3 minute read 18 Feb 2019

Twenty questions to enhance your internal controls

By Amy Brachio

EY Global Vice Chair - Sustainability

A voice for working women. Passionate about diversity and inclusiveness. Mother. Wife.

Related topics Consulting Risk Digital

Resource: Are your internal controls in harmony with your business? (pdf)

Are internal controls keeping pace with the regulatory environment in the countries you operate?

Many companies have not materially modified the way they manage their system of internal controls since the inception of their internal control over financial reporting (ICFR) programs as part of their Sarbanes-Oxley Act (SOX) implementation. In fact, only 34% of companies surveyed by EY say they have mature internal control programs1.

A review of an organization’s internal control program may not only identify areas requiring control enhancements in response to changes in the business and regulatory environment, but also suggest ways to improve the efficiency of the ICFR program. Organizations have an opportunity to clarify or reinforce the roles and responsibilities for their internal control environment, stressing that management has responsibility for internal controls.

They may also be able to increase collaboration among the business, IT, internal audit (IA) and compliance functions; enhance communication with external auditors; and improve the effectiveness and efficiency of their internal controls.

1.     Does your governance structure maximize risk coverage and resources?

While it might seem like an unimportant task after 10 years of complying with SOX requirements, many companies are taking a step back and documenting their ICFR program charter and rolling this out as part of their training programs.

2.     Do you regularly update your ICFR program to respond to changes in the business and regulatory requirements?

Leading-practice organizations have established a sustainable process to periodically refresh their ICFR program to respond to changes in the marketplace, and even use it as a platform to make more holistic changes and improvements.

3.     Are changes to accounting standards identified and implications to the business addressed on a timely basis?

A well-documented and well-understood ongoing process is critical to staying abreast of accounting standards changes.

4.     Is your SOX Section 302 certification process conducted with the appropriate level of diligence?

While many companies may feel they have a good SOX Section 302 certification process, some may have become complacent, going as far as rubber-stamping certifications, introducing even more risk to their organization.

5.     How do you select and monitor the right scope and mix of controls?

Controls optimization should not be a one-time exercise – it should be done periodically to keep pace with changes in the business and regulatory environments.

6.     Are management review controls designed and executed appropriately?

Typical areas include higher-risk estimation processes, fraud or other significant risks, unusual or non-routine classes of transactions, group-wide controls and compensating controls that are being relied on to mitigate deficiencies.

7.     Are you considering the completeness and accuracy of information produced by the entity (IPE) in your controls?

When companies internally gather evidence of the design and operating effectiveness of controls, they should consider and document the completeness and accuracy of the evidence.

8.     When is population completeness important?

Reports used as the population in the testing of IT and business process controls should be accompanied by evidence that the reported data completely reflects the information contained in the system and that it was not inappropriately modified when the reports were generated.

9.     Are your controls precise enough to detect significant issues?

The overall goal of management estimate testing is to validate that the issuer’s assumptions and estimates underlying the valuation of assets and liabilities are reasonable.

10.    Do you know who your related parties are?

Companies should revisit the controls they have in place to identify, account for and disclose transactions with related parties and executives, as well as significant unusual transactions.

11.    Does your organization conduct an impact analysis once a deficiency is identified?

When deficiencies related to business processes or key financial systems and controls are identified, performing additional procedures to determine whether anything “bad” happened is the next step.

12.    Can delaying remediation of deficiencies today turn into significant deficiencies in the future?

Management should define and implement specific remediation plans for all deficiencies. If the plans are in place but span multiple years, temporary compensating controls may need to be implemented to mitigate risks.

13.    How do system implementations affect the internal control environment?

IT application implementations often introduce new control capabilities but also new risks that affect the application’s ability to support effective internal control that enables accurate financial reporting.

14.    Where does responsibility and oversight for outsourced systems and business processes reside in your organization?

Outsourcing systems and business processes does not absolve user entities of their responsibility for an effective internal control environment.

15.    What can you do if a SOC report is not available?

If sufficient controls do not exist at the user entity then management, with assistance from compliance teams and internal auditors, may need to perform tests of controls or substantive procedures at the service organization.

16.    When systems move into the cloud, can you expect controls to follow?

Buyer beware: when entire systems or their components are moved into vendor-managed solutions, due diligence related to controls will pay off.

17.    Why is segregation of duties a ticking time bomb?

Without an automated governance, risk and compliance (GRC) tool, major enterprise resource planning (ERP) systems may not have adequate controls over segregation-of-duties (SOD) conflicts.
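The check a GRC tool automates is, at its core, a rule set of permission pairs that one person must not hold together, evaluated against each user's effective permissions after role inheritance is resolved. The following is an added example, not code from EY or from any ERP vendor; the roles, permissions, users and rules are constructed for illustration and are far simpler than a real ERP authorization model (composite roles, authorization objects, firefighter access). The third rule also reflects the support-versus-development separation raised in question 20.

```python
"""Segregation-of-duties (SOD) conflict check over ERP-style role assignments.

Added example with constructed data. Two questions a reviewer asks:
  1. Which users currently hold conflicting permissions (find_sod_conflicts)?
  2. Which roles, alone or in combination, are conflicting by design
     (conflicting_role_combinations), so the problem is fixed at the role
     level rather than user by user?
"""
from itertools import combinations_with_replacement
from typing import Dict, Iterable, List, Set, Tuple

# Constructed: role -> permissions the ERP grants to that role.
PERMISSIONS_BY_ROLE: Dict[str, Set[str]] = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"invoice.approve", "payment.release"},
    "TREASURY": {"payment.release", "bank.reconcile"},
    "DEVELOPER": {"code.commit"},
    "SUPPORT_L2": {"prod.config.change"},
}

# Constructed: role inheritance. A role grants everything the roles it
# includes grant, which is where "hidden" conflicts usually come from.
ROLE_INCLUDES: Dict[str, Set[str]] = {
    "AP_MANAGER": {"AP_CLERK"},
}

# Constructed SOD rules: (permission_a, permission_b, why it matters).
SOD_RULES: List[Tuple[str, str, str]] = [
    ("vendor.create", "payment.release", "create a vendor and pay it"),
    ("invoice.enter", "invoice.approve", "enter and approve the same invoice"),
    ("code.commit", "prod.config.change", "develop and change production"),
]

# Constructed user -> directly assigned roles.
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_MANAGER"],            # inherits AP_CLERK
    "carol": ["AP_CLERK", "TREASURY"],
    "dave": ["DEVELOPER", "SUPPORT_L2"],
    "erin": ["TREASURY"],
}


def expand_roles(roles: Iterable[str]) -> Set[str]:
    """Return the roles plus every role they include, transitively (cycle-safe)."""
    seen: Set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_INCLUDES.get(role, ()))
    return seen


def effective_permissions(roles: Iterable[str]) -> Set[str]:
    """Union of permissions over the expanded role set."""
    perms: Set[str] = set()
    for role in expand_roles(roles):
        perms |= PERMISSIONS_BY_ROLE.get(role, set())
    return perms


def violated_rules(perms: Set[str]) -> List[Tuple[str, str, str]]:
    """Rules whose two permissions are both present in perms."""
    return [(a, b, why) for a, b, why in SOD_RULES if a in perms and b in perms]


def find_sod_conflicts(user_roles: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """(user, perm_a, perm_b, why) for every rule each user violates, users sorted."""
    hits: List[Tuple[str, str, str, str]] = []
    for user, roles in sorted(user_roles.items()):
        for a, b, why in violated_rules(effective_permissions(roles)):
            hits.append((user, a, b, why))
    return hits


def conflicting_role_combinations() -> List[Tuple[str, str, str]]:
    """(role_1, role_2, why) for every single role or pair of roles that is
    conflicting by design, independent of who holds it. role_1 == role_2 flags
    a role that conflicts with itself, typically through inheritance."""
    out: List[Tuple[str, str, str]] = []
    for r1, r2 in combinations_with_replacement(sorted(PERMISSIONS_BY_ROLE), 2):
        for a, b, why in violated_rules(effective_permissions({r1, r2})):
            out.append((r1, r2, why))
    return out


if __name__ == "__main__":
    for hit in find_sod_conflicts(USER_ROLES):
        print("USER CONFLICT", *hit)
    for combo in conflicting_role_combinations():
        print("ROLE DESIGN CONFLICT", *combo)
```

Bob has no conflicting role assigned directly; the conflict only appears once AP_MANAGER's inclusion of AP_CLERK is expanded, which is why a review that looks at assigned roles rather than effective permissions misses it. A production version would pull roles and inheritance from the ERP's authorization tables, record documented compensating controls against specific hits so they are reported as mitigated rather than suppressed, and run on a schedule as part of continuous controls monitoring.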

18.    Is cyber risk given enough consideration in your risk management program?

When it comes to cyber risk, waiting is generally not a good answer under any circumstances.

19.    Have you considered how data analytics can help your organization evaluate controls and assess risks more efficiently?

Common areas of implementation are continuous controls monitoring in conjunction with systems; audit scoping to identify the highest-risk areas; and impact analysis in the case of identified control deficiencies.

20.   Does your organization leverage technology and tools to more effectively manage internal controls?

Source code repository and release management tools can enable proper controls over changes to production systems and segregation of support vs. development duties. Also, commercial testing software enables implementation of a disciplined approach to financial system change testing.

Even though we have been living with SOX requirements for over a decade, many companies have not matured or optimized their ICFR programs.

We know of no reason to expect the velocity of change will slow down anytime soon. New players will enter the market with innovative ideas that will continue to disrupt business models, requiring companies to respond quickly to stay competitive.

Technology will continue to rapidly evolve, upending the way companies do business and making them more vulnerable to bad actors looking for ways to infiltrate their systems. And regulators will continue to evolve their requirements as they strive to protect stakeholders. Re-evaluating your governance framework and ICFR program to determine whether they have kept up with the changes and making the necessary enhancements for what is known today are a good start.

However, preparing for future changes is not a one-time effort or a compliance exercise. Rather, it is an opportunity to transform your organization’s internal control governance structure and framework, resource model and use of technology to be more agile, efficient and effective.

“Now is the time to rethink and enhance your internal controls. This should be thought of as a value-added task, not simply a compliance exercise,” says Amy Brachio, EY Global and Americas Consulting Risk Leader.

Additionally, it is an opportunity to clarify and reinforce the roles and responsibilities of the business, IT, internal audit and financial reporting functions to work together to help the organization meet its strategic objectives and improve business performance.

What can you do today to enact change?

  • Be proactive about addressing emerging topics within your organization
  • Revisit your governance structure and operating model for internal controls
  • Collaborate with business and IT management on strengthening the control environment
  • Refresh and enhance internal control documentation
  • Evolve the nature, timing and extent of testing
  • Use technology more extensively and creatively to become more efficient and effective
  • Re-evaluate your staffing model and explore alternatives


One of the challenges facing organizations today is implementing the right integrated risk and control model and processes to address governance. Internal audit can play a key role in either validating or performing the internal control testing. IA’s independence, objectivity and internal control knowledge can allow management and external auditors alike to place more reliance on its work. Clearly defined roles and responsibilities that are regularly updated regardless of organizational structure enable a more efficient and effective ICFR program.
