As we gear up for a strong Q4, everywhere we go we hear people talking about interest rates, inflation, layoffs, and the economic risks ahead. We’re seeing delays and even decreases in spending on projects, training, and benefits. People are trying to figure out how they can do more with the people and resources they have.
Well, the good news is, it’s possible. With the right thinking and techniques, you can stretch your GRC budgets farther while getting the same (if not more!) value out of your programs. Let us share 8 of our favorite ways to approach “doing more with less” in your GRC program (whether you call it internal control, SOX, CSOX, ICFR, or internal audit), specifically in lean times.
(Plus, stick around for a BONUS tip at the end which I share in a short video.)
1. Do more design, and less testing.
You can think of design as the cake of your internal control program and testing as the icing. You can live with just a little icing, but the cake stands on its own. Many internal control programs pour countless hours into testing but shortchange their work on design. That is a mistake.
Thoughtful design work can add the maximum value to your GRC program. Poor design work, on the other hand, makes your program more of a “check-the-box” exercise with the risk of misused resources, lack of buy-in, and lost opportunities to add value. For more information on how to improve your design work, check out this article here.
2. Revisit the reperformance standard.
The reperformance standard is the de facto standard for internal control programs and the audit profession. If you are rusty on the definition, let’s revisit it:
REPERFORMANCE STANDARD: The ability of a stand-alone document or system to allow a user to perform the related task or process.
“Reperformance” means your document has enough detail for your reviewer or other competent GRC professional to understand what you did without assistance (aka, without asking for help). In practice, this means being able to retrace the underlying transactions reviewed, the work performed (at a moderate, not detailed level), the analysis and thinking that informed the work, and the conclusions drawn.
The standard doesn’t mean:
- 20-page walkthroughs.
- Scans of every single supporting document.
- Step-by-step of all steps of a process.
- Recording every detail with respect to the transaction.
(And yes, I have seen these interpretations!)
If your team doesn’t understand the essence of reperformance, they may be wasting time and resources going into the overkill zone. If so, educate them on what reperformance means, and what it doesn’t mean.
3. Tame your templates (or, avoid Template Hell).
One of the biggest (and often hidden) time-sucks in GRC programs is unwieldy templates. Our firm has inherited testing templates from preexisting programs that are elaborate, even gorgeous. (We have received templates that are over 60 columns across on several occasions.)
But documentation isn’t cheap. Complex, fancy templates have a high cost in terms of the time for filling in data and maintaining them, and an even higher potential cost of time and brainpower that could be better spent elsewhere. Watch out for overly cumbersome templates and allow flexibility where relevant.
Team members shouldn’t need to fill out every field every time. The philosophy of avoiding Template Hell, as I call it, will go a long way in helping your GRC team to combine the best of structure and creativity to grow their professional judgment and common sense.
4. Pay the “right” amount for the “right” talent.
Think about where you need to spend money on people and where you don’t. As per the adage “You get what you pay for,” I do not believe in or recommend hiring “cheap” people. But you can be thoughtful and reasonable in assessing the resources you need and how to hire or contract them (i.e., you don’t need to spend $300/hour to tick and tie invoices).
A common resourcing mistake I see in internal control work is hiring people full-time, all year, especially for smaller or mid-sized companies. GRC projects are more like the 800-meter dash and less like the ultra-marathon. Bring in people when you need them and take a strong “spurt” to get what you need done for a concentrated part of the year.
(Besides, audit and internal control fatigue are real issues. You will burn out your stakeholders if you are bugging them all year.)
5. Understand when to use a system, or not.
Like your templates, your systems can improve the efficiency of your internal control program, or they can hurt it. I have watched companies pour tons of resources into fancy workflows and tools for audits and internal control programs only to realize that their spreadsheets and folder systems were much easier and more effective with zero configuration.
I have worked with all the major internal control, audit, and SOX software on the market. While I don’t recommend one over the other, I will say that where clients tend to get the most value from these systems is through centralizing their controls or risks, monitoring the status of their work, assigning responsibility, and tracking issues and recommendations. (Many of the other benefits sold, in my experience, aren’t as slick as the demo.)
Technology solutions don’t (unfortunately) just happen thanks to magic little elves. Access, configuration, settings, changes, training, testing, troubleshooting, and support are not to be taken lightly. Before you buy a new GRC or audit tool, weigh the heavy costs of managing it. Internal control software or systems aren’t right for every organization or for every internal control program. For example, I typically don’t recommend that you use a system if you have fewer than 5 people involved in your internal control program. Instead, you could use a lower-tech option like SharePoint.
6. Learn to love ELCs, and revisit COSO-2013.
Entity Level Controls (or ELCs) are about a lot more than just evaluating the “tone from the top.” They are the foundation that allows all other controls, processes, and programs to function effectively. COSO 2013 is the standard model used by SOX and CSOX filers (amongst others) to evaluate their ELCs through a collection of governance “best practices” in risk management, human resources, board oversight, management reporting, and other areas.
When implementing COSO 2013, one of the most common pitfalls is the tendency to take a laundry-list approach. But unwieldy COSO 2013 templates will cost your company unnecessary time and resources. Rather than attacking all the concepts in the model, adopt a lean template that helps you focus on bigger core concepts and important questions, such as, “Is our management reporting effective?” or “Are our HR practices meeting our business needs?” At Risk Oversight we use a 13-point approach (though there are 17 principles in COSO 2013) as a starting point for ELCs, which I encourage you to check out.
7. Don’t let planning take over — just get going.
As accountants, auditors and risk professionals, we are natural planners. It’s in our blood. But planning, in my humble opinion, can get out of control if you let it.
Reporting — both during and at the end of a project or compliance year — is an area that you shouldn’t scrimp on. Reporting is where you make sure your findings, conclusions, and recommendations are understood and communicated and can be actioned on. (Though this can be time-consuming, it is worth the effort.)
Planning, on the other hand, while it is important to the internal control team, is less important to your stakeholders. Unlike reporting, it isn’t what your work is remembered for. Internal control programs that are well-scoped and planned with an according budget are the most efficient and cost-effective. But, as they say, “We plan and God laughs.” So don’t go overboard in planning every detail.
The elements of an effective internal control plan are:
- Risk assessment by financial line item.
- Areas of focus for the year.
- In-scope processes.
- Budget, resources, and timing.
VOILA! You have a plan and can get started. In the famed words of Nike, “Just Do It.”
8. Shorten your SOD reviews and look at core access areas.
Segregation of duties (“SOD”) reviews, which are reviews of conflicting roles and access rights in your ERP or across systems, are a good “best practice” exercise. But they are also time-consuming and often expensive.
If you don’t have the time or resources to do a full segregation of duties review, there is another approach, which can get you 80% of the way there (or more) with minimal effort. Put your effort into testing access and compensating controls around a few core functions, including the vendor masterfile, customer masterfile, cash receipts, super user accounts, changes to the chart of accounts, and posting journal entries. While there can be a tendency to complicate SOD and access reviews, in reality, most of your risk is concentrated in a handful of core access points.
If you focus on reviewing access, controls, and compensating controls around these core high-risk areas, you will achieve the proverbial 80/20 in your work. (If you are looking for a summary of what we’d recommend you focus on, contact me and we’d be happy to share.)
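To show what a focused review of these core access points looks like in practice, here is an added example (not from the original post or from Risk Oversight) that runs over a constructed user-access extract: it flags super user accounts and users who hold a conflicting pair of core roles. The ERP role names and the conflict pairs are illustrative assumptions, not a published standard.

```python
from collections import defaultdict

# Core access areas named in the post, mapped to illustrative ERP role names (assumed).
CORE_AREAS = {
    "VENDOR_MASTER_MAINT": "vendor masterfile",
    "CUSTOMER_MASTER_MAINT": "customer masterfile",
    "CASH_RECEIPTS_POST": "cash receipts",
    "COA_CHANGE": "chart of accounts changes",
    "JE_POST": "posting journal entries",
    "SUPER_USER": "super user account",
}

# Illustrative conflicts (assumption): one person who maintains a master record
# and also records the related money movement can both create and settle it.
CONFLICT_PAIRS = {
    frozenset({"VENDOR_MASTER_MAINT", "JE_POST"}),
    frozenset({"CUSTOMER_MASTER_MAINT", "CASH_RECEIPTS_POST"}),
    frozenset({"COA_CHANGE", "JE_POST"}),
}

# Constructed extract: (user_id, role) rows as an ERP access report might export them.
SAMPLE_EXTRACT = [
    ("alice", "VENDOR_MASTER_MAINT"), ("alice", "JE_POST"),
    ("bob", "CUSTOMER_MASTER_MAINT"), ("bob", "AR_INQUIRY"),
    ("carol", "SUPER_USER"),
    ("dave", "CASH_RECEIPTS_POST"), ("dave", "CUSTOMER_MASTER_MAINT"),
]

def roles_by_user(extract):
    """Collapse access rows into {user: set(roles)}, keeping only core-area roles."""
    users = defaultdict(set)
    for user, role in extract:
        if role in CORE_AREAS:
            users[user].add(role)
    return users

def find_exceptions(extract):
    """Return sorted (user, finding) tuples a reviewer would follow up with
    compensating-control testing; roles outside the core areas are ignored."""
    findings = []
    for user, roles in roles_by_user(extract).items():
        if "SUPER_USER" in roles:
            findings.append((user, "super user account"))
        for pair in CONFLICT_PAIRS:
            if pair <= roles:
                a, b = sorted(pair)
                findings.append((user, f"conflict: {CORE_AREAS[a]} + {CORE_AREAS[b]}"))
    return sorted(findings)
```

Each finding is a starting point for the compensating-control work the post describes, not a conclusion on its own; bob's read-only AR role falls outside the core areas and is deliberately ignored.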