Ask the Pro: Effectively testing and monitoring internal controls
David Hodgson, Partner, Deloitte & Touche LLP
Since we set up our finance SSO a few years ago, we have greatly improved the efficiency of testing and monitoring internal controls. Now, our CFO wants to know how our SSO can help make those controls more effective as well as keep costs down. Any ideas on how to do that?
Shared services can often help reduce internal control cost and complexity by consolidating, standardizing, and automating many processes and controls. However, our experience suggests that companies can use their SSOs to go beyond these “baseline” gains in several ways.
One opportunity for improving control effectiveness can arise when processes are redesigned for placement in shared services. Because standardization typically entails end-to-end analysis of a process, it can give risk and control specialists the opportunity to evaluate and, if needed, improve the controls associated with each process as well. Your CFO can help enable this by stressing the need to involve risk and controls professionals during process design and by helping to identify appropriate specialists for the process design team to consult.
Another opportunity lies in the possibility of using the consolidated, enterprise-wide data housed in the SSO to conduct risk analytics. Giving risk managers access to the broad, systematic, and detailed data set collected by an SSO, as opposed to disparate local data, can allow them to use more standardized technology and tools for activities such as risk assessments and compliance monitoring.
Yet a third opportunity is to leverage shared services personnel as an additional set of “eyes and ears” to help identify breakdowns in control. If you embed risk awareness into SSO staff’s job responsibilities, they can stay alert for inconsistencies and weaknesses that can signal potential internal control issues. Because SSO staff work with the data on a day-to-day basis, involving them in this way can help a company identify potential issues in a timely manner.
Finally, your company may want to consider putting certain internal control and risk management capabilities in the finance SSO itself, right alongside the processes they address. The SSO may be a natural home for a risk analytics capability, for instance. You may also want to explore putting a risk and controls group in the SSO to regularly monitor the controls and processes executed by finance personnel as well as the SSO’s self-testing, self-reporting controls.
As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.