This article was updated on July 4, 2018.
If you want your internal controls to remain effective, you have to review and update them every year. Otherwise, problems could develop in your system that you won't catch until they've already led to a reporting mistake, compliance issue or even fraud.
Reevaluating internal controls can be a fairly straightforward process, so long as you follow a precise method for testing your controls and your staff.
Review Why Controls Are Actually in Place
Every internal control should have a clear reason for being in place. Often, organizations put controls in place and then let them run on autopilot, blindly following the same system because it's always been there. As a result, employees follow the steps without really appreciating why they are doing so.
At the same time, having too many controls doesn't improve protections either, because your staff cannot focus on the few that are truly important. As you begin reevaluating internal controls, start by asking why each one is in place. If you can't find a justification, perhaps that's one that has outlived its usefulness.
Check for Control Weaknesses
Some weaknesses that contribute to control failure include:
- A lack of managerial oversight of the employees running the control
- Insufficient resources in place to run the control
- Turnover, particularly when new employees running the control do not understand the responsibility or the functionality
Every financial control should be checked to ensure these common problems are alleviated.
You should also watch out for risks that evolve over time. Cybersecurity is a good example. A financial control that was right for protecting your financial data even just two years ago is likely not appropriate for today's latest cyberthreats.
Confirm Employee Responsibilities
During the review of your financial controls, verify that each responsibility has been tasked to a specific employee. Each employee should be formally contacted and reminded of their specific responsibility in the process. Over time, employees might not realize that they are in charge of certain controls, especially after they change roles. Everyone, even your most trusted employees, can benefit from a regular reminder and duties refresher.
Test Your Control System
Throughout the year, you should run tests of different financial controls to see if they are working properly. Naturally, a high failure rate is a problem because it shows that the control is not working properly. However, too high a success rate can also be an issue. No organization should ever expect to be perfect; some problems will naturally slip through the first round of controls. Most controls should have a failure rate of 10 to 20 percent, according to Treasury & Risk. If a control is showing near-perfect results, there is a good chance that the control parameters are too loose and not doing enough to protect your financial security.
Do Not Overly Rely on Audit Results
Government auditors will, of course, also evaluate your internal controls to make sure they are working properly for financial reporting. While the information from audits can be helpful, you should not completely rely on these results. The government evaluation process is fairly formulaic and can overlook issues with your control system. A system good enough to pass the government inspection might not be enough to prevent fraud or financial waste. Instead, perform your own review every year on top of the government audits to be fully confident there are no gaps in the system.
Have Employees Swap Roles
A good way to see if a financial control is set up properly is to have employees switch responsibilities for a day. Someone with a fresh perspective is more likely to notice any problems or deficiencies with how the existing employee conducts the process. At the same time, this will also serve as a test to show whether the financial control is built effectively enough so that someone new could take it over if and when necessary. You do not want a system where a control only works because one key employee can manage it. This could lead to serious problems when that employee leaves the position or the organization.
Reevaluating internal controls regularly is key to keeping your system effective and your organization safe. By routinely testing processes and employees alike, you can maintain the best system for protecting your financial security.