4. Determine overlapping controls and controls that are not addressing any risks
Identify overlapping or duplicative controls across the organization, then determine which control should remain in the environment so that it provides the requisite risk mitigation with the most efficient control population.
For example, there may be one control for reconciliations of all balance sheet accounts, and then separate controls for each process dictating a reconciliation of associated accounts.
Another example concerns system balances: if System A is being reconciled to System B, System B is being reconciled to System C, and System C is being reconciled to System A, and all are currently identified as key controls, the key control between System A and System B can be removed because this reconciliation provides no additional risk mitigation (i.e., the System A to System C reconciliation provides appropriate coverage). A reconciling control to agree all balances back to the source system may reduce the number of controls required to ensure that system balances are correct.
Additionally, risks that may have historically challenged the organization may no longer be relevant. This is true, for example, when materiality thresholds change, products are phased out, or financial activities are outsourced.
5. Identify risks that are not covered
Perform a gap analysis in order to align each of your controls to the applicable risk or framework. For controls that are not currently aligned to a risk, or that are aligned to a risk that is no longer relevant, consider whether those controls continue to be relevant for testing and/or documentation.
For risks that are not covered, consider whether there is an existing control in place that effectively mitigates the risk. If not, evaluate the process that gives rise to the risk, and determine the appropriate control design.
6. Understand the key transaction points within each process, and evaluate the efficacy of controls in place
Once you’ve determined all of the key data elements, you can begin to holistically evaluate the overall control environment and understand how your processes, risks, and controls work together to create a comprehensive, effective environment. Using judgement and your understanding of each of the processes, evaluate the coverage provided by each of the controls and determine whether the control is being performed at the appropriate step of the process. If there are effective upstream controls in place, downstream controls become less relevant.
Completing the Controls Rationalization Process
Once you’ve completed the controls rationalization process for your baseline framework, you will be able to assess additional frameworks to determine which additional controls are necessary to ensure adequate coverage. By performing a controls rationalization exercise, your organization can strategically confirm the adequacy and efficiency of the control environment, which drives value across the organization.