Maintaining a highly effective control environment is integral to any good compliance program. When controls or other safety measures falter, they can expose your organization to risk. The repercussions go beyond poor audit results: you may suffer a costly data breach, disruption in the supply chain, reputational damage, revenue loss and more. However, with careful management and the right monitoring tools, most control failures are entirely preventable.
Only 34% of companies surveyed by EY say they have a mature internal control program in place, indicating that many have failed to keep up with the times and have not evolved their controls approach since the implementation of Sarbanes-Oxley (SOX). While this survey took place in a pre-COVID-19 era, the statistic is worrying considering how fragile an organization’s reputation really is – increasing regulatory and social media scrutiny being the main culprits and a true giant killer.
A review of your control environment will not only identify areas for improvement but will also highlight efficiencies and opportunities and ensure that any future disruption is accounted for. Once your organization commits to better controls management, it will shed light on how important effective controls truly are. Whether detective, preventive or corrective, better controls management is the answer to protecting against catastrophe. NASA heartbreakingly witnessed this in 1986 with the explosion of the Space Shuttle Challenger. An error in decision-making during the o-ring manufacturing process was not accounted for, causing the shuttle to break apart 73 seconds after liftoff, killing all seven crew members; it was the first fatal accident involving an American spacecraft in flight, costing the nation US$3.4 billion.
We’ve discussed the why; now let’s get into the how. Amy Brachio, EY Global Deputy Vice Chair, Sustainability, recommends asking the following questions during a review of your control environment:
1. Does your governance structure maximize risk coverage and resources? While it might seem like an unimportant task after 10 years of complying with SOX requirements, many companies are taking a step back and documenting their ICFR program charter and rolling this out as part of their training programs.
2. Do you regularly update your ICFR program to respond to changes in the business and regulatory requirements? Leading-practice organizations have established a sustainable process to periodically refresh their ICFR program to respond to changes in the marketplace, and even use it as a platform to make more holistic changes and improvements.
3. Are changes to accounting standards identified and implications to the business addressed on a timely basis? A well-documented and well-understood ongoing process is critical to staying abreast of accounting standards changes.
4. Is your SOX Section 302 certification process conducted with the appropriate level of diligence? While many companies may feel they have a good SOX Section 302 certification process, some may have become complacent, going as far as rubber-stamping certifications, introducing even more risk to their organization.
5. How do you select and monitor the right scope and mix of controls? Control optimization should not be a one-time exercise – it should be done periodically to keep pace with changes in the business and regulatory environments.
6. Are management review controls designed and executed appropriately? Typical areas include higher-risk estimation processes, fraud or other significant risks, unusual or non-routine classes of transactions, group wide controls and compensating controls that are being relied on to mitigate deficiencies.
7. Are you considering the completeness and accuracy of IPE in your controls? When companies internally gather evidence of the design and operating effectiveness of controls, they should consider and document the completeness and accuracy of the evidence.
8. When is population completeness important? Reports used as population in the testing of IT and business process controls should be accompanied by evidence that the reported data completely reflects the information contained in the system and that it was not inappropriately modified when the reports were generated.
9. Are your controls precise enough to detect significant issues? The overall goal of management estimate testing is to validate that the issuer’s assumptions and estimates underlying the valuation of assets and liabilities are reasonable.
10. Do you know who your related parties are? Companies should revisit the controls they have in place to identify, account for and disclose transactions with related parties and executives, as well as significant unusual transactions.
11. Does your organization conduct an impact analysis once a deficiency is identified? When deficiencies related to business processes or key financial systems and controls are identified, performing additional procedures to determine whether anything “bad” happened is the next step.
12. Can delaying remediation of deficiencies today turn into significant deficiencies in the future? Management should define and implement specific remediation plans for all deficiencies. If the plans are in place but span multiple years, temporary compensating controls may need to be implemented to mitigate risks.
13. How do system implementations affect the internal control environment? IT application implementations often introduce new control capabilities, but also new risks that affect the application’s ability to support the effective internal control that enables accurate financial reporting.
14. Where does responsibility and oversight for outsourced systems and business processes reside in your organization? Outsourcing systems and business processes does not absolve user entities of their responsibility for an effective internal control environment.
15. What can you do if a SOC report is not available? If sufficient controls do not exist at the user entity then management, with assistance from compliance teams and internal auditors, may need to perform tests of controls or substantive procedures at the service organization.
16. When systems move into the cloud, can you expect controls to follow? Buyer beware: when entire systems or their components are moved into vendor-managed solutions, due diligence related to controls will pay off.
17. Why is segregation of duties a ticking time bomb? Without an automated GRC tool, major enterprise resource planning systems may not have adequate controls over SOD conflicts.
18. Is cyber risk given enough consideration in your risk management program? When it comes to cyber risk, waiting is generally not a good answer under any circumstances.
19. Have you considered how data analytics can help your organization evaluate controls and assess risks more efficiently? Common areas of implementation are continuous controls monitoring in conjunction with systems; audit scoping to identify the highest-risk areas; and impact analysis in the case of identified control deficiencies.
20. Does your organization leverage technology and tools to more effectively manage internal controls? Source code repository and release management tools can enable proper controls over changes to production systems and segregation of support vs. development duties. Also, commercial testing software enables implementation of a disciplined approach to financial system change testing.
Simplifying Internal Control Work With AuditComply
Of course, choosing the right solution is the first step. At many progressive organizations, AuditComply is a proven leader at delivering results, improving efficiency, reducing chaos, and helping organizations run more smoothly and with better focus. We set the standard for increasing engagement across the three lines of defense by centralizing and automating control testing and workflows. Ask yourself: is it time you introduced AuditComply to your Risk & Internal Audit function?
By introducing automation, you can free up resources to be put to better use. Automated control management is the future, driving down manual touch-points, providing peace of mind for executives, identifying costly non-compliance penalties before they occur and reducing the risk of control failures. With real-time analytics and actionable insights, your Risk, Compliance and Internal Audit functions can expect to yield better results, experiencing true visibility into SOX or UK SOX compliance status at any given moment.
If you would like to learn more about how AuditComply can help manage and maintain your SOX or UK SOX environment, schedule a demo here.