No one likes to deal with control exceptions. Certainly, process owners are not fond of having an auditor identify some controls in their process that are not working as they should. In addition, internal auditors are also not fond of reporting on the same control exceptions time after time.
While the ultimate stretch goal may be to eliminate control exceptions entirely, this may be elusive for a number of reasons. The primary reason is that many controls are manual and therefore subject to an inevitable rate of human error that will occur over a period of time. A more realizable goal, and one that many successful process owners seek, is to reduce the number and the severity of control exceptions. There are a number of successful ways to accomplish this. In this short blog post let’s take a look at three of the most common ways.
Maintaining great documentation
Maintaining great documentation helps management to identify control exceptions sooner rather than later. For example, documenting the logic, assumptions and calculations for all estimates gives them a solid grounding. It becomes difficult to say later that the estimate was without support or was arbitrary or was based on incorrect data.
In addition to maintaining documentation for individual transactions, documenting the control process itself has shown over time to be a key way to reduce the number and severity of control exceptions. Many control exceptions arise simply because a good process existed, but it was not well understood or followed consistently.
Automation of controls
Most internal controls are manual, meaning they rely on the review or sign off of a person in order to operate effectively. Many have found success by automating some of these controls where it makes sense. For example, the classic automated control is that of the three-way match for Accounts Payable. Many software systems will systematically prevent the processing of a disbursement without the invoice, PO and receiver being entered into the system by the respective responsible parties.
There are also ways to make manual controls more automated. Some great examples here are using electronic signatures, workflow tools and system alerts. While we need to be careful not see control automation as a panacea, it certainly does significantly help to reduce control exceptions.
Cross training of control owners
Many control exceptions occur simply because the main person involved with that control was out of the office. There is certainly nothing wrong with having one or more members of your team specialize in a certain area. This can be extremely beneficial in terms of efficiency and expertise. What you should be wary of, however; is having one person be the only person that is able to process a transaction properly and with the correct control procedures being followed. After decades of performing internal audits, we can definitely say that some big control exceptions have occurred due to the need to get things done while the main person was out of the office.
At the end of the day, the overall goal should not be to eliminate control exceptions per se, but to reduce the number and severity of control exceptions. You can do this by putting into place some simple and common-sense approaches such as the ones outlined above.