As a CFO, you might often get recommendations for improving your company’s internal controls — from auditors, managers and others. And to be sure, the consequences of not having adequate internal controls in place to address the threats to your organization are extensive. But adding new processes that aren’t well thought out or properly administered can often provide more cost than benefit.

Rather than taking a reactive approach, more and more companies are proactively addressing internal controls. They’re doing this through organization-wide programs that identify the top risks to the company and the safeguards needed to respond.

Larger companies use an internal audit or other separate function to address internal controls, but even if your budget doesn’t allow for that expense, with a bit of planning you can still perform an organization-wide risk assessment. The key is to bring management and staff together to discuss threats that might affect your company. The result will not only provide a thoughtful discussion that could evoke change, but also identify inefficiencies that erode the security of your company’s finances.

Let’s look at a few things you can do to start the process. Consider what events would be most detrimental to your organization. These could be:

• External and internal theft;

• Reductions in critical revenues;

• Computer viruses and server crashes;

• Misuse of company funds;

• Natural disasters; or

• Sudden turnover in key positions.

Many organizations that don’t proactively discuss risk often end up dealing with more audit findings. Do you have monthly or quarterly meetings that are conducive to discussing risks and controls on a regular basis? Open up the discussion for each manager and staff member to address this one question about risk: “What could go wrong in your department?” Then brainstorm the results and prioritize the risks to determine which are most critical.

Once you’ve identified top risk factors, discuss what safeguards are in place that best respond to each risk and ensure that solid controls are established for the most critical ones. To improve efficiency, consider eliminating existing processes and controls that just add red tape.

It’s also a good idea to encourage discussion among departments to consider centralized processes that address common risk factors. For example, perhaps some departments get invoices from vendors directly and send them to your accounting department weekly. In such cases it might be beneficial to have vendors submit invoices and correspondence directly to the accounting department. This will reduce the risk of lost invoices and invoices paid more than once while also reducing administrative tasks for the departments.

Once the top risk factors and associated processes and controls are determined, you’re ready to establish monitoring processes to ensure the controls are operating effectively. The monitoring should be frequent and well documented to serve as a trail and a formal record of progress. If budgets permit, an internal audit function should take the lead. Otherwise, the monitoring should be overseen by an experienced member of top management.

The key to performing the exercises above is to encourage an environment that constantly addresses risk and effectively adapts to change. If your organization typically makes changes to internal controls solely in reaction to audit findings, you’ll constantly be adding new processes on top of others that may no longer contribute to your company’s security.

However, by proactively and continually assessing the risks facing your company — and establishing and evaluating controls designed to address them — you can not only reduce the risks to your company but also gain efficiency.

Dan Fowler and Ryan Luetkemeyer provide assurance services to middle-market companies. Fowler can be reached at 425-317-3052 or dan.fowler@mossadams.com. Luetkemeyer can be reached at 360-685-2203 or ryan.luetkemeyer@mossadams.com.