Get a step-by-step approach to performing a controls rationalization exercise to increase testing efficiency and help the organization identify new and emerging risks in uncertain times.
Updating Audit Plans to Address COVID-19 Pandemic Risks
In April 2020, the Institute of Internal Auditors reported that 75% of internal audit departments surveyed had updated their audit plans to address risks related to the COVID-19 pandemic. Nearly 40% had added new audit engagements, and 40% had redirected their team’s efforts to perform non-audit work during the crisis. Many audit groups have also increased efforts related to cybersecurity, enterprise risk management, fraud, and cost control and reduction to help their organizations manage the impact of the crisis.
As we look to the months ahead, audit teams must apply efficiency to their workloads in order to manage their audit plans on shortened timelines in addition to helping the business identify and manage emerging risks related to the crisis.
“Overall, internal audit leaders are demonstrating flexibility and agility in response to the dynamic risk environment caused by COVID-19.” — The IIA, COVID-19 Impact on Internal Audit
Reevaluating your testing scope may help improve your ability to meet existing audit plan goals and timelines. Performing a controls rationalization exercise is one way to improve testing efficiency by reducing scope. Organizations frequently have overlapping controls without realizing it due to decentralization of control documentation. Control rationalization is the effort to re-evaluate the existing control environment to remove duplicate, inefficient, unnecessary, or irrelevant controls from the testing population, and to re-assess the remaining controls for design efficiency to mitigate the respective risks. This drives value across the organization by reducing testing, thus preventing team and process owner strain.
This article will break down a step by step approach to performing a controls rationalization in order to ensure that the controls that are being tested are effectively mitigating the identified risks, and that the risks that are in place are representative of those facing the organization.
How to Perform a Controls Rationalization Exercise: A Step by Step Approach
1. Identify your frameworks
List the frameworks your organization is required to comply with, or that you are focusing your rationalization activities on, to clearly understand what you are designing your environment against.
2. Determine your baseline framework
Consider which framework is most comprehensive or most critical to your organization. In performing this evaluation, consider factors such as the requisite level of testing for the regulatory bodies overseeing each framework, and the implications across the organization. The goal is to identify the framework with the most appropriate foundation. Once you determine the identified baseline framework, it will be easier to include the necessary “add-on” controls to meet the requirements of any additional frameworks you are tracking towards.
3. Evaluate and rationalize the necessary risks/framework
Reassess the process risks or framework requirements in light of changing business activities. For certain frameworks, the principles to be covered will be clearly defined, but other frameworks will require additional analysis to confirm the associated risks.
For example, for a SOX program, you will need to:
- Define financial statement materiality thresholds and identify material financial statement line items
- Determine the transaction types, or classes of transactions, that make up those financial statement line items and map out the associated processes, and
- Evaluate each the financial statement risks associated to those processes
- For each of the risks or framework elements that you are tracking controls against, undertake an effort to understand the rationale for each of the identified risks, and re-assess the relevance given the current state of your organization.
4. Determine overlapping controls and controls that are not addressing any risks
Identify overlapping or duplicative controls across the organization, then assess the appropriate control to remain in the environment that provides the requisite risk mitigation with the most efficient control population.
- For example, there may be one control for reconciliations of all balance sheet accounts, and then separate controls for each process dictating a reconciliation of associated accounts.
- Another example is in regards to system balances: if System A is being reconciled to System B, System B is being reconciled to System C, and System C is being reconciled to System A, and all are currently being identified as key controls — the key control between System A and system B can be removed as this reconciliation provides no additional risk mitigation (i.e., the System A to System C reconciliation provides appropriate coverage.) A reconciling control to agree all balances back to the source system may reduce the number of controls required to ensure that system balances are correct.
- Additionally, risks that may have historically challenged the organization may no longer be relevant. This is true, for example, when materiality thresholds change, products are phased out, or when financial activities are outsourced.
5. Identify risks that are not covered
Perform a gap analysis in order to align each of your controls to the applicable risk or framework. For controls that are not currently aligned to a risk, or that are aligned to a risk that is no longer relevant, consider whether those controls continue to be relevant for testing and/or documentation.
For risks that are not covered, consider if there is an existing control in place that effectively mitigates the risk. If not, evaluate the process that gives rise to the risk, and determine the appropriate control design.
6. Understand the key transaction points within each process, and evaluate the efficacy of controls in place
Once you’ve determined all of the key data elements, you can begin to holistically evaluate the overall control environment and understand how your processes, risks, and controls work together to create a comprehensive, effective environment. Using judgement and your understanding of each of the processes, evaluate the coverage provided for each of the controls and determine if the control is being performed at the appropriate step of the process — if there are effective upstream controls in place, downstream controls become less relevant.
Completing the Controls Rationalization Process
Once you’ve completed the controls rationalization process for your baseline framework, you will be able to assess additional frameworks to determine which additional controls are necessary to ensure adequate coverage. By performing a controls rationalization exercise, your organization can strategically confirm the adequacy and efficiency of the control environment, which drives value across the organization.