Compare the differences: rationalization, optimization and redesign
- Create formal criteria for assessing whether controls should be considered critical
- Challenge existing key controls for design effectiveness
- Benchmark key controls with peer companies or standard control templates to identify potential efficiencies
- Identify and leverage “power controls,” which are key controls that may mitigate multiple risks
- Review process documentation with process owners and IT staff to understand control structure within applications supporting specific processes and other potential controls that may be available
- Standardize business and IT processes
- Challenge existing manual key controls to determine if alternative application or automated controls exist
- Challenge the number of controls identified that address the same risk
- Review of industry-leading practices and available options including new, proven approaches such as continuous monitoring
- Process design sessions with process owners and other stakeholders
- Cost/benefit analysis and assessment of residual risks
- Implementation and change management
Control environment improvements add ongoing benefit.
Summary: Improve your internal control systems and those improvements can drive competitive advantage. Like other functions, internal control must build its value proposition by increasing efficiency and/or by generating large cost savings.
Historically, the controls environment has had a bad reputation. Some find the time and costs associated with control improvement programs prohibitive and not justifiable.
Such perceptions take away from the benefits of control improvement efforts that are focused on three key elements:
- Focusing on risks that really matter to the business, particularly those that align with key business and overall corporate strategies
- Improvements that provide both risk coverage and improved business processes
- Getting tangible benefits from the investment in control and optimal use of automation
Small investment can yield big results
It is not necessary for control environment improvements to require major investments in time and resources to generate positive impact.
There is a high correlation between complexity and difficulty in control environment improvements and their resulting rewards (cost savings, improved efficiencies, etc.).
Even at the lower end of the cost/investment scale, companies can still generate significant improvements in operational and compliance process efficiencies, as well as a variety of cost savings.
Substantial rewards with an investment in improving the control environment
The potential benefits arising from a control rationalization, optimization and improvement program include:
- Fewer controls; lower costs
- Better aligned risk coverage, including the identification of stronger, more pervasive controls
- The identification and standardization of efficient and effective controls
- More effective and efficient risk-based assessment process
- Better use of technology through the use of applications controls rather than manual controls
- A reduction in the internal compliance effort
- A more sustainable compliance process
- Improved alignment between the IT, business and internal audit functions
- Coordinated IT risk management activities
Different roads, same destination
There are three main routes companies can take to reach increased control efficiency:
- Rationalization: the removal of unnecessary, insignificant or redundant controls or processes
This option requires the least amount of resources and overall effort.
- Optimization: the potential replacement of certain controls in exchange for others that are more efficient
Replacing a manual control with automation is an ideal optimization; another is standardizing controls across business units and geographies.
- Redesign: modifying, redesigning or re-engineering a process and its underlying control structure to drive operational efficiency
This is the option that requires the most resources and effort. It usually requires redefining organizational design such as tasks, roles and responsibilities. However, it also provides the greatest potential for impact and return.
Removing unnecessary controls
Correctly identifying controls that are central to enterprise business processes is critical in creating increased benefit. For the right testing impact, companies need to target the right controls.
Many companies rationalize all of their controls using a “bottom-up” approach and may find significant opportunity to reduce their total population. Companies that have been diligent in their focus on internal control and used a “top-down” approach may find fewer opportunities to reduce their control population.
The following steps should be considered during the rationalization process:
- Identify and reduce risks that are not relevant to internal control over financial reporting
- Review financial assertions for each significant account to determine relevance
- Review key application end-user information security controls, particularly as they relate to user authentication, access and auditing
- Review significant accounts and related components to determine if insignificant components are included in scope
- Review population to identify redundant or insignificant controls
- Identify opportunities to centralize activities that are currently done at multiple locations
- Review adjusted control population with external auditors
Controls optimization is the process of standardizing and centralizing controls and selecting controls that are more efficient to test than others that potentially reduce the same risk. To do this, it is important to have an understanding of the different classes of controls:
- Manual controls depend on a person to perform without reliance on IT tools or the company's overall IT environment.
- IT-dependent manual controls have both manual and automated aspects.
- Application controls are processed by the entity's IT applications without input from a person and are focused on procedures used in the critical path of transactions or other financial data. Application controls help ensure that transactions are authorized and accurately recorded and processed. When operating properly, IT application controls typically provide more effective risk reduction and are more efficient to test (sample size and leverage).
Application controls can typically be classified as:
- Edit checks, which limit the risk of inappropriate input, processing or output of data due to field format.
- Validations, which limit the risk of inappropriate input, processing or output of data due to the confirmation of a test. Examples include tolerances, duplicate checks and matching.
- Calculations, which ensure that a computation is occurring accurately.
- Interfaces, which limit the risk of inappropriate input, processing or output of data being exchanged from one application to another.
- Authorizations, which limit the risk of inappropriate input, processing or output of key financial data due to unauthorized access to key financial functions or data and include segregation of incompatible duties, authorization checks, limits and hierarchies.
The use of application controls rather than manual controls allows for more sensitivity and reliability in the processing of transactions and activities. Also, greater leveraging of application controls better aligns an organization with the significant investments that it is making in IT systems to support and transform its businesses.
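The five application control classes listed above, shown on an invoice-posting step. This is an added example, not part of the original article; the field names, roles, approval limits, tolerance and invoice data are all hypothetical.

```python
from decimal import Decimal
import re

# Constructed sample data (hypothetical, for illustration only).
APPROVAL_LIMITS = {"clerk": Decimal("1000"), "manager": Decimal("50000")}
USERS = {"alice": "clerk", "bob": "manager"}
POSTED = {("V-100", "INV-0001")}            # (vendor, invoice no.) already in the ledger
PO_AMOUNTS = {"PO-77": Decimal("980.00")}   # purchase order totals
TOLERANCE = Decimal("0.02")                 # 2% matching tolerance
GOOD = {"number": "INV-0002", "vendor": "V-100", "po": "PO-77",
        "lines": [(Decimal("2"), Decimal("490.00"))], "tax_rate": Decimal("0.00"),
        "total": Decimal("980.00"), "created_by": "alice"}

def check_invoice(inv, approver):
    """Return the application-control failures for one invoice (empty list = post it)."""
    failures = []
    # Edit check: reject input whose field format is wrong.
    if not re.fullmatch(r"INV-\d{4}", inv["number"]):
        failures.append("edit:number_format")
    # Validation (duplicate check): same vendor and invoice number already posted.
    if (inv["vendor"], inv["number"]) in POSTED:
        failures.append("validation:duplicate")
    # Validation (matching with tolerance): invoice lines must agree with the PO.
    po = PO_AMOUNTS.get(inv["po"])
    net = sum(qty * price for qty, price in inv["lines"])
    if po is None or abs(net - po) > po * TOLERANCE:
        failures.append("validation:po_match")
    # Calculation: recompute the total instead of trusting the submitted figure.
    if (net * (1 + inv["tax_rate"])).quantize(Decimal("0.01")) != inv["total"]:
        failures.append("calculation:total")
    # Authorization: segregation of duties, then role-based approval limit.
    if approver == inv["created_by"]:
        failures.append("authorization:segregation_of_duties")
    role = USERS.get(approver)
    if role is None or inv["total"] > APPROVAL_LIMITS[role]:
        failures.append("authorization:limit")
    return failures

def check_interface(batch, control_count, control_total):
    """Interface control: received batch must match the sender's record count and total."""
    return (len(batch) == control_count
            and sum(inv["total"] for inv in batch) == control_total)
```

Because each check is deterministic code, a single test per check covers every transaction it processes, which is what makes these controls cheaper to test than sampled manual reviews.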
Examples of what some companies have done in the name of controls redesign include:
- Implementation or expansion of shared services organization
- Migration to standard general ledger or ERP platforms
- Standardized policies and procedures across all business units or subsidiaries
- Integration of acquisitions or business units that are similar in form or function
- Process simplification around financial reporting and disclosure processes
- Implementation of continuous process monitoring
- Implementation of global standard access control and user identity management processes and supporting technology