A seamless and risk-free control environment is the ideal – clear division of responsibilities, seamless integration of people, processes, and systems, and visibility over issues.
But this is rarely the reality.
To start, we have the control owners, who perform critical steps to identify and mitigate risks. They work with management to configure systems, map controls to risks, and document policies and procedures.
Internal audit then coordinates with control owners and management to evaluate the effectiveness of controls. On top of that, all parties must report findings to the board or other governance committees, and external audit.
Everyone is executing their work steps and documenting them independently and in separate systems, which adds complexity and confusion.
Suddenly, we start to see how complicated and disconnected compliance can be.
To reduce risk and achieve the most effective and efficient operating environment, accounting and internal audit must address the following three questions.
Who owns the controls?
Often times, the swim lanes for control ownership aren’t very clear. If we’re lucky, internal audit swoops in and handles the administrative work – updating process documents, maintaining checklists, and managing RCMs.
This is great — until internal audit becomes a crutch for accounting.
We’ve all been there: “It’s quarter-end and I’m just now thinking about my controls!” As a result, we assume a “same as last year” mentality, which allows risk to creep in.
As a best practice, accounting should have ownership over controls. Controls should be embedded in everyday activities, and owners should proactively update process documentation and alert auditors and other stakeholders to changes or enhancements.
Unfortunately, this can be a tall order and require significant incremental effort when controls are manual and documentation is decentralized.
With a technology-enabled approach, control evidence is integrated on a single platform. Accounting can evaluate and evidence controls while they’re being performed – not just at quarter-end.
Instead of relying on a retrospective approach, accounting can be proactive in reducing risk, improving processes, identifying control gaps, and remediating any deficiencies.
Where are the documents I need?
With hundreds of controls to track, narratives for each process, ever-evolving RCMs, and piles of PBC requests, it’s easy to get lost. Accounting and internal audit spend excessive amounts of time trying to locate control evidence, emailing back and forth, and rushing to update documents after the fact.
A centralized system eliminates these inefficiencies. Documentation is in one place and version control is automatically maintained. Certified controls are available to internal audit in real time; direct access to PBCs frees-up valuable time and keeps audits on track and in budget.
How do I manage issues?
Management, internal audit, and external audit all have a line of sight into control effectiveness. In many cases, if issues arise, each group documents them separately.
All parties then meet to aggregate issues and determine whether they should be reported as control deficiencies, significant deficiencies, or material weaknesses. When issues aren’t addressed until the end of an audit cycle, it can result in unnecessary debate over the existence or severity of deficiencies. These debates can damage the relationship between management and auditors and waste valuable time.
An integrated reporting tool centralizes issue management. All stakeholders have visibility into findings so there are no surprises at the end of the audit period. This can also record the severity or impact of the issue – whether there are mitigating controls or if remediation is being performed, and the status and owner – all in one location.
With the proper alignment between accounting and internal audit, both teams can focus on proactively managing risk and improving processes throughout the organization.