What EY can do for you
Under UK Government proposals, a reform of internal controls may be on the way. Business leaders will need to confirm the effectiveness of their internal financial controls and ensure that they have an effective and efficient operation that gives assurance over controls and data on an ongoing basis.
What this means for companies
As mentioned in our video, companies should incorporate smart and efficient ways of strengthening their internal controls regime. We recommend companies employ a three-step approach to meet requirements – find, fix and run.
However, once you have complied with these proposals under the ‘find’ and ‘fix’ steps, how do you attest to the effectiveness of your internal financial controls into the future? How do you ensure you have an effective and efficient business-as-usual operation that provides assurance and insights over controls and data on an ongoing basis?
How EY’s UK Internal Controls Managed Service can help
EY teams have developed a managed service and an operating model to ‘run’ your internal controls regime in future:
Second line of defence managed service
A ‘second line of defence’ managed service to help companies maintain compliance with UK corporate reforms. An example of this is a specific controls testing managed service, where EY teams can test your internal controls.
Operating model
We have developed an operating model (described below), which all organisations need to consider to run an effective business-as-usual operation.
There are three ways in which EY teams can help and deliver the managed service. This can be via a:
- fully managed service: we perform all eight components over a period of time, which typically lasts between three and five years.
- ‘build, operate and transfer back’ model: we set up the eight components, operate them for a short period and then hand back operations to you – typically within 18-24 months.
- co-sourced model: we agree which particular services you would like to be managed by EY and which components you would deliver yourself.
Operating model components
2.1) Service delivery leadership: A capability to operate and manage end-to-end internal controls requirements or ecosystems
2.2) Technical Design Authority (TDA): A function providing one version of the truth and governing all latest documentation, e.g. policies and procedures, testing analysis, risk and control matrix
2.3) Service management: A centralised team for the internal client organisation to call, servicing queries and requirements related to internal controls processes
2.4) Annual planning - Readiness assessment (ongoing ‘find’ phase): A function dedicated to planning, assessing and subsequently scoping any internal control gaps with respect to processes etc. on an ongoing basis, after initial set-up
2.5) Data and technology operations: A capability ensuring the correct tools, technology and people are in place to manage internal control requirements or ecosystem including execution of TDA activities
2.6) Second line of defence testing: An independent function to provide regular testing of internal controls and give directors confidence in what they are attesting to
2.7) Reporting and management information (including data analytics): A reporting capability to provide directors, CFOs and CEOs with a ‘point in time’ view of the status of their internal control operations.
2.8) Remediation services (ongoing ‘fix’ phase): An ongoing capability to perform remediation work to get ready for annual internal control attestations; this capability follows the annual ongoing readiness assessments (2.4)
Why EY
There are a number of benefits to having EY deliver a managed service based on the operating model above. Specific examples include:
- As part of ‘Service Delivery Leadership’ we could, for example, embed resources within your team to drive long-term, sustainable value through regulatory horizon scanning (supported by our long-standing relationships with regulators).
- We can offer a service management capability to drive standardisation, operational efficiency and an end-to-end service experience for your team. This would bring all of the aspects of UK internal controls together in a holistically delivered service — e.g. audit and assurance, fraud and any process optimisation.
- Services could be delivered via a technology solution ensuring a ‘digital-first’ approach. This would help you manage internal controls in a smarter, faster and more efficient way, from establishing a ‘no regrets’ foundation to getting ready for 2022 design, remediation and implementation.