Controls are an integral part of any management system – whether security management, quality management, risk management or compliance management. They ensure that you achieve the goals you have set and comply with external requirements.

However, internal control steps are not only useful in an environment characterized by constant change. They also ensure that you achieve your process goals efficiently.

Typical use cases for the use of controls in processes are:

  • Controls at incoming goods
  • Release of invoices
  • Assignment of rights and permissions
  • Random checks in production processes

When using controls, it is important that they are deeply anchored within your business processes. But how can this be achieved? And how long does it take to set up a trustworthy internal control system (ICS) for your process area (for example, for a department) or a process topic? Read this blog post to find out for what you should plan sufficient time for.

Process documentation as the basis for setting up an internal control system

The basis for the successful introduction of an internal control system is the detailed documentation of your processes. This starts at the level of the process map. Record each process in the form of a process map, taking particular account of the following aspects:

  • Goal and purpose
  • Regulatory requirements
  • Interfaces to other process areas
  • Necessary technical resources
  • Applicable documents
  • Definition of responsibilities, e.g. process owner and process manager

Experience shows that the initial documentation of a single process requires a cycle time of a few hours to a few weeks – depending on the complexity of the process, the number of people involved and their availability.

The following criteria can be used to assess which processes require urgent action or benefit from controls in particular:

  • Complexity of processes
  • Number of process executions
  • Number of complaints received in the last fiscal year
  • Number of registered loss events in the last quarter
  • Number and quality of internally submitted suggestions for improvement

Once you have identified the processes that require action, it is necessary to map them in the form of a detailed process model in order to introduce effective controls.

Haben Sie die Prozesse mit Handlungsbedarf identifiziert, so ist es für die Einführung effektiver Kontrollen erforderlich, diese in Form eines detailliertes Ablaufmodells abzubilden.

Place process controls at the level of the process flow model

The process model is a detailed description of all work steps and serves as a guide and checklist for your employees in the effective and efficient implementation of your processes. You can now define control steps in these workflows. This form of control is often referred to as “process controls” because they are an integral part of any process execution.

In terms of process modeling, process controls represent tasks described in detail. The description includes, among other things, the explicit definition of responsibilities, the technical resources used, and applicable documents. In order to be able to trace and prove the correct execution of your controls, we recommend that you define exactly how the confirmation is to be documented. This can be done, for example, in the form of a log, by email or as a confirmation in a system such as ADOGRC.

Proof of control is an essential quality criterion to enable downstream reviews by internal auditors or external certification bodies. In addition, good control documentation also allows conclusions to be drawn in terms of the continuous improvement process (CIP). This means that you as process owner are responsible for ensuring that proof is provided for each execution of a process control and that this can be viewed at a later date.

The documentation of a business process including the definition of process controls usually takes up to 2 working days per business process.

The newly created process controls must then find their way into the actual real-life process through training. The effort required for this depends on the number of employees to be trained and the number and complexity of the process changes.

The periodic review of the process controls

In addition to the specification of process controls, another essential aspect of an internal control system is the regular review of controls for adequacy and effectiveness. This task is also the responsibility of the process owner. In the course of the process-compliant execution of the work processes, you should also ensure that the controls used are implemented properly.

In practice, this review of process controls (also referred to as a control test) is often performed by means of random sampling on a quarterly or semi-annual basis. Within the scope of these control tests, all process controls of a business process are analyzed and reviewed in particular with regard to the following questions:

  • Was the control evidence provided during the period under observation?
  • Were the process objectives achieved with the help of the controls?

It is recommended to keep a verifiable record of the considerations and results of these control tests!

The definition of these control tests typically takes place in the course of the process documentation and the definition of the process controls. This makes it easier for you to estimate the frequency at which the control tests should be performed.  As a rule of thumb, the more frequently the process is performed, the shorter the interval of the control tests should be set.

If you discover any control gaps or potential for improvement in the course of the control tests, you can initiate measures to improve them. By doing so, the processes of the area under consideration advance from documentation to a continuous improvement process. From this point on, the process, including the process controls, is regularly evaluated and improved.

Conclusion

In summary, the implementation and execution of an internal control system depends on various factors. Based on the complexity of your processes, the number of people involved and the resources available, you should expect a cycle time of around 4 weeks to 6 months.

Of course, this is still quite a wide range and might not give you the detailed answer you are currently seeking. So, if you would like to get a more accurate estimate on what effort to expect in your particular case, get in touch with us!

Learn more about how our tool can support you:

ADOGRC
Governance, Risk & Compliance

Learn more about how
our tool can support you:

ADOGRC
Governance, Risk & Compliance

Stay up to date on GRC

Expert articles on trending topics, monthly information on our free webinars,
events & announcements of new product versions.

Expert articles on trending topics, monthly information on our free webinars, events & announcements of new product versions.