The APQC Blog

Mitigating Risk By Improving Internal Controls

Many companies have ineffective internal controls programs because they carry an overwhelming number of controls that were never tied to a specific risk. These organizations focus on testing the controls and not on evaluating whether each control actually works when conducting a self-assessment or preparing for the annual SOX 404 internal controls assessment. A risk-based controls approach, on the other hand, directs resources to where the risk is concentrated, can reduce the cost of the overall internal controls program and, more importantly, ties each control to the risk it is meant to mitigate. Risk-based controls focus on the key controls that mitigate risk within the business process. Failing to take a true risk-based approach often results in more controls than the operation needs, and the operation may erroneously focus on perceived "key controls" that do not address the inherent risks of a specific business process.

The following are tips to help organizations implement a risk-based internal controls program. 

Tips for Implementing Risk-Based Internal Controls

  • Focus controls on the business process and any sub-processes rather than just on the expectations of the audit process. Each risk should be identified, mitigated with a well-defined internal control, and revisited when the process changes. 
  • Focus controls on the end-to-end process and its dependencies rather than just on the transaction. A control should still address the accuracy of a transaction, but a risk-based control addresses the impact on the end-to-end business process, not just on a single transaction.
  • Consider Key Risk Indicators (KRIs) when developing risk-based controls. Examples include significant changes in KPI trends, employee turnover, and the occurrence of a theft or fraud.
  • Leverage risk-based controls to facilitate change. Risk-based internal controls should be updated whenever there is a significant change to the business process, whenever a control is found to inadequately mitigate a potential risk, or after a fraud has been perpetrated.
  • Focus on risk management rather than solely on current policies and procedures. Current policies and procedures may be outdated or incorrect due to organizational, process, or system changes.
  • Aim for continual risk assessment coverage through Continuous Controls Monitoring (CCM) or Controls Self-Assessment (CSA) processes.
  • Use the risk-based controls program as the foundation for implementing operational metrics and analytics.
  • Identify and mitigate risk, and also look for process improvement opportunities within the business process, as part of the risk-based controls program.

Conclusion
All companies, regardless of size, structure, nature, or industry, encounter risks at every level of the organization. Risks affect each company's ability to survive, compete successfully within its industry, maintain financial strength and a positive public image, and maintain the overall quality of its products, services, and people. Since there is no practical way to reduce risk to zero, management should determine how much risk can prudently be accepted and strive to keep risk within acceptable levels by implementing risk-based controls. Ultimately, risk-based controls can surface risks and business process gaps across financial operations. In addition, a strong risk-based controls program can help prevent and detect fraud; such controls should represent the end-to-end business process and can help teams highlight process gaps.

Are you interested in learning more about this topic? If so, participate in APQC's New Development in Internal Controls survey by June 30, and receive a complimentary survey summary report.