Many companies have not materially modified the way they manage their system of internal controls since the inception of their internal control over financial reporting (ICFR) programs as part of their Sarbanes-Oxley Act (SOX) implementation. In fact, only 34% of companies surveyed by EY say they have mature internal control programs1.
A review of an organization’s internal control program may not only identify areas requiring control enhancements in response to changes in the business and regulatory environment, but also suggest ways to improve the efficiency of the ICFR program. Organizations have an opportunity to clarify or reinforce the roles and responsibilities for their internal control environment, stressing that management has responsibility for internal controls.
They may also be able to increase collaboration among the business, IT, internal audit (IA) and compliance functions; enhance communication with external auditors; and improve the effectiveness and efficiency of their internal controls.
1. Does your governance structure maximize risk coverage and resources?
While it might seem like an unimportant task after 10 years of complying with SOX requirements, many companies are taking a step back and documenting their ICFR program charter and rolling this out as part of their training programs.
2. Do you regularly update your ICFR program to respond to changes in the business and regulatory requirements?
Leading-practice organizations have established a sustainable process to periodically refresh their ICFR program to respond to changes in the marketplace, and even use it as a platform to make more holistic changes and improvements.
3. Are changes to accounting standards identified and implications to the business addressed on a timely basis?
A well-documented and well-understood ongoing process is critical to staying abreast of accounting standards changes.
4. Is your SOX Section 302 certification process conducted with the appropriate level of diligence?
While many companies may feel they have a good SOX Section 302 certification process, some may have become complacent, going as far as rubber-stamping certifications, introducing even more risk to their organization.
5. How do you select and monitor the right scope and mix of controls?
Controls optimization should not be a one-time exercise – it should be done periodically to keep pace with changes in the business and regulatory environments.
6. Are management review controls designed and executed appropriately?
Typical areas include higher-risk estimation processes, fraud or other significant risks, unusual or non-routine classes of transactions, group wide controls and compensating controls that are being relied on to mitigate deficiencies.
7. Are you considering the completeness and accuracy of IPE in your controls?
When companies internally gather evidence of the design and operating effectiveness of controls, they should consider and document the completeness and accuracy of the evidence.
8. When is population completeness important?
Reports used as population in the testing of IT and business process controls should be accompanied by evidence that the reported data completely reflects the information contained in the system and that it was not inappropriately modified when the reports were generated.
9. Are your controls precise enough to detect significant issues?
The overall goal of management estimate testing is to validate that the issuer’s assumptions and estimates underlying the valuation of assets and liabilities are reasonable.
10. Do you know who your related parties are?
Companies should revisit the controls they have in place to identify, account for and disclose transactions with related parties and executives, as well as significant unusual transactions.
11. Does your organization conduct an impact analysis once a deficiency is identified?
When deficiencies related to business processes or key financial systems and controls are identified, performing additional procedures to determine whether anything “bad” happened is the next step.
12. Can delaying remediation of deficiencies today turn into significant deficiencies in the future?
Management should define and implement specific remediation plans for all deficiencies. If the plans are in place but span multiple years, temporary compensating controls may need to be implemented to mitigate risks.
13. How do system implementations affect the internal control environment?
IT application implementations often introduce new control capabilities but also new risks which affect the application’s ability to support effective internal control that enables accurate financial reporting.
14. Where does responsibility and oversight for outsourced systems and business processes reside in your organization?
Outsourcing systems and business processes does not absolve user entities of their responsibility for an effective internal control environment.
15. What can you do if a SOC report is not available?
If sufficient controls do not exist at the user entity then management, with assistance from compliance teams and internal auditors, may need to perform tests of controls or substantive procedures at the service organization.
16. When systems move into the cloud, can you expect controls to follow?
Buyer beware: when entire systems or their components are oved into vendor-managed solutions, due diligence related to controls will pay off.
17. Why is segregation of duties a ticking time bomb?
Without an automated GRC tool, major enterprise resource planning systems may not have adequate controls over SOD conflicts.
18. Is cyber risk given enough consideration in your risk management program?
When it comes to cyber risk, waiting is generally not a good answer under any circumstances.
19. Have you considered how data analytics can help your organization evaluate controls and assess risks more efficiently?
Common areas of implementation are continuous controls monitoring in conjunction with systems; audit scoping to identify the highest-risk areas; and impact analysis in the case of identified control deficiencies.
20. Does your organization leverage technology and tools to more effectively manage internal controls?
Source code repository and release management tools can enable proper controls over changes to production systems and segregation of support vs. development duties. Also, commercial testing software enables implementation of a disciplined approach to financial system change testing.