"Don't give me more reports on my control weaknesses — fix them!" That's increasingly the attitude in some corporations, reacting to ever-increasing pressure on internal controls, particularly from Section 302 and Section 404 of the Sarbanes-Oxley Act.

When CEOs and CFOs certify their assessments of internal controls effectiveness, the last thing they want is to be presented with a long list of worrying weaknesses.

Some corporations are creating new roles with names like "Internal Control Manager" and "Head of Business Assurance" to fix problems. These roles are in addition to internal audit, whose main task is to report on the effectiveness of internal control.

Sections 302 and 404

One of the most efficient ways to evaluate internal controls for the purposes of Sections 302 and 404 of the Act is to operate process monitoring for all large scale business/financial processes. This gives good control and virtually continuous evidence of controls effectiveness with minimal extra work.

This kind of management control means you can see statistics on the throughput, error rates, and backlogs of major processes and use them to improve performance and confirm controls effectiveness, within certain limits.

Of course, in most cases this means designing and implementing some new procedures and reports.
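As an added illustration of the process monitoring described above (not code from the column), the script below takes a constructed daily feed of counts for one large-volume process, derives the throughput, error rate and backlog statistics the text mentions, and flags days that breach assumed control limits; the feed layout and the limit values are assumptions for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DayCount:
    """One day's counts for a process, as a monitoring feed would supply them."""
    date: str
    received: int   # items that entered the process that day
    processed: int  # items completed that day
    errors: int     # completed items that failed validation or needed rework

# Constructed sample feed for five days of an order-to-bill run.
SAMPLE = [
    DayCount("2024-03-04", 1200, 1180, 12),
    DayCount("2024-03-05", 1250, 1240, 10),
    DayCount("2024-03-06", 1300, 900, 45),   # throughput drops, errors spike
    DayCount("2024-03-07", 1220, 1400, 20),  # catching up
    DayCount("2024-03-08", 1180, 1190, 8),
]

# Assumed control limits agreed with the process owners (illustrative values).
LIMITS = {"max_error_rate": 0.02, "max_backlog": 300}

def monitor(days, limits=LIMITS, opening_backlog=0):
    """Return (per-day statistics, control exceptions).

    Throughput is items processed; error rate is errors over processed;
    backlog is the running total of received minus processed.
    """
    backlog = opening_backlog
    stats, exceptions = [], []
    for d in days:
        backlog += d.received - d.processed
        error_rate = d.errors / d.processed if d.processed else 0.0
        row = {"date": d.date, "throughput": d.processed,
               "error_rate": round(error_rate, 4), "backlog": backlog}
        stats.append(row)
        if error_rate > limits["max_error_rate"]:
            exceptions.append((d.date, "error_rate", row["error_rate"]))
        if backlog > limits["max_backlog"]:
            exceptions.append((d.date, "backlog", backlog))
    return stats, exceptions

if __name__ == "__main__":
    stats, exceptions = monitor(SAMPLE)
    for row in stats:
        print(row)
    for when, metric, value in exceptions:
        print(f"EXCEPTION {when}: {metric} = {value}")
```

The exception list is the continuous evidence: an empty list for a period says the controls held, and each entry points at the day and metric that needs follow-up.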

The Telecom Example

Telecom might not sound like the first industry to turn to for "best practices" in internal controls.

However, in the last five years or so, almost all major telcos have set up teams to do "revenue assurance," namely, to fix billing problems that — for many telcos — were resulting in five percent or more of revenues simply not being billed.

These revenue assurance teams could be cost-justified easily. Many are now moving on from recovering lost revenues to preventing errors by building more effective control systems. These teams consist of hands-on, practical individuals, using their personal skills and an increasing range of tools to achieve remarkable improvements in process efficiency, revenues, and bottom line results.

Increasingly, these teams are using monitoring techniques to measure controls performance continuously.

The same opportunities to cut costs, improve top line numbers, reduce internal processing costs, and monitor controls effectiveness continuously exist in many industries. We could see "assurance" functions spring up in many places.

The Main Barrier

Whether you look to Internal Audit to sort out your internal control weaknesses, or to a dedicated hands-on team, the biggest barrier you are likely to face is lack of suitably skilled people.

Most people who understand internal controls are auditors.

Most people who are designers and implementers have only a weak grasp of internal control and risk management.

Create a multi-skilled team and develop effective ways of working as quickly as possible.

Design & Implementation Tips

Here are my tips for designing and implementing internal controls:

Design Vs. Audit - Remember that design and audit are very different. The main reason auditors are not more effective at controls design is that they try to do design using audit techniques. It doesn't work.

High Level Designs - Sketch out the solutions you are going to build. Create high-level designs showing key controls and types of mechanism at an early stage and use these to identify development projects and guide later work.

Personalize - Use generic models of internal control systems, but make sure you adapt them carefully for the distinctive characteristics of your company, processes, products, pricing structures, people — even the weather if necessary.

Delegate Appropriately - Use your top controls people when they are really needed. Many controls can be left to others and just reviewed. The appropriate information technology folks in your organization, for example, know they need to deal with disaster recovery and usually remember that passwords are important. As a result, it is often enough to meet them early on, clarify scope, then check in from time to time to keep the momentum going.

Don't Rely On One Control - Make your control system multi-layered. Never rely on one control to cover a risk. Always look to use process monitoring as a control.

Human Error - Don't overlook usability. Most errors can be traced back to human error, and human error is best countered by improving usability. The second most important control here is training.

Tough Control Issues

Finally, a word about the "old chestnuts" of internal control.

There are a number of topics that linger on everyone's list of control weaknesses, but I doubt there are many found more commonly than business continuity and network security.

The key issue here: they are very difficult to solve. Even when you think you've done it, a year later they'll be back on the audit committee's hit list.

Here are some ideas that often work well:

Test Frequently - For business continuity, try running a test, even if you know you're not ready, and see what happens. Using this as a learning experience can cut out lots of drafting and other preparation that may not be needed.

Security & Centralization - For computer access security, consider establishing standard security settings for each operating system you use, and buy or write a tool to check any machine in your corporation to see whether it complies. This helps reduce the incidence of non-hardened servers.
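Added example of the kind of compliance-check tool the tip describes (not from the column): it parses "keyword value" configuration text, taking the sshd_config layout as the assumed input, and lists every setting that departs from an assumed per-OS baseline; the baseline keys and values are illustrative, not a vendor standard.

```python
# Assumed baseline for one OS; the keywords and values are illustrative only.
BASELINES = {
    "linux": {
        "PermitRootLogin": "no",
        "PasswordAuthentication": "no",
        "MaxAuthTries": "4",
        "X11Forwarding": "no",
    },
}

# Constructed sample config text, as it might be read from a server.
SAMPLE_CONFIG = """
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
#MaxAuthTries 6
X11Forwarding no
"""

def parse_config(text):
    """Return {keyword: value} for active lines; comments and blanks are skipped.

    Keywords are lower-cased because sshd reads them case-insensitively;
    values are kept as written.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings

def check_compliance(settings, baseline):
    """Return [(keyword, expected, actual)]; actual is None when the keyword is unset."""
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key.lower())
        if actual != expected:
            findings.append((key, expected, actual))
    return findings

def audit_host(config_text, os_name):
    """Check one host's config text against the baseline for its OS."""
    return check_compliance(parse_config(config_text), BASELINES[os_name])

if __name__ == "__main__":
    for key, expected, actual in audit_host(SAMPLE_CONFIG, "linux"):
        print(f"NON-COMPLIANT {key}: expected {expected!r}, found {actual!r}")
```

A commented-out keyword counts as unset, which is deliberate: the daemon's default applies, and the baseline wants the value stated explicitly.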

Failure to remove access rights when employees change jobs or leave the company is another key culprit. To tackle this one, consider centralizing access administration, and using a database to log the access each employee or contractor has. Link this to your personnel database and records of contractors. Doing these things will probably put you in the top quartile for computer security.
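Added example of the reconciliation that a centralized access database linked to personnel and contractor records makes possible (not code from the column): it lists every grant whose holder has left, whose contract has ended, or who has no personnel record at all. The record layouts, identifiers and dates are constructed for the example.

```python
from datetime import date

TODAY = date(2024, 3, 8)  # fixed so the example is reproducible

# Constructed HR records: person id -> (status, leaving date or None)
PERSONNEL = {
    "E100": ("active", None),
    "E101": ("left", date(2024, 1, 31)),
    "E102": ("active", None),
}
# Constructed contractor records: person id -> contract end date
CONTRACTORS = {
    "C200": date(2024, 6, 30),
    "C201": date(2024, 2, 15),
}
# Constructed central access register: (account, system, person id)
ACCESS = [
    ("jsmith", "billing", "E100"),
    ("pjones", "billing", "E101"),   # employee left but access never removed
    ("pjones", "erp", "E101"),
    ("akumar", "erp", "E102"),
    ("c_lee", "billing", "C200"),
    ("c_wong", "billing", "C201"),   # contract has ended
    ("svc_old", "erp", "E999"),      # no matching person record at all
]

def stale_access(access, personnel, contractors, today=TODAY):
    """Return (account, system, reason) for every grant that should be revoked."""
    stale = []
    for account, system, pid in access:
        if pid in personnel:
            status, left = personnel[pid]
            if status != "active" or (left is not None and left <= today):
                stale.append((account, system, f"employee left {left}"))
        elif pid in contractors:
            end = contractors[pid]
            if end < today:
                stale.append((account, system, f"contract ended {end}"))
        else:
            # An account nobody owns is the classic leftover of a departed user.
            stale.append((account, system, "no personnel or contractor record"))
    return stale

if __name__ == "__main__":
    for account, system, reason in stale_access(ACCESS, PERSONNEL, CONTRACTORS):
        print(f"REVOKE {account} on {system}: {reason}")
```

Running this against the live register on a schedule turns a one-off clean-up into a monitoring control, in the sense used earlier in the column.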

Be Realistic

Your organization will never be completely secure, so the aim should be to judge realistically the degree of risk remaining, taking into account all the layers of control you have in place.

Just because there is a gaping hole at one level doesn't mean you are wide open.

Just because it is possible to crack your security doesn't mean that anybody can do it.

This column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.