Importance of Adequately Assessing Governance & Internal Control Design for SOX Assessments
Summary
Having good internal controls is important to mitigate risks, increase efficiency, enhance compliance, and give organizations a greater chance of achieving their business objectives. However, if the internal controls are not appropriately designed, these activities will not provide the desired results for organizations. In fact, these activities can take away valuable resources from other, more important activities. The root cause of most internal control deficiencies identified during internal and external audits is ineffective governance and inadequate control design to address the stated risks.
Governance Considerations
Management is ultimately responsible and accountable for implementing well-designed internal controls to mitigate the various risks identified as part of its processes and operations. For management to effectively manage its risks and implement well-designed internal controls, it is important to ensure that proper governance is in place.
Some of the key considerations for management are:
- Strategy Alignment: Are your business objectives aligned with the organization’s strategy?
- Tone at the Top: Is there adequate leadership and board support for the set objectives and operational execution plans to drive?
- Policies and Procedures: Are policies and procedures documented, authorized, communicated, and enforced to govern processes and related performance?
- Roles and Responsibilities: Are roles and responsibilities properly identified and communicated to establish accountability among key stakeholders and team members?
- Process Documentation: Are the processes adequately documented to identify key inputs, stakeholders, systems, flow of activities, transactions, and data?
- Risk Identification: Are the risks that can hinder the achievement of your business objectives identified and documented for your processes? Are various risk categories considered based on your organization’s industry, regulatory environment, corporate structure, hierarchy, technology, process complexity, etc.?
- Systems: Are your systems properly designed to enable your business processes and produce effective, efficient, and reliable transactions, data, and reports?
In addition to having appropriate governance to sustain a good internal control environment, controls should be designed appropriately to mitigate the stated risk and help management achieve its business objectives. Below are some of the control design considerations.
Control Design Considerations
- Control Activity: Does the control description include the control activity to address the risk? Key words such as reviewed, approved, authorized, monitored, access restricted, or segregated are included to demonstrate the control activity. Are control performers and reviewers clearly identified?
- Competence: Does the control owner have adequate skills and experience to effectively design and execute the stated control to address the associated risks?
- Segregation of Duties: Is the control appropriately segregated to avoid any conflicts and minimize fraud risk?
- Automated Control: Is the control designed to automatically restrict unauthorized changes or actions? Are proper IT General Controls in place to support reliance on the automated control activity?
- Key Reports and End-User Computing Tools (EUCTs): Does the control involve the use of reports and/or EUCTs to execute a control? Is the data in the report accurate and complete? Is the source of the data properly determined? Can the data be relied upon to operate the control or make decisions?
Well-designed controls help organizations save valuable resources and address risks appropriately. A well-designed control reduces the risk of failing to prevent or detect, on a timely basis, a material misstatement in the financial statements. Therefore, auditors focus on evaluating the design of the internal controls in a thorough manner to help determine the nature, extent, and timing of operational effectiveness testing and level of substantive testing.
How Centri Can Help
Centri’s Risk Advisory Services team will help you identify risks keeping in mind the current state of your organization, industry, and competitive landscape, providing advisory solutions to manage risks effectively. Our RAS team offers a variety of sustainable risk management solutions to help you stay competitive in the marketplace and reduce risks.
About Centri Business Consulting, LLC
Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, mergers & acquisitions, and tax, CFO and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed timely and accurately.