Instilling a strong controls culture within an organisation has become a crucial part of compliance for any company needing to meet required standards or regulations. But with UK SOX on the way, is your controls environment prepared for the increased scrutiny of a formal review? One which will look much more closely into your internal controls for financial reporting.
Without the pressure of a SOX-like regulation, many organisation’s internal controls environments are managed in an informal, ad-hoc, and heavily manual way. Many are also control-driven, rather than risk-driven – this means that significant risks facing an organisation may be missed, as well as introducing the common pitfall of risks being ‘over controlled’ leading to negative impacts on business operations.
A point-in-time approach to controls testing and assessments can also lead to limited transparency into how controls are operating. This makes it harder to ensure underlying risks are being mitigated sufficiently across the entire financial year, whilst also hindering the visibility that ensures investment into controls is spent in the right areas.
In preparation for UK SOX, it’s essential that organisations look to transform their control environments - moving from unwieldy, point-in-time, manual controls processes, to a more automated, continuous, and streamlined control environment. A controls transformation programme helps achieve this through rationalisation, consolidation, and the introduction of automation, with an emphasis on preventative rather than detective controls.
This blog explores why this transformation is so important, and how to approach a transformation programme in a way that works for your business.
Why transform your controls now?
The main reason for moving away from a manual, reactive controls environment and towards a more automated, proactive one is that the compliance needs of tomorrow will be very different from those of today, and it’s important to ensure your controls environment is ready to adapt to those changes.
A major change on the horizon is the introduction of UK SOX. Although the first reporting date is still to be confirmed, 2023 is being rumoured as the earliest year for attestation. Whenever it does land, UK SOX will place greater demands on UK-listed companies, and potentially some larger private organisations as well. These organisations will need to demonstrate the operating effectiveness of internal controls over financial reporting in a much more rigorous and comprehensive way.
This is particularly true if directors are required to formally attest to them every year as part of the financial statements, as the risk of significant fines will naturally demand an even higher degree of confidence. Doing this through a controls environment that is manual, distributed, and largely spreadsheet-based would be extremely time-consuming, and certainly prone to human errors. Given that penalties for breaching UK SOX are likely to be severe - to the point of holding company executives and directors personally accountable - there is no room for these unnecessary mistakes.
In addition, if risk and controls aren’t already a board level agenda item for some organisations, then they soon will be. So systems and processes will need to be in place to gain real-time reporting and oversight to cater for all stakeholders.
This means now is the time to embark on a controls transformation programme. Not only will it support good practice generally, it will make it much easier for you to improve and demonstrate compliance. While also embedding the type of mindset and behaviours that will be required in a UK SOX-type regime.
Four key challenges
A controls transformation programme is not a minor undertaking, and requires significant effort, resources, and planning to bring together a wide range of stakeholders across an organisation. As you set out on your transformation journey, there are four crucial considerations to bear in mind:
- Navigating regulatory requirements: while understanding the regulations which need to be complied with sounds simple at face value, interpreting the requirements and what that means to your organisation’s internal control management and compliance processes can be a complex task. Clarifying what you ‘need to do’ as a minimum requirement is helpful to direct initial effort and investment in the right areas.
- Managing cultural change: control measures are useless if employees don’t buy into why they’re important and why they need to demonstrate compliance as part of their ‘business as usual’ routines.
- Siloed data: risk and control data managed in a siloed set-up can hinder the identification and treatment of potentially significant risks. In addition, lack of visibility of ineffective controls within the business can delay, or possibly prevent, the remediation of control weaknesses ahead of this regulatory change. As UK SOX will require any material control weaknesses to be disclosed, your risk and control data is crucial to enable clear insights.
- Understanding automated controls: knowing which automated controls are available within the enterprise finance systems you already own, and whether you have ‘switched on’ all those suitable for your business, can help you get the most from your existing investments. Other supporting Integrated Risk Management (IRM) technology (also referred to as ‘GRC’) can facilitate automation regarding the operation, testing, and compliance management activities required to deliver an effective controls transformation programme.
The way forward: technology and more
While technology has a big part to play in the transformation, it is not a ‘silver bullet’ solution on its own. The human and cultural elements of the programme have to be taken into consideration, as do any existing technical solutions you may possess that simply aren’t being utilised properly at present.
Nonetheless, the benefits of moving towards a more tech-driven internal controls landscape are many. Real-time reporting can improve visibility of controls, manual effort can be reduced through automated control evaluations, while self-assessments, and tech-orchestrated policies can ramp up efficiency.
All this may feel like an unnecessary and excessive move to consider right now. But when UK SOX comes into play, the ability of transformed controls in helping you easily conduct testing and prove compliance, will make the value of controls transformation plain to see.
Get more detailed insights on controls transformation and the wider risk landscape in the recordings from our most recent virtual event, The Integrated Risk Management Forum. Click here to access the videos:
