How to Facilitate a Culture of Controls Compliance

How to Facilitate a Culture of Controls Compliance

Internal controls are sometimes seen as an activity that occurs after the monthly close. Accountants and IT professionals will perform their work and then complete internal control tasks once everything else is done. I have found that developing a culture of controls compliance — one that embeds control processes into the relevant daily work — is a more efficient and effective approach. When standing up internal audit programs as the Director of Internal Audit at Q2 Holdings, Inc. and in prior audit roles, I have focused on three main areas to drive a culture of controls compliance: ownership, timeliness, and visibility. 

1. Define Proper Control Ownership

Management owns controls – this is a basic tenant of internal audit and internal controls. But, we all know that some managers take this responsibility more or less seriously than others. Sometimes we find ourselves “assisting” with the control process, taking on tasks like facilitating control language updates or updating process narratives. Before long, we are doing the work instead of the control owners. 

If you find yourself in this situation, there are steps you can take to put the responsibility back where it belongs:

  1. Centralize the controls and documentation into a software platform like AuditBoard.
  2. Clearly articulate the roles and responsibilities.
  3. Set firm deadlines with explanations for the dates (e.g., working back from major events such as financial close periods, quarterly attestations, etc.).

Following these steps takes the burden off the oversight teams and reinforces the need for control owners to take responsibility for their control process. Using a compliance software solution has its own added benefits. First, you can make direct assignments within the software to facilitate ownership. Second, you can set deadlines with automated reminders, slowly moving the audit teams out of the role as default control owners. Leveraging software institutionalizes control work by delivering repetitive tasks on a regular cadence. 

2. Set Expectations for Timeliness

Sometimes control compliance can feel chaotic. I have found that unclear expectations often cause confusion and delay. In the end, we are working with many people who approach work differently. Some want to get the control work done quickly, while others will procrastinate. 

If you are facing timing issues and late submissions, here are steps you can take to bring order to the control work: 

  1. Create process workflows so everyone can see where they fit in the process and anticipate the next step.
  2. Add due dates using input from the control performer to maximize engagement. 
  3. Automate communications and escalations for tardiness.

As audit and control professionals, we can ensure clear workflows, due dates, and communication to prompt control owners to meet the deadlines. The tasks should include documentation updates, control review/editing, and certifications. 

3. Increase Visibility with Dashboards

In my experience, the vast majority of control owners get their work done on time, but when progress and the current status are not visible, it can take hours to track down the right person to understand what is going on when there is a delay. Use compliance management software to increase the level of visibility and create a culture of accountability and ownership. 

To increase visibility in an internal controls program, I have found the following dashboard best practices to help:

  1. Create sub-process dashboards that roll up to a global view.
  2. Include status markers for each of the people in the workflow with completion rates versus due dates so you can identify bottlenecks needing escalation.
  3. Make all dashboards visible to control owners and to the members of management over the controls (such as accounting management, Chief Accounting Officer, etc.).

From a cultural perspective, publishing real-time status encourages timeliness for control compliance programs. People want to avoid showing up as delinquent on a dashboard that their peers or manager sees. The level of ownership also increases as we hold individuals responsible for their control and documentation in a way that includes a measure of peer pressure. 

The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber, and ESG Mandates

Facilitate a Cultural Shift

Changing a culture takes persistence and consistency because the goal is to change the way people think and act. In our case, we want control owners to treat controls as part of their daily routine. I highly recommend leveraging software to facilitate the change since it incorporates the ownership, timeliness, and visibility goals. Once the shift begins, you will see improvement in the controls compliance program as the quality and timeliness of the work improves, and ownership moves back to management where it belongs.


Colin Meier is Head of Internal Audit at Q2 Holdings, Inc. Colin has 29 years of Finance and Internal Audit experience at a variety of large and mid-sized companies; prior to joining Q2, he was with BlueStem Brands, Mosaic, Tennant, and Cargill. Connect with Colin on LinkedIn.