Although only public companies are required to have documented processes that identify internal controls, all companies could benefit from following a similar approach.
“What company wouldn’t want to know where their problem areas are and develop a plan to fix them?” says Chrissy Walters, principal at Skoda Minotti.
Adopting a risk-based approach starts with the question, “What keeps you up at night?” The answers will guide executives to the risks that need to be addressed.
Smart Business spoke with Walters about the benefits that control oversight and internal audit offers to companies of all types and sizes.
How well do C-level executives understand the risks their companies face?
C-level executives understand the high-level risks, but more granular issues are typically managed by the process owners. For example, an executive may understand the risk of non-compliance to Generally Accepted Accounting Principles (GAAP), but it is the process owner who manages risk mitigation activities such as completing a financial reporting checklist.
The key is to have effective communications so C-level executives are informed of emerging issues and can act accordingly. Internal audit plays a role in the communication cycle by reporting testing results to management and the board of directors.
Where should companies start when setting up control oversight?
Start by documenting existing processes such as accounts receivable, accounts payable, inventory, etc. This is commonly completed in narrative form, which may not capture the process correctly or may not contain an appropriate level of detail.
People tend to skim a narrative and believe that it’s acceptable without considering the underlying control structure. I prefer flowcharts because they provide a visual depiction of the process, with tasks assigned to specific individuals, and highlight controls.
Ideally, each person involved in the process reviews the steps to make sure they are captured correctly and agrees to their role in the control environment. A well-documented process has the added benefit of facilitating a clear understanding for new employees, management and auditors while showing the controls that have been implemented.
Through the documentation process, potential risks, such as segregation of duties conflicts, become more apparent. Process owners can then develop a control program to mitigate identified risks.
Once controls are established, they should be tested through an internal audit testing program to verify they are effective. Process documentation captures information at a specific point in time. It’s important that companies review their process documentation annually to verify that process flows and controls are still valid, or if additional risks and controls should be considered.
What are the benefits of using a third party to conduct an internal audit?
There are three benefits to using third-party internal audit consultants. They provide specific expertise, a more objective perspective and staffing flexibility.
Internal audit specialists are unique in their focus on risk environments and control development. They work with a variety of companies, learn from them, and therefore can share best practices to maximize control effectiveness in a cost-efficient manner.
Auditors work with their clients to challenge the status quo and identify better ways to manage their risk. Solutions could include automating processes, adding new controls, or in some cases eliminating overlapping controls. A different perspective is important because people may be accustomed to the way a company has operated over time, but there may be room for improvement.
A third-party auditing team provides staffing flexibility by taking on special projects, such as enterprise risk management reviews, litigation support and fraud investigations, leaving the company’s staff to focus on their core responsibilities.
Internal audit removes a company’s blindfold so risks can be seen and effective controls can be constructed to help the company become stronger. ●
Insights Accounting is brought to you by Skoda Minotti