management garners value and seeks input from the program
- Program helps staff members to gain clarity
- Changes and improvements are made as a result of the program
The last bucket, Bucket 5 (Overkill), is common in environments where there is fear of failing regulatory requirements (e.g. Sarbanes-Oxley (SOX)) or where there is little understanding or ability to write clearly and sufficiently. This is common in environments that are over-thinking their documentation issues and problems. You could call this bucket the over-educated, over-academic or overkill bucket. Bucket 5 is possibly the most ineffective of all the buckets. It is also the most expensive.
In my experience working in the Oil & Gas sector—where times can be very good and then very bad—5-level projects creep up when times are good and companies have more resources to throw around and therefore too many thinkers. Too much money, too many fancy consultants, too many committees—and too little movement forward.
Ironically, I have found it easier to work with clients on their Internal Control programs when times are leaner, and organizations are more careful and frugal with their documentation resources (both people and systems).
In my experience, Bucket 5s can actually be some of the hardest projects to turn around. You have to weed through lots of documents, many of which need a complete overhaul. Some systems are too complex and should be disbanded. It is hard to tell Management that their expensive Internal Control program is not working for them.
If you are in Bucket 5, it is important to use “lean” thinking to make your Internal Control program digestible, reasonable and highly cost-effective.
What are signs of Bucket 5?
- Over-thinking and redoing of Internal Control work.
- Documents that are never “good enough” or just never seem to reach completion.
- Overly-complex testing templates.
- Program is too expensive or time-consuming.
- Lack of consensus and difficulty pulling the trigger.
- Excessively long or complex process documents.
- Too many controls.
Which bucket would you say that your Internal Control program falls into? Be honest! If you are a 4, that’s awesome – your thinking is exactly aligned to how we work at Risk Oversight! If you are not in Bucket 4, Risk Oversight is eager to help you to get there. Contact me at firstname.lastname@example.org for more information.