Financial controls are a necessary component of running a public company. Finance staff must use a set of predetermined controls to demonstrate to internal and external auditors that the processes associated with generating accurate financial statements are being performed, and are passing routine testing procedures.
However, in large organizations, especially those that are geographically dispersed, the infrastructure of financial controls can get very complex, very quickly. And when finance managers or auditors take a closer look at the controls framework, they may find staff are performing tasks that they call “controls,” but that are really not much more than busy work. The secret to developing a set of effective and efficient financial controls is to put in place an assortment of “sanity checks,” through which the organization constantly re-evaluates why it's taking the actions in the first place.
In my experience, finance staff often recommend controls that are easy to pass—such as demonstrating that a report is being produced daily—rather than those that could uncover real issues that might impact the business's financial statements. The purpose of inserting sanity checks into the controls process is to ensure that control activities align with the company's operational objectives, to avoid the wasteful “check the box” controls mentality.
These sanity checks should also remind staff that the shareholder—and not the auditor—is the ultimate customer for financial controls. For example, the first question a sanity check asks should be “How does this particular financial control map to our company's list of top risk concerns?” You may be surprised by the reaction if you simply ask your staff for a list of controls mapped against risk priorities. I was once shocked when a team responded to this request with glazed-over eyes. My next order of business at that point was to gather them in a conference room to start an informal gap analysis. Our controls framework improved in just two hours. My team quickly saw how their key work to manage top risks could be converted into quality controls.
Another benefit of that exercise was that the team realized that some of their controls were meaningless, almost silly even. We dropped those activities altogether. From a pure bang-for-the-buck perspective, this may be the most important step toward improving the cost-effectiveness of controls. Control work on low-priority issues may be deemed not only unnecessary, but also a waste of precious resources, especially if management discovers that no controls are in place to evaluate performance around executives' top worries.
Controls Pass or Fail?
While most companies expect controls to achieve a “pass” in all testing, management should actually expect controls failures to occur at the same rate as general operational failures. This makes sense, since most corporations experience continuous change due to mergers, divestment, innovation, market flux, and other transitions in the internal and external business environment.
Such operational failures can be the source of two important sanity checks. First, a management team should be very suspicious if all of the company's financial controls pass testing. In my experience, anytime a dashboard shows every light green, it's indicating that the controls framework is designed to pass testing rather than to test process quality. The classic 80/20 sanity rule applies here; a controls framework that achieves 80 percent green lights seems about right in a typical corporation experiencing the typical level of organizational volatility. Moderate failures, or yellow lights, should make up about 15 percent of the tested controls, whereas serious red-light failures should make up the remaining 5 percent, particularly for new or ever-changing business units.
The words “controls failure” strike fear into the heart of any corporate treasurer dealing with an external auditor. That is why controls testing should be done for the sake of management well before the annual external audit occurs. I have no problem with a finance team achieving all green lights on its controls testing after the team has rigorously tested the controls framework and then fixed any issues that arose. External auditors should only validate what internal staff has already perfected.
The second way in which a finance team may use operations as an inspiration for controls sanity checks is that after any operational failure occurs, the company should engage in a “lessons learned” study that focuses on the role of controls.
A while ago, my team started asking whether or not operational failures were caught by a financial control safety net. For example, our company once experienced a six-figure loss in a complex process in which one department prepared and shared a spreadsheet with another. Upon investigation, we found no basic quality checks, let alone associated financial controls. In a different case, a control actually identified an operational failure, and we looked at whether we should add another new control to detect issues before the point of failure.
If these analyses reveal that a control existed but did not operate as needed, then the controls framework may need a design upgrade. If instead the analysis reveals an actual controls gap, this is the worst of sins, and a new control is in order.
Perform a Controls “Cold-Eye Review”
The amazing thing about financial controls is how abstract they can become during actual testing. External auditors might send their most junior consultants to a company each year, to look for “evidence.” The easiest way to mollify these inexperienced auditors is to give them an abstract checklist of things that should exist in a particular location, then ensure that those things do exist.
The classic passable test is whether a report with the correct date sits in the correct share drive. Any junior auditor can confirm that without having the first clue as to whether the report was produced correctly or is even meaningful. Reliance upon junior-level auditors should generally produce junior-level confidence in one's controls.
Evidence should be the byproduct of good controls work, not the objective. During annual reviews by auditors, one valuable sanity check is to ask whether the finance staff had to do any additional work to prepare for the audit. If they didn't, that's a sign that your controls are functioning properly on an ongoing basis. But if staff did have to take extra steps in order to be ready for the audit, then you likely have a problem.
Ironically, the “cold-eye review” of a non-expert can be the source of terrific value, if the reviewer is not the auditor but a staff member who is relatively unfamiliar with that particular financial control. Another sanity check is on one day of the year—I always prefer April Fool's Day—to require every staff member to trade terminals with another employee and perform all of the other individual's functions for the day. This approach will flush out inadequate procedures and controls, or inadequate documentation, rather quickly. It also helps ensure that the company is prepared for the inevitable turnover in staff. Procedure documents, controls work, and results should not be dependent on the individuals who carry them out; all processes should work seamlessly even if assigned to a brand-new staff member.
Look at Staffing
Finally, when evaluating your list of controls, take into consideration the distribution of staff assigned to controls. Doing so can serve as a sanity check on the finance team's bench strength and personnel allocation. Too much dependence on one person can be a risk unto itself, which may require action.
Detailing which staff members have responsibility for which controls can also reveal important information about the finance function. I have inherited teams in which certain people did not know they were responsible for certain controls. I have had other situations where I discovered individuals avoiding controls assignments. A good roster of controls can make sure that the “burden” of controls work is fairly distributed amongst the people doing the most important work.
Like any corporate culture issue, developing an effective controls culture takes time. The ultimate sanity check is for staff to feel a direct connection between their day jobs and financial controls. Any list of team activities should have a column that cross-references to relevant controls. Individuals should have specific controls listed in their job descriptions and in their annual objectives. A question about experience with financial controls should be a standard interview question for any finance position.
The goal is to discuss controls during hiring and on an ongoing basis throughout the year—not just the day before the auditors show up. Over time, a management emphasis on sanity checks will help staff realize that annual audits are not senseless exercises, but rather validations of a job well-done. Staff will learn to align their daily work with management objectives through the controls framework, with the focus shifting from a once-a-year hassle to a daily functional and cultural experience.
—————————————-
John Wengler designs, tests, and improves financial controls. After two decades working in Fortune 500 companies, he recently started his own firm, Green Patch, to share his experience with those looking for more cost-effective processes and controls. He can be reached at [email protected].