Internal controls are the activities and mechanisms which prevent or detect issues, errors or non-compliance with policies or laws and regulations, helping to define the parameters within which an organisation can operate. Controls that are well designed and function effectively will ensure risks are robustly managed in line with the Board's desired risk appetite and empower management to operate and pursue objectives with a greater degree of confidence and certainty.
Formalised internal control frameworks are commonly defined and adopted by finance functions to mitigate risks in areas such as fraud and misreporting, with larger organisations having established frameworks that cover a broader range of operational activities, legal and compliance risks in order to promote a more uniform internal control environment and address weak links. Consistency, clarity and transparency over an organisation's key internal controls enable management teams and assurance providers to focus their oversight and challenge, and strengthen governance and accountability.
We recognise that in most organisations there is a clear business imperative to promote autonomy within departments and subsidiaries in support of entrepreneurial behaviours; however, this cannot excuse recklessness and an appropriate balance of control is needed. Rather than crippling the organisation with bureaucracy or maintaining 'institutional' controls that no longer address live risks, our focus is to support our clients in developing efficiently administered, risk-intelligent and pragmatic internal control frameworks that empower the organisation to be more agile and responsive in a 'safe' manner.
How do we help?
Our team has extensive experience in designing and implementing internal control frameworks. We can help you:
Identify the organisation's key operational, financial (including ICFR / SOX / JSOX) and legal / compliance controls, and consolidate these controls into a Risk and Control Matrix (RACM) with supporting framework design and component development
Highlight potential control gaps and weaknesses, as well as standardisation opportunities, and work with management to design related control improvement plans
Perform independent control testing (including ICFR, SOX and JSOX)
Identify and implement improvement and efficiency opportunities around management's SOX / JSOX testing programme (e.g. scope reductions, external auditor alignment, methodology development)
Develop control self-assessment mechanisms and related reporting templates and channels (including s.302 reporting)
Capture and track remediation of control deficiencies and other issues
Consolidate and integrate all assurance activities over key controls into an 'assurance map'