Are your internal controls in harmony with your business?
How the three lines of defense can work in concert to help your organization improve its performance
Contents
Introduction
Maturity model
Enhancement opportunities

Introduction
Who is in control?
Today, change is coming faster than ever, and there’s more of it. Industries have been completely disrupted through digitalization and outsourcing. The sheer velocity of change has upended the business environment, and business models are constantly having to respond at an unprecedented pace. In fact, five years ago, we were talking about the fast pace of change, but that pace and the amount of change have only increased, with no slowdown in sight.
and regulatory
the market was recovering, some companies made progress toward better alignment of risk management with changes in business models and emerging risks.
not prevent a
and stakeholder confidence
downturn and management
Introduction | Maturity model | Enhancement opportunities | Conclusion
an effective and
systems of internal control have a positive impact on long-term business performance and earnings potential.
This group (typically including risk management, internal controls, legal, compliance, etc.) is responsible for the ongoing monitoring of the design and operation of controls
internal control strategy. However, no line of defense executes this strategy single-handedly; they must work together. In the context of an integrated LOD model, EY
Maturity model
Has your ICFR program kept pace with changes in the business and regulatory landscapes?
At EY, we have helped organizations of different sizes and across sectors as they developed and implemented their initial ICFR programs and have continued to work with many of them as they have evolved their programs over time. We surveyed our internal audit professionals to gather information about ICFR leading practices and areas of improvement noted as they worked with our clients.
The survey encompassed 147 of our audit and advisory clients of varying sizes across the US, covering many industry sectors.
Even though we have been living with SOX requirements for over a decade, many companies have not matured or optimized their ICFR programs.
Only 34% of respondents indicated the internal control program was mature*.
ICFR maturity assessment enabler
Leading organizations are using a model to assess the maturity of their internal control environments.
*EY ICFR Leading Practice survey

Enhancement opportunities
Key considerations to enhance your internal controls
Welcome from EY
In light of the changing business environment, regulatory findings and our work with clients, we have seen a number of areas emerge as leading practices or opportunities for companies to enhance their internal controls.
Enhancement opportunities: The topics below are the most common enhancement opportunities we see at our clients. These topics are discussed in the pages that follow, along with thoughts on the benefits of taking action.
1 Governance structure
Does your governance
As part of our survey, we asked questions about reporting lines and organizational structure in an effort to understand the current trends. We found that no one model emerged as the leading or most common.
The organization’s management is responsible for establishing
are needed to sustain a strong internal control environment, and it works better when all parties know their roles. For example, the resources responsible for maintaining ICFR documentation and those responsible for testing and monitoring control differ across organizations. There is no one clear answer, but what is clear is that companies need to have these roles defined so that things don’t fall through the cracks.
30% of survey respondents indicated that internal control owner performance ratings are linked to the effectiveness of the controls for which they are responsible
27% of survey respondents indicated that the internal control function was very mature or leading-practice.

2 ICFR program
Do you regularly update your
and regulatory requirements?
In 2004, many companies were issuing their first reports on ICFR. However, controls that were appropriate at the time of implementation may no longer be effective given the fast pace of change on the global stage. Since then, shifts in the regulatory environment have affected
enhancements intended to (1) address significant changes in the business environment and associated risks; (2) specify criteria to use in the development and assessment of internal controls; and (3) increase the focus on operations, compliance and nonfinancial reporting objectives. This is just one example of how our clients have done a more in-depth refresh of their ICFR program and used it as a platform to make more holistic changes and improvements.
87% of survey respondents indicated that the ICFR program is aligned with COSO 2013.
• Do you assess the amount of reliance the external auditors place on the company’s work and whether modifications could enhance such reliance?
3 Changes to accounting standards
changes to organizational business models, the risk exists that standards may be misinterpreted and disclosure requirements within quarterly reporting may be missed. Accounting change is more than accounting and more than change. Companies that handle the transitions well will find themselves in a position of improved performance from IT to processes and related governance and controls.
A well-documented and well-understood ongoing process is critical to staying abreast of accounting standards changes.
Questions to consider
• Do you know where to obtain assistance with interpretation when needed?
• Are internal controls evaluated to confirm that they are adequately designed to address these changes?
• How are changes to accounting standards communicated to those responsible for the related internal controls?
• Have you evaluated the impact of accounting change not only on the actual accounting but also on governance, people, process, technology and related internal controls?
Benefits of taking action
• Enables compliance with regulatory requirements
• Facilitates appropriate up-front interpretation and application of accounting standards to your business
• Enables open lines of communication across the organization
Timing
• Ongoing to respond to changes on a timely basis

4 SOX Section 302 certifications
While many companies may feel they have a good SOX Section 302 certification process, some may have become complacent, going as far as rubber-stamping certifications, introducing even more risk to their organization.
communicating the results to the CEO and CFO
• Identify functional leaders that will collect and review their area’s questionnaires and act as independent reviewers, challenging the status quo and pushing the CEO and CFO to make certain they are comfortable with the responses
• Create a questionnaire that certifiers will need to complete; the type of questions each certifier receives may depend on a number of factors, including the certifier’s role in the organization and the business unit to which the 302 certifier belongs
• Send any questionnaires with noted issues to the functional leaders immediately
• Select a tool that will be used to administer the questionnaire and approval/certification process
• Confirm that control objects are processed and documented appropriately through the use of your company’s calendar functions for reminders, escalations and notifications

• Has your organization named someone as the SOX Section 302 program leader?
• Does your organization use questionnaires and set reminders to facilitate the process?
• Has your organization implemented a tool to administer the program?
• Has your organization identified the functional leaders, and do they understand what is expected of them?

• Enables compliance with regulatory requirements
• Provides more visibility into and oversight of the organization’s internal control environment
• Enables identification of issues throughout the year rather than at year-end

• Quarterly and as needed and as control environments change
5 Scope and mix of controls testing
Questions to consider
• Have you performed an internal controls optimization exercise evaluating the mix of controls?
• Have you evaluated your internal audit and internal control function risk coverage for optimization opportunities?
• Have you considered alternative monitoring capabilities, e.g., offshore, by third parties or by different parties in-house?
• Have you evaluated the relevant IPE and IT general controls in your ICFR program?
• Have the control owners received training on the importance of IPE and IT general controls?
Benefits of taking action
• May improve overall efficiencies in the execution of the ICFR program
• May reduce the cost of controls through the use of automation
• May reduce the risk of financial reporting misstatements or restatements
• May improve awareness and accountability among control owners
Timing
• When controls are executed
• At least annually — control owner training

6 Management review controls
Questions to consider
• Does management understand the purpose of the review and the risk it is intended to address?
• Do control owners understand the required documentation to support execution of the controls?
• Does management receive periodic information updates and training on management review control requirements?
• Have you evaluated the thresholds you are using and obtained alignment with all stakeholders?
Benefits of taking action
• Enables the organization to effectively address business risk
• May reduce the risk of financial reporting misstatements or restatements
• Enhances awareness and accountability among control owners
Timing
• Ongoing to respond to changes on a timely basis
• At least annually — management training
7 IPE
Are you considering
IPE is any information provided by the entity using the entity’s IT applications, end-user computing tools or other means. It is used by management, be it in electronic or printed form, in the performance of controls. Ineffective controls over system-generated data or reports continue

8 Population completeness
When is population
You may find that data previously provided as population evidence to the auditors is now being questioned with respect to completeness. It is important that no data is inadvertently omitted or excluded, thus misrepresenting the population. One way to reduce the burden of gathering and retaining the
9 Control precision
significant issues?
The overall goal of management estimate testing is to validate that the issuer’s assumptions and estimates underlying the valuation of assets and liabilities are reasonable.
Similar to management review controls, the following items should be top of mind when assessing management’s controls regarding key estimates:
• Determine the method, significant assumptions and completeness and accuracy of information used
• Gather and evaluate information, including available contrary information, and apply it in determining the amounts to be recorded or disclosed
• Evaluate which key assumptions drive the estimate
• Analyze whether management’s review of those assumptions is reasonable given the support for the estimates
Questions to consider
• Does management have an understanding of the requirements for its review of internal controls — e.g., is there annual refresh training on control owner requirements?
• Are controls evaluated periodically to confirm that they are designed to address emerging areas of focus?
• Is control precision evaluated for areas of significant estimation, including fair value measurements, impairments, reserves and income taxes?
Benefits of taking action
• Can have a positive effect on business performance
• May result in a reduction of financial reporting misstatements or restatements
• Provides better awareness and accountability among the control owners
Timing
• Ongoing to respond to changes on a timely basis
• At least annually — management training

10 Related parties
• Financial relationships and transactions with executive officers
Companies should revisit the controls they have in place to identify, account for and disclose transactions with related parties and executives, and significant unusual transactions.
The PCAOB developed the standard to focus the auditor’s attention on areas that have been associated with risks of fraudulent financial reporting and error. To address these risks, companies should also focus on these transactions.
Questions to consider
• Does your organization have a confirmation process that includes key stakeholders to evaluate existing and new relationships?
• How do you obtain completeness in reporting of related parties and their transactions in a timely manner?
Benefits of taking action
• May expedite the disclosure process
• May reduce audit fatigue
• Enhances risk management activities
Timing
• Quarterly confirmation process
Companies should maintain the following documentation:
• The names of the company’s related parties and the business purpose for entering into the transaction
• Background information on the related parties (for example, physical location, industry, size and extent of operations)
• The nature of any relationships, including ownership structure, between the company and its related parties
• The transactions entered into, modified or terminated, with its related parties and the terms and business purposes of such transactions
11 Deficiency impact analysis
Does your organization
When deficiencies are identified during the fiscal year and internal controls are deemed ineffective, compliance teams can help management implement action plans that reduce the risk to the organization and may prevent the need for expanded external audit procedures. For example,

12 Remediation of deficiencies
Can delaying
Management may not be aware of the consequences of postponing remediation of identified deficiencies or may have no plans to remediate the deficiencies. Some deficiencies are more challenging or may take longer to remediate due to people or process complexity or due
13 System implementations
• Has management embedded control considerations into their system development process for financially significant IT applications?
• Do business and IT representatives actively participate in defining relevant risk and control considerations?

• Reduces the risk of financial transaction misstatements due to erroneous system functionality
• Reduces the risk of inappropriate changes to key systems post-implementation
• Avoids system outages and operational problems after go-live
• Promotes understanding within the business as to how system changes could optimize the control environment
• Drives communication and further links IT and business process together within the organization

• The planning phase of system implementations
• Planning and testing prior to go-live to help reduce issues

14 Outsourced systems and business processes
Intended audience: User entity and an auditor of its financial statements | Management of service organization, user entities and other specified knowledgeable parties
Additionally, the service organization may outsource certain services to a subservice organization and carve out those services from its SOC report. A subservice organization may not provide a SOC report to user entities; however, controls at the subservice organization may be relevant to the user entity’s internal control environment. Compliance teams and internal auditors have an opportunity to assist management with assessing and minimizing risks inherent in outsourcing systems and business processes while managing costs of effective internal control.
Questions to consider
• Have formal roles and responsibilities been established for all outsourced processes?
• What specific services, including control objectives, controls and applications, are being provided by third parties?
• Are expected controls included in SOC reports and tested properly and for a sufficient period of time?
• Do you proactively address CUECs through existing controls to reduce overall ICFR costs?
Benefits of taking action
• Proactively monitors performance of system service providers
• Avoids surprises regarding CUECs
• May prevent late identification of deficiencies
Timing
• During the planning and contracting phases
• Controls should be in operation for the fiscal period
15 SOC reports
16 Controls in the cloud
17 Segregation of duties
31% of respondents used an automated solution to evaluate SOD as it relates to user access.
under any circumstances.
conflicts within IT processes that must be mitigated through appropriate controls, the majority of a company’s SOD controls must reside within business processes to effectively mitigate the risk of fraud or errors. To avoid significant SOD deficiencies, even in the absence of an automated tool, steps can be taken to minimize risks. The key is a proactive approach that analyzes the risks and implements appropriate controls.
Questions to consider
Does your organization:
• Have a process-specific SOD rule set based on the risk of misstatement?
• Have a process for handling exceptions?
• Have controls to enforce the rules?
• Gather evidence of an annual rule review and approval?
• Gather evidence of the assessment of SOD violations to show that deficiencies were not exploited?
• Adjust the control framework to align compensating controls if SOD conflicts cannot be avoided?
Benefits of taking action
• May prevent fraud, errors or financial reporting misstatements
• Creates an effective control framework
• May prevent deficiencies
Timing
• Mitigating controls can be implemented at year-end and impact analysis performed to confirm there was no effect on the financial statements despite the presence of SOD conflicts
• Controls should be in operation over the fiscal period

18 Cyber risk
Numerous areas of heightened cyber-related risks
Concerns over the maturity of an entity’s cyber risk management program
Questions to consider
• Has your organization conducted a comprehensive cybersecurity assessment as part of the risk management program?
• Are your organization’s policies and procedures up to date?
• Have you evaluated cybersecurity controls at your IT service providers?
• Has your organization incorporated cyber topics into the enterprise risk management (ERM) program?
Benefits of taking action
• May prevent breaches and operational problems
• Contributes to an effective risk management framework
Timing
• Controls should be in operation over the fiscal period
• Annual ERM activities may spearhead increased focus on controls around cyber threats
• Internal audits should be considered during planning and budgeting cycles
19 Data analytics
15% of respondents indicated that data analytics is used to support the execution of ICFR programs
makes operational sense, data analytics may be one area where a strategic partnership can yield better results. Access to tools and leading-practice experience should be brought to the table by your strategic partner to launch or refine the analytics program in support of your compliance efforts.
Questions to consider
• Does your organization have data analytics programs in place?
• Have you looked for additional areas that would benefit from ongoing analytical assessments?
• Have you evaluated manually intensive audit areas for opportunities to leverage data analytics?
• Have you considered whether data analytics can assist in the ICFR scoping process?
Benefits of taking action
• Covers a larger sample of the population and provides more differential focus on risks
• Identifies trends and all exceptions in a population
• Uses a more efficient audit approach
Timing
• When preparing for the annual ERM activities
• When asking for IA annual funding
• Ongoing

20 Leveraging technology and tools
59% of survey respondents indicated that a tool, e.g., GRC, is used to maintain the documentation and testing of internal controls.
38% of survey respondents indicated a tool with built-in workflow functionality is used.
testing software, which enables implementation of a disciplined approach to financial system change testing and the gathering of testing and approval evidence. Robust implementation of these tools and their inclusion in the risk and control frameworks reduce reliance on manual procedures and therefore reduce risk of control failures.
Questions to consider
• Does your organization have the technology and tools to enhance the execution of internal control testing?
• Has your organization identified tools that would meet your requirements if not already in place?
Benefits of taking action
• Can allow companies to organize their procedures and more effectively and efficiently address risks
• May reduce overall cost of controls and minimize the level of employee effort
Timing
• Consider use of tools at the beginning of ICFR testing each year
• Ongoing
Conclusion
Refreshing your ICFR program can provide additional benefits
We know of no reason to expect that the velocity of change will slow down any time soon. New players will enter the market with innovative ideas that will continue to disrupt business models, requiring companies to respond quickly to stay competitive. Technology will continue to rapidly evolve, upending the way companies do business and making them more vulnerable to “bad actors” looking for ways to infiltrate their systems. The ease of global communication through social and other media will continue to challenge organizations to stay on top of how they are perceived in the marketplace. And regulators will continue to evolve their requirements as they strive to protect stakeholders.
[Figure: ICFR program: Control evaluation, Technology, Governance, Tools and techniques]
To find out more about how our Risk Advisory services could help your organization, speak to your local EY professional or a member of our global team, or go to ey.com/advisory
Our Americas Risk leaders are:
Global Advisory Risk Leader: Amy Brachio, +1 612 371 8537, amy.brachio@ey.com
Americas Advisory Internal Audit Leader: Lisa Hartkopf, +1 312 879 2226, lisa.hartkopf@ey.com
Americas Advisory Risk Assurance Leader: James Martin, +1 216 583 3004, [email protected]
Americas Advisory Region Risk Leaders
Central: Kevin Janes, +1 312 879 5400, [email protected]
Northeast: Marcelo Bartholo, +1 215 448 2638, marcelo.bartholo@ey.com
Southeast: AJ Desai, +1 704 331 1983, [email protected]
Southwest: Geoff Beatty, +1 713 750 1467, geoffrey.beatty@ey.com
West: Scott Coolidge, +1 213 977 4206, scott.coolidge@ey.com

EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
About EY’s Advisory Services
In a world of unprecedented change, EY Advisory believes a better working world means solving big, complex industry issues and capitalizing on opportunities to help deliver outcomes that grow, optimize and protect clients’ businesses.
Through a collaborative, industry-focused approach, EY Advisory combines a wealth of consulting capabilities — strategy, customer, finance, IT, supply chain, people and organizational change, program management and risk — with a complete understanding of a client’s most complex issues and opportunities, such as digital disruption, innovation, analytics, cybersecurity, risk and transformation. EY Advisory’s high-performance teams also draw on the breadth of EY’s Assurance, Tax and Transaction Advisory Services professionals, as well as the organization’s industry centers of excellence, to help clients deliver sustainable results.
True to EY’s 150-year heritage in finance and risk, EY Advisory thinks about risk management when working on performance improvement, and performance improvement is top of mind when providing risk management services. EY Advisory also infuses analytics, cybersecurity and digital into every service offering.
The better the question. The better the answer. The better the world works.
With 40,000 consultants and industry professionals across more than 150 countries, we work with you to help address your most complex industry issues, from strategy to execution. To find out more about how our Risk Advisory services could help your organization, speak to your local EY professional or a member of our global team, or view ey.com/advisory
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
© 2017 Ernst & Young LLP.
All Rights Reserved.
1609-2070356
SCORE No. 00594-171US.
ED None
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.
ey.com