Deloitte have recently released an interesting report in relation to the 15 year anniversary of Sarbanes Oxley. While anniversaries are usually an opportunity to celebrate and reflect on accomplishments. Instead of celebration, the 15-year reflection was met by several observations from management:
• The cost of compliance is too high
• Internal Control over Financial Reporting (ICFR) programs lack modernization
• Regulators continue to focus in ICFR
Management is also challenged by Management Review Controls (MRC), spending time and resources to address continued control deficiencies, significant deficiencies or material weaknesses and answer questions from auditors to meet regulatory expectation.
We thought we would put together a brief synopsis of the message they extrapolated – exploring how management can refocus their internal control lens related to MRCs by providing insights around pillars of success, common challenges, and how world-class organizations are modernizing and renewing their focus into the ICFR program.
It’s clear its time to move on from the MRC’s of old, when SOX was first introduced and make it work for us in the new era, using latest techniques and technologies to consolidate our efforts.
What are the issues that management are currently grappling with:
- People – They need to have the right kind of experience, authority and known responsibility to be able to perform the MRC in an ICFR context
- Data Quality – If garbage is going in, garbage is going to come out, if bad or wrong data is being used in the decision making process, then the conclusions and actions are not going to have the desired effect.
- Risk Identification – Management suffers from a lack of revisiting and retesting of risks, and a lack of clear system in place to identify, analyze and respond
- Documentation – Documentation isn’t granular or thorough enough and there’s a lack of understanding of what should be being documented
- Control Design – It’s not specific enough or providing detailed steps for mitigating material weaknesses.
But some people have already refocused their controls lens and are leading in the World Class organizations standards, how are they doing it:
- People – They provide cross-training and clear roles and responsibilities
- Processes – They have a robust risk assessment in place, with clear and detailed documentation policies
- Tools and Techniques – Although not the be all or end all, World Class functions know that using latest tools to make the complex simple, including data analytics and visualization and RPA for repetitive time consuming parts of the process are a key way to ensure that the process is optimised.
If you want to read the full report you can find and download it here