3 minute read
Business Operations l Internal controls Maintaining Effective Internal Controls in a Compliance-Driven World
By Chad Schaefer,
Implementing and maintaining effective internal controls can pose several challenges. It is important to note that internal controls are not a one-time implementation but an ongoing process. They require regular review, assessment and adjustment to accommodate regulations, organizational needs and changes in the business environment.
Weggeman,
Internal controls are a combination of processes, policies and procedures established within an organization to achieve its objectives, mitigate risks and maintain compliance with applicable laws and regulations. These controls help safeguard assets, promote accurate and reliable financial reporting and encourage adherence to organizational standards.
Here are some common issues faced by organizations and leading practices to support a healthy control environment:
1. Complexity/Scalability
Internal controls can become complex for a variety of reasons, including but not limited to the size of an organization, whether the organization is publicly traded, the number of business lines the organization has, recent acquisitions and the gamut of compliance requirements the organization may be subject to. As organizations have more compliance requirements, scaling controls to meet requirements while being efficient is a challenge. Organizations can begin by establishing a baseline of all compliance requirements that apply. Some requirements may impact all lines of business, while others may be business-line specific. To effectively manage these requirements, further analysis of the requirements is needed to identify where the same requirement can be covered for multiple business lines or compliance frameworks. Root cause analysis is the first step in the planning process, whereas failing to plan is simply planning to fail.
2. Compliance efforts
Internal controls can be used for internal compliance and to help external auditors fulfill their examination obligations. Internal controls apply not only to financial reporting but also to information technology systems. Working with an organization’s external auditor(s) can be beneficial to identify where internal control testing can be used directly or modified to include the scope being examined by the auditors. Historically, controls have been developed to cover risks for independent business lines or systems, which often leads to duplicate efforts and inconsistent treatment of controls across an organization. Understanding the scope of controls is critical to identifying duplication and finding ways to become more efficient and standardized as an organization. To do this, actively work with process owners to determine if processes are the same across different business lines and systems. An example of this can be seen with the shift to cloud-based infrastructure. Multiple service lines may be loaded to the cloud infrastructure, where a single process is now used instead of numerous legacy processes. Actively managing controls and understanding organizational changes can help identify ways to potentially consolidate duplicate efforts where it makes sense for the business.
3. Changing regulations
As mentioned before, internal controls can apply to different areas outside of financial reporting. With new compliance frameworks and updated guidelines continually evolving, understanding whether an organization complies with new requirements is challenging. Manually reviewing each framework and set of requirements is time consuming and can lead to manual error. To avoid this, an organization should effectively maintain a current list of controls and identify a systematic way of analyzing whether adjustments are needed. Leveraging a governance, risk and compliance tool may help maintain this going forward.
4. Cost
Developing and implementing robust internal controls can involve significant costs. In addition, purchasing a tool to manage them effectively can also require a considerable investment. Conducting an initial risk assessment, designing and implementing controls, training employees, documenting and retaining audit evidence and addressing control deficiencies are just some of the requirements of an internal control environment. Organizations should take a “crawl–walk–run” approach, in which a realistic plan that considers limited human resources and budget constraints is coordinated. A healthy control environment takes time to build.
5. Organizational standpoint
There may be resistance when new controls are implemented. Controls may be time consuming and hinder work efficiency. Suppose an organization has a compliance-first mentality. This would lessen the burden of implementing controls after the fact and convey that having controls in place to meet requirements is essential to the organization. In addition, if controls are proactively factored in during process implementation, it reduces risk and allows for easier maintenance of controls. For example, automated controls are more accessible to add in during a process buildout rather than adding a manual check afterward. This also reduces the burden and human error of manually supporting a control. Giving time back to focus on tasks at hand rather than pulling compliance documentation will be well received by employees, as well.
A healthy internal control environment takes time to build and has many challenges. Overcoming these challenges in an evolving compliance landscape can be overwhelming. When organizations face requirements from different frameworks and address various risks, having a culture in which compliance is at the forefront is critical. Risk is everywhere. How will your organization work to control it?
Chad Schaefer, CPA, CISA, CISSP, is a risk advisory manager for Baker Tilly in Appleton, where he specializes in system and organization controls (SOC) reporting. Contact him at chad.schaefer@bakertilly.com. Monica Weggeman, CISSP, CISA, CIA, HITRUST CCSFP, is a risk advisory manager for Baker Tilly in Milwaukee, where she specializes in attestation engagements. Contact her at monica.weggeman@bakertilly.com.
