As government organizations adapt their operations in response to recent economic changes, they are likely making modifications or in some cases having to make difficult decisions related to their structure. Human resources and other personnel departments must work with leadership and IT to redefine reporting structures, realign responsibilities, adapt to new working practices, and focus on the health and well-being of their workforce.
Regardless of the changes, however, internal controls are expected to continue to operate effectively. Soon, external auditors will be asking the following and other questions as they make interim selections of samples:
- Are individuals aware of (and performing) their control obligations?
- How well did the execution of controls transition to new team members?
- What considerations has management made in determining that conflicts of interest are not introduced with changes in control ownership?
Regarding control ownership, organizations need to take into account:
- The individuals responsible for the execution of the control;
- The approvers responsible for executing review controls or transactional controls; and
- The individuals responsible for independently and/or objectively evaluating the effectiveness of controls.
The responsibility for execution of internal controls may be assigned to one individual user who has full responsibility for execution of controls, or it may be shared by many individuals across the organization (e.g., invoice approvals, change management). In addition, evidence that the control was performed must be retained.
For control ownership, organizations should take these steps:
- Ensure that procedures for executing the control are clearly documented and understood by the owner(s), and that appropriate training is executed (as needed).
- Update control matrices to reflect ownership of the control and track any changes in ownership throughout the year.
- If control ownership changes, assess the new individual’s competency and objectivity. This is necessary to validate that a lack of segregation of duties is not introduced. If not addressed, there may be an increased opportunity for fraud.
Similarly, if individuals who have review and approval responsibilities change, the organization should assess whether:
- Changes in approval thresholds introduced by the elimination of management layers or organizational structures violate written approval matrices;
- Individuals with review and/or approval responsibilities understand changes to their thresholds, or to the precision with which the control is performed, resulting from changes to the company’s financials;
- Reviews and approvals performed and evidenced are fully operating in a remote environment;
- Segregation of duties between the transaction owners and the approvers and reviewers has been maintained; and
- The person reviewing transactions is not being recorded as a result of individuals having been furloughed and transactions being re-routed to new approvers.
Other IT Considerations
With changes to employment, including granting users access to remote solutions, you should be proactive in performing additional user access reviews or re-assessing access rights. Do not wait until the next iteration of a user access review control to address issues resulting from a lack of segregation of duties or from not applying the “least privileges required” philosophy.
Internal auditors or others who are responsible for assessing the design and operation of internal controls also impact control ownership. Even if a third party, such as Weaver, is responsible for the evaluation of controls, the organization needs to have a system for sharing changes in employees and work environment. Some organizations are choosing to downsize internal audit or place these employees on furlough. Regardless of changes to the individuals responsible for management’s assessment of internal controls, the potential impact on the overall control environment should be considered.
Control owners, approvers, and assessors all play a vital role in the ongoing and consistent execution of controls. As changes in structure occur, it is important to assess the impact on the operation of controls and address risks that may result in control failures that affect the company’s ICFR opinion. New controls may need to be put in place to supplement process changes and remote execution. This should include a formal assessment to determine which controls have been disrupted, the residual risk of each such control not being executed, and whether a compensating control is necessary to mitigate the risk.