Management review controls (MRCs) are critical to any organization’s internal control framework. By their nature, MRCs vary greatly, allowing management the flexibility to enact specific control processes designed to fit the needs of a unique situation that may otherwise lack control. The variable nature of these controls creates a challenge for those managers who perform and evidence the control and auditors who later test the controls. The greatest challenge is that MRCs are usually manual control processes that do not meet the requirements for automation, and front-line managers often need to remember to perform the control.
Variability in management review controls can arise due to many factors, including differences in management styles, varying interpretations of policies and procedures, uniqueness of the control environment, differences in organizational structures, and variations in the risks the controls are intended to mitigate. If not monitored, breakdowns in management review controls can negatively impact an organization by leading to inconsistency in the application of controls, undermining the effectiveness of internal controls, and resulting in misaligned priorities. This article will outline five strategies organizations can use to reduce variability and perform effective monitoring over management review controls.
Five Strategies for Variability in Management Review Controls
Organizations can take several steps to address the variability in management review controls. The following strategies have proven successful in reducing variability and monitoring the control processes:
1. Leverage Technology and Automation
Leveraging technology as a process enabler can also reduce variability and simplify management review controls. For example, using automated workflows to standardize processes, produce reminders, reduce errors, and ensure consistency can be a game changer in performing management review controls. Automating workflows in MRCs using a connected risk platform solution provides real-time visibility into control effectiveness, allowing management to identify and address issues quickly, as well as documenting an end-to-end audit trial
2. Establish a Consistent Control Framework
The first step in tackling variability in MRCs involves defining the key controls required to manage risks and ensuring that these are sufficiently documented and communicated effectively. A best practice in tackling this effort is establishing a clear and consistent control framework. The control framework should guide the organization in establishing management review controls that effectively and efficiently address the underlying risk. In turn, the framework should include guidance for management on assessing, monitoring, and documenting control effectiveness.
3. Provide Training and Support
Management review control variability can arise from managers’ knowledge, skill sets, and experience differences. Some managers are more detail-oriented and attuned to performing control activities. Training and support can standardize the understanding of policies and procedures while setting clear expectations regarding how managers should perform and document the controls. Management should monitor changes in control ownership to ensure the training is available to people with new control responsibilities. Succession planning and cross-training opportunities should be considered as people frequently change roles within the organization. This further enforces standardization and expectations of performed duties for those who may not have sufficient knowledge or understanding.
4. Foster a Culture of Collaboration
Management review controls tend to have more issues than other types of controls. Fostering a culture of collaboration can reduce variability in management review controls by allowing control owners to compare notes, and may help decrease common root causes of issues across the organization. Sharing the details of the issues (assuming these are not confidential) with other control performers will help other control performers understand potential weaknesses in their control processes. Since audit reports are rarely shared broadly within an organization, even increasing visibility with dashboards could be a major shift in communication and transparency.
5. Monitor and Evaluate Control Performance
Finally, monitoring and evaluating the performance of management review controls regularly is essential. Monitoring involves tracking key metrics, analyzing trends, and identifying areas of noncompliance. Real-time monitoring using automated workflows alerts management when they need to perform a control activity or a corrective action when necessary while continuously improving control effectiveness.
Tackling Variability to Ensure Proper Control
Tackling variability in management review controls is vital for ensuring the effectiveness of internal controls, which impacts the overall performance of an organization. Organizations may struggle with management review controls, but they can reduce variability and improve the performance of management review controls by establishing a clear and consistent control framework, providing training for control performers, fostering transparency related to control findings, leveraging technology, and monitoring control effectiveness. If you are ready to strengthen your control environment, leverage audit management software to facilitate automation, increase transparency, and facilitate monitoring in your controls compliance program.
Tim Weyant, CIA is a Manager of Product Solutions at AuditBoard. An experienced auditor and KPMG alumnus, Tim has over 11 years of professional experience, including SOX/ICFR consulting, most recently serving as an Internal Audit Manager in the credit union space. Connect with Tim on LinkedIn.