Implementation and Optimisation of Internal Controls - Driving Value

According to Reuters, Britain’s accounting watchdog says forcing executives at top listed companies to personally vouch for the accuracy of financial statements would drive better company behavior and help stamp out fraud [1]. In the United States, public company executives are required to certify the accuracy of the company’s financial statements and the effectiveness of the company’s internal controls, and are subject to criminal penalties for certifying a misleading or fraudulent financial report. There have been multiple discussions around introducing a similar set of rules in Britain regarding internal controls.

According to COSO 2013 (a widely accepted internal control framework), “A system of internal control allows management to stay focused on the organisation’s pursuit of its operations and financial performance goals, while operating within the confines of relevant laws and minimizing surprises along the way. Internal control enables an organisation to deal more effectively with changing economic and competitive environments, leadership, priorities, and evolving business models.” A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements. The key word in this definition is “process.” Most organizations should consider carefully the costs and benefits of the efforts required. Leveraging lessons learned during U.S. implementations of such efforts can help in considerations around scoping, documentation, testing and other internal processes. Below are some common areas to consider related to internal controls over financial reporting and the “process” by which a company should begin optimising and/or implementing its internal controls to get a head start on Britain’s approaching regulation.

Areas to Consider
  • Roles and Responsibilities: Management should clearly establish the roles and responsibilities for internal controls ownership, documentation, testing, etc.
  • Planning and Scoping: Within this phase, materiality is determined by identifying quantitative and qualitative factors that are important to the company. Once a materiality amount is determined, it is applied to the company’s financial statements to determine which areas are subject to the internal control process.
  • Documentation: The in-scope processes, risks and controls are determined, documented and maintained by the business. Documentation may include narratives, process flows and risk and control matrices.
  • Design of Controls: A review of the identified risks and controls is performed to determine if any additional controls are needed or if the controls need to be modified to address the risk sufficiently.
  • Operating Effectiveness of Controls: The controls are tested to ensure that they are fully operational throughout the business at the specified frequency.
  • Remediation: For any design or operational deficiencies that occur, the business will be responsible for remediating the controls, and the compliance/internal control/internal audit function will be responsible for validation of those controls in a timeframe agreed upon by management.
  • Reporting: Reporting occurs at all phases and levels of the process, starting with the plan and procedures, and ending with the final results of testing.
  • Training: Training is an essential function that communicates to all levels of the organization what internal controls are, why they are important and how to implement a solid process.

Lessons Learned and How DHG Can Help Optimise

With our experience, DHG has encountered many challenges that occur when implementing a robust internal control system within an organisation. We have managed to learn lessons and navigate those challenges successfully. A key aspect to evaluating the company’s standing is to perform a readiness assessment that will determine where the company stands with the overall process and ultimately where the company would need to focus to build out the function. Below are some of the lessons learned as well as proposed mitigation factors and solutions:

Roles and Responsibilities
  Lessons Learned:
  • Clear roles and responsibilities are not established at the outset of the implementation of internal controls
  Proposed Solution (How DHG Can Help Optimise):
  • Establish policies and procedures to define roles and responsibilities
  • Provide guidance and “best practices” on internal control function setup
  • Trainings (see below)

Planning and Scoping
  Lessons Learned:
  • Too many or too few business process areas are deemed to be in scope for the company
  • Materiality calculation is determined to be too high or too low for the company
  • All significant applications are not defined early in the process
  • All Information Technology (IT) application controls are not identified
  Proposed Solution (How DHG Can Help Optimise):
  • Define current universe of processes, risk and controls through readiness assessment
  • Perform mapping exercise to link current process, risks and controls with financial statements
  • Provide examples of materiality calculations and assumptions
  • Enhance process through use of tools and Data Analytics
  • Assist with the identification of significant applications and IT application controls

Documentation
  Lessons Learned:
  • Processes, risks, and key controls exist in everyday operations, but are not documented or they are not documented appropriately
  Proposed Solution (How DHG Can Help Optimise):
  • Develop internal control framework/policies
  • Enhance control documentation for existing and new controls (i.e. Process Narratives, Process Flows, Risk & Control Matrices)
  • Provide templates to assist with documentation

Design of Controls
  Lessons Learned:
  • Too many key controls are in place to mitigate the same risk
  • Not enough controls are in place to effectively mitigate the given risks
  • Controls are not designed effectively to mitigate the risk
  Proposed Solution (How DHG Can Help Optimise):
  • Evaluate the design effectiveness of controls
  • Perform a controls rationalisation/optimisation exercise
  • Provide examples of automation opportunities
  • Provide examples of appropriate control design

Operational Effectiveness of Controls
  Lessons Learned:
  • Controls are not operating at the frequency which they were intended
  • Testing methodology is not suitable for the control/organisation
  • The control is not performed timely and/or the testing is not completed timely
  Proposed Solution (How DHG Can Help Optimise):
  • Test the operational effectiveness of controls
  • Provide established testing methodology

Remediation
  Lessons Learned:
  • Controls are not remediated or put into place timely
  • Management does not understand the appropriate type of control to implement in order to mitigate the risk
  Proposed Solution (How DHG Can Help Optimise):
  • Assess the severity level of controls deemed to be ineffective
  • Assist with the development of remediation action plans

Reporting
  Lessons Learned:
  • Appropriate level of detail is not communicated by the level or involvement of the audience
  • Timing of report is not effective for decision making
  Proposed Solution (How DHG Can Help Optimise):
  • Develop an established process for communicating results of internal control to relevant parties (i.e. Board, Management, External Audit)

Training
  Lessons Learned:
  • Many employees do not understand the importance of internal controls and how it impacts their business (i.e., the “what” and “why” they are doing it)
  Proposed Solution (How DHG Can Help Optimise):
  • Conduct training for organization on the what/why/importance of internal control
  • Provide examples of well-established internal controls from our industry experience

Program Delivery
  Lessons Learned:
  • Program is not delivered efficiently and effectively
  • Program is not cost effective
  Proposed Solution (How DHG Can Help Optimise):
  • Experienced professionals in delivering internal control engagements
  • True “Big 4” alternative at lower cost
  • Identify opportunities to reduce cost through on-shoring and/or off-shoring partnership


  1. Jones, Huw. “UK watchdog backs tougher Sarbanes Oxley-style rules for top companies.” Reuters, March 9, 2020.



Michael Bordoni
Managing Partner, Risk Advisory
© Dixon Hughes Goodman LLP. All rights reserved.