Is control signoff the Moon or the finger pointing to the Moon?

OK, so this is a ‘thinking aloud’ blog which could mean I am completely wrong, but here goes…..

Smart organizations will invest in a strong internal control framework and program to run it.

The types of internal controls may vary (e.g. financial, IT application, compliance, HR, project,…..) and the frameworks may vary (COSO, COBIT, NIST), but the focus is on the performance of controls, and the adequacy of those controls.

COSO talks about controls that affect a company’s operations, compliance with laws and regulations, and financial reporting. Controls are typically related to processes, regulations, business entities, and ideally risks too, to contextualise the controls. There are detail controls, there are entity level controls.

And there is typically a process to attest to and sign off on the accuracy of the body of information created as part of the internal control process.

I am a big fan of internal controls. I think it’s essential for the modern agile transparent trustworthy business. But perhaps it can also lead to omissions.

Going all Tao (bear with me) I’m going to quote Buddha who said “I am a finger pointing to the moon. Don’t look at me; look at the moon.” This cautions a student not to look to the teacher, or the teacher’s words, for enlightenment or truth. They are just the finger pointing to the moon. The moon itself is the truth.

So if internal controls are the finger doing the pointing, then I’d suggest the moon (so to speak) is processes. And if we formally, repeatedly, sign off on internal controls, shouldn’t we also do the same for processes?

I know the scope and materiality of internal controls frequently has its origins in a process view of the business. But the process is assumed to be already true. The process itself isn’t necessarily audited.

Processes change over time, sometimes dramatically (for example with mergers, acquisitions, divestments, internal restructuring). And there is the designed process, which is hopefully the same as the process that actually happens in real life. There are the process exceptions, short-cuts, errors to business as usual, too.

If we focus on a control view, which by nature needs to be quite granular, I think there is a risk we miss variations in context and materiality that would be more evident from a process view. And to ensure control over processes and evidence of control over processes, wouldn’t it make sense to have a sign-off on the process for that point in time?

As part of a digital transformation and IT simplification, many organisations are adopting ‘off the shelf’ ERP systems and therefore the off the shelf processes to start with. A lot of the time this includes best of breed and/or industry specialised processes, and a coherent set of operational designs intended to work together (e.g. user interface ‘apps’, workflows, reports, roles, integrations). Changes to processes will impact that coherent operational design and business resilience, and should include a process-centric change management program.

An internal control view can report on the risk at any step of a process pathway. Should a formalised review of the process path itself be instituted in the same vein as internal control, as a useful and relevant tool to report on the risk of the process itself?