Key Takeaways from Riveron’s IIA Event on Control Rationalization and Remediation Strategies
On September 13, Riveron hosted a discussion on control rationalization and deficiency remediation strategies. The event, part of the Institute of Internal Auditors’ Insight Series, convened several dozen members of the Minneapolis business community to discuss how companies can right-size their control environment and generate the best return on rationalization changes. The day began with two presentations on PCAOB standards and regulations and concluded with a moderated panel discussion comprised of internal auditors and SOX directors from Polaris, Optum, and US Bank. Here are our key takeaways from the event.
Everyone wants fewer controls
Everyone claims to want a more efficient internal control environment, yet no one seems to have one. There are many obstacles that get in the way of SOX optimization—such as cost, availability of personnel, acquisitions, and system implementations —and some can be self-inflicted. Control optimization requires time, thoughtful planning, and a commitment to change from process and control owners.
Automation is the answer, but it won’t happen overnight
Today’s business world requires the use of innovative systems and technology to automate manual processes. While this transition may eventually augur a more optimized internal control environment, it will not happen quickly. Even when automated controls are implemented, they often do not replace manual controls assigned to similar risks or assertions until management is sure the risk is properly mitigated, the control is effectively designed, and auditors can determine how to test.
Focus remains on completeness and accuracy of data and estimation processes
Even though companies have been focusing on data used in the performance of controls as well as evidencing management’s review and challenge of the estimation processes, these are still the main drivers of control deficiencies. Some companies have decided to test reports manually, while others have implemented an annual benchmarking strategy. Control owners also evidence review by keeping various drafts of memorandums, stating their expectations, and even quantitatively defining their level of review precision. While significant enhancements have been made by management, it can still be difficult to satisfy auditor expectations as the data and assumptions are constantly changing.
Communication and teamwork is key
Whether management is trying to remediate a deficiency, optimize a control environment, or implement a new IT system application, having internal and external audit and—in the case of a significant deficiency—the audit committee fully engaged is critical. Communication among relevant stakeholders ensures accountability in implementing the plan upon which all parties have agreed.