Risk and controls reporting

Developing an internal controls program for a changing risk profile

Historic approaches to risk and controls may not be suited for the current environment of digital transformations, persistent change, and uncertainty. With business complexity and regulatory changes increasing the risk of accounting and reporting misstatements, developing a new internal controls framework with an upgraded operating model and agile processes may help businesses stay ahead of risk and increase value.

April 20, 2022

A blog post by Beth Kaplan, managing director, Deloitte & Touche LLP

Increasing business complexity and regulatory requirements are driving continual change in risk environments for many organizations. Historic approaches to risk and controls may not be suited for the current environment of digital transformations, persistent change, and uncertainty. As the business landscape continues to evolve, the risk of accounting and reporting misstatements rises, often due to the inability to respond to internal and external circumstances and adapt quickly to business changes.

Developing an internal controls framework typically starts with looking at change drivers and using them to create a modern internal controls environment with upgraded operating models, advanced technology integration, and processes that stay ahead of risk and increase value. To start, we will explore some of the internal and external challenges driving remediation and restatements in accounting and reporting, including considerations receiving attention from the SEC and AIPCA. These critical remediation and restatement drivers can then be used to build a new framework that establishes processes to monitor, implement, maintain, and optimize an internal controls program.

External factors driving remediation and restatement

Remediation and restatement drivers include external challenges or drivers such as new accounting rules; SEC and regulators; and environmental, social, and governance (ESG) reporting. Some of these external drivers were highlighted at the recent AIPCA conference and featured prominently in recent SEC comments—including SEC reporting and rulemaking, ESG matters, auditor independence, and digital assets.i ii

Data quality and the importance of modernized reporting with new technology were prominent features at the conference—emphasizing that organizations should evaluate their standards, processes, and technologies to create accurate and easily accessible reports. In addition, responding to market demand for ESG information was a key theme throughout the conference and in SEC comments. ESG is framed as the universe of topics that reflect areas of performance management around the impacts and dependencies of the business on society and the environment. Some examples of financial statement areas possibly impacted by climate change include loss and gain contingencies, income taxes, financial instruments, risk and uncertainty disclosures, and equipment.

ESG disclosure is a dynamic and interactive process that will likely have far-reaching impacts on an organization. Overlap between sustainability and financial reporting is inherent. Still, given the scope and possible market share of ESG activities, multiple possibilities of future regulatory requirements may cause uncertainty around developing a new reporting framework designed to mitigate remediation and restatements and optimize the controls environment.

Internal controls and automation opportunities

Understanding both the external and internal drivers to risk and reporting structures helps inform the structure of a new internal controls program to be more resilient, efficient, and agile through a changing risk profile. Developing the new program using a change framework that identifies what to monitor, implement, maintain, and optimize in the controls program implementation may further enable a more resilient and efficient framework.

In addition to the external challenges to remediation, addressing internal threats is also necessary when developing the new controls program. The rapid disruption from new technology and digital transformation are potential examples of prevailing internal threats that may lead to restatements and remediation. The continuously evolving controls landscape will also likely have a lasting effect on risks and controls reporting.

Developing a new internal controls process

This five-step guide to developing a new internal controls framework can be considered to help address these threats and lower the chances of accounting and reporting remediation throughout the transformation.

Automation opportunities across the reporting lifecycle

The potential benefits of using a new controls framework

Using remediation and restatement drivers to create a modern controls framework may offer benefits beyond mitigation of risks in controls reporting. Developing a framework for a changing risk profile may enhance the quality of reporting by increasing transparency and visibility into business processes with meaningful insights into managing risks. These deeper insights allow the function to refocus efforts and move away from point-in-time solutions to address issues at their root cause.

The new framework structure may also improve efficiency by enhancing the focus on risks and controls with precision testing methods that move away from the “checklist” approach. In addition, this approach may ultimately reduce the total cost of compliance by enabling the allocation of skilled resources to more strategic assignments that drive revenue or improve operations and margins.

Taking a proactive rather than reactive approach to managing the changing risk profile with a controls framework informed by meaningful insights into restatement and remediation drivers can position controllership to drive an agile and efficient internal controls program that stays ahead of a continuously evolving landscape and drive more value.

Listen to our Dbriefs webcast, Risky business: Mitigating risks and improving controls in reporting, for additional considerations, examples of misstatement drivers, and risk and controls program case studies.

End notes

i Highlights of the 2021 AICPA & CIMA Conference on Current SEC and PCAOB Developments (December 12, 2021) Retrieved from: https://dart.deloitte.com/USDART/home/publications/deloitte/heads-up/2021/aicpa-cima-conference

ii Sample Letter to Companies Regarding Climate Change Disclosures (September 2021). Retrieved from: https://www.sec.gov/corpfin/sample-letter-climate-change-disclosures

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?