Five steps to a healthy internal control environment

1. Documentation: The mapping exercise
A company looks at SOX and other regulations to see which areas of their business are going to be affected by the regulation’s requirements. They then go through an intensive mapping process, identifying the business processes, subprocesses, and departments that are involved.

The next step is to highlight the risks and compliance issues. For example, when someone is taking orders from new customers, they need to make sure that a credit check is performed every time. The company should develop a control that will be done from outside its order-taking system that checks all transactions and reports back on whether the system is running credit checks for all new customers.

2. Testing: Real-time and historical
After the documentation phase, companies then implement control checks, either preventative checks, such as those that seek out Segregation of Duties (SoD) violations, or detective checks, which are after-the-fact checks on what happened (historical) or what’s happening right now (real-time). By automating both real-time and historical checks, a company can form a clearer idea of how their business is operating.

3. Remediation: Fixing the problem
When an internal control flags an issue — either a control violation or a control failure — someone must fix it. The control software should automatically create a case in the system that includes all the details of what happened, why the case has been created, what control has failed, and who is going to fix it. The system should ensure that cases are automatically assigned to the people who are responsible for that business area: the business process owners as well as the control owners.

When the system creates a case, it should notify the control owner that they are responsible for investigating the failure, and notify the business process owner that a problem has been found and that she is now responsible for fixing it.
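To make steps 1 to 3 concrete, here is an added example (not code from the original article) of the credit-check control described above, written as a detective check that runs outside the order-taking system over its exported transactions, in either historical or real-time scope, and opens a case assigned to the business process owner and the control owner. The export fields, owner names and control id are assumptions.

```python
from dataclasses import dataclass

# Constructed sample export from the order-taking system. The field names are
# assumptions, not the schema of any real product.
ORDERS = [
    {"order_id": 1001, "ts": "2024-03-01T09:00:00", "new_customer": True,  "credit_check": True},
    {"order_id": 1002, "ts": "2024-03-01T09:05:00", "new_customer": True,  "credit_check": False},
    {"order_id": 1003, "ts": "2024-03-02T10:00:00", "new_customer": False, "credit_check": False},
    {"order_id": 1004, "ts": "2024-03-02T10:30:00", "new_customer": True,  "credit_check": False},
]

# Hypothetical ownership table for the order-to-cash area: a case must reach
# both the business process owner and the control owner.
OWNERS = {"order_to_cash": {"process_owner": "bpo.sales", "control_owner": "ctl.finance"}}


@dataclass
class Case:
    control_id: str
    process: str
    failed_records: list
    process_owner: str
    control_owner: str
    reason: str


def credit_check_control(orders, since=None):
    """Detective control run outside the order system: every new-customer
    order must carry a credit check. since=None is a historical run over all
    records; an ISO timestamp makes it a real-time run over recent ones."""
    scope = orders if since is None else [o for o in orders if o["ts"] >= since]
    return [o["order_id"] for o in scope if o["new_customer"] and not o["credit_check"]]


def open_case(control_id, process, failed, owners):
    """Remediation step: turn a control failure into a case that records what
    failed, why, and who must fix it. No failures means no case."""
    if not failed:
        return None
    o = owners[process]
    return Case(control_id, process, failed, o["process_owner"], o["control_owner"],
                f"{len(failed)} new-customer order(s) without a credit check")


def run_credit_check(orders=ORDERS, owners=OWNERS, since=None):
    failed = credit_check_control(orders, since)
    return open_case("CTL-CREDIT-001", "order_to_cash", failed, owners)


if __name__ == "__main__":
    print(run_credit_check())                              # historical run
    print(run_credit_check(since="2024-03-02T00:00:00"))   # real-time run
```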

4. Analysis: Reports for management
In the analysis phase, managers report on the control environment. The senior management in charge of compliance (whether it’s the compliance team, the Chief Financial Officer, Chief Risk Officer or the Compliance Vice President) runs reports: what controls have run recently, how many failed, and which business processes are most at risk. The most important of these reports is always that which impacts a significant account, or anything that ends up on the income statement.

The reports are available so that companies can measure and analyze their regulatory compliance. At a board meeting, management will now ask, "How are we doing with regard to financial compliance?" and having this quick, up-to-the-minute status will enable them to ascertain how compliant the company is.

5. Optimization: Barring risk
Finally, the control software should optimize controls by preventing risks from entering enterprise applications. Companies that implement preventative measures such as compliant change control (see Chapter 13) and compliant user provisioning (see Chapter 6) will see a reduction in control violations because risk never enters the enterprise applications that they use to run their business.
