Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
We've put together a comprehensive list of frequently asked questions - along with our responses - to the most common GRC and SAP security issues.
15 April 2016

Learn why surveys are essential in your toolset for gaining assurance over internal controls

Internal controls are (or at least should be) implemented for a specific reason – to mitigate risks. Organisations that are risk conscious strive to provide transparency over the continued ability of their controls to achieve this objective. This can be in reaction to strict regulatory requirements which enforce the need to evaluate their controls periodically, or can be driven purely from a good practice perspective and a desire to manage risks effectively within their organisation.Discover_why_surveys_should_be_a_central_element_in_your_toolset_for_gaining_assurance_over_internal_controls-min

Whatever the reason there are several ways in which controls can be evaluated to determine whether they are designed/operating effectively or not. A common traditional method is based on manual sample testing using pre-defined test plans. Whilst this sampling approach can produce test results which are representative of a controls total population, based on the use of statistical sampling techniques, it can also be extremely resource intensive. This notion that controls need to be evaluated in this way is a common reason why organisations shy away from their own control assessments, and instead choose to brace themselves for documented control failures as part of the annual external audit report.

This is not a particularly healthy way to manage the internal control environment, and is also not necessary. The use of surveys to perform control self-assessments can be an effective strategy providing valuable insights into the status of your internal controls, as well as being relatively non-invasive for those involved. Although this efficient method for gathering control-related information cannot completely replace all manual sample-based testing activities, particularly within those organisations for whom regulations such as Sarbanes-Oxley dictate management testing as a specific requirement, it can at least become part of the overall testing strategy and help to relieve the manual effort associated with controls testing.

For those organisations which don’t have any such obligations, this “light touch” approach can be extremely effective in providing a periodic controls health check, helping to allocate responsibilities for operating and/or overseeing controls, and at the same time developing an essential risk and controls culture. This functionality is central to the control evaluation capabilities available in SAP Process Controls, and this evaluation method, together with automated controls monitoring, can both strengthen and streamline your current controls assurance activities.