Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
We've put together a comprehensive list of frequently asked questions - along with our responses - to the most common GRC and SAP security issues.
19 September 2016

3 steps to a controls-based approach to financial statement audits

As part of the year-end statutory audit of the financial statements for a company, the external auditors will often seek to adopt a controls-based approach to their audit, but only when it can be satisfactorily concluded that they are able to place reliance on the internal control environment. The benefit of an organisation having sound internal controls is that the transactional data which makes its way onto their accounts should be complete, accurate and valid, as per the underlying objectives of the associated controls.

If the external auditors can evidence that a company’s controls are designed effectively and meet their intended objectives, and that they are also operating as expected, then they already have a degree of comfort over the validity of the data. This means they are able to reduce the amount of financial audit work that otherwise would have been necessary to provide an opinion on the financial statements.

This approach has significant advantages for the auditee as it reduces the amount of required substantive testing, which includes effort intensive detailed procedures such as:

  • Physically inspecting or observing assets (e.g. inventory, equipment etc.)
  • Examining records to support balances and transactions
  • Obtaining confirmation from 3rd parties (e.g. banks, customers, suppliers etc.)
  • Checking calculations

This reduction in substantive testing means less work required by the auditors, as well as less time commitment for the auditee themselves. Overall this can have a positive impact on the overall time and cost associated with the year-end audit.

All too often however the auditors are not able to adopt a controls-based approach, as their testing of identifies significant control-related issues which means they can’t place the necessary reliance on them. As a result, the benefits associated with a controls-based approach are never realised. However, this can be easily rectified if companies implement a few simple measures:

  1. A periodic review of applicable business risks ensures that an organization has ongoing transparency and understanding of all those key risks which need to be mitigated, allowing them to identify necessary internal control requirements. This periodic review should be broken down into functional areas and include process owners and other key stakeholders;
  2. Perform regular control gap analyses to evaluate whether a company has controls in place to mitigate those risks identified as part of the periodic risk review, and the output of such reviews should be formally documented and maintained in a Risk and Control Matrix; and
  3. A periodic controls assurance program should be established whereby nominated control owners perform controls testing and/or assessments to conclude on the design and operating effectiveness of their controls. It’s much more desirable to be aware of, and remediate, control-related issues during the course of the year as they happen, rather than wait for problems to be identified by the auditors during year-end, which could ultimately affect their audit approach.

 Delivering business benefits when upgrading