The Power of Specificity in Internal Control Design

Author:
Ryan Godbey - Former Partner KPMG US
Published:
March 4, 2025

By Ryan Godbey, CPA

Many internal control environments, including those designed for SOX 404 compliance, struggle with inefficiency and frustration. Too often, testing becomes a painful exercise in retracing steps, piecing together evidence weeks or months later, and hoping it aligns with the control’s intent. Evidence is incomplete, documentation is missing — and teams are left guessing what really happened.

Many controls exist on paper, but lack clarity in two crucial areas:

-- Exactly what steps the control owner should follow.

-- Exactly what evidence they need to leave behind.

The result? Wasted time, unnecessary cost, and a reactive process riddled with confusion. It doesn’t have to be this way. Clear expectations, documented steps, and evidence standards transform controls from guesswork into reliable processes. Let’s see what that looks like.

Laying the Foundation for Specificity in Controls

Let this sink in—if a control isn’t designed correctly, it cannot operate effectively. Although corporate regulations and standards don’t explicitly define control design, we can look to COSO 2013, one of the most widely used governance frameworks in the world, for guidance. Principle 12 states:

“The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.”

In practice, the degree to which Principle 12 is implemented varies widely. To illustrate, let’s compare how two hypothetical companies, Company A and Company B, design a control to mitigate the risk of misstatement in the prepaid insurance account.

A Tale of Two Approaches to Control Design

Company A’s Internal Control Design:

The monthly prepaid insurance account reconciliation is reviewed for accuracy.

At first glance, this may seem adequate. However, it leaves several critical questions unanswered:

Who? Who is responsible for performing the review?

When? When should the review be completed?

What? What specific steps must the control operator perform, and what evidence should they retain?

Where? Where should the evidence be documented and stored?

This vagueness creates confusion not only for the control operator but also for the preparer of the prepaid insurance reconciliation and those responsible for its oversight and testing. The result? Inefficiency, inconsistent execution, and increased risk of error.

Company B’s Internal Control Design:

The accounting supervisor reviews the monthly prepaid insurance account reconciliation by Day 10 for accuracy at a precision level of $50,000 and performs the following control steps, with evidence documented in the reconciliation workbook:

Control Attribute: Confirm prior period balance roll-forward
Evidence: Reviewer comment or checkmark verifying opening balance ties to prior month’s closing balance.

Control Attribute: Confirm insurance premium amount and coverage period
Evidence: Reviewer comment or checkmark verifying consistency of premium amount and coverage period with policy.

Control Attribute: Verify accuracy of prepaid amortization
Evidence: Reviewer notes confirming recalculations of amortization schedules.

Control Attribute: Ensure all adjustments are supported
Evidence: Comments or review marks confirming adjusting entries are properly documented.

Control Attribute: Validate reconciliation to GL
Evidence: Notation in the reconciliation tab confirming the ending balance matches the general ledger.

Control Attribute: Review variance explanations
Evidence: Approval mark indicating acceptance of material variance explanations.

Control Attribute: Check for proper classification
Evidence: Reviewer annotations confirming correct classification (e.g., current vs. non-current).

Analysis of the Two Approaches

At this point, it should be clear why specificity matters. Company B’s approach:

-- Cuts risk of misstatement

-- Speeds up prep, review, and testing

-- Saves hours in evidence collection — every single year

I already know the objection: "This sounds like extra work. What’s the ROI?" Let’s break it down.

Suppose Company A enhances the specificity of its prepaid insurance control. The impact might look something like this:

-- A one-time investment of approximately two hours to redesign the control, ensuring clearer expectations and a more structured approach to documentation.

-- A perpetual reduction in effort needed to reconstruct evidence during testing, saving three to four hours annually—primarily due to improved clarity between the preparer and reviewer and fewer inefficiencies in gathering support after the fact. This estimate assumes two to three instances of testing this control every year, which is common for controls that operate monthly.

With time savings that continue year after year, the redesign effort quickly pays for itself. More importantly, it reduces the risk of misstatement and fosters a well-structured, efficient environment. To me, the value proposition is clear, and I would adopt the Company B approach.

The other (inadvisable) option is to leave the control as it was: “The monthly prepaid insurance account reconciliation is reviewed for accuracy.”

What about your controls?

Take a hard look at the controls you rely on today. Are they clear enough for someone new to follow — with no explanation? If not, you’re already losing time and adding risk. I’d love to hear how your team approaches control design. Drop a comment in the DataSnipper Community, message me directly, or share your own control success stories below.
