Many organizations take an approach to internal control management that has defined intersections with risk, compliance, and audit processes. These organizations may use well-defined risk control matrices (RCMS) based upon standards of internal control but they’re focused on only executing checklists which result in a reactionary rather than a proactive approach.
This 10 step roadmap helps to build a strategic internal control program that is flexible enough to respond to today’s business challenges. The roadmap is helpful when establishing a new program or when enhancing your current internal controls program. It can also be used a guide when evaluating the effectiveness of your overall program.
10 Steps To Build A Strategic Internal Controls Program
1. Provide an integrated strategy and view of financial and operational controls across the organization and define ownership. Focus on transparency in reporting and monitoring.
2. Define a common language for risk and control. This is an opportunity to establish common definitions across your company so that everyone has a concise understanding of internal controls and how they can mitigate risk. A comprehensive glossary of terms can help to define your internal controls language. Your language can also be supported by a good training program.
3. Establish overall responsibility for a company’s internal controls program to ensure consistency and to avoid duplication of effort. Integrate controls into daily workflow particularly when staff transitions occur. This is a good way to embed controls into your company’s “DNA.”
4. Prioritize the key controls for a business process that can truly mitigate risk, address pain points, and improve processes. A higher number of key controls is not always a good thing since this diminishes the focus of your program and risk may not be identified or mitigated. Many companies focus on the business processes that may have the biggest risk. Higher-risk processes usually include payments to suppliers and employees, the financial close process, account reconciliations, approvals, and segregation of duties.
5. Capture business changes with updated controls. Business changes can best be identified by your company’s process owners and are often driven by process transformation and automation.
6. Combine finance and operational control teams and revamp processes to address a controls weakness. A well-defined internal controls program brings together finance and operations and helps to establish a true business partnership.
7. Implement a Controls Self-Assessment (CSA) approach to increase confidence in ongoing risk coverage throughout all business processes. This is accomplished by building a CSA process across your company using a monthly or quarterly completion schedule. An effective CSA process is dependent upon business process involvement and ownership.
8. Manage the human element in controls management. This begins with the definition of a common language and the establishment of roles and responsibilities. The execution of an internal controls program can evoke defensiveness and negative reactions with process owners if the goals and purpose of the program are not well-defined or communicated consistently.
9. Implement technology to effectively manage all controls across the organization. The technology should focus on specific access and transaction controls with real-time alerts and reporting of possible anomalies.
10. Expand and address the ongoing regulatory requirements for internal control management. Your internal controls program should be flexible enough to react to any new requirements and changes to your business environment.
In conclusion, the effectiveness of an internal controls program is dependent upon communication, well-defined roles and responsibilities, business process involvement, prioritization of key controls, technology, and reporting. A successful program considers the recommended steps in the roadmap and builds upon people, process, and technology.
Listen to Chris Doxey and APQC's Rachele Collins on an APQC podcast discussing How Internal Controls Fit With Sarbanes-Oxley.