The dynamic world of compliance is continually evolving. New regulations, emerging technologies, and changing market conditions demand that organizations remain vigilant and proactive in their compliance efforts. One crucial aspect of this ongoing vigilance is the design and implementation of internal controls. Recently, I had the pleasure of discussing this topic with Adrienne Bellehumeur. In this blog post, we will explore the key insights from our conversation and delve into the importance of design-centric internal controls.
Adrienne is a chartered accountant and entrepreneur in Canada who has advocated for a design-first approach to internal controls for many years. Adrienne says design-centric internal controls are essential because they lay the foundation for effective compliance. She likens this approach to baking a cake: the design is the cake itself, while testing and other compliance activities are the icing. Without a solid foundation, no amount of testing can ensure the effectiveness of internal controls.
The necessity of robust internal controls has never been more critical. With the increasing complexity of regulatory requirements (on both sides of the border) and the rapid advancement of technology, organizations must continuously assess and improve their internal control systems. Adrienne points out that while internal controls have existed for over two decades, many organizations have become complacent. This complacency can lead to outdated processes that may not adequately address current risks and regulatory expectations.
Adrienne outlined five principles to improve and energize control design work:
- Think of Design as the Cake and Testing as the Icing: Focus on building solid and well-thought-out processes before jumping into testing. This approach ensures that the foundation is solid and can withstand scrutiny.
- Assess the Organization’s Level of Maturity: Tailor the internal control program to the organization’s stage of development. A one-size-fits-all approach is ineffective, as different organizations have varying needs and challenges.
- Focus on Habits, Not Theory: Practical, habitual practices are more effective than theoretical concepts. Encourage habits like regular access control reviews and inventory management to embed compliance into the organizational culture.
- Support Continuous Improvement: Internal controls should not be static. Regularly review and update controls to ensure they remain effective and relevant. Continuous improvement helps organizations stay ahead of emerging risks and regulatory changes.
- Keep It Interesting: Vary the techniques used in internal control assessments to maintain engagement and effectiveness. Workshops, interviews, and creative diagramming can provide fresh perspectives and uncover new insights.
One of the most intriguing aspects of Adrienne’s approach is her use of workshops to discuss and improve internal controls. These workshops involve stakeholders, including internal auditors, compliance officers, and business unit leaders. By fostering open dialogue and collaboration, these sessions can identify inefficiencies, propose improvements, and build stronger relationships between auditors and the internal team.
Adrienne emphasizes that these workshops should occur before external audits. This pre-audit preparation allows organizations to address issues internally, reducing the likelihood of negative findings during the audit. Moreover, involving the internal team in the design process helps build a sense of ownership and commitment to maintaining robust controls.
For the internal auditor, leveraging technology is crucial for adequate internal controls. Adrienne highlighted the decreasing reliance on transactional testing, thanks to advancements in automation and data analytics. Modern internal controls must adapt to these changes by incorporating technology that enhances efficiency and accuracy.
AI and data analytics can provide deeper insights into organizational processes, helping identify potential risks and areas for improvement. By integrating these technologies into the internal control framework, organizations can achieve higher precision and responsiveness.
Adrienne’s expertise in documentation is particularly relevant to internal controls. I wholeheartedly agree that good documentation practices are the backbone of any effective compliance program and form the basis of information management. Clear, accurate, accessible documentation supports transparency, accountability, and continuous improvement.
Companies must establish simple rules for naming, classifying, and managing documents. This foundational step ensures that all relevant information is readily available for internal reviews, audits, and regulatory inspections.
The compliance landscape continually evolves, with new challenges like ESG and AI gaining prominence. Adrienne articulated that a back-to-basics approach can help organizations navigate these new areas. By focusing on fundamental principles of good information management and documentation, organizations can build a solid foundation that supports emerging compliance requirements.
For instance, effective ESG reporting relies on accurate and comprehensive data. Similarly, AI systems must be underpinned by robust data management practices to ensure transparency and accountability. By strengthening these foundational elements, organizations can more easily adapt to new regulatory expectations and technological advancements.
Adrienne and I also discussed the role of internal controls in supporting whistleblower programs. With the Department of Justice (DOJ) formulating new rules for financial incentives in whistleblower programs, organizations must ensure their internal controls can detect and address issues before they escalate. Adequate internal controls can help prevent whistleblower claims by identifying and mitigating risks early. For example, strong documentation practices provide a clear audit trail that can validate the organization’s actions and decisions. Additionally, fostering a culture of transparency and accountability encourages employees to report concerns internally, allowing the organization to address them proactively.
Design-centric internal controls are essential for building a robust and effective compliance program. By focusing on the principles outlined by Adrienne Bellehumeur, organizations can enhance their internal control frameworks, support continuous improvement, and stay ahead of emerging compliance challenges. A proactive approach to internal controls is crucial for long-term compliance success, whether through innovative workshops, leveraging technology, or strengthening documentation practices.