Before you get excited, I’m not talking about cutting corners on your work or how results are reported. I’m talking about putting a little variety back into your Internal Control program (be it SOX, CSOX, ICFR or other). New people. New ideas. New activities. Don’t get stuck in a rut in your relationship with your Internal Control program.
You might be thinking that now, in today’s horrendous economy when your budget has been slashed, is not the time to think about variety (especially for your Internal Control program).
Let’s face it. 2020 has been unprecedented. For us here in Alberta, the events have been particularly devastating: a severely depressed energy sector battling five years of low commodity prices, hostile government policies, media demonization of the Oil & Gas industry, blockades on our pipeline projects, a Russia-Saudi price war, and (I almost forgot) an economy-killing pandemic. And those are just a few things.
I get it, your Internal Control or compliance program is not top priority right now. But, like many other areas of your company, your Internal Control program is one place where your company needs to cut costs. It will be the culmination of a series of unsexy cost-savings moves that will position your company to weather this tsunami.
From the thousands of hours that I have spent running SOX, CSOX, ICFR, and other Internal Control programs, I am going to cut right to the chase. This article is not an academic mumbo-jumbo about rationalizing controls or using fancy frameworks. These are no-nonsense tips for saving you money in your Internal Control program while adding meaningful value back to your company.
1. Keep things spicy.
Nowhere in professional standards does it say that you need to run the same Internal Control program year over year. The concept of roll-forward is often misconstrued into roll-laziness.
Like other parts of your life that I won’t get into, you need to keep your Internal Control program spicy.
- Change the people you assign to each process. You don’t need to fire all your staff, just switch around their processes.
- Change up your test procedures. Challenge even the most airtight processes.
- Change your design approach. Don’t need to stick with the same design techniques year-over-year – try new things interviews, walkthroughs, surveys, diagramming, questionnaires, risk assessments, etc. to look at processes in new ways.
- Attack new Areas of Focus. Delve into areas that matter to your Management, Board, and staff.
Internal Control programs are designed for a certain consistency and reliability following the cadence of predictable Accounting and Finance functions. While this consistency has its benefits, it can also be a value-killer.
When your dime is cut, it can be tempting the push the Internal Control repeat button. Do the opposite.
These days you need to be more creative, more risk-taking, and more value-seeking. Economic crisis puts new pressures on your people and processes and your Internal Control program should adapt like the rest of your company.
2. Don’t pay too much for your people.
Do you really need to spend $200 an hour for ticking invoices? No, you don’t.
Pay rates that are fit for purpose. As per the adage “you get what you pay for” goes, I am not saying that you should hire “cheap” people. But you need to be reasonable in assessing the resources that you need and how to hire or contract them.
The most common resourcing mistakes that I see are:
- Obscene consulting rates. You don’t need to pay hundreds of dollars per hour for Internal Control work. Now is not the time to spend on fancy firms that give you Flames tickets (BTW – you can’t go anyways). Put your ego aside. Pay reasonable rates.
- Hiring people full-time, all year. Unless you are a large SOX-404 filer, most companies do not need to be paying for staff (or limited staff) for the entire year. Audit and Internal Control fatigue are real issues. You will literally burn out your stakeholders if you review them all year. Internal Control work is more like the 800-meter dash and less like the ultra-marathon. Bring in people when you need them and take a strong “spurt” to get what you need done for a concentrated part of the year.
- Not contracting for deliverables-based work. Internal Control programs are by nature defined by clear deliverables. In my experience, the Internal Control programs with the best cost control are contracted on deliverables-based models. Even if you don’t use external resources, the concept is the same for your internal staff.
Structure your Internal Control program to meet the deliverables you need and then find the right fit-for-purpose resources to make this happen. In today’s tough market, there are a lot of great options out there for you.
3. Think carefully about your documentation standards.
I have been writing about effective documentation practices for over 10 years, and I wake up and think about documentation every day. I am a believer in documentation as a valuable part of your organization’s fibre.
But documentation comes at a cost.
One of the reasons that documentation costs get out of hand is that documentation standards are not well understood. Those of you from a Chartered Professional Accountant background appreciate the “reperformance standard” as the de facto standard for documentation. (This standard is where a user could “reperform” the steps using the standalone document.) While the standard provides an excellent benchmark, it is also often horrendously abused and twisted into an excuse for bloating Internal Control programs.
The reperformance standard does not mean that you need:
- 20-page walkthroughs that no one reads.
- A complex compliance system when a simple Control Matrix will do.
- Scans of every single supporting test document.
- Cumbersome templates for every control.
- Glossy presentations for status update meetings.
I have seen all the above many times. Unfortunately, Internal Control team members tend to believe that these standards are “required”, and the fat gets baked into the program over-time.
In today’s lean times, you need to think very carefully about the documentation standards that you set for your program. Internal Control programs need documentation standards that add value but do not cross anywhere into the territory of overkill.
So, shed the fat through reasonable and diligent documentation standards.
4. Let your stakeholders give you the answers.
Let me share with you a dirty secret about Internal Control programs.
Sampling, testing, and complex analysis are great – but you don’t always need to work all that hard. The answers are often right in front of you in your stakeholders. You just need to ask them. And then listen (and that’s the part that’s often missed).
It’s this easy.
- Ask your stakeholders their thoughts, ideas, and feedback.
- Write down their answers.
For some of your stakeholders, the Internal Control program is one of their few opportunities for being heard in the company. Let these people be a source of great information (and gossip). Playing Therapist should not be out of your wheelhouse.
For other stakeholders, you will have to work harder to pull out the information. Channel your inner Barbara Walters. There is magic in interviewing people about their area of work (even if it doesn’t seem overly exciting on the surface).
There is no substitute for data to back your results and I am by no means advocating that your program can rest on anecdotal evidence alone. However, you can save literally hundreds of hours of analysis, data mining and testing through just asking the right questions and getting your stakeholders to point you in the right direction. If you don’t have huge budgets to perform the complex spreadsheets that you used to, try this technique to bring valuable information and analyses back to your program even in tight times.
They say that times of crisis bring out the best in creativity and innovation. Your Internal Control program deserves this kind of thinking too.
It is my sincere hope that these no-nonsense tips will help you to save money and add value through your Internal Control program in these trying times.
If you are looking for any help in understanding how to cut your costs while maintaining strong value in your program, I would be happy to help you. Risk Oversight consistently outperforms other Internal Control models through high-quality work at a reasonable cost. Please contact me at email@example.com. I’d love to speak with you!