“Design” is the foundation of internal controls — from how you structure financial processes, controls, testing, and your program. But it is likely the most untapped and misunderstood aspect of your internal controls program too.
Effective design is where your team’s experience, problem-solving, professional judgment, and creativity can shine through, if only you let it. Poor design work, on the other hand, has the opposite effect of making your internal control program more of a “check-the-box” exercise with the risk of misuse of resources, lack of buy-in, and lost opportunities to add value.
In this article, I want to share some of my best advice (which I use with our clients every day) for rethinking your approach to design and bolstering your design work as part of your internal control program (whether you call it SOX, CSOX, ICFR, GRC, compliance, or regulatory, too).
Let’s get to designing.
*Design 2.0* – What Design Is About and What Can It Be Too
Standards such as the PCAOB’s (Public Company Accounting Oversight Board) Auditing Standard No. 5, describe design as the work to ensure controls can prevent or detect errors “that could result in material misstatements in the financial statements.” The guidance lists design procedures that include inquiry, observation, inspection of documentation, and walkthroughs.
You can think of design as the cake of your internal control program and testing as the icing. You can live with just a little icing, but the cake stands on its own.
If your internal control program is in its early stages, or if you are struggling to get “the basics” off the ground, your design work is about “minimum requirements” to ensure your financial statements are accurate or that you are meeting other compliance requirements (if applicable).
But for most companies, especially public companies and those with established internal control programs, your design work needs to reach way beyond the minimum requirements to make your program worth the time and resources you spend on it. Yet, it’s common for internal control programs in established organizations to continue reaching for a “low bar” year over year.
This is where I believe organizations need to embrace a 2.0 approach to design to shift the focus on how internal controls can make your organization better, and not only on compliance or regulatory requirements.
*Design 2.0* is an idea, not a prescriptive way of working. It’s about taking small but deliberate steps to get more leverage out of your internal control work and program.
You can apply the concept of *Design 2.0* immediately by using any one or combination of the following concepts:
- Clarity and Communication – This is about giving your stakeholders a deeper understanding of the internal control program and the part they play in it (e.g., through making process documentation clearer and more usable, through communicating what is working and what isn’t working.)
- Best Practices – Leverage industry best practices to “bring the best of the best” to your organization through learning from comparable organizations or experts (e.g., assessing your vendor management program against best practices).
- Continuous Improvement – Make small but progressive improvements to processes, controls, teams, and your internal control program every year (e.g., focusing on specific areas each year to eradicate boredom and short-sightedness that comes with check-the-box approaches).
- Innovation and Change – Design isn’t only about what your organization has today but also about what your processes, controls, and systems can do in the future (e.g., driving better use of tools and technology every year, thinking of new ways to work, or simple but incremental changes over time).
What Design Is NOT About
Unfortunately, there are common misconceptions about design that can distract or misguide even the most established internal control or finance teams.
Watch out if your design work is about:
- Meeting your external auditor’s requirements. Your external auditors have a different perspective of design than those responsible for internal control or internal audit programs. While external auditors focus on the financial statements and what they need to satisfy your regulators, internal control programs are about helping with the broader interests of the organization. Many internal control practitioners come from a background of external audit which means that they may treat internal control programs as just an extension of a financial audit. This is a misunderstanding that can hinder the effectiveness of your design work.
- Superficial updates to process documents. Updates to your process documents are important. But updates alone – especially trivial details or cosmetic changes – do not mean you are thinking about whether your processes work or not.
- Doing a walkthrough. Performing a walkthrough is a great way to review a process. But on its own, it won’t determine whether you have “caught” the issues appropriately. Considering what the team is not doing can be just as powerful and important.
- Filling in templates. There are a lot of design templates out there in the internal control world. But filling in templates isn’t a way to guarantee that you truly thought about the process, controls, and how they work together and what could be improved.
5 Techniques for Better Design Work Today
The key to amazing design work is to use the right techniques. Specifically, you need to use a variety of techniques that you may rotate through each year to bring fresh eyes and thinking to your business.
1. Interviews and Thought-Provoking Questions
Interviewing is about having a strategic conversation with your process owner, control owner, or stakeholder to pull out the information you need. Even the most basic questions can go a long way in helping to support better design: What is working or not working about your process? What would you like to improve? Are you aware of any issues in the last year? What can the internal control program do to help you?
2. Bird’s Eye Diagrams
Tapping your people for information means more than just their knowledge of technical details, code and configuration, accounting rules, and facts. True human knowledge is about how we “get” the bigger-picture concepts. This brings me to my favorite special diagramming technique called the Bird’s Eye Diagram (which is a term I made up but have applied to my internal control and documentation projects for many years). The Bird’s Eye is about illustrating how a process, system, or function works from a high-level perspective.
3. Workshops
You can use group conversations to support better design. A lively discussion of your processes, how your controls work, and how to make them better this year can unlock new ideas while adding engagement to make your program more effective. You can use workshops to review your control documentation or diagrams at the same time, too.
4. Dynamic Writing Techniques
Strong documentation, including processes and controls, is about writing to benefit your stakeholders and hold their attention. There are loads of tricks for improving your technical writing such as using plain, concise wording, steering clear of verbose terms, and providing clear visuals, headings, and examples.
5. Digital Adoption “Lite”
Digital adoption means helping your organization to better use its systems and tools, or adopt new ones where necessary. Your design work can encompass digital adoption “lite,” meaning you make limited but consistent effort to track, monitor, and improve your use and investment in technology and encode this into your internal control program.
So, there you go! You have the key points for bringing more value, engagement, and even fun to your design work and your internal control program. Use these concepts to complement your existing approach and inject fresh ideas to make your program even better.
***
If you have questions about design work or how to build or improve your internal control program, we’d love to talk to you about the work we do at Risk Oversight. We work with organizations in a range of industries to use effective design techniques to drive efficiency in their processes, leverage their resources better, and bring stronger clarity and understanding across the organization.
Please contact me at adrienne@riskoversight.ca. I’d love to connect with you.