Share

Importance of Adequately Assessing Governance & Internal Control Design for SOX Assessments

Summary

Having good internal controls is important to mitigate risks, increase efficiency, enhance compliance, and provide organizations a greater chance to achieve their business objectives. However, if the internal controls are not appropriately designed, these activities will not provide the desired results for organizations. In fact, these activities can take away valuable resources from other, more important activities. The root cause for most internal control deficiencies identified during internal and external audits are due to ineffective governance and inadequate control design to address the stated risks.

Governance Considerations

Management is ultimately responsible and accountable to implement well-designed internal controls to mitigate various risks identified as part of their processes and operations. For management to effectively manage their risks and implement well-designed internal controls, it is important to ensure that proper governance is in place.

Some of the key considerations for management are:

• Strategy Alignment: Are your business objectives aligned with the organization’s strategy?
• Tone at the Top: Is there adequate leadership and board support for the set objectives and operational execution plans to drive?
• Policies and Procedures: Are policies and procedures documented, authorized, communicated, and enforced to govern processes and related performance?
• Roles and Responsibilities: Are roles and responsibilities properly identified and communicated to establish accountability among key stakeholders and team members?
• Process Documentation: Are the processes adequately documented to identify key inputs, stakeholders, systems, flow of activities, transactions, and data?
• Risk Identification: Are the risks identified and documented for their processes that can hinder the achievement of their business objectives? Are various risk categories considered based on your organization’s industry, regulatory environment, corporate structure, hierarchy, technology, process complexity, etc.?
• Systems: Are your systems properly designed to enable your business processes and produce effective, efficient, and reliable transactions, data, and reports?

In addition to having appropriate governance in sustaining a good internal control environment, controls should be designed appropriately to mitigate the stated risk and help management achieve their business objectives. Below are some of the control design considerations.

Control Design Considerations

• Control Activity: Does the control description include the control activity to address the risk? Key words such as reviewed, approved, authorized, monitored, access restricted or segregated are included to demonstrate the control activity. Are control performers and reviewers clearly identified?
• Competence: Does the control owner have the adequate skills and experience to effectively design and execute on the stated control to address the associated risks?
• Segregation of Duties: Is the control appropriately segregated to avoid any conflicts and minimize fraud risk?
• Automated control: Is the control designed to automatically restrict unauthorized changes or actions? Are proper IT General Controls in place to place reliance on the automated control activity?
• Key Reports and End-User Computing Tools (EUCT’s): Does the control involve the use of reports and/or EUCT’s to execute a control? Is the data in the report accurate and complete? Is the source of the data properly determined? Can the data be relied upon to operate the control or make decisions?

Well-designed controls help organizations save valuable resources and address risks appropriately. A well-designed control reduces the risk of timely prevention or detecting a material misstatement in their financial statements. Therefore, auditors focus on evaluating the design of the internal controls in a thorough manner to help determine the nature, extent, and timing of operational effectiveness testing and level of substantive testing.

How Centri Can Help

Centri’s Risk Advisory Services team will help you identify risks keeping in mind the current state of your organization, industry, and competitive landscape, providing advisory solutions to manage risks effectively. Our RAS team offers a variety of sustainable risk management solutions to help you stay competitive in the marketplace and reduce risks.