Companies are exposed to a wide range of risks that are constantly changing due to internal and external influencing factors, but also due to increasing digitalization. Thus, they must adapt flexibly and quickly in order to mitigate risks sufficiently. For an appropriate management of enterprise risks, an effective internal control system (ICS) is necessary, which supports companies as a control and monitoring instrument to reduce risks to an acceptable level. However, as complexity increases, so do the requirements for an ICS, especially with regard to scalability. To this end, we discuss not only the basics of an ICS, but also core concepts for creating a scalable ICS, which includes automation in particular.
Aligning risk management with business strategy
Every organization must set a risk strategy that can continuously adapt to new challenges and opportunities. Integrating an enterprise risk management framework throughout your organization offers a number of benefits:
Identification of the appropriate internal control framework
An internal control framework assists in organizing and categorizing expected controls or control topics. The use of these frameworks can vary depending on the area of application. Some control frameworks are designed for general purposes, such as the COSO internal control framework, while others are more specific, such as the COBIT IT control framework. The International Organization for Standardization has also proposed multiple standardized control frameworks for internal auditors in various domains, including quality auditing (ISO 9001) and IT (ISO 27001). Therefore, an excellent understanding of the variety of frameworks is important in the design of internal controls tailored to the needs of the company. Our consultants bring in-depth knowledge and the necessary experience in dealing with the respective frameworks.
Implementing the identified control framework
The implementation of a control framework, together with the management and maintenance of its underlying internal controls, involves six steps. These steps are:
- Developing an implementation plan
- Evaluating and documenting the control structure
- Identifying gaps by comparing the organization’s practices with the principles outlined by the respective control framework
- Remediating the gaps identified in the previous assessment (step 3)
- Testing controls in terms of effectiveness and reporting to management
- Optimizing internal controls
As a result of the increasing complexity of the business environment, combined with a multitude of regulatory requirements, the number of required controls also increases, and with it the effort required for testing the controls. Therefore, scalability is an important, if not the most important, requirement of today's internal control systems. After all, high scalability results in time and cost efficiency.
Automating internal controls
Automation in the ICS domain leads to high scalability. Automation can be integrated either injectively or holistically in the implementation of internal control systems. Both a system view and an individual view of controls are mandatory here. One of many examples of an injective integration of automation is the continuous monitoring of controls through automations, which makes it possible to generate reports on the effectiveness or violations of controls in real time. The implementation of the underlying automations requires a high level of technical implementation skills that our consultants bring to the table. Projects have confirmed this time and time again.
In line with the saying “less is more”, our takeaway is: Scalable internal control systems must have a high degree of injective and holistic automations.