Basics of Internal Controls
To better understand the basic of implementing Internal Controls, we have asked Jesper Parsberg, Partner PwC Risk Assurance, to share some of his more than 25 years’ experience supporting companies getting in compliance. In the process of developing ComplianceNow’ new component CN Internal Control, we have among other sources reached out to Jesper’s team to check and refine our understanding of how auditors think the internal control process. Now we are back with a line of questions and answers to elaborate on the key essentials of the control process, implementation strategy and the link to the company’s enterprise risks.
If a company has no control process established, then what is the most common reason for this?
This is primarily due to resources as an effective control environment is difficult to set up with limited resources. And often we see that a high number of the critical business processes are highly dependent on manual controls. Companies with no controls often have a perception of no risks and/or no unmitigated risks.
What are the typical triggers for establishing internal control processes in those companies that previously have not had such?
This is often triggered by an event such as e.g. fraud or loss of assets. This triggers the need for a risk assessment and rethinking of the internal controls. However, this often results in additional manual controls with follow-up on transactions etc. and the first exercise does not necessarily encompass all business processes.
Establishing a control environment; which stakeholders are important in the process and why?
This needs to be driven by key people across the business. Top management is key for ensuring management buy-in, however, identifying and handling risks needs involvement of key persons from different parts of the business to get the right end-to-end processes. The CFO is not the only go-to person as we have often seen – because then all internal controls will end up in the Finance department. And this will shift the balance towards primarily detective controls and not preventive controls.
Establishing a control process; many are asked to make a business case – what are the key points to look for in such?
Setting up a business case for internal controls will often only show additional costs, however, the key benefits is to mitigate the risks and by this mitigation reduce the impact and/or consequences if these risks should be materialized.
What is typically overseen when establishing the company’s control library and how can you approve the process?
Often segregation of duties and access rights are forgotten from the start, and this is unfortunate as these are key preventive controls in all business processes. Another area that is hard to handle is the automated application controls as they are built into the applications and more difficult to identify. And these two topics often result in setting up only manual controls being set up. And the manual controls are more subject to risk of not being performed due to humans performing the controls.
Which controls do you prioritize and how do you select the most relevant taken into consideration the organizations maturity level?
I would definitely prioritize segregation of duties and the automated application controls as these will minimize the need for manual controls. And in general, the risk assessment shall set the scene for the focus areas.
Is it important to link the company’s overall risk to the actual controls being processed and why?
Yes, this is key as the internal controls are one of the measures to mitigate the risk.
When the control library and the control process is established what are the most commons challenges experienced?
That is keeping up the good work and performing controls as designed and on time. And often the risk assessment is forgotten to be updated despite changes to applications, business areas etc.
What is the added value you as an auditor can offer a company establishing or maturing a control environment?
We can offer guidance on all the above and of course test of both the design and operational effectiveness of the internal controls. In complex environments such as SAP and D365 we have customized tools for evaluating SOD and automated application controls to facilitate this with focus on the right risks.
How do you see the key differences in handling controls manual versus utilizing a software component?
The key difference is having the repository for the evidence of performing the controls and the possibility to follow-up on the timeliness in performing the internal controls.
Which trends do you see for internal controls the next two years?
I see more focus on SOD, a higher use/utilization of automated application controls and a more extensive of robotics (RPA) for performed rule-based tasks.
Interested to learn more….?
We always look forward presenting Internal Control to present customers, possible new customers, partners and network. So, if you want to learn more, have questions or would like to see a live demo of CN Internal Control please contact us.