Internal control over financial reporting (ICFR) series

Uncover ICFR insights and guidance

In response to increased regulatory focus, our ICFR series explores the benefits of a proactive versus reactive system for internal controls to help your organization improve its ICFR program—and save costs along the way.

Part four: Refocus your 302 certification program lens

The Sarbanes-Oxley Act of 2002 (SOX), most commonly known for the annual internal control requirements of Section 404, also includes specific requirements related to the periodic financial statements within Section 302, also known as the "302 certification." When organizations initially are required to comply with Section 302, they frequently ask questions like:

  • Who should certify, beyond the certifying officers?
  • What should they certify to?
  • Who should evaluate changes reported?
  • What should the assessment for significant change for required disclosure consider?
  • What technology is available to automate the certification process?

But organizations rarely reconsider how they initially structured their 302 compliance process. And few ever ask, "Can we optimize the 302 certification process to unlock hidden value, identify organizational efficiencies, enhance quality, and lower the cost of compliance?"

Organizations that view the Section 302 requirements as a burden or a check-the-box exercise are likely missing opportunities to unlock hidden value, which may have a broader impact on a system of internal control.

Read the report to learn more about the common challenges and leading practices relative to each dimension of a 302 program—governance, people, process, technology, and tools—and how organizations can unlock value by developing a next-gen certification program.

Part three: Refocus your robotic process automation lens

Market trends are indicating near-universal adoption of robotic process automation (RPA) in the next five years, according to Deloitte’s 2017 RPA survey. Average spending among companies surveyed was $1.5 million for RPA pilots and upward of $3 million for full-scale programs. This rapid increase in market penetration and spending is contributing to the emergence of a broad ecosystem of RPA vendors and RPA solutions geared toward helping companies capitalize on automation. Part three in our ICFR series explores the effects of RPA on organizations and provides RPA financial risk and control considerations.

Enterprises are now pivoting toward automation of certain business tasks to further disrupt the workforce leverage model. Specifically, RPA may replace or enhance certain tasks previously performed by humans with bots that are cheaper, more efficient, and more reliable.

When exploring the adoption of RPA technologies, it’s important to challenge areas where the governance construct may not adequately support these changes. Companies may consider controls in the following layers across the life cycle of a bot, starting from its ideation and creation:

  • Development
  • Implementation
  • Monitoring

Read the report to learn more about RPAs, the key areas of RPA risks and controls, and the full benefits of automation.

Part two: Refocus your management review control lens

Sarbanes-Oxley (SOX) is turning 16 this upcoming July. Will it be cause for celebration? Only if some changes are made. Part two of our series will explore using management review controls (MRCs) to address these current SOX Act hitches:

  • High compliance costs
  • Outdated ICFR programs
  • A continued focus on ICFR by regulators

MRCs are the reviews conducted by management of estimates and other kinds of information for accuracy. At the core, providing management with insights on key success factors, common challenges, and examples of modernizing and renewing ICFR programs is critical. It will create a roadmap for increasing financial reporting reliability while decreasing compliance costs.

Read the report to learn more about MRCs, tools and techniques, and why having the right people in place is critical. It’s time to refocus your internal control lens. MRCs can be the success story for the upcoming year.

Part one: Refocus your risk assessment lens

The starting point to evaluate the sufficiency of an ICFR program should be with a financial statement risk assessment. The risk assessment, which includes specific financial reporting objectives and identification of risks to achieving those objectives, answers these fundamental questions:

  • Which controls are necessary to address the company's risks?
  • How many controls does the company need?
  • What is "just enough" for the company's ICFR program?

A risk assessment that integrates the right people, processes, tools, and techniques serves to identify the relevant risks of material misstatement (ROMMs). The risk assessment also includes the selection of controls and the evaluation of the design of the control in regard to the ROMM. It's through the risk assessment process that a company can report with confidence the number and types of controls necessary to have an effective ICFR system.

What can management do to refresh their lens?

Management's focus on ICFR should start with determining whether the company's risk assessment process is sufficient to identify and assess the risks to reliable financial reporting, including changes in those risks. Proactive steps management can consider include:

  • Refreshing the risk assessment program to incorporate the right people, processes, and technologies to unlock the hidden value.
  • Integrating data analytics and visualization to improve the quality of the data analyzed to support robust risk identification and report results succinctly to key stakeholders. This, in turn, can rationalize risks of material misstatement to a level of granularity to focus on what could truly be a material misstatement.
