FOCUSING ON YOUR SYSTEM OF INTERNAL CONTROL
Are you concerned that your internal control system can’t keep up with the changing risks facing your business e.g., globalisation, entering new markets, acquisitions etc?
Are you satisfied that the accuracy and validity of management information is ensured through the current internal control practices?
Are your practices geared at meeting emerging Governance Standards?
Is your internal control system too costly – based on duplicate and manual processes?
Are you unable to keep your internal controls personnel trained on all of the emerging technologies and systems that your company needs to compete?
It’s hard to recall a time when there has been such a focus on internal controls for businesses of all sizes. Internal controls have gone from often being an afterthought to an integral part of a company’s infrastructure.
While the Sarbanes-Oxley legislation applies only to public companies in the U.S., the resulting focus on internal controls is raising the bar for acceptable practices world-wide. Internal controls are no longer about outdated policies and practices but rather to a range of practices from the tone at the top delivered by the CEO and the Board of Directors to the day to day tasks performed by employees.
Often, controls would have been designed and implemented in an unstructured manner, as the need arises, upon identifying that there is a particular risk that is not being properly addressed. In most of these cases, these controls are manual as they are put in place at the spur of the moment and / or to overcome a limitation in IT systems used. Such controls evolve by department rather than by function, often resulting in duplication of controls within a company.
The implementation of a structured system of controls within a company always comes at a cost. It is therefore important to ensure that the controls put in place provide added value in terms of effectiveness and efficiency in addressing an identified risk. Duplication of tasks and the performance of superfluous controls that do not address a valid risk should be avoided. The application of automated controls, as appropriate, should be considered to replace manual procedures that are lengthy and error-prone.
Another hidden cost resulting from an unstructured control environment is that relating to the risks that remain unaddressed. Companies feel a false sense of security through the implementation of duplicate or manual controls when often, despite the cost, control gaps remain in unforeseen areas. Recent international experience of business failures shows that even well-run companies needed a refresher lesson about the fundamental importance of internal control. Strengthening internal controls is an area that a business at any stage can benefit from.
Ensuring you are ‘in’ control
There are five components of internal control that you need to consider:
· The control environment that acts as the foundation for an internal controls system. This component encompasses a code of conduct that defines the company’s commitment to quality and ethical behaviour.
· The identification of risks and the definition of a plan as to how the risks will be managed.
· The establishment of control activities over company processes to ensure that they run more efficient and at lowest possible cost.
· The provision of information to support control activities.
· The monitoring of internal controls, from within the organisation by management and from outside the process either by an internal audit function or commissioned one-off exercises.
Our PricewaterhouseCoopers Internal Control Services professionals have a wide range of experience and expertise in the areas of controls, finance and Information Technology. That's why we possess a unique understanding of the value of the Internal Control process to gain more effective business risk management capabilities.
Some of our clients need support to strengthen their existing systems of Internal Control. Others need assistance to monitor their changing risks. Certain clients need help to assess their systems of control and to implement the changes as necessary. Some need to build up or enhance their controls documentation. And some need a partner for any combination of the above.
We offer a wide range of services that are flexible to client requirements:
Full outsourcing : We may act as the client’s own internal audit department providing an internal audit team that is stationed at the client’s premises throughout the duration of the engagement.
Partial/Co-sourcing: This is similar to full outsourcing, with the difference that part of the internal audit team is staffed by client employees. The client may choose to have such an arrangement on an ongoing basis or otherwise until the company’s own internal audit staff has acquired sufficient training and experience.
Controls Health Checks : These assignments involve a review of the key processes and controls of the main cycles of the client’s business, or otherwise limited to only one or two specific areas of business.
Writing of Procedures : We assist companies to set out internal control policies and procedures.
Strategic Sourcing : Although the client may not require a full-fledged internal audit department, the company may at times require focused internal audit assistance on a particular area of concern. Similar services also include fraud investigations and IT effectiveness audits.
Advisory Sourcing : We also provide consultancy to already existing internal audit departments, or otherwise towards the setting up of a new internal audit department. Such consultancy work includes assistance in the work methods (to be) adopted and may also include a review of the effectiveness of an existing internal audit function.
Sarbox Work : This relates to compliance audits performed in conformity with the Sarbanes-Oxley regulations for SEC-listed companies, as well as related support to prepare for such audits.
Our services enable a broad range of flexible and unique solutions ensuring an ‘added value’ driven approach through the utilisation of a diversity of skills available. On a typical assignment a range of expertise is applied, on the areas of process analysis, risk-controls assessment and IT evaluation, to deliver a holistic approach.