Reviewing and assessing internal controls in your organization can be a daunting task, usually due to the fact that you find way too many controls exist or none at all. Controls are essential to the success of your Q2C business processes, not only for Audit and Compliance purposes, but also to ensure the accuracy and timeliness of each part of the process.
Here we will review a few simple steps that you can take to review and map your business processes, identify points of need for control, and implement those controls. By keeping a few of these simple ideas and even key words in mind, you should be able to quickly and easily look at your business process and know just where to add in these controls.
Adding Internal Controls to Your Quote-to-Cash Business Process
Here is a graphic of the whiteboard content:
And remember, we consider control a good thing, but too much of a good thing is not always a good thing. Too many controls can bog down your business process and your organization to the point where it becomes inefficient and unmanageable. The idea here is to have the right people in your cross-functional organization involved in this exercise so that the true goal of each control is defined, understood, and deemed necessary.
Too little control, of course, is an issue as well, but if you follow some of the main points in this guide, you shouldn’t have to miss much; that is, only if you have true awareness of your end-to-end business processes, in a cross-functional sense. If that last, bold sentence made you stop in your tracks, I’d suggest a pre-requisite to this course by viewing our latest webinar on this topic: 10 Common Pitfalls in Quote-to-Cash Business Processes for Life Sciences Organizations. Here, you’ll find a more introductory, comprehensive guide to the true E2E business process in your Q2C organization.
Look for Points of Decision Making in your Business Process
Decision-making can be disguised as words or phrases such as ‘approval,’ ‘sign-off,’ ‘agreement,’ etc. If your organization is really up on their business process mapping, these parts in the process are even typically indicated by a different type of shape in the process flow. Find those first, and mark a spot next to each for an added control. Me personally, I like to add a control right before and right after the approval process, especially when the post-process consists of a system change, like a price or contract update, or even an accrual rate change.
Take the below example. Here, we have an approval process occurring on some new indirect pricing with implications on chargeback processing systems and related accrual rates. We’ve inserted a control before the decision-making process which could consist of the decision-making logic itself, as well as the forms and paper trail that go along with the approval. Then, we have two controls after the approval. Both consider loads of pricing or accruals into various systems, and it is here that forms and documentation, as well as separation of duties, should be stressed in each control.
Highlight Processes with Hot Words such as ‘Validation’ or ‘Reconciliation’
Here’s an easy one. Look for those processes that are actual validating in nature or providing some sort of reconciliation or data or systems, etc., and you can mark that process itself as a control. Here, where you already have the control process in place, all you are left to do is to document. And don’t leave this part out! Without the documentation of the control, there is no control.
As you’ll find, with the internal control process, the heavy lifting is really in the documentation. Yes, it’s time-intensive and painful; just remember that it’s necessary. A little hint: don’t try to re-invent the wheel. If system reports are used for some of these validations, look to the report or even system business requirements or SOPs. These documents will most likely have all the information you need about the report, what its purpose is, and how to interpret the results.
Ask Yourself, “What Could Go Wrong?”
List out your business processes and what type of financial account they may affect, and then simply ask the question: “What’s the risk? What could go wrong?” Ask the right people, and not just one person. Get insight from those who live in the process every day, as well as those affected by it daily. Get the cross-functional picture as well.
Go ahead and do some regression testing within your own business process organization. To tell you the truth, it becomes quite the delightful task, especially to those closely involved in the operations themselves. It’s a break from the norm. Plus, it encourages team members to really think outside the box and assess the world they live in, theoretically. See a quick example below.
All-in-all, don’t let the idea of internal controls intimidate you. With the right people and a general awareness of your Q2C organization and business processes, you’ll find that you are most likely doing much more identifying, confirming, and pointing out than creating from scratch. I like to think of this exercise as one of awareness and documentation…and one that will ease the audit headache later on.