Strengthening Internal Controls with Leading Practices

Frequently, the SEC enforcement efforts focus on absent or insufficient internal controls.  A report by the AFC "Mitigating the Risk of Common Fraud Schemes: Insights from SEC Enforcement Actions" published January 2021, focused on 204 enforcement actions related to financial statement frauds from which they identified 140 fraud schemes.

One of the key conclusions from the study stated:

"There was rarely a single root cause for each matter, as each scheme typically encompassed multiple issues...Companies should remain focused on the fundamentals—controls, processes, and environments that impact financial record keeping and decision-making—and company-specific risks by conducting regular risk assessments." 

Interestingly, this study was completed with events that occurred before the pandemic hit. Since the pandemic, we have experienced increased remote working, which may lead to significant disruption in internal controls, that in-turn, may introduce even greater risks to the organization.Today there's probably never been a more important time to re-visit and focus on internal controls (their technology, processes and policies) in context of an increased remote working situation.

Strengthening Internal Controls

In October APQC published a report based on a study conducted during the summer of 2021 called "Leading Practices to Strengthen Internal Controls."  The study included 360 participants representing a diverse range of industries, regions, and sizes. 53% said they have heightened their focus on internal controls over the past year.  The areas of focus reported were:

               69% Cyber Security | 63% Data Privacy | 53% Remote Working | 53% Fraud Risk 

Remarkably 47% have not heightened their focus on internal controls.  The key conclusions from the report regarding internal controls states:

• Internal Controls Environment
  • Many organizations have an opportunity to streamline and reduce the number of controls they have in place
  • Leading organizations test their controls at least quarterly, or more frequently on demand
  • Whether they are public or private, all organizations are well-served by achieving compliance with SOX requirements
• Internal Controls Automation
  • Many organizations still have room for growth when it comes to technology for internal controls. Two-thirds of surveyed organizations are using manually-intensive methods like spreadsheets to manage internal controls.
  • Many organizations are still piloting or testing emergent technologies like automation and cloud computing, which are prerequisites for leading practices like continuous controls monitoring

Cloud Technology for Risk Management & Compliance

Oracle a leader in Cloud ERP has a risk management module designed to manage risks and meet compliance and privacy mandates (SoD, SOX, GDPR, etc.). Oracle Risk Management subscribers can automate analysis, monitoring and control of ERP security, configurations and transactions.  The platform is built to help organizations employ leading best practices.

Key features in the risk management module are: 

• Automation of risk and compliance processes
• Secure role design to accelerate ERP implementation
• Deep SoD analysis with visualization and simulation of conflicts
• Continuous monitoring of all security, configurations and transactions
• Library of pre-built controls and intuitive workbench to author custom controls
• Streamline control assessments, certify compliance, and collaborate with auditors
• Full visibility with graphical, role-based dashboards

To learn more about Oracle's Risk Management & Compliance module click here.

In many ways, there’s never been a better time for organizations to invest and reinvest in strengthening their internal controls. 

1. Has your organization heightened its focus on internal controls? 
2. Is your organization still using manually-intensive methods to manage internal controls? 
3. Have you moved your financials to the cloud? 
4. Are you using automation and AI to help manage risk and meet compliance requirements? 

If not, then it's probably time to upgrade your ERP.

Source: APQC paper "Leading Practices to Strengthen Internal Controls" published October 15, 2021