Control Identification and Implementation

One of our teams just completed a Control Identification and Implementation project for a great client partner that is implementing a new ERP system. Our team analyzed business processes to understand process steps and identified controls in business and IT processes including manual controls and automated system controls. In cases where gaps in controls were identified, we worked with our client to design and implement new controls. We documented the processes in process flow diagrams and documented the risks, controls and internal audit test procedures in the client’s Risk and Control Matrix. As a result of this project, we helped our client improve the design and operating effectiveness of their controls and provided internal and external stakeholders with a better understanding of the control environment.


Streamlining Control Operations: Control Rationalizations

Control rationalization can help companies align controls with risk, improve governance and deploy resources more efficiently.

Control rationalization helps a company identify and mitigate risks more efficiently. One result of a thorough assessment is that companies can identify control gaps and weaknesses that may expose them to financial misstatements, fraud, compliance breaches, and cybersecurity threats. Changes to business operations, systems or processes occur regularly and require controls to be adjusted so that the associated risks remain addressed.

Enhancing Efficiency and Effectiveness: Control rationalization involves evaluating existing controls to identify redundancies and inefficiencies. By eliminating unnecessary controls, companies can streamline activities associated with performing and documenting the controls and streamline control effectiveness assessments.

Tips for Successful Control Rationalization:

  1. Identify the objectives for maintaining your control environment (e.g. improve the accuracy and reliability of financial reporting, comply with regulatory requirements, prevent fraud, etc.).
  2. Assess existing processes and controls. Conduct meetings with stakeholders (control owners, process owners, etc.) to understand current business processes and to identify the control procedures being performed, including both automated and manual controls. Also identify changes to the environment, systems and processes.
  3. Evaluate processes to identify relevant risks and the associated controls in place to mitigate those risks.
  4. Analyze the risks and controls to:
    • Determine if there are risks which are no longer relevant and should be removed;
    • Identify which controls most effectively mitigate the associated risks (consider both manual and automated controls);
    • Determine if there are controls that can be removed from the risk and control matrix;
    • Consider utilizing a tiered control strategy of primary and secondary controls, where primary controls are relied upon for initial compliance support and secondary controls are only used for audit support when the primary controls are not operating effectively. Both primary and secondary control procedures would still be performed; however, the documentation requirements for secondary controls may be different than those for primary controls.
    • Where risks are identified with no associated controls, work with process owners to design and implement appropriate controls.
  5. Collaborate and communicate with stakeholders to finalize the risk and control matrix to help encourage the effective adoption of any changes to the control environment.
  6. Update supporting control documentation (e.g. process flow diagrams, process narratives, etc.) to add new controls, remove controls no longer needed, change controls from primary to secondary, etc.
  7. Perform ongoing monitoring of processes, controls and risks, and maintain the risk and control matrix so that it adapts to the changing environment and risks.
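The analysis in step 4 above (retire stale risks, flag risks with no control, drop controls that no live risk depends on, and tier the rest into primary and secondary) can be run over a risk and control matrix once it is captured as data. This is an added illustration, not code from the original post; the matrix rows, the risk and control IDs, and the rule that an automated control is preferred as the primary control are constructed assumptions.

```python
"""Rationalize a Risk and Control Matrix (RCM) as described in step 4."""
from collections import defaultdict

# Constructed sample RCM: (risk_id, risk_still_active, control_id, control_type).
# control_type is "automated" or "manual". A control_id of None records a risk
# that currently has no control mapped to it. All IDs are hypothetical.
RCM = [
    ("R1", True,  "C1", "manual"),
    ("R1", True,  "C2", "automated"),
    ("R2", False, "C3", "manual"),     # process changed; risk no longer relevant
    ("R3", True,  None, None),         # control gap
    ("R4", True,  "C4", "manual"),
    ("R4", True,  "C5", "manual"),
]


def rationalize(rcm):
    """Return the rationalization findings for an RCM given as rows."""
    controls_for = defaultdict(list)   # risk_id -> [(control_id, type), ...]
    inactive = set()
    for risk, active, control, ctype in rcm:
        if not active:
            inactive.add(risk)
        controls_for[risk]             # make sure every risk has an entry
        if control:
            controls_for[risk].append((control, ctype))

    findings = {"retire_risks": sorted(inactive), "gaps": [],
                "removable_controls": [], "tiers": {}}
    still_needed = set()
    for risk, ctrls in controls_for.items():
        if risk in inactive:
            continue                   # retired risk: its controls may go too
        if not ctrls:
            findings["gaps"].append(risk)   # design a control with the owner
            continue
        # Assumed tiering rule: an automated control becomes the primary control;
        # the remaining controls for the same risk become secondary.
        ordered = sorted(ctrls, key=lambda c: c[1] != "automated")
        findings["tiers"][risk] = {"primary": ordered[0][0],
                                   "secondary": [c for c, _ in ordered[1:]]}
        still_needed.update(c for c, _ in ctrls)

    # A control that no active risk relies on is a candidate for removal.
    all_controls = {c for _, _, c, _ in rcm if c}
    findings["removable_controls"] = sorted(all_controls - still_needed)
    return findings
```

Findings still need stakeholder review (step 5) before the matrix is updated; the script only surfaces candidates.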

Control rationalization helps companies to mitigate risks, strengthen governance and compliance, and enhance efficiency. By streamlining controls and eliminating redundancies, organizations can improve operational agility and allocate resources strategically.

#Audit #InternalControls #RiskMitigation #SOX #SOXCompliance


Preparing for a System Implementation Audit

Whether it’s a global ERP system or a small payroll system, any system implementation is likely to interest internal audit and possibly your external auditors as well. You may be wondering which aspects of an implementation your stakeholders will be most interested in when the time comes. The following paragraphs identify some of the most common areas reviewed during an implementation audit.

Testing.

Testing is often the area where auditors spend a majority of their time during an implementation review. User acceptance testing, validation testing, and interface testing are the main types of testing that auditors will want to review. Consider whether the testing performed was documented in a way to allow an auditor to follow the testing process and understand whether the test was successful or not. When it comes to testing, maintaining adequate documentation is often the key.

End-User Access.

End-user access is another area to consider when performing an implementation. Your auditors will want comfort that only users who require access for their job function have been set up within the system, and that the access granted to those users raises no segregation of duties concerns. A documented pre-implementation user access review is instrumental in providing your auditors with the comfort they will be looking for regarding end-user access to the new system.

Governance and Ongoing Maintenance.

As you already know, the work doesn’t end when the system goes live, and your auditors know this too. It’s important to show that consideration has been given to the ongoing processes and procedures that will be in place around such things as granting and removing access to the system and handling program changes or upgrades. Ideally, these processes or procedures are formally documented by the time the system is fully implemented.

Documentation.

You’ve probably heard the phrase, “if it’s not documented, it’s not done.” Often, organizations have very strong system implementation processes and procedures in place; however, gaps occur in the documentation and support that evidence the process. Appropriate documentation needs to be maintained to evidence each aspect of the system implementation, so that support can be provided to auditors, or to anyone interested in understanding your system implementation process and its outcome.