Updated: Feb 20
Controls are the activities a company performs to address risks and meet compliance criteria.
Internal controls can create more work, drain resources, and restrict business activities. Why would you want controls?
In reality, well-designed controls can simplify work, optimise resource allocation and enable new opportunities that would otherwise be too risky.
For those not familiar with "internal controls": a control is any process, practice, configuration, document, design feature or other means of managing a risk. A "risk" is the potential for an unintended outcome, which can be positive or negative. Putting that together, controls are simply the broad methods for ensuring (or at least attempting to ensure) that you get the outcome you want.
Internal controls provide the structure for scaling and streamlining processes. They can provide valuable oversight to management and ultimately provide all stakeholders with clarity and certainty around the way things are done.
So why do controls get such a bad rap?
How can they be an enabler rather than a barrier?
Controls are an unpopular idea among tech businesses and start-ups in particular. Part of the problem lies in perceptions. Controls are associated with the regulated, slow-paced, traditional enterprise companies that tech businesses and start-ups are aiming to disrupt.
Over the years, controls have evolved to be onerous and impractical. It's easy to justify that every process has risks and that implementing extra checks will limit those risks. That's why banks now operate with a seemingly infinite number of independent checks and sign-offs, referred to as the "three lines of defense".
Auditors and consultants who work with banks and enterprise businesses generate revenue from finding issues and advising on additional controls. This all fuels the cycle of increased control, to the point that many people hate "controls" because they don't make sense in practice. They become so impractical that employees are incentivised to circumvent or avoid them, until organisations need further controls to control the controls!
A Fresh Perspective on Controls
Working with tech businesses and start-ups brings a fresh perspective to controls. I had an interesting debate with a VP of Engineering in a past role. He claimed that having no controls produced better outcomes from his Engineering team. His team was achieving and exceeding its goals through agile practices, using real-time collaboration and communication instead of "controls".
After we delved into that further, it became clear that there were controls in place. But they weren't viewed as controls: most of the development team had previously worked for a big bank and thought of "controls" as barriers, documentation and additional steps. The team was following the Agile methodology, focused on Behaviour-Driven Development. The controls were embedded into the behaviours, culture and standard practices of the Engineering team.
For example, they used:
Criteria and a product owner to decide what change requests to prioritise, rather than formal management approval of each change request;
Meetings with the developer, product manager and QA tester to work through the requirements, rather than preparing a formal 'Business Requirements Document'; and
Automated test cases and static code vulnerability scans to check the quality of code, rather than detailed senior developer reviews.
These controls were effectively designed to support the company's objectives. As an innovative software company, it needed a fast time to market, the ability to adapt to customer feedback, and the discipline to make the most of limited funds and employees.
The 4 Key Control Concepts explores these concepts further, to support a pragmatic and fit-for-purpose approach to controls.
But Why All the Documentation?
The other unpopular aspect of controls is the "documentation". The standard auditor phrase is, "If you can't evidence it, it didn't happen". That's not about the control itself; it's about how to demonstrate the control to an independent auditor.
Maintaining control evidence can also support positive business outcomes. A trail of documentation, with transparency of practices, can enable autonomy. Keeping a system of record can form the basis of empowering metrics and KPIs. It can tell a story to management that helps them make effective business decisions. For example, logging service desk tickets helps build a business case for further funding and resources, develop better approaches to common issues or requests, and demonstrate the business value of the service desk function.
What is the Purpose of Controls?
People assume that the point of controls is to prevent any adverse event. Well, yes, that's true to an extent, but it's not the underlying purpose. The purpose of controls is to support the organisation's objectives.
Controls should be designed according to the company's risk profile and appetite for risk, so that they align with the strategic objectives. For a seed or early-stage start-up, the main risk is being unviable as a business. Adding costly controls to guarantee full system availability, like redundant load-balancing servers and outsourced 24/7 operating support, doesn't align with that. In contrast, for a company like Amazon, where reputation and reliability are most important, no expense is spared on ensuring maximum system availability. What it really comes down to is: what is fit for purpose for the company?
Enabling Performance With Controls
Controls should be guided by common sense. How do we maximise business performance while minimising adverse events and issues? How do we protect our clients and the future of the company?
Simple, fit-for-purpose approaches to controls can enable improved business performance. This means monitoring, measuring and improving business processes to optimise outcomes for customers and the company, and putting structures in place that ensure employees know their roles and responsibilities and are confident in aligning their actions to the company's goals.
The most common gaps in controls are where a certain requirement, potential event or adverse outcome just hasn't been considered, or where it has been considered but seems too remote to worry about given other, more pressing matters. In any case, taking a rational and structured approach helps ensure these decisions are made in a conscious and deliberate way.