Internal controls identified & documented against various risks in the process would be assessed periodically by management to analyze if the design of the control is sufficient and appropriate. In addition, controls will be evaluated to determine if they have been operating effectively throughout the relevant period.
Common Control Deficiency
1. Entity Level Controls, absence of
- Fraud risk management framework
- Formal succession planning
- Legal compliance framework
- IT disaster recovery plan
- Business continuity management program
- No formal process to present ethics and compliance issues to the board/management
- Guidelines or formal process for board self-evaluation
2. Process Level Controls, absence of
A. Human Resource Process
• Controls around attendance management and overtime calculation
• Controls related to monthly reconciliation of headcount prior to payroll processing
• Super user access to employee master data
• Unauthorized access or absence of maker-checker mechanisms for modifying employee master data
B. Order to Cash Process
• Controls over access to tariff master/price master
• Controls over customer onboarding and master management
• Monitoring of aged receivable outstanding
• Provisioning for or write off of doubtful debts
C. Asset Management
• Assets are capitalized without componentization or de-componentization
• Significant delays in moving from capital work-in-progress to asset cost account
• Assets are not tagged and referenced to an asset listing in the fixed asset register and there is an absence of a formal process for physical verification
• Useful life review of assets and impairment analyses are not conducted periodically
D. Inter Company Reconciliations
• Clear and comprehensive policies and procedures for intercompany balance reconciliation
• Mechanisms to clear unreconciled balances on a timely basis
E. Financial Statement and Closure process
• Insufficiencies in calculation of provisions and accruals
• Balance confirmations are not obtained for significant customers and suppliers on periodic basis
3. IT General controls, absence of:
• User access management: access control matrix and periodic review of user access
• Incident management: An escalation matrix and non-compliance with the incident reporting process
• Back up and restoration testing: backup and restoration testing and assignment of a dedicated disaster recovery data center
• Change management: Segregation of duties for conducting changes not maintained and inadequate evidence to verify user acceptance testing
• Business continuity management program
Approach for Internal Control Framework
1. Governance and Entity Level Controls (ELC)
• Monitor entity level controls to strengthen governance, address reputation risk and roadmap to strengthen ELC by integrating with Internal Audit.
2. Efficient and Transparent Operations
• Sector Insights
• Strengthening process level controls
• Monitoring underlying compliances with process
3. Agile Analytics
• Flexible and Agile analytics basis deep process diagnostic to provide comprehensive assurance in existing environment.
4. Eye of Forensic
• Applying knowledge and repository of fraud risks to focus on anti-fraud controls.
5. Enabling Through Technology
• Internal Financial controls
• IT & Cybersecurity controls
• ERP application controls
• Roadmap to automation
Conclusion
Organizations need to significantly transform their business operating models to remain competitive amid a growing number of industry challenges. Investors are also willing to assign significantly higher PE multiples to entities with better governance. Internal Control over Financial Reporting (ICFR) program is an important step in this direction.
Internal control teams need to take a close look at the fundamental business processes, understand core issues and financial reporting risks and subsequently identify opportunities for value creation. Continuous identification and monitoring of risks related to external and internal changes. Technology-enabled risk assessment, driving alignment with enterprise risk assessment. Leverages ICFR results to identity operational and organizational improvements.
At S&B Consulting, we empower organizations to strengthen their governance frameworks through tailored ICFR programs and technology-enabled risk assessments. By partnering with us, companies can transform their internal control capabilities, align financial reporting practices with industry best standards, and achieve greater operational efficiency. Together, we guide our clients in navigating complexities, enhancing investor confidence, and positioning their business for long-term success.
