How to Fine Tune Your Control System (#135)
/In this podcast episode, we cover a number of options for altering your control system to yield better results. Key points made are noted below.
The Range of Controls
Control systems tend to be at either end of a continuum, which is practically no controls at one end, or so many controls at the other end that you choke on them. Most companies begin with too few controls, because the founders are just trying to start the business, and having the right controls is about number 500 on their priority list.
You usually get too many controls when a company hires in a controls consultant to upgrade the whole system, and they go wild. The same thing happens when a company hires in a controller who used to be an auditor, and the same thing happens – they go nuts and add controls everywhere.
In that latter case, they may be using a standard list of controls, which you might think is acceptable, especially if it comes from some well-known organization. The trouble is, that kind of a list is designed to be comprehensive, so it contains every bloody last control on the planet. And another problem is that it’s designed for some generic company in a generic industry – not for your company in your industry.
So those are the two extremes. Being in between those extremes doesn’t necessarily mean that you have a nice, balanced control system. It may mean that somebody added a few controls here and there in response to a problem, like a case of fraud, or a customer not being billed.
So, what I’m saying is that you might be at either end of the control continuum, or in the middle, and the system still may not work. You may have too few controls, or too many controls, or not the right controls.
A lot of this mess comes from the attitude that people have about controls. They think of it as an annoyance. So they only deal with it when they have to, which usually means when something breaks down or the outside auditors complain about it.
How to Improve Your System of Controls
How do you turn this around and arrive at the right set of fine-tuned controls? It helps to look at your controls from a series of different perspectives, and tweak the system based on each one of those viewpoints.
Now believe it or not, it helps to think of a control system as sort of a profit center. This may sound odd, because controls clearly cost money. So where’s the profit?
Well – first of all, please keep in mind that I’m not advocating actually creating an income statement for your control system – good luck with that. But you can quantify some of the risk that you’re trying to mitigate.
For example, let’s say that you think buddy punching is going on. This is when an employee doesn’t come to work, but his buddies punch his timecard for him. There’s a pretty clear cost associated with that, since you’re paying someone who isn’t there. So in this case, you can offset the cost of installing a biometric timekeeping system, which eliminates buddy punching, against the presumed losses from buddy punching.
So the profit center approach is going to account for some of the controls that you need.
Now let’s view this from a different perspective, which is the concept of the cost per occurrence. What if someone could get into the treasury system and wire all of the company’s cash to a foreign bank? It might only happen once every hundred years, but when it happens, the company is toast. So because the cost per occurrence is so massive, you have to add a bunch of controls involving wire transfers.
Let’s take the other extreme of that concept. What if the cost per occurrence is just a few dollars? For example, the office manager locks up the office supply cabinet to keep pilferage down. Do you really need that, or is it just irritating? If you look at controls from this perspective, there’s not much point in annoying people by protecting against a low cost per occurrence. Instead, skip the control and accept those piddly little losses.
So we’ve now viewed controls from two perspectives – profit center and cost per occurrence. Let’s view them from a few more angles.
Next up is repetitiveness. If you have certain transactions that happen every single day, then you should spend a lot of time thinking about the right controls for them. If a transaction only happens once a year, it’s quite all right to wing it and not prepare some complex system of controls for it. Though, that’s also subject to the concept of cost per occurrence. So if you only do one wire transfer per year, you still want some good controls.
You might look at repetitiveness from the perspective of a Pareto analysis. That’s the concept where 80% of the transaction volume of a business probably comes from 20% of the transaction types. What you want to do is concentrate on having goods controls for that high-volume group of transactions, and not be so concerned about the rest.
OK, let’s look at a fourth perspective. This one is about creating accurate financial statements. You want just enough controls to make it likely that the financial statements you produce contain no material errors. Some controllers really have a problem here, because they want the financials to be perfect, and that requires a preposterous number of controls. But the more controls you add to the accounting system, the more time – and money - it takes to create financial statements.
So those are four perspectives you should take when reviewing controls. But you’re not done yet. Because there might very well be overlapping controls. You might have installed one control to make the financials more accurate, and a separate control to handle a high-volume transaction, and it turns out that one control could cover both areas. So you need to look at overlaps and very selectively prune out those controls that are redundant.
Let’s bring all this together. I just pointed out five ways to view controls. And you need to use all of them to figure out which controls you need. But doesn’t that seem a little discombobulated? How do you organize this?
The first step is to document the highest volume processes you have, and the result should be a good, clean set of flowcharts. Then adopt a layering approach, where you go over those flowcharts based on each of the perspectives I just talked about. So, for example, go over the entire system from the profit center viewpoint, and then go over it again and view it from the perspective of cost per occurrence. And so on. And after you’re done, then go back and look for overlaps.
Are you done yet? No. Have the auditors look at what you’ve developed, or hire a controls consultant. You don’t want them to design your system, only to review what you’ve done. If you have them design it, they always install too many controls, without really understanding your business. So you just want them to look for holes in the system.
All of that work covers your first pass at the control system, and it might start out as a good system. The trouble is that any system starts to degrade immediately, because the underlying processes change all the time. So you need to address two more items.
The first is to arrange to be notified when any business process is altered. This usually means staying in touch with the IT staff, since they do the programming changes, or it might mean staying in close touch with all of the department managers. Whatever the case may be, you need to know when the system changes, so that you can change the controls to match the system.
And the second item is creating an error reporting database. Whenever any screw up occurs, employees have to log them into the system. And then you keep reviewing the database to see what’s happening that might be fixable by tweaking the controls.
And that covers how to fine-tune your control system. But that’s only the mechanics of how to do it. There’s also a mindset issue to consider. If you treat the control system as an annoyance, then you may go through the steps I just described, but you’ll only grudgingly do it. That’s not the way to look at it. Controls really are important. While they may seem to interfere with a lot of short-term work, they can keep a company out of a lot of trouble, and they can save money, too.
So the proper controls mindset is to block out a good chunk of time to close your door, put your feet up on the desk, and think about controls – and do it every couple of months. Even if you don’t change anything, you’ll at least get in some good meditation time.