Internal Controls & Compliance in an ERP Environment – Key influencers

Internal control frameworks have been in existence for a very long time, well before Sarbanes-Oxley made them mandatory. COSO (Committee of Sponsoring Organizations of the Treadway Commission) issued its first framework way back in 1992.

Section 404 of SOX has made it mandatory for companies to annually assess and report on the effectiveness of internal controls over financial reporting. Financial reporting is directly influenced by multiple factors, including the industry in which the company operates, local statutory requirements such as US GAAP, and the size of the company. From an internal controls perspective, it is entirely influenced by risk, and this risk is in turn entirely influenced by the business and IT processes in place.

To an extent, SOX has ensured that internal controls are not looked at as a one-time exercise. For successful compliance, the controls have to exist, have to be operational, and have to remain continuously operational.

Complying with internal control requirements carries a certain cost. This cost will be both one-time and recurring. By tightly integrating internal controls with operational components, companies can both increase the efficiency and predictability of their operations and reduce the ongoing cost of maintaining controls. Potentially, a company is also saved the cost and embarrassment of any misstatements, malfeasance and financial fraud.

Let’s look at some of the key influencers:

Financial Reporting: Financial reporting is primarily influenced by the industry and statutory regulations, more so for companies in regulated domains like insurance and banking. Local statutory reporting and disclosure requirements are another key factor. If a company operates in multiple geographies and has to report in different formats (US GAAP, IFRS, etc.), each of these will have a bearing on how financial information is processed for final statement and disclosure.

Business Process: Addressing Risk through internal controls will strongly influence and be influenced by business process. Here business process could mean revenue recognition, special purpose vehicles, capitalization / amortization etc. Evaluation and mitigation of risk will include assessment of policies & procedures guided by financial reporting objectives and aided by financial reporting competencies.

IT Process: Information technology is perhaps the biggest area for internal controls, both in terms of impact and in terms of coverage. Risk assessment in this area is directly related to the complexity of the IT ecology. With multiple systems, silos of information processing and complex integration strategies, assessment ranges from access control to change control, and from data integrity to data protection. In many of the internal control review and audit assignments that Thirdware has executed, many of the leakages emanate from these four areas:

  1. Generic ids and access control
  2. Segregation of duties
  3. Audit trail
  4. Data integration and integrity

Internal controls, like any other key management process, must revolve around these 5 key processes. The COSO framework on internal controls elaborates on these areas extensively.

  1. Control Environment: Setting the overall control environment including buy in from top management, organizational structure, financial reporting competencies, authority & responsibility and human resources.
  2. Risk Assessment: Establishment of financial reporting objectives, and assessment of financial reporting and fraud risks.
  3. Control Activities: Addressing risks, and selection and development of control activities, including policies & procedures and IT controls.
  4. Information and Communication: Addressing information relating to financial reporting and internal control, for both internal and external consumption.
  5. Monitoring: Ongoing evaluation and corrective actions.

More to follow
