Sarbanes Oxley, ISO certification, audit control deficiencies, and IPOs are all driving companies through the pain of developing extensive policies and procedures (P&Ps). Most efforts to develop P&Ps are rushed and insufficiently budgeted.
Companies overlook critical processes that require P&P documentation, or worse, create unnecessary P&Ps. Steps are often added to fix controls without considering the negative impact on process efficiency. Over time, these band-aids create an inefficient, spaghetti-like mess that makes day-to-day activities laborious.
Organizations can take the opportunity to improve processes and controls while creating P&Ps using the following steps:
Process decompositions can be used to identify and map out individual steps. The steps should highlight important day-to-day activities so companies can correctly align P&Ps with processes, not vice versa.
An inventory of processes should be maintained to prioritize how future-state processes and P&Ps are addressed. Those with the highest priority typically fall within the order-to-cash, procure-to-pay, and record-to-report mega processes. Lower priority processes might not need to be addressed before the next audit cycle if controls are monitored via reporting.
Create a process improvement vision to determine the desired future state process environment. Create a team of cross-functional process owners and subject matter experts to develop the vision while considering the impact on organizational structures and systems configurations. Get signoff on the improvement vision by senior management.
Finally, facilitate future-state process development sessions and map out projected flows. An initial comparison to the COSO 2013 principles and the weaknesses report can help the team ensure all critical control needs will be addressed. Confirm with auditors and senior management. Refine as necessary.
It's important to assign ownership to processes to avoid duplicate efforts, unnecessary steps, and control issues. Recommending changes that reduce an employee’s level of responsibility often elicits strong emotional resistance. Reassigning a function, task, or employee can be equally challenging. However, a RACI (responsible, accountable, consulted, and informed) matrix is a helpful tool to define roles and responsibilities for each process.
Creating a RACI diagram is simple. List all the process steps and map the RACI to each process owner or functional area. Only one person can be responsible (one “R” on a line) for a process to comply with Segregation of Duties. If there is more than one “R” across functional areas, either eliminate one or break the process down further.
There can be more than one “A” (person accountable) for a process, but assignments should reflect sound delegation of authority. Any duplicates should be discussed and confirmed using the COSO 2013 principles. Picking roles or individuals to be “C” consulted or “I” informed helps the team finalize realistic delegation of authority.
Once completed, the RACI will often drive organizational changes ranging from reassignment of tasks and duties, to movement of personnel and functions. A clearly defined organization chart with the new roles and accountabilities may need to be developed.
A combination of process flows and RACI diagrams can be used to determine the best way to configure systems to support the new day-to-day activities while providing the right level of controls. The configuration changes to support the new processes and organizational structure should be prioritized based on implementation complexity and P&P rollout schedule.
Many systems provide powerful workflow functionality that can be configured to support the new processes and controls without creating unnecessary burden. However, each workflow should be evaluated to determine the impact on day-to-day activities. Consider using reports to monitor transactions instead of implementing workflows that create unnecessary steps or slow down critical processes.
P&Ps are the glue connecting controls, processes, and roles and responsibilities. This step is easy when done correctly and all previous steps are followed. Procedures should reflect policies and policies should be tied to controls. Old policies should be modified to reflect the new processes. If gaps are identified, new policies should be developed.
A cross-functional team should test and refine the policies and procedures before final review with the auditors. The testing team should work hard to determine how to break or violate the P&Ps without getting caught. Consider using more timely monitoring tools before making significant changes to the process unless the breach would result in material weaknesses.
Once completed, the new fit-for-purpose processes, policies, and procedures should be shared across the new organization.
Trenegy recognizes the importance of regulatory compliance. Companies often struggle to comply with basic controls issues without incurring significant cost or process inefficiencies. We help our clients balance the need for strong controls without losing efficiency. Read how to properly roll out new policies and procedures to ensure they stick in Seven Tips for Effective Training.
