Internal Control Lessons We Can Learn from Software Developers

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Steps you can take to improve efficiencies within your organization

Internal controls are a critical component of any organization’s risk management. They provide assurance that operations are conducted efficiently, financial statements are accurate, and compliance obligations (e.g., SOX, SOC 1, SOC 2, etc.) are met. However, many internal controls, whether focused on IT processes, financial processes, or operational processes, produce inconsistent outputs because their procedures are imprecisely defined and they rely too heavily on institutional knowledge. 

When thinking about business processes and internal controls, there are some key lessons we can learn from the field of software development. 

Most software engineers prefer deterministic code: code that always produces the same output given the same inputs. This is a core idea of functional programming, where such functions are called pure functions. Let’s look at an example. 

This JavaScript function declaration takes two arguments, num1 and num2, adds them together, and returns the result. 


Every time we call our function with the same arguments, the result will be the same. Every. Single. Time. 

Most software developers prefer this type of code wherever possible. It’s predictable, which makes it more testable and less prone to bugs. 

By contrast, the function expression below also takes two numbers and adds them together. However, it also adds those two numbers to whatever the function returned the last time it was called. The function remembers its previous output and applies that remembered value on every subsequent call. 

This type of function can produce bugs when two different parts of an application call the same function for different reasons. It’s an easy mistake to make, which is why this type of code should be avoided unless necessary. The common use case in software development is when the application needs to know its ‘state’, such as tracking a value that can be toggled, e.g., dark mode or light mode. This is such a challenge for software developers that an ecosystem of open-source state management tools exists for the express purpose of helping developers safely manage application state. 
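The two functions described above, as an added example that is not the article’s own listing: a pure `add`, a stateful `addWithMemory` built by a factory so the interference between two callers can be shown, and an `addToTotal` that takes the state as an explicit argument, which is the pattern state management tools push developers toward.

```javascript
// Added example (not from the original article): a deterministic function
// versus one that keeps state between calls, and the bug that state invites.

// Deterministic: the result depends only on the two arguments.
function add(num1, num2) {
  return num1 + num2;
}

// Stateful: the closure remembers the last result and folds it into the next.
// A factory is used here only so each demonstration starts from a clean state.
function makeAddWithMemory() {
  let lastResult = 0;
  return function (num1, num2) {
    lastResult = num1 + num2 + lastResult;
    return lastResult;
  };
}

// Same computation with the state passed in explicitly: deterministic again,
// because the "remembered" value is now a visible, documented input.
function addToTotal(total, num1, num2) {
  return total + num1 + num2;
}

// Simulate two unrelated parts of an application that both need "2 + 3".
// With the pure function both get 5; with the shared stateful function the
// second caller silently inherits the first caller's result and gets 10.
function compareCallers() {
  const addWithMemory = makeAddWithMemory();
  const pure = [add(2, 3), add(2, 3)];
  const stateful = [addWithMemory(2, 3), addWithMemory(2, 3)];
  return { pure, stateful };
}
```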

For the morbidly curious among you, some examples include Redux, Zustand, RxJS, and MobX. Amazingly, these only scratch the surface. 

How does coding relate to your company’s internal controls? 

With the virtues of deterministic code in mind, let’s look at an example of a user access request process. Then let’s think about what problems could arise and how the process could be improved. 

Example 1

Jane Doe has worked at ABC Company for 15 years as an IT Technician. She grants access to the company network and all systems. Over time, she has developed, but not documented, a process whereby managers need to send her an email requesting user access. When she receives the request, she looks at who sent it and leverages her institutional knowledge of reporting lines to determine if the request is appropriate. The manager requesting the access doesn’t know the detailed system permissions, so the requests usually just include a job title. Again, Jane uses her institutional knowledge that she has accrued over time to grant the user the correct role. For example, she knows exactly what permissions to grant to an Accounts Payable Clerk; however, this mapping of job title to system permission is not documented anywhere.

Potential Problems 

  • Nobody has the mental overhead to remember all reporting lines, all employees, all system roles, and all network permissions for every job title across an organization. 
  • If Jane leaves ABC Company, the company will be without critical knowledge, and her replacement will not have a documented procedure to effectively perform the control. 
  • Requests are sent via email, not a structured form. Accordingly, two requests for the same access might look substantially different and elevate the risk of inconsistent performance. 
  • Without a documented procedure she is required to follow, she is at a higher risk of granting excessive access at the behest of highly influential company personnel. 

Improvements 

  • Document a detailed procedure that formalizes the practice Jane has developed over time. This will reduce the impact of turnover in her position. 
  • Document a formal mapping of job titles to system roles. This will ensure the access request process results are the same given the same inputs, i.e., it will be more deterministic. 
  • Organize the requests into a form that must be completed by an authorized requestor. Electronic forms that capture the identity of the requestor and enforce standards, such as a drop-down list of allowable job titles, help ensure consistent inputs into the control process. 
  • Document a formal policy that requires approval and limits access by job function. This will empower Jane to turn away inappropriate requests. 
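The improved access-request control expressed as a deterministic function, as an added example (not ABC Company’s process or the article’s own code). The title-to-role mapping, the list of authorized requestors and the e-mail addresses are constructed sample data standing in for the documented mapping, reporting lines and policy the improvements above call for.

```javascript
// Added example (not from the article): a deterministic evaluation of a
// structured access request. All mappings below are constructed sample data.

// The documented mapping of job title -> system roles.
const ROLES_BY_TITLE = Object.freeze({
  "Accounts Payable Clerk": ["erp.ap.entry", "erp.vendor.read"],
  "Staff Accountant": ["erp.gl.entry", "erp.reports.read"],
  "IT Technician": ["ad.helpdesk", "ticketing.agent"],
});

// The documented reporting lines: which job titles each requestor may request.
const AUTHORIZED_REQUESTORS = Object.freeze({
  "ap.manager@example.com": ["Accounts Payable Clerk"],
  "controller@example.com": ["Accounts Payable Clerk", "Staff Accountant"],
});

// request is what the electronic form submits: { requestor, employee, jobTitle }.
// The same request always yields the same decision, regardless of who is
// performing the control or what they remember about the organization.
function evaluateAccessRequest(request) {
  const { requestor, employee, jobTitle, additionalRoles } = request;
  const allowedTitles = AUTHORIZED_REQUESTORS[requestor];
  if (!allowedTitles) {
    return { approved: false, reason: "requestor is not an authorized requestor" };
  }
  if (!allowedTitles.includes(jobTitle)) {
    return { approved: false, reason: "requestor may not request this job title" };
  }
  const roles = ROLES_BY_TITLE[jobTitle];
  if (!roles) {
    return { approved: false, reason: "job title has no documented role mapping" };
  }
  // Policy limits access by job function: ad hoc extra roles are refused here
  // rather than negotiated, which is what lets Jane turn away such requests.
  if (Array.isArray(additionalRoles) && additionalRoles.length > 0) {
    return { approved: false, reason: "roles outside the job function require an exception" };
  }
  return { approved: true, employee, roles: [...roles] };
}
```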

However, just as there are perfectly appropriate use cases for state management in software development, there are appropriate use cases for institutional knowledge in the application of internal controls. Just as state management tools help protect developers from making mistakes, safeguards can be used to ensure institutional knowledge is carefully applied in the application of internal controls. 

Example 2

John Doe is the Manager of Financial Reporting. Every month, he analyzes the trial balance, compares it to the prior month, to the same month in the prior year, and to expected results. His goal is to identify balances that have changed significantly. Significant and unexpected variances may be a sign of errors in the trial balance or fraud that need to be investigated. When John reviews the trial balance, he applies his knowledge of the business, his awareness of operating results, and his strong finance and accounting acumen. He investigates balances that are unusual and annotates the result. When he is finished, he signs the trial balance, indicating he completed the review, and files it away for storage.

Potential Problems 

  • There are no formal thresholds for determining the minimum balance or variance that John must investigate. As a result, his decisions to investigate or not investigate appear arbitrary. 
  • There is no secondary review or approval, increasing the potential impact of mistakes in judgement.  

Improvements 

  • Document a formal procedure for the review control. The procedure should indicate the minimum threshold for balances and variances that must be documented. In documenting the threshold, the organization will have formal justification for the threshold being used, and John can focus his application of institutional knowledge and expertise on the investigation of the variances. 
  • Require a secondary review or approval of John’s analysis, preferably by someone to whom John reports, such as a Director of Financial Reporting or the CFO. This review will ensure all variances above the threshold were adequately investigated, properly analyzed, and documented, and it prevents the organization from relying solely on the judgement of one individual. This also builds redundancy to reduce the impact of turnover and improper judgements. 
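The two improvements above, as an added example (not the article’s own code): documented thresholds applied deterministically to select the balances John must investigate, and a secondary-review check that refuses sign-off when a flagged balance has no documented explanation or when the reviewer is the preparer. The threshold values and the trial balance lines are constructed sample data.

```javascript
// Added example (not from the article). Thresholds and balances are constructed.
const THRESHOLDS = Object.freeze({
  minBalance: 10000,       // balances below this (current and prior) are out of scope
  minVarianceAmount: 5000, // absolute change that triggers investigation...
  minVariancePct: 0.10,    // ...or a 10% change, whichever is met first
});

// Constructed sample trial balance: { account, current, priorMonth, priorYear }.
const SAMPLE_TB = [
  { account: "1010 Cash", current: 120000, priorMonth: 118000, priorYear: 95000 },
  { account: "2010 Accounts Payable", current: 64000, priorMonth: 52000, priorYear: 60000 },
  { account: "6200 Office Supplies", current: 900, priorMonth: 850, priorYear: 700 },
];

// Variance of the current balance against a comparison balance.
function variance(current, comparison) {
  const amount = current - comparison;
  const pct = comparison === 0 ? (current === 0 ? 0 : Infinity)
                               : Math.abs(amount) / Math.abs(comparison);
  return { amount, pct };
}

function exceedsThreshold(v) {
  return Math.abs(v.amount) >= THRESHOLDS.minVarianceAmount || v.pct >= THRESHOLDS.minVariancePct;
}

// Deterministically selects the accounts that must be investigated and why.
// Institutional knowledge is then spent on explaining these, not on choosing them.
function selectForInvestigation(accounts) {
  const flagged = [];
  for (const a of accounts) {
    if (Math.abs(a.current) < THRESHOLDS.minBalance &&
        Math.abs(a.priorMonth) < THRESHOLDS.minBalance) continue;
    const reasons = [];
    if (exceedsThreshold(variance(a.current, a.priorMonth))) reasons.push("vs prior month");
    if (exceedsThreshold(variance(a.current, a.priorYear))) reasons.push("vs prior year");
    if (reasons.length > 0) flagged.push({ account: a.account, reasons });
  }
  return flagged;
}

// Secondary review: every flagged account needs a documented explanation, and
// the reviewer must be a different person from the preparer.
function secondaryReview(flagged, explanations, preparer, reviewer) {
  if (preparer === reviewer) return { accepted: false, reason: "reviewer must differ from preparer" };
  const missing = flagged.filter((f) => !explanations[f.account]).map((f) => f.account);
  if (missing.length > 0) return { accepted: false, reason: "undocumented: " + missing.join(", ") };
  return { accepted: true };
}
```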

But wait, there’s more! 

The benefits of deterministic processes do not stop there. To identify more organizational efficiencies that drive profit and make the business more competitive, companies are implementing robotic process automation (RPA) to automate many processes. However, the ability to automate a process depends entirely on how deterministic the process is. Poorly defined and highly variable processes cannot be automated until they are standardized to the point where the same inputs produce the same outputs. For example, once Jane Doe’s process of granting access is fully defined, there should be little variability. If there is little variability, then an electronic form integrated into the company systems could automatically provision access for authorized requestors. This would allow Jane to address outlier scenarios and focus her time on higher-value activities. John Doe’s process, once standardized, could be improved with an automation that prepares the trial balance by highlighting the specific balances that require investigation. Eventually, the application of machine learning and AI could suggest potential explanations for John to consider in his analysis. 

Conclusion

Organizational efficiencies can drive profitability 

Business and IT processes and controls share important characteristics with computer operations executed by code. They take inputs and produce outputs. To the degree they can be made deterministic (the same inputs produce the same outputs), they are far less likely to produce undesirable side effects. In addition to enhanced compliance and auditability, organizations that implement these concepts have laid the groundwork to implement process automations that drive profitability. 

If you’re interested in learning more about how we can help your organization improve internal controls processes, contact our Keiter Technologies team today. We are here to provide innovative solutions to help your business improve processes and drive growth.

About the Author

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.
