Implementing controls implies a robust and structured environment. However, simply having controls in place is not enough. Some organizations have controls that are only partially effective and require remediation or are ineffective and require a complete overhaul. There are reasons why controls fail. The most common control failures are caused by inadequate company policies, lack of documentation, and unenforced segregation of duties.
Poorly structured policies are one of the most common deficiencies when it comes to controls. Policies are often overdone or written to cover everything that shouldn’t be done. The extensive list of exceptions becomes overly complicated and can cause employees to become overwhelmed and lose track of their own job responsibilities. Compare it to the U.S. Constitution: the amendments are overarching policies for Americans to abide by, but they don’t dictate every single exception of the law.
Policies should be written with a focus on what staff should do. Don't overcomplicate it. Clearly and concisely state the policy to ensure a consistent understanding of the company’s expectations and provide legal protection when necessary. With well-established policies in place, the confusion is removed and business processes are consistent and more effective.
If it's not written down, it didn't happen. Companies often grow complacent about documenting activities to support established controls and fail to recognize missing information. Required approvals or receipts are not enforced or documented. Performance metrics are difficult to track without historical data for comparison. Onboarding new employees is more difficult without documentation to reference during training.
Creating accountability for adopting a new documentation process is critical to mitigating control failures. When preparing a documentation plan for the business, clarify the documentation requirements of staff and communicate the expectations to each function of the organization. Companies should develop a policy around managing documentation to clearly define which documents to retain and the appropriate storage location. For instance, companies should allocate a single location on Dropbox instead of storing approvals in a desk drawer or journal entries in multiple folders.
With policies and documentation plans in place, segregation of duties can be established. Segregation of duties (SOD) is essential to having an adequate control framework and is implemented to ensure separation of processing tasks, preventing opportunities for fraudulent behavior. To ensure a clear understanding of each job position, align the organization based on future controls. Define process owners and establish a clear separation of owners for conflicting duties. If the same employee tasked with setting up new vendors in the system can also process invoices and print checks, the SOD is ineffective and remediation is necessary.
To get employees on board with new processes and duties, clearly communicate why the duties need to be segregated rather than presenting the SOD as restrictions or rules. Ensuring employees understand why SOD is required helps maintain controls and provides a foundation for auditors to test.
Implementing effective controls throughout an organization ensures security in the system and protection against fraud. Develop strong internal controls around policies, documentation, and segregation of duties to get the most value out of your business.
Trenegy is a non-traditional consulting firm with a long history of documenting and implementing the proper controls for clients. Find out more about Trenegy’s expertise: info@trenegy.com.