Receivable/Accounts - Information for Credit and Collection Issues

Friday, July 4, 2025

Baking Controls Into Your Company

This week’s blog is a bit of a dry one – kind of.  It doesn’t have to be a dry topic, but let’s talk about audits, logs, and culture – they all tie together, I promise. 

Our company just finished our latest SOC-2 Type II audit last month, and the auditors complained we have too many controls. Not surprising – our Task Log export for the year was 13,388 separate tasks logged.

Seems crazy, right? But it was easy to implement, and caused no pain in our team environment.

Well, at a previous company, I had a client that demanded all their collection vendors become ISO 27001 certified in 90 days, or they’d stop doing business with us. As you can imagine, my next 90 days were a challenge, but we did it. The problem is, you can build a Big Book of Policies, but getting people to follow them consistently can be a challenge.

When I started at this company, I knew that down the road we’d need to be SOC-2 or ISO-27001 certified for the bigger clients we’d eventually represent, so I decided to bake a whole bunch of controls that were required into our environment, our software, and our culture.


Automatic Logging

So you can create automatic logging for collection activity, payments, and whatnot in the background of your CMS software – but there’s no reason you can’t also set up logging for everything else.  Every time you access a credit card, require a password and log the access time, user id, and file number, congratulations, you are now covering a big control for PCI compliance! 

If you create an automatic logging system that will capture regular tasks like file assignments, credit reporting, letter batches, well that’s great, your log file is showing the work you are doing, and no one has to do anything extra. I’d say about two-thirds of our tasks logged were automated.
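The card-access control described above, as an added example (not code from the author's CMS): every card view re-checks the password and writes the access time, user id and file number to the log, whether the check passes or fails, and the card number itself never reaches the log. The user, file number, test card number and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

def _kdf(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so stored password verifiers are costly to guess.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

# Constructed sample data (not from the post): one user, one file, a test card number.
_SALT = os.urandom(16)
USERS = {"jsmith": (_SALT, _kdf("correct horse", _SALT))}
CARDS = {"F-1001": "4111111111111111"}
AUDIT_LOG = []  # stand-in for an append-only task log table (assumption)

def _log(user_id: str, file_number: str, outcome: str) -> None:
    """Record access time, user id and file number; never the card number."""
    AUDIT_LOG.append(json.dumps({
        "time": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,
        "file_number": file_number,
        "task": "card_access",
        "outcome": outcome,
    }))

def view_card(user_id: str, password: str, file_number: str) -> str:
    """Re-check the password on every card view and log the attempt either way."""
    # Unknown users get a dummy salt and an empty verifier, so they always fail.
    salt, stored = USERS.get(user_id, (b"\x00" * 16, b""))
    if not hmac.compare_digest(_kdf(password, salt), stored):
        _log(user_id, file_number, "denied")
        raise PermissionError("password check failed")
    if file_number not in CARDS:
        _log(user_id, file_number, "no_card_on_file")
        raise KeyError(file_number)
    _log(user_id, file_number, "granted")
    return CARDS[file_number]

if __name__ == "__main__":
    print(view_card("jsmith", "correct horse", "F-1001"))
    try:
        view_card("jsmith", "wrong", "F-1001")
    except PermissionError:
        pass
    print("\n".join(AUDIT_LOG))
```

Logging the denied attempts alongside the granted ones is what lets a later log review spot repeated failures against one file or one user.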


Record … Everything!

Task logging doesn’t need to be just for IT folks and tickets to be resolved – you can log absences and vacation with HR, you can log new clients coming on board with Sales, you can log any escalations or complaints with an individual collection file. All this tells the story of what’s happening in your company. When you export the Big Task Log List, it’s going to be huge, which makes for happy auditors, and happy clients.

On the IT side, of course you have to log exceptions (when things go wrong), but you can also log maintenance tasks (when things are going right) or improvements (when they make things better).  IT folks often get blamed for not doing enough when things aren’t broken, but you can show all the stuff they do on a pro-active basis – data backups, log reviews, system updates.  That’s valid work too.

People overseeing HR can log staff activity, managers overseeing operations can log staff reviews, escalated file issues, training sessions – the list can go on and on.


Building Task Logging Into Culture

Here’s the secret, tricky part that’s the most important thing to consider.

So imagine, you have a process to log a client meeting, and share it with the entire company.  You can kill three birds with one stone here – you can share information with your entire team, so they know what’s happening, you can log a control (client audit, client performance review, client requests), which meets a SOC-2/ISO 27001 requirement, and lastly, you can reward the staff member for logging the task, building it into their staff review – everyone wants to log their tasks, everyone wants to read and hear what’s happening, and your auditors get a healthy list of what’s happening.

Give everyone in your company the ability to log things – not just debtor complaints, but suggestions for improvements, meeting results, project reports. Many hands make light work, and everyone can share what they are doing. Admin work for the sake of admin work is drudgery; sharing results, giving kudos to fellow team members, and being rewarded for the time spent writing these things out is a positive reinforcement for the good work they are doing.

As a specific example, we’ve got a task function that helps culture – we let staff give each other commendations, up to three every 30 days, that thank their team members for helping, covering for them, being good co-workers, whatever – and it affects their monthly staff reviews. It gives folks the ability to not just say thank you, but to put some weight behind it. Way better than a middle-management supervisor giving some sort of ‘teamwork review’ score. Our team is encouraged to thank each other, and it’s baked into our culture, even across branches, where some team members haven’t even met each other in person.

If your team isn’t motivated to log tasks, everything falls apart, and is left on the shoulders of a few key people – that’s not going to work in the long run to create a comprehensive picture. Get everyone on board, motivate them to log things, and reward them for doing so in a meaningful way.


Managing Recurring Tasks and Cross-Training

Some tasks are one and done – a server crash, a new client onboarded, etc.  But some tasks happen on a weekly or monthly basis, and you can create a list of upcoming tasks to be completed.

Here’s the insidious part – if you have a task (say, a Project Report) due every Wednesday, and someone is off on vacation, they’ll think about having someone covering that task while they are gone. You could even have basic instructions on that task. A task is missed, someone will notice. A new task needs to be created, into the mix it goes. Someone has too many tasks, it’s time for cross-training and delegation.


So, How Is This Not A Boring Subject?

Auditors and compliance can be dull and dreary now, when everything is going right – but if you aren’t logging tasks and something breaks or a report is missed, will you notice?  If a key person in your company has an emergency leave, will someone have a list of what they need to cover while they are away?   It might be dull now, but wait until something breaks, you’ll be thankful you thought of this sooner rather than later.

Our Big Book of Policies is maybe 200 pages adding up all our high level manuals and policies, for a national company – that’s not terrible at all.  We try to keep bureaucracy to a minimum – but those 13,388 tasks, that’s where we can cover the small day-to-day tasks, deadlines, and functions.

Got a question about SOC-2 compliance, controls, or company culture? Happy to chat about it!

Blair DeMarco-Wettlaufer
KINGSTON Data & Credit
Cambridge, Ontario
226-946-1730
bwettlaufer@kingstondc.com

