10 Apr, 2016
One of the pain points of larger organizations that are externally regulated often lies into the volume of policies and procedures they have in place. Some managers may call it necessary evil, but work alongside employees that are targeted by those documents and you will quickly realize that often, less is more. To understand the best way to address statutory compliance, we must first understand the meaning and purpose of an internal control. If you “Google” it, you will come across a variety of definitions that are more or less complex. To keep it simple, think of an internal control as a specific point in a process where evidence is captured to demonstrate that a validation was performed to ensure the integrity of the information or the process itself. For example, the signature of the approver on a document or computed totals on reconciled numbers. In the context of regulations, the expectation is that the business must make the demonstration that it meets its regulatory obligations; that is the job of the inspector. Most of this evidence comes from your internal controls. But why are we not meeting those expectations if we have all these procedures? Here are some insights into the situations that may compromise your compliance profile. Generally, the internal controls the organization has implemented are documented in its policies and procedures. One of the main issues is that different people often add to those document as regulations are introduced and updated. However, we seldom remove anything. As a result, the content of those documents may become clogged with information, tedious to read … let alone to understand … that is if the employee takes the time to read them (as opposed to cheat them). One of the dangers of those documents is to set false expectations when it comes to external compliance. The policies and procedures tell the story of your internal controls and how you ensure they are followed. Is your business telling the right story? The inspector will examine two aspects of your controls, as presented in those documents:
- Are you doing what you say you are doing?
- Are you doing everything we say you should do?