Does your control framework have controls?
Every company has processes and every company has controls. Sometimes, good process is confused with controls, and a company going public could fail an audit if it gets these wrong. Not every process is fully controlled, and not every control is fully implemented into a process. What’s the difference between good process and good controlled process?
A strong control framework
Every company should be operating under a framework which mitigates corporate, financial, and operational risks. Management, as part of its responsibility to the company, ensures that these risks are mitigated by setting a control framework.
A strong control framework comprises 3 main components:
A clear set of authorities – Who approves what, and how much can they approve?
A strong policy, or lack thereof – What does your company believe, or do you trust your team to make the right choices because they are well trained?
Efficient processes – When and where do your staff perform tasks?
These three components set the framework and tone of how the company will and should be managed. A strong control framework doesn’t have to include controls.
Controls: A check
Controls are separate from the framework. They confirm that the framework remains strong, and the risks associated with it are mitigated. Good controls ensure that every transaction stops for review at key risk areas within the process. There are three types of controls:
Preventative controls ensure mistakes, or fraud, don’t happen. They are checks, performed either by a digital system or a person, confirming the process can continue. For example: The payments system requires a contract reference number before the invoice can be submitted for payment.
Corrective controls stop incorrect or non-compliant processes from continuing and correct them before they have a chance to cause damage. For example: Accounts payable reviews invoices and corrects errors during invoice scan.
Detective controls find incorrect or non-compliant activity after it has occurred and inform management that change might be needed. For example: A review of bank charges to ensure the company isn’t overpaying for banking services.
Good control environments will use a mix of these controls and will split them into the main control and the monitoring control.
The main control is the stage in the process where someone – or a system – performs a check.
The monitoring control confirms that the main control is still working.
In companies where the product, service, or company itself is constantly changing, having a control mix ensures that management can rely on the process for operational tasks and use monitoring controls to monitor the corporate strategy implementation.
Choosing the right controls for the right process
A good process includes an assessment of the right risks. The difference between process and control is that processes get something done, while controls make sure that it gets done the way intended. Sometimes, processes strengthen control frameworks, but they do not on their own confirm that tasks were done the way intended or done correctly. For this reason, most companies that are publicly traded need to implement controls, which can be monitored and proved, to ensure all risks are adequately mitigated.
Not every risk needs a manual monitoring control. The types of controls implemented and the processes designed will depend on the risk appetite and the complexity of the business. Costs increase as controls are implemented; therefore, process design and controls should be reviewed from both a risk mitigation perspective and an economic perspective. Advancing to IPO understands how best to integrate controls into processes and how to design processes which promote a good control environment. Contact us today to design agile processes.