There is no rule that says that you need to make your Internal Control program (like SOX, CSOX, ICFR or other) boring and academic. This might come as a shock to you after you read the popular guidance that is out there! Making your program dry and academic will have the opposite effect to what you want to accomplish. So give your Internal Control program life and dynamism!

Why is it important to keep your Internal Control program interesting and full of life?

  • Attracting the right people. You will scare anyone with a brain or a personality away from your program – and the entire profession for that matter – if you don’t give your program a personality.
  • Engagement. No one will care about Internal Controls if you can’t get them to engage. Engagement is not a nice-to-have, it is essential for your Internal Control program to be successful.
  • Habits beat theory. Internal Control is like having a good set of habits (like we will describe below), not having a long list of theory. Habits are something great to follow. Theory is not tangible and on its own is impotent.
  • Sounding smart is not the answer. Sounding smart with difficult Internal Control or accounting terms won’t get you very far. You don’t need to confuse people with your terminology. You need common sense, not big words.

What are Internal Control programs not about?

  • Rules. Rules are for losers, systems are for winners. You can’t apply blanket statements like “all accounts need to be reconciled quarterly”. This is just not true! Organizations are unique organisms. Understanding these organisms comes from applying good practices unique to the company.
  • Theory. Theory is for even bigger losers. Your program is for a real company! Don’t treat the theory books like gospel!
  • Doing the same thing every year. Consistency is good, but there is absolutely no rule that says that you need to have the same program each year.
  • Taking yourself too seriously. This is not nuclear or bridge safety, it is Internal Controls. We apply about a 2-5% error to financial statements. That gives us some wiggle room.

What should Internal Control programs really be about?

  • Good habits. Brushing your teeth, working out, making your bed. We are aware of our habits in our personal lives. Take this practice to your work life as well. Good habits will get you a long way! For example, having someone review your work is just common sense. We work better when someone is reviewing our work. I have others review my work all the time.
  • Systems. Systems trump goals. Internal Control programs are about establishing great systems for organizations. They are not about one-shot deals. This is similar to habits above, admittedly. A system is an organized way of achieving something and comes from a mix of people, technology, documentation and process steps.
  • Accounting. SOX, CSOX, and ICFR are about accounting skills. We don’t have to be deep technical experts but we need some fundamental accounting skills to make things work the way we want.
  • Documentation. Internal Control programs are effectively documentation exercises. Early in my career, I struggled to see the point of this long documentation exercise. Over time, I realized that the documentation part is the program. What gets documented gets improved.
  • Best practices. Best practice is admittedly a bit of a loaded term. A best practice is really just about doing the best thing for your organization. It could be aligned with what others in the industry are doing. But this doesn’t have to be the case either.
  • Continuous improvement. Internal Control exercises are about continuous improvement. If you find yourself buried in templates and testing that no one cares about, you might be doing the wrong thing. Your attention and energy should be on improving things.

I hope that this article helped you to understand what Internal Control programs are about and not about. Do you have a different opinion? Would you like to discuss? I’d love to hear from you! Contact me at adrienne@riskoversight.ca.