Financial controls are a necessary component of running apublic company. Finance staff must use a set of predeterminedcontrols to demonstrate to internal and external auditors that theprocesses associated with generating accurate financial statementsare being performed, and are passing routine testingprocedures.

However, in large organizations, especially those that aregeographically dispersed, the infrastructure of financial controlscan get very complex, very quickly. And when finance managers orauditors take a closer look at the controls framework, they mayfind staff are performing tasks that they call “controls,” but thatare really not much more than busy work. The secret to developing aset of effective and efficient financial controls is to put inplace an assortment of “sanity checks,” through which theorganization constantly re-evaluates why it's taking the actions inthe first place.

In my experience, finance staff often recommend controls thatare easy to pass—such as demonstrating that a report is beingproduced daily—rather than those that could uncover real issuesthat might impact the business's financial statements. The purposeof inserting sanity checks into the controls process is to ensurethat control activities align with the company's operationalobjectives, to avoid the wasteful “check the box” controlsmentality.

Thesesanity checks should also remind staff that the shareholder—and notthe auditor—is the ultimate customer for financial controls. Forexample, the first question a sanity check asks should be “How doesthis particular financial control map to our company's list of toprisk concerns?” You may be surprised by the reaction if you simplyask your staff for a list of controls mapped against riskpriorities. I was once shocked when a team responded to thisrequest with glazed-over eyes. My next order of business at thatpoint was to gather them in a conference room to start an informalgap analysis. Our controls framework improved in just two hours. Myteam quickly saw how their key work to manage top risks could beconverted into quality controls.

Another benefit of that exercise was that the team realized thatsome of their controls were meaningless, almost silly even. Wedropped those activities altogether. From a pure bang-for-the-buckperspective, this may be the most important step toward improvingthe cost-effectiveness of controls. Control work on low-priorityissues may be deemed not only unnecessary, but also a waste ofprecious resources, especially if management discovers that nocontrols are in place to evaluate performance around executives'top worries.

Controls Pass or Fail?

While most companies expect controls to achieve a “pass” in alltesting, management should actually expect controls failures tooccur at the same rate as general operational failures. This makessense, since most corporations experience continuous change due tomergers, divestment, innovation, market flux, and other transitionsin the internal and external business environment.

Such operational failures can be the source of two importantsanity checks. First, a management team should be very suspiciousif all of the company's financial controls pass testing. In myexperience, anytime a dashboard shows every light green, it'sindicating that the controls framework is designed to pass testingrather than to test process quality. The classic 80/20 sanity ruleapplies here; a controls framework that achieves 80 percent greenlights seems about right in a typical corporation experiencing thetypical level of organizational volatility. Moderate failures, oryellow lights, should make up about 15 percent of the testedcontrols, whereas serious red-light failures should make up theremaining 5 percent, particularly for new or ever-changing businessunits.

The words“controls failure” strike fear into the heart of any corporatetreasurer dealing with an external auditor. That is why controlstesting should be done for the sake of management well before theannual external audit occurs. I have no problem with a finance teamachieving all green lights on its controls testing after the teamhas rigorously tested the controls framework and then fixed anyissues that arose. External auditors should only validate whatinternal staff has already perfected.

The second way in which a finance team may use operations as aninspiration for controls sanity checks is that after anyoperational failure occurs, the company should engage in a “lessonslearned” study that focuses on the role of controls.

A while ago, my team started asking whether or not operationalfailures were caught by a financial control safety net. Forexample, our company once experienced a six-figure loss in acomplex process in which one department prepared and shared aspreadsheet with another. Upon investigation, we found no basicquality checks, let alone associated financial controls. In adifferent case, a control actually identified an operationalfailure, and we looked at whether we should add another new controlto detect issues before the point of failure.

If these analyses reveal that a control existed but did notoperate as needed, then the controls framework may need a designupgrade. If instead the analysis reveals an actual controls gap,this is the worst of sins, and a new control is in order.

Perform a Controls “Cold-Eye Review”

The amazing thing about financial controls is how abstract theycan become during actual testing. External auditors mightsend their most junior consultants to a company each year, to lookfor “evidence.” The easiest way to mollify these inexperiencedauditors is to give them an abstract checklist of things thatshould exist in a particular location, then ensure that thosethings do exist.

The classic passable test is whether a report with the correctdate sits in the correct share drive. Any junior auditor canconfirm that without having the first clue as to whether the reportwas produced correctly or is even meaningful. Reliance uponjunior-level auditors should generally produce junior-levelconfidence in one's controls.

Evidence should be the byproduct of good controls work, not theobjective. During annual reviews by auditors, one valuable sanitycheck is to ask whether the finance staff had to do any additionalwork to prepare for the audit. If they didn't, that's a sign thatyour controls are functioning properly on an ongoing basis. But ifstaff did have to take extra steps in order to be ready for theaudit, then you likely have a problem.

Ironically, the “cold-eye review” of a non-expert can be thesource of terrific value, if the reviewer is not the auditor but astaff member who is relatively unfamiliar with that particularfinancial control. Another sanity check is on one day of the year—Ialways prefer April Fool's Day—to require every staff member totrade terminals with another employee and perform all of the otherindividual's functions for the day. This approach will flush outinadequate procedures and controls, or inadequate documentation,rather quickly. It also helps ensure that the company is preparedfor the inevitable turnover in staff. Procedure documents, controlswork, and results should not be dependent on the individuals whocarry them out; all processes should work seamlessly even ifassigned to a brand-new staff member.

Look at Staffing

Finally, when evaluating your list of controls, take intoconsideration the distribution of staff assigned to controls. Doingso can serve as a sanity check on the finance team's bench strengthand personnel allocation. Too much dependence on one person can bea risk unto itself, which may require action.

Detailingwhich staff members have responsibility for which controls can alsoreveal important information about the finance function. I haveinherited teams in which certain people people did not know theywere responsible for certain controls. I have had other situationswhere I discovered individuals avoiding controls assignments. Agood roster of controls can make sure that the “burden” of controlswork is fairly distributed amongst the people doing the mostimportant work.

Like any corporate culture issue, developing an effectivecontrols culture takes time. The ultimate sanity check is for staffto feel a direct connection between their day jobs and financialcontrols. Any list of team activities should have a column thatcross-references to relevant controls. Individuals should havespecific controls listed in their job descriptions and in theirannual objectives. A question about experience with financialcontrols should be a standard interview question for any financeposition.

The goal is to discuss controls during hiring and on an ongoingbasis throughout the year—not just the day before the auditors showup. Over time, a management emphasis on sanity checks will helpstaff realize that annual audits are not senseless exercises, butrather validations of a job well-done. Staff will learn to aligntheir daily work with management objectives through the controlsframework, with the focus shifting from a once-a-year hassle to adaily functional and cultural experience.

—————————————-

John Wengler designs, tests, and improvesfinancial controls. After two decades working in Fortune 500companies, he recently started his own firm, Green Patch, to sharehis experience with those looking for more cost-effective processesand controls. He can be reached at [email protected].