While Section 404 of SOx has made to mandatory for companies to annually assess and report on the effectiveness of internal controls over financial reporting. Financial reporting is directly influenced by multiple factors including the industry in which the company is working, local statutory requirements i.e., US GAAP and size of the company. From an internal controls perspective, it is entirely influenced by Risk. And this risk is entirely influenced by business and IT processes in place.

To an extent SOX has made Internal Controls to be looked at not as a one time exercise. For successful compliance the controls have to be existent, controls have to operational and continuously operational.

Complying with internal control requirements carry certain cost. This cost will be both one time and recurring. By making internal controls tightly integrated with operational components, companies can look at both increasing the efficiencies & predictability of their operations as well as reduce the ongoing cost of maintaining controls. Potentially, a company is also saved the cost and embarrassment of any misstatements, malfeasance and financial frauds.

Let’s look at some of the key influencers:

Financial Reporting: Financial Reporting is primarily influenced by the industry and statutory regulations. More so for companies in regulated domains like Insurance, Banking etc. Local Statutory reporting and disclosure requirements are another key factor. If a company is operating in multiple geographies and have to report in different formats i.e., US GAAP, IFRS etc. each of these will have a bearing on how financial information is processed for final statement and disclosure

Business Process: Addressing Risk through internal controls will strongly influence and be influenced by business process. Here business process could mean revenue recognition, special purpose vehicles, capitalization / amortization etc. Evaluation and mitigation of risk will include assessment of policies & procedures guided by financial reporting objectives and aided by financial reporting competencies.

IT Process: Information Technology is perhaps the biggest area for internal controls both in terms of impact and in terms of coverage. Risk assessment in this area is directly related to the complexity of IT ecology. With multiple systems, silos of information processing and complex integration strategies, assessment ranges from access control to change control, data integrity to data protection. In many of the internal control review assignments audit that Thirdware has executed, much of the leakages emanate around these four areas:

1. i.        Generic ids and access control
2. ii.        Segregation of duties
3. iii.        Audit trail
4. iv.        Data integration and integrity

Internal controls, like any other key management process, must revolve around these 5 key processes. COSO Framework on Internal Controls elaborates these areas extensively.

1. Control Environment: Setting the overall control environment including buy in from top management, organizational structure, financial reporting competencies, authority & responsibility and human resources.
2. Risk Assessment: Establishment of financial reporting objectives, assessment of financial reporting & fraud risks
3. Control Activities: Address risks, selection & development of control activities incl policies & procedures and IT controls
4. Information and Communication: Address information relating to financial reporting & internal control both for internal and external consumption
5. Monitoring: Ongoing evaluation and corrective actions.
   

More to follow

Based on the numerous engagements Thirdware was involved in helping companies meet Internal Control requirements, this blog series should help explain the overall approach and execution. While many of the software vendors have provided patches or modules inside their application, unless the overall control process (both business and IT) is understood and addressed in unison, it is never complete.

Coming to the subject:

Internal Controls, for audit and certification purposes, must meet three essential conditions:

1.      Compliance and Controls must be documented

2.      Controls must be implemented and complied on an ongoing basis. It should be made part of the business process.

3.      Evidence must be available to prove compliance with the documented processes

If anyone of these elements is missing, the basic tenet of compliance is not fulfilled.

The foundation of these 3 conditions lies in the following approach

• Understanding and documenting Business and IT controls and their relationship to the financial reporting process
• Identifying risks and designing/implementing controls to mitigate risks and continuously monitoring them
• Ensure the controls are updated (Ongoing) and correspond to business process changes or the financial reporting changes impacting operations

The entire controls process lie both inside and outside the application. While, most companies have completed their initial phase in compliance, the requirement is to change SOx compliance from a project (audit compliance) based approach to that of a business process based approach.  Adopting a process-based approach to SOx compliance helps companies maintain strong internal control over financial reporting and saves money in the long-term and ensures a sustainable controls environment.

At a broad level, Internal Controls and Compliance must address the following: