Controls under the Corporate Governance Code has been saved
The 'UK SOX' debate has led organisations to increase their focus on controls, readying themselves for the impact of potential enhanced regulation. Regardless of the outcome of the UK Government’s BEIS White Paper, Heads of Internal Audit should be thinking about whether their own organisations meet current requirements under the Corporate Governance Code, as well as the impact of potential enhancements.
Following the roll-out of US SOX in 2002, it was clear that the process to prepare and implement a documented controls framework to confirm the effectiveness of controls requirements took more time and effort than many expected. Considering this, Heads of Internal Audit have an important role to play in helping ensure that their organisations use lessons learned from the implementation of US SOX to get ahead now. They should leverage the opportunities a controls framework presents for their organisation and their role in the business.
1. What opportunities does a controls framework offer?
Across the US, SOX has seen increased scrutiny and focus given to the effectiveness of controls and enabled business to better empower management to manage their own risks. This has encouraged many Heads of Internal Audit to help strengthen the ‘tone from the top’, and in turn provides a chance to act as a catalyst for change and rethink the controls landscape. Organisations can identify ways to build digital tools and technologies into the internal control’s framework from the bottom-up which will provide greater assurance over the accuracy of their financial reporting data and detect fraud more effectively.
Heads of Internal Audit should embrace this and utilise the benefits in regard to their own function’s activity. Whether that be in informing a more focused plan of Internal Audit activity or allowing for a proactive approach to identifying heightened fraud risks; the outcome is a function which is more efficient and supportive of business needs. There is an opportunity to remind organisations that controls matter and that Internal Audit functions are here to support and add value through specialist insights.
2. When does my business need to be ready and how long will it take?
Although there are not yet confirmed dates, it is widely expected that some form of tighter controls regulation will become effective in the next couple of years. The FRC has also recently pointed out that companies applying the Corporate Governance Code should already be publicly reporting on their process to annually review the effectiveness of their material controls and any significant weaknesses.
Organisations must understand, now, what level of effort and remediation is required to put in place the evidence that controls are operating effectively and Heads of Internal Audit are well placed to support and challenge management when doing so, due to their role providing them with a holistic view of the controls landscape. Experience suggests that there will be at least 12 – 18 months’ work required to implement and embed a documented and effective financial control framework.
3. What activities should be prioritised when aiming to achieve effective internal controls?
At a minimum, an effective internal control environment would require the identification of material risks and a mechanism in place to monitor and report against the controls that mitigate them. As such, Heads of Internal Audit will need to support the business in undertaking a controls gap analysis as the basis for understanding remediation efforts required to ensure internal controls are in place; and they are designed and operating effectively. A four step process to perform an ICFR gap analysis was outlined within our ‘Considerations for internal audit in light of UK SOX’ paper published in February 2021.
Heads of Internal Audit should consider what part their functions might play as their organisations define and embed procedures to monitor the effectiveness of these controls on a recurring basis. Early adoption of continuous controls monitoring solutions and real-time data analytics will allow organisations to build solutions which are flexible and quick in identifying and reacting to risks identified within the business. At the same time Internal Audit will need to protect their risk based planned to ensure their efforts do not become overly focused on controls of financial reporting.
4. What documentation will be needed to evidence the control environment?
Documentation and a clear understanding of the end-to-end risks, processes, and controls is essential for establishing an effective controls framework. Whilst many Internal Audit functions have often been able to operate without this reference point to date, this will be critical to ensure an internal controls framework can be monitored effectively and meet regulatory reporting requirements.
When reflecting upon the lessons of US SOX, it is clear that getting a risk assessment in place from the start is critical. Without a clear understanding of the risk landscape and a focus on the risks that really matter, there is a danger the approach to documenting will be unfocussed and unnecessarily extensive.
Whilst Heads of Internal Audit should not own the end-to-end implementation of a controls framework, they have a key role in asking the right questions of management and leveraging the existing knowledge of their function to ease the transition. As such, Heads of Internal Audit should begin to assess where existing documentation can be leveraged to begin mapping process, risks and controls across the business and ask the business how additional resources may be required to support the completion of this alongside day to day activity e.g. process mapping being performed within the scope of existing Internal Audit plans.
5. How can Internal Audit support remediation efforts to achieve compliance with a controls framework?
A robust approach is essential in fully embedding changes within an internal control environment, whether that be in introducing new internal controls or enhancing those currently in place. Once an ICFR gap analysis has been performed, Internal Audit will be well equipped to provide programme assurance across remediation efforts and then be able to provide a view as to how effectively remediation efforts have been implemented.
A key motivator behind the US SOX framework was to instil the importance of honest and ethical leadership. Heads of Internal Audit should begin to consider taking a cultural ‘dip test’ of their organisation to understand how well control owners understand and manage their risks, and how the organisation proactively encourages a transparent and honest environment. There are a number of mechanisms Heads of Internal Audit can consider when reflecting upon this; ranging from the behaviour and communications of senior management through to how the company responds to employee voice panels.
Please get in touch if you would like to discuss how your Internal Audit function should ready itself. We can share with you our four-step plan for where you should be now.
Key contact
Sonya Butters
Partner, CFO Advisory, Controls
Sonya is a controls specialist, Audit partner and the leader of our Accounting Operations team. Accounting Operations is a team of audit trained accountants who support our non-audit clients in modernising their finance functions, embedding controls and being ready for audit. She works with UK and US, private and listed companies. Her project experience includes US and UK IPOs, SOX and JSOX implementations, controls and finance transformation and close optimisation.
Erin Gormley
Senior Manager
Erin is a Senior Manager within Deloitte’s Internal Audit & Controls team with over 7 years’ experience in delivering risk, controls and assurance services. Erin has experience in delivering Internal Audit services across a range of industries and FTSE250 organisations, as well as delivering and leading controls transformation projects which are focused on defining and optimising internal control environments. In particular, Erin has specialised in working with US-listed companies to ensure their SOX control frameworks are designed and operating effectively.
