Taking Five Steps to Better Internal Controls
The evolution and automation of internal controls have a number of advantages
for companies — lowered costs, fewer errors, management by exception,
and regulatory compliance. And, by improving internal controls in a
particular area, companies can take the lessons learned and then scale those
improved controls out to the whole organization.
There are five steps to a healthy internal control environment:
Documentation
Testing
Remediation
Analysis
Optimization
In the next few sections, we look at each in more detail.
Documentation: The mapping exercise
A company looks at SOX and other regulations to see which areas of its
business are going to be affected by the regulations' requirements. It then
goes through an intensive mapping process, identifying the business processes,
subprocesses, and departments that are involved.
The next step is to highlight the risks and compliance issues. For example,
when someone is taking orders from new customers, they need to make sure
that a credit check is performed every time. The company should develop a
control that will be done from outside its order-taking system that checks all
transactions and reports back on whether the system is running credit
checks for all new customers.
Then companies develop controls. Manual controls tend to be vulnerable to
human error or fraud, so companies automate as many of their internal controls
as they can. They write scripts or programs that will be kicked off on a
preset basis to perform control checks and then report back. Some manual
controls will still be needed, but automated controls can substantially reduce
the amount of work needed to monitor controls.
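As an added illustration (not from the book), here is a sketch of the credit-check control described above, written as the kind of script that could be kicked off on a preset basis. The CSV layouts, field names, and exception labels are assumptions, and the sample records are constructed.

```python
import csv
import io
from datetime import datetime
# Constructed sample exports (not real data), read outside the order-taking system.
ORDERS_CSV = """order_id,customer_id,placed_at
O-1001,C-01,2024-03-01T09:15:00
O-1002,C-02,2024-03-01T10:40:00
O-1003,C-01,2024-03-02T11:00:00
O-1004,C-03,2024-03-02T14:05:00
O-1005,C-04,2024-03-03T08:30:00
"""
CHECKS_CSV = """customer_id,performed_at
C-01,2024-03-01T09:10:00
C-03,2024-03-02T16:20:00
C-04,2024-03-03T08:29:59
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def first_orders(orders):
    """Assumption: a customer's earliest order in the export is the new-customer order."""
    first = {}
    for o in sorted(orders, key=lambda o: datetime.fromisoformat(o["placed_at"])):
        first.setdefault(o["customer_id"], o)
    return list(first.values())

def run_control(orders, checks):
    """Return new-customer orders that lack a credit check on or before the order time."""
    check_times = {}
    for c in checks:
        check_times.setdefault(c["customer_id"], []).append(datetime.fromisoformat(c["performed_at"]))
    exceptions = []
    for o in first_orders(orders):
        placed = datetime.fromisoformat(o["placed_at"])
        times = check_times.get(o["customer_id"], [])
        if not times:
            exceptions.append((o["order_id"], o["customer_id"], "NO_CHECK"))
        elif min(times) > placed:
            exceptions.append((o["order_id"], o["customer_id"], "CHECK_AFTER_ORDER"))
    return exceptions

def report(orders, checks):
    """Summarize for management by exception: counts plus the failing orders only."""
    exc = run_control(orders, checks)
    tested = len(first_orders(orders))
    return {"tested": tested, "passed": tested - len(exc), "exceptions": exc}

if __name__ == "__main__":
    print(report(load(ORDERS_CSV), load(CHECKS_CSV)))
```

The script derives "new customer" from the order history itself instead of relying on a status flag set by the system it is checking, which keeps the control independent of that system.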
134 Part II: Diving into GRC