SOX Compliance in a Post-COVID World
5 Signs Your Client Has Poor Control Environments
Any fan of horror movies knows that when the lights start to flicker in a secluded cabin on a lake, it's never due to the local utility company dealing with an easily fixable electrical glitch. Instead, there is either a supernatural demon at work or a tall, husky gentleman with a hockey mask and machete waiting to wreak havoc on the unknowing teenagers partying in the cabin. Suffice it to say, things rarely work out well in that cabin on the lake when lights flicker and the silence becomes deafening.
In other words, in horror movies, things always happen for a reason. The tropes emphatically state there's no such thing as coincidence and dire circumstances are always the root cause, even though the protagonist doesn't realize it until the third act of the film. Embark appreciates a good horror movie just as much as the next person and have seen our fair share of the accounting equivalents to those well-worn tropes.
The point to this meandering tone is that much like horror movies, audit procedures don't turn bad without good reason. There will always be an underlying cause that must be rooted out and corrected in order to prevent repetition in the future. In the particular case of auditors struggling to conduct a reliable and insightful audit, there are a handful of telltale signs your client lacks the proper control environments needed to conduct an effective audit.
Sign #1: Your Client Doesn't Know About Their Own Controls
When auditors ask for a review of controls and the process owners immediately look like a deer caught in headlights, it's probably safe to say those owners don't have a thorough understanding of their own controls. While you might hear them stumble for a decent excuse – either the controls stem back to the Nixon administration, are something they haven't seen before, or are new procedures that just recently changed – auditors should just assume that the process owners don't know their own control systems.
In fact, these teams might not even be aware they are completing a control but rather see it as running either a process or completing standard tasks without sufficient knowledge or understanding of the underlying purpose. Suffice to say, when this occurs, it doesn't make life easier for the auditors.
Sign #2: Internal Audit Walkthroughs Either Don’t Occur or Are Insufficient
Walkthroughs are a vital component in establishing the checks and balances needed to create a healthy and effective control environment. If walkthroughs only occur on the winter solstice of a leap year or routinely by a single person – highly suggestive of a lack of segregation of duties – walkthrough procedures are at best lacking and at worst providing the opportunity for fraudulent activity. Often, auditors find themselves having to redo the internal audit team’s walkthroughs because they weren’t detailed enough or didn’t ask the right questions. IA teams sometimes won’t ask about the systems being used or identify the IUC (information used in the control) or the controls around the IUC.
Sign #3: High Frequency of Errors in Routine Areas
Another telltale sign of poor control environments is a prevalence of errors in simple processes like regular AR and regular AP. Given the frequency of transactions taking place within these areas, they pose the highest risk to both an audit and overall organization. If even the most basic of accounting and financial functions are failing, it's a sure sign of bad controls. If these deficiencies do no get remediated quickly, they could linger on for quarters or even years.
Sign #4: Competency of the IA Team
A cursory examination of the relative health and competency of people in an internal audit group can be extremely revealing into another possible source of poor control environments. Look at the background of the controller and other important positions, check for high turnover rates, poor processes, lethargic output of tasks, poor communication, and bad morale within an IA team for obvious signs of an insufficient control environment. A strong IA team will provide support and hold the control owners accountable to their designated controls. They'll also ensure that controls are properly identified and designed.
Sign #5: Documentation Issues
Perhaps the most obvious sign is a lack of documented processes and controls. Without written documentation to provide constant direction and a much-needed touchstone for all aspects of the processes and procedures, an IA team is functionally like a boat without a rudder or nautical map. Poor documentation will inevitably cause gaps in the control environment.
For the most part, auditors have enough on their plates without poor control environments adding to their workload and frustration. Failing to establish an effective control environment is tantamount to fostering an environment inviting failure and fraud. Your fellow financial advisory professionals here at Embark implore you to be ever-vigilant for these signs and head them off at the pass before the damage threatens the stability of the entire organization.