The aim of robust internal controls is to effectively mitigate the company’s risks. Given the changing nature of risks, regular assessments of the existing business processes are required to ensure that the internal controls cover all relevant risks. By proactively anticipating and identifying risks for the business, companies ensure that preventive and detective controls are in place, which optimises business operations as well as the corresponding financial and reputational risk.
a. The importance
The role and expectations of the internal control framework are evolving: it is no longer a mere ‘tick the box’ function but must provide true value to the business. It is therefore central for internal controls to provide more value and insights for the business. By identifying potential gaps and shortcomings and subsequently implementing the recommendations, companies will enhance risk management, optimise cost, and improve the performance of their preventive and detective controls. Moreover, the financial services environment is constantly evolving, and it is essential for companies to stay up to speed and implement new controls as a result of a change in the company’s strategy, new product offerings, new regulations, or emerging technologies.
b. The assessment
An internal control assessment comprises several layers and takes a deep dive into various features of the existing processes.
Phase 1: Process inspection: Identifying and reviewing current processes and assessing these against the key risks identified and the relevant regulations in place.
Phase 2: Design review: Taking a deep dive into the design of the controls (mainly done through process walkthroughs) and evaluating it critically against best practices in the sector and regulatory recommendations.
Phase 3: Operating effectiveness: Testing the operational implementation of the controls and measures as described and documented in the company. This includes, for example, an evaluation of the monitoring capabilities.
Phase 4: Improvement: The three review phases mentioned above lead to the creation of individual assessments and detailed documentation of key issues and gaps. This review is accompanied by a series of recommendations to fill the potential gaps and therefore increase the efficiency and effectiveness of the controls. These recommendations are aligned and defined with clear action points and a timeline for resolving the identified issues.