Learn about the 10 best practices your organisation can apply on its internal control journey. They’re all connected to the ‘golden triangle’ of process, people and technology:
Defining a scope means deciding which business units, processes and financial statement line items to prioritise in the internal controls (IC) system, and to what extent. Risk-based scoping is essential to an effective and efficient IC system, in that it ensures that IC controls are designed to mitigate the most significant risks. Given the increasing pace of change businesses are exposed to, the IC scope should be revised annually and aligned with the outcome of risk assessments.
IC practitioners from the second and third lines of defence (LOD) are familiar with the Committee of Sponsoring Organizations (COSO) model as the preferred IC methodology. However, control owners from the first LOD require more pragmatic support that translates the COSO methodology into something practical and tangible.
Here’s a checklist for a successful IC roll-out process on the first LOD:
1. Define a scope of the right controls (see point 1 above).
2. Draft a risk and control matrix listing the control objective, activity and owner, the risk and the assessment plan.
3. Set up design meetings with control owners to obtain an understanding of the selected key controls.
4. Translate the key control activities into steps and summarise them in a one-pager.
5. Perform a dry run. Do the steps outlined on the one-pager hold up in practice, or does the plan require further fine-tuning?
6. Set up an action list. What can be developed further to ease the control owner’s task during control execution?
7. Test control effectiveness.
8. Monitor and report IC findings.
Your company’s three lines of defence will have to collaborate constructively in order to achieve your desired level of internal control maturity. Assurance on the effective design and operation of your controls can be gained across all three lines. Visualising these sources of comfort, and how effective each of them is, in an integrated assurance report or dashboard will help you optimise your internal control efforts across your organisation.
Before starting any IC project, it’s important that it’s backed by senior management. Your organisation’s decision makers define the IC culture and have a role to play in communicating expectations and cascading IC culture to all levels of the company.
The Three Lines of Defense model is commonly used for clarifying roles and responsibilities in IC. All three lines need to work effectively with each other and with the audit committee to create the right conditions to achieve an IC culture. Clearly defined, communicated, understood and agreed upon roles and responsibilities are the backbone of any well-functioning IC system.
Source: Chartered Institute of Internal Auditors (https://www.iia.org.uk)
Why not consider an IC communication campaign that explains the importance of proper IC? Too often, companies see IC as an impediment that slows down work processes. If it’s clear to control owners that you’re putting IC in place to safeguard assets, prevent fraud, verify financial records, monitor organisational performance and ensure an efficient and uninterrupted flow of business, they’re more likely to approach IC initiatives with enthusiasm.
Introducing a game or an excellence programme can help raise IC awareness across all levels of your company. It can bring an end-to-end IC and risk culture to life, which encourages your people to reflect on its importance. A game can simulate the effects of IC and their impact on the organisation. It enables you to develop and practise IC strategies in response to increasing compliance rules in a fun and interactive environment.
IC concepts and principles, such as those in COSO’s Integrated Internal Control Framework, will continue to be applicable and relevant in the digital age. Emerging technologies can make IC even more effective, efficient and pervasive.
When control owners are convinced of the purpose and added value of IC activities, they’ll look for ways to streamline their day-to-day IC. Certain IC processes can be performed by robotic process automation (RPA), resulting in greater accuracy at a lower cost in a shorter timeframe than when these tasks are performed manually.
Driven by new technologies and rapid growth, business processes in large and mid-size companies generate an increasing volume of transactions. Throughout a company’s journey to stay in control of its business processes and risks, the first and second LOD can benefit from data analytics techniques, both to support an understanding of the process and its risks and to execute and test the mitigating controls.
The most commonly used data-enabled risk and control analytics are in the areas of finance, procure-to-pay and order-to-cash.
Many organisations use technology, such as governance, risk and compliance (GRC) software, enterprise resource planning (ERP) system functionalities and workflow support, to support part or all of their IC processes. There’s a clear need for document storage and management due to the large number of documents typically required to manage IC. A GRC tool adds value, and developing a strong business case with proper financial metrics can help pave the way for more proactive and progressive investments in controls automation technology.