Management, possibly in combination with internal audit, will identify an inventory of significant key controls applicable to the financial reporting function. It is important to take a risk-based approach to identify these key controls as well as a top-down approach, focusing on broader detect controls in addition to critical transactional prevent controls. Several of these higher-level controls will undoubtedly be management review controls, which require significant knowledge and judgment to be completed, and are typically in the higher-risk areas of the financial institution.
Management review controls in particular draw significant regulatory scrutiny; thus, they require robust documentation of the procedures performed and the decision-making process of the individuals performing the controls. Management will need to thoroughly document and define the considerations, criteria and thresholds in a management review control identified as a key control.
In addition, it is important for management to document how they evaluated the completeness of the controls addressing the financial statement assertions. Equally important is how management ensures that any system-generated report used to perform a given control is itself complete and accurate.
Management will need to prepare a summary matrix of all key internal controls which will include all key controls, control owners, financial statement assertions addressed, description of controls and frequency of performing controls. Process owners will need to be responsible for the successful completion of these controls and ensuring the listing is accurate for any changes in controls or processes.
The listing of significant key controls should be reviewed with both external and internal auditors for completeness of the population and precision of the review. In the year of implementation, the level of focus on the documentation involved typically exposes necessary enhancements in the current procedures being performed by management.