Assuming you made it through Part I of this two-part posting about internal controls, we need to consider a new approach to the design and implementation of internal controls.

The first hurdle to overcome, as always, is acknowledgement that a new approach is needed. The CFO and the financial team will inevitable resist because this has long been an area where they are the experts, they are the keepers of sword of truth, and they have to be convinced to come down from Mt. Olympus to collaborate with other key stakeholders. A new committee is needed. I know you are rolling your eyes about the new committee but hear me out.

The stakeholders include specific functions responsible for operating within the internal controls: finance, operations, procurement, compliance and legal (yes, legal). Each of these players have to be involved in the new approach to design and implementation of effective internal controls.

The second step in this process is the collection of every internal control maintained by the company. This will take time because some will be hard to find and others may be rarely used or even unknown to many employees.

The third step is the assignment of primary responsibility for the internal controls. Each function should take responsibility where it is the natural lead – compliance for compliance-related controls; finance for financial controls; operations for operation-related controls and procurement for procurement-related controls.

The fourth step is to create a review matrix or a set of key questions for each internal control. These questions include:

• What is the purpose of the control?
• How does it align with current operations in the company?
• Does the control accurately reflect existing corporate policy governing the task?
• What key terms are used in the control and need to be defined?

With this frame of reference, the stakeholders should develop revisions or at least recommended changes to an existing control, or adoption of a new control, or combination of existing controls into a single control. The review process is intended to identify potential problems with the existing control in practice and develop proposed solutions.

The fifth step is to assign responsibility to a few individuals as the scriveners of the new set of internal controls. A member of the legal team should be involved in this process, preferably one who is known for their writing ability. A group effort should be made to bring together the final review, revision and re-organization of the internal controls.

The objective of this final step is to create a concise and thoughtful set of internal controls that adequately addresses specific requirements, and uses consistent terminology and defined terms. It is critical that the internal controls are properly crafted to avoid overbroad requirements and terminology that can be used against the company by government prosecutors in situations that were never intended. On the other hand, the internal controls need to accurately capture the intended conduct and applicable requirements that need to be internally regulated.

The entire process is a balancing act that requires a collaborative approach built on a common understanding of the company’s operations and policy purposes. It is key to balance internal regulation against external risks from government enforcement agencies. To be sure, the crafting of internal controls means there may be disagreements among stakeholders on specific terms (e.g. the meaning of “is”), but it is better to hash out these issues in the internal stakeholder context.