In my many years on the ground (and in the trenches) running internal controls* programs, I can tell you that internal controls programs are a goldmine of opportunity.
But only when you “get” what audit and control concepts are about (and not about).
Unfortunately, many organizations settle for a check-the-box, perfunctory, set-on-autopilot approach, ending up with a proverbial lump of coal for a program (i.e., audit fatigue, wasted resources, trivial documentation) instead.
If your internal controls are designed just to meet minimum requirements rather than the needs and benefits for your organization, you may actually be increasing your risk. You’ll be at risk of thinking that processes and functions are working when they aren’t.
*You might use terms like SOX, CSOX, ICFR (Internal Control Over Financial Reporting), GRC (Governance Risk and Compliance), compliance, regulatory, or internal audit too. Forgive any technicalities here, but I am smooshing these ideas together for the sake of this discussion.
5 Principles to Leverage Value (and Avoid Pitfalls)
Whether your team or program is just getting started, highly developed, or needing a makeover, there are 5 principles that can flip the default approach to one with real value. And of even more benefit, your internal control program may become more efficient, engaging, and fun too.
The principles are simple:
- Think Good Habits (Not Theory)
- Be an Accountability Partner (Not a Cop)
- Focus on Continuous Improvement (Not Pass/Fail)
- Keep It Interesting, Stupid, or “KIIS” (Not Rinse and Repeat)
- Be a Problem-Solver (Not a Box-Checker)
Internal controls are about habits, accountability, continuous improvement, change, and problem-solving. They aren’t about theory, policing, pass/fail, rinse and repeat, or checking the box.
1. Think Good Habits (Not Theory)
In the audit and control world, it’s easy to fall into an abyss of theory. CPAs and other technical professionals can be particularly guilty of this. We typically ask questions like: What assertions do we link this to? What is the risk of management override? What is an outlier for this control?
If you find yourself drowning in frameworks, whitepapers, models, and discussions headed to outer space, STOP. Breathe. Step back. Then think about the practical side of what you are doing.
Just like brushing our teeth, working out, making our bed, and the habits in our personal lives, your internal control program is all about good habits too. Reviews, documentation, approvals, locking the doors, and counting inventory are effectively habits we call “controls.” Like going to the gym 3 times a week, they follow a cycle that keeps our organization strong and healthy.
2. Be an Accountability Partner (Not a Cop)
Can you imagine if someone was assigned to follow you with a clipboard and mark down everything you did wrong in your workday? Now, let’s say you are running a team of 30 people with six high-stakes projects.
I know that this is dramatic. But that’s how audit and internal controls can feel to many.
So, think of your internal controls program more like an accountability partner, less like a cop. I had a personal trainer who would call me each week to check in on my sleeping, eating, drinking (or overdrinking), and working out. I recently had my dentist’s office text me reminders to wear my mouthguard.
Accountability partners work for individuals, and they work for teams, departments, and organizations, too. It’s a testament that many of our Risk Oversight clients – governments, charities, private companies, and post-secondaries – with no regulatory requirement for internal control programs, think the same. They use our services to keep them accountable for maintaining their control environments and for following through on their plans year over year.
3. Focus on Continuous Improvement (Not Pass/Fail)
If you are a hammer, everything looks like a nail. This is a problem in the traditional way that audit and compliance programs are taught. There is an overfocus, in my opinion, on deficiencies, issues, errors, and “fails.”
Of course, we need to report on what’s not working (I certainly do this). But issues are only one piece of the puzzle.
Instead, reframe your internal controls program to focus on continuous improvement by telling the story of how processes, teams, and initiatives are evolving. It’s a subtle shift in your approach and perspective that drives more tailored, fit-for-purpose work (and one that is less template-based). For example, mature processes, projects, or companies require a different lens than those getting off the ground.
4. Keep It Interesting, Stupid, or “KIIS” (Not Rinse and Repeat)
Internal control programs are designed for certain consistency and reliability, especially in areas like finance, filings, maintenance, or health and safety.
But nowhere in professional standards does it say that you need to run the same program year over year. The concept of roll-forward is misconstrued and easily becomes roll-laziness.
Like other parts of your life that I won’t get into, keep your internal control program interesting. That means changing the people you assign to processes, the questions you ask, or how you test and attack new areas of focus each year. In my experience, there’s enormous benefit in having new people with different experiences “look under the hood” each year to see what is going on and to bring new ideas to the table.
5. Be a Problem-Solver (Not a Box-Checker)
Lastly, let’s address the elephant in the room and the most common and dangerous pitfall I see. Many internal programs have the right superficial aspects in place (e.g., walkthroughs, processes, diagrams, test procedures), but they’re going through the motions, or “checking the box.”
Your internal control program may be good enough to satisfy what your audit committee, auditors, and regulators need to see. But there’s a lack of connection to improving behavior, driving action, and paving the road to success. This is a mindset (or caring) problem more than anything else.
If your internal control program is just going through the motions, it could be hurting more than helping you through a false sense of security.
To avoid this trap, change your mindset to one of problem-solving. It doesn’t mean that you attack everything like an issue. It’s about looking for solutions and improvements more than anything else. This change makes your thinking more active and engaged (i.e., assessing what could go wrong, looking for improvements) and less autopilot or auto-brain (i.e., routine testing, rolled-forward templates).
If your internal controls program has fallen into any of these common pitfalls – theory, policing, pass/fail, rinse and repeat, or checking the box – I’d love to speak with you to get you back on track. Please reach out at firstname.lastname@example.org.