Financial transparency and accountability are the cornerstones of modern business practices. Delve into the intricacies of Internal Controls over Financial Reporting (ICFR) and the Sarbanes-Oxley Act (SOX) with our expert-led webinar in partnership with Open Compliance and Ethics Group (OCEG).
You can now review the slide deck and watch the video replay of “Mastering ICFR and SOX Compliance in 2024: Financial Reporting for Organizational Excellence”, in which Kristina Demollari, CPA, Associate GRC Product Manager at Resolver, and Pooja Azhalavan, MBA, CPA, GRC Product Marketing Manager, take a deep dive into the precision, integrity, and compliance of financial reporting controls.
Watch the replay to gain insights on:
- Overview of ICFR: Unravel the fundamental principles of Internal Controls over Financial Reporting and its pivotal role in safeguarding the integrity of financial data.
- SOX Compliance Essentials: Gain a comprehensive understanding of the Sarbanes-Oxley Act and its impact on corporate governance and financial disclosures.
- Building Effective Controls: Explore practical strategies for designing and implementing robust internal controls that meet regulatory requirements and enhance overall organizational efficiency.
- Common Challenges and Solutions: Identify challenges organizations face in maintaining and mastering ICFR and SOX compliance, and proactive approaches to mitigate issues.
- Technology and Automation: Discover how technology and automation can be leveraged to enhance the effectiveness of internal controls and streamline compliance.
Resolver’s “Mastering ICFR and SOX Compliance in 2024” webinar is designed for:
- Finance professionals, auditors, compliance officers, and anyone involved in financial reporting. Whether you’re new to ICFR and SOX or looking to deepen your expertise, our webinar offers valuable insights and actionable strategies.
Don’t miss this opportunity to enhance your expertise in financial compliance. Click the “Play” button on the video above now to instantly watch the replay of “Mastering ICFR and SOX Compliance in 2024: Financial Reporting for Organizational Excellence”.
Webinar transcript:
Melissa Lentz:
Hello everyone, this is Melissa Lentz. I’m the Director of Education at OCEG and I’d like to welcome you to our webcast today, during which we will present, “Mastering ICFR and SOX Compliance in 2024: Financial Reporting for Organizational Excellence”. We are very glad you can join us for this insightful webinar as we delve into the intricacies of internal controls over financial reporting and the Sarbanes Oxley Act. In an era where financial transparency and accountability are paramount, understanding the nuances of these regulatory frameworks is essential for financial professionals, executives, and compliance officers alike.
Today we are joined by our speakers from Resolver, Kristina Demollari, Associate GRC Product Manager, and Pooja Azhalavan, Product Marketing Manager for GRC. Whether you’re new to these regulations or seeking to deepen your understanding, we are glad to be joined by these expert speakers as they provide valuable insights and practical guidance to navigate the complex ICFR and SOX compliance landscape.
But before we start, I’d like to take a minute to go over a few housekeeping notes. First, regarding continuing education credit, we provide NASBA-approved CPE credit for you for participation in live webinars. If you have an OCEG all-access pass, which you can purchase individually or as part of a company subscription, the all-access pass includes many benefits in addition to CPE credit for webcasts, such as access to all OCEG resources and on-demand education series. So if you don’t already have a pass, I would encourage you to check it out on the OCEG site. If you do have an all-access pass and would like a certificate of completion for CPE for this event, please stay with us for the entire hour and answer all the polls through the polling function in our webinar platform. These are requirements for receiving CPE credit for this event, and please note that certificates of completion for CPE credit are available only for live events.
They’re not available for viewing archived webinars. Additionally, if you need CPE credit only for OCEG certifications, your webinar attendance will be automatically tracked in your certification dashboard on the OCEG site, and you will not need to upload your certificates of completion for OCEG certifications. Second, regarding the recording from this webcast, we will have the recording of this event posted on the OCEG website. Just log into the site, go to the resources tab, select webinar recordings, and then this webcast. Anyone with an all-access pass may view this recording. Third, regarding our audience feedback, please feel free to submit your questions during our event today. If our presenters do not have the opportunity to respond directly during the webinar, they will be able to respond to you via email after the event.
Additionally, we value your opinions and encourage you to submit the evaluation offered after the webinar.
Fourth, regarding upcoming events and activities, please watch your email for announcements from OCEG about other upcoming webinars. You can view this information about these upcoming webcasts on the OCEG site, but before we hand over the presentation to our speakers, we’d like to offer our first poll. So again, please be sure to answer this poll by responding in the poll panel on your screen. If you are interested in receiving CPE credit for this event, please note that we will email certificates of completion for this webinar in a day or two to all participants who meet all the criteria for CPE credit.
The first poll question is, do you have an OCEG all-access pass, which is a paid membership that will enable you to receive CPE credit for this event? Your options here are: yes, I have an all-access pass that will enable me to receive a certificate of completion for this event if I attend the entire meeting and answer all the polls; or no, I do not have an all-access pass, so I understand I will not receive CPE credit for this event. As you answer this poll, I’d like to hand over the presentation to our speakers to begin our discussion today.
Pooja Azhalavan:
Awesome, thanks as always, Melissa. Good morning, afternoon, and evening to everyone; I know many of you are joining us from all over. I think there are a couple of hundred of you here today from different places and different time zones, so we truly, truly appreciate it. So, today’s webinar is all about learning about the intricacies of internal controls over financial reporting and the Sarbanes Oxley compliance and of course lots of things happening in the news across the pond in the UK, but more on that as we run through this webinar.
Alright, so before we delve into the core of our discussion, let me introduce my esteemed colleague who is going to be doing most of the talking today. Kristina Demollari is an associate GRC product manager at Resolver. She brings a wealth of experience from her roles at Brookfield Assets, EY, and other global organizations. Her expertise in the internal controls and audit space, coupled with her firsthand experience in enhancing the equivalent of a software solution and Resolver makes her an invaluable asset in our journey toward building some of the best-in-class solutions in financial reporting.
Kristina Demollari:
For sure. Thank you, Pooja and hello, everyone. I’m super excited to be here today and have a conversation about one of my personal favorite topics, which is ICFR and SOX compliance.
Pooja:
Amazing and I serve as the Product Marketing Manager for again, the GRC division at Resolver with a focus on enterprise risk compliance, and BCP audit control solutions. I’ve had the privilege of working with our customers to really understand and navigate some of the complex challenges that they faced in this space and delve into solutions that can really alleviate some of their struggles. So that’s a little intro from our end very quickly on what we plan to cover today. So first we’ll get into the very basics focused on a quick intro to the concept of ICFR. We’ll follow that with SOX and its impact on financial disclosure and corporate governance.
We’ll then explore some actual strategies to use to design and implement internal controls. And lastly, we’ll dive into the challenges to maintain compliance in these different areas of business and how and why affordable technology like Resolver is increasingly necessitated to automate and streamline much of the compliance process. And with that, over to you Kristina.
Kristina:
Amazing. As Pooja mentioned, we have a well-packed agenda and hopefully a very informative session to start with. Let’s get an understanding of what is ICFR. I know that the finance and accounting world loves acronyms, but what ICFR really means is internal controls over financial reporting. ICFR is a process consisting of policies and procedures to assess financial statement risk and provide reasonable assurance that a company prepares reliable financial statements. So if we take a step back, what is one of the reasons companies exist? It is to make a profit, and one of the reasons accounting or finance departments were created is to be able to track these profits and compile financial statements starting with bookkeeping month-end or quarter-end, analyzing annual balance sheet income statements, and cash flow statements. We really understand the power of finance departments for stakeholders to have more credibility over these financial statements.
ICFR programs were created as part of ICFR companies establishing internal control systems with policies and procedures that include segregation of duties, invoice document matching, and authorizations or approvals for proper separation of duties. The same employee isn’t handling assets like cash and recording accounting transactions for revenue, cost, assets, expenses, and other expenditures. So in short, by creating ICFR programs, we are saying let’s have a look at the procedures the finance team is completing so we can have more reassurance and credibility that our financial statements represent the reality of our organizations. Continuing this conversation, let’s go through ICFR expectations for our internal stakeholders, maybe starting with the board and audit committee, which uses the financial statements to understand the progress of the organizations and help them in the decision-making. Their ICFR expectation is to ensure that financial statements prepared by management are based on an effective ICFR framework.
For these, they approve the required budget, they go through policies and procedures associated with the ICFR and this is a continuous conversation that happens with the senior management trustee, CEO, or CFO, where they receive the required budget approvals from the board or audit committee and have the authority to implement effective ICFR practices. They play a crucial responsibility because they sign off the organization’s conformance with ICFR practices and endorse it for board or audit committee approvals. This is a legal or regulatory obligation if the organization is public, but we’ll go into those details a bit later.
I just want to pass it on to process owners. What does that exactly mean? Who are the process owners? From the name, we can say that the process owner consists of team members from the finance department such as the director of cash, the director of equity, et cetera. Process owners obtain guidance from senior management and the internal audit team in understanding financial reporting controls and their role in managing them.
Process owners exercise compliance with the organization’s internal control practices during day-to-day operations. So they’ll follow those policies and procedures that the audit committee and senior management, that tone at the top, have provided as part of their day-to-day operations, which might be month end, quarter end, and so on. Lastly, internal audit teams provide advisory support to the finance departments in the effective implementation of ICFR. They are involved in discussions with the finance team where any specific input is required on critical controls. They are the experts of documentation and as such they provide this guidance when it comes to controls and how those should get documented to help process owners, as well as tone at the top, which is senior management and board or audit committees. Now I just want to go through a new concept that has recently come up, such as ICFR teams. A common but also not-so-common practice is for organizations to have specific ICFR teams.
As we discussed earlier, finance teams are already very busy handling what they traditionally have been handling, which is financial day-to-day operations and compiling financial statements. As such, there is a risk that ICFR may not get as much attention if handled by these teams. Some companies have created ICFR core teams that lead ICFR mandate in the organization to ensure financial controls are adequately designed and operating effectively. Best practices indicate that the ICFR team should be separate in between finance and risk management to help with communication between teams and organize the documentation of each process in more detail. The ICFR core team is responsible for planning and conducting the annual risk assessment and the testing and evaluation of the design and operating effectiveness of key controls.
Pooja:
I just wanted to add a quick comment here, Kristina. I think sometimes it’s always good to sort of weave some historical context to see why something like this is so relevant even today. So I think if you jog your memory back to say the Enron scandal that happened in the 2008 financial crisis, we saw that cascading impact of having weak controls or no ICFR frameworks in place for several years even after that incident took place and it just shook investor trust and value across the board. So it’s really a stark reminder why a concept like having an independent and dedicated ICFR team is necessary and it’s not just necessary for compliance, but it is that linchpin for economic stability and, as Kristina was mentioning, organizations having this can help support. But anyway, thanks, Kristina. I’ll leave it to you to shed some more light on I think the workflow that these teams do.
Kristina:
Absolutely, and we’ll go into all of that just a couple of slides later when we dig deeper into SOX compliance, how that act got created, and the importance of it. However, I just want to put a bit more emphasis on the workflow because it’s so good to talk in theory about the ICFR teams. ICFR is important, but I believe that getting an understanding of, okay, what are their day-to-day responsibilities when it comes to the ICFR program, just can help the audience here get an understanding of the ICFR framework. We start with a strategy: companies set up an ICFR (internal controls over financial reporting) strategy to establish the policies and procedures for the internal controls. We talked on the previous slide about the board, audit committee, and senior management, which will be the ones probably responsible for assessing that strategy. Then the specific ICFR teams, finance departments, or internal audit teams sometimes will go through the process of risk assessment.
The risk assessment is done to assess key risks of material misstatement of financial statements and determine materiality. As we were explaining earlier, finance departments are already so busy; they handle financial day-to-day operations starting from normal cash transactions to mergers and acquisitions, and even though the ICFR program is important, it really cannot cover a hundred percent of the population. What does that mean? That means that to come up with the key areas, we need to identify the risk and we need to identify that through materiality. In short, we can say that we have a look at the financial statements, which might be the balance sheet in this case, and we can see that cash is one of the higher balances, and for those reasons, we will have a broader assessment of the risk of the material misstatements when it comes to the cash balances. With that, then we come up with a control selection.
Now that we have agreed that cash is an important account balance for our financial statements and we want to make sure that what we are presenting to internal or external stakeholders is accurate, then we continue with the control selection because even within that cash balance, I’m sure that there is a lot of operation that happens from the finance team as part of their responsibilities. However, we want to make sure that we assess the control environment to identify any gaps in existing controls and also to assess the control selection that has been previously done. And when I say previously done, I just want to emphasize the fact that the ICFR program, it’s continuous same way as financial statement preparation never stops because an organization will continue to have transactions. The same thing happens with an ICFR program. It clearly follows the same pattern. We have the financial year end and we’ll conclude on ICFR program at the same time.
But there is a continuation and clearly, some of the controls will not change from year to year. As part of the ICFR, we will continue to test those controls, but also, just to be a bit more prepared, we come up with a new control selection or an assessment of those controls to identify any gaps or if something has not been considered material for the upcoming year. Once we had all this work done, we came up with another acronym, which is RCM (risk and control matrix), that covers the financial risks as well as their controls to mitigate the risk. Normally testing is completed. Testing of controls includes reviewing documentation, concluding on design effectiveness, and the operating effectiveness of the controls. Internal audit teams will complete walkthroughs, which means they will sit, now probably virtually, with the director of finance and the director of cash and gain an understanding of the policies and procedures for a specific control.
Once they have gained that understanding, they will be requiring a sample of one, which is a documentation listing that proves the performance of that control in the same way as it was explained during the walkthrough. The next step is the operating effectiveness of the controls. Depending on the frequency that the control happens, which might be quarterly, it may be monthly as well, or even in a day-to-day basis. We want to have a bit more trust. We want to provide more credibility on reporting as part of the ICFR program, which means we need to test another instance or a couple more instances depending on the control frequency and the sample selections to say that yes, the control has been designed effectively, the control, it’s also operating as such during the year as part of our sample selection.
In the end, we have reporting, which means issuance of the ICFR report certification by the CEO and CFO signing on certification. It’s mostly a requirement for SOX compliance and external auditors determine if deficiencies to the extent of material weaknesses in internal controls exist. That means when we go through the issues and the issue resolution process, we go back to that materiality and do an assessment. These issues that we have found during this year, do they have a significant impact on the financial statements, or we can say that we do trust that financial statements are showing the reality of the organization?
Even though the ICFR program sounds great, we have a lot to talk about it. Being realistic, I believe we all have worked in different organizations where we may have heard about ICFR practices or probably nothing at all. On this slide, we have categorized maturity levels into three. The first one is level one, regulatory compliance, which means we’ll do it only if we have to. Organizations consider ICFR as a regulatory burden and mainly focus on compliance with regulatory compliance. ICFR exercise is considered as a cost center and the perception of minimal value addition. Moving on to level two, which is process efficiencies. Organizations take ICFR as an opportunity to bring process efficiencies through control optimization, elimination of redundant or duplicate controls, and extend control automation. For these companies, ICFR is considered as a business process re-engineering project just to eliminate duplication and introduce efficiencies.
So it’s more so to make sure that if we have some improvement in terms of our process, let’s go ahead and do it. However, my favorite one, it’s maturity level three, which is value enhancement. Organizations can focus more on controls to come up with new projects and ventures as existing controls get monitored. Putting it in other words, these companies think about ICFR and organize their processes around it, but also utilize ICFR reports for this decision-making. ICFR exercise in this case is taken as an opportunity to enhance value by introducing leading practices in the existing control environment, but also always challenging that control environment and thinking that better decisions can be taken if we put more focus on effective ICFR frameworks.
Pooja:
Awesome. So we have our second poll question of the day. We’re hoping to gauge what level of maturity of your ICFR program you experience in your organization. So option number one would be non-existent. You don’t have an ICFR program in place. Option two is you’re at maturity level one, which is regulatory compliance where you’re simply burdened with regulatory needs and you’re focused on maintaining compliance. Option three is you’re at level two, which is process efficiencies. So that’s where you’re actively leveraging ICFR and you’re using it as an opportunity to improve efficiency in your organization. Finally, you are at maturity level number three, which is certainly the best place to be value enhancement where you’re now turning your focus away from all the existing controls and existing controls monitoring and you’re doing this with the help of technology. So I’ll just give the audience a couple of seconds to fill in their answers.
Kristina:
Great. As the audience continues submitting their answers for the poll, I just want to continue with another addition to this topic, which is SOX compliance. A big reason why ICFR frameworks are getting so much attention is because of SOX compliance and as Pooja mentioned earlier, if we recall 2008 and the financial crisis with major accounting scandals such as Enron and WorldCom that tricked investors and inflated stock prices, we learned a big lesson which is we trust our finance department and senior management but would love some more accountability to ensure us that the numbers they are showing are complete and accurate. The Sarbanes-Oxley Act is a US federal law that aims to protect investors by making corporate disclosures more reliable and accurate. How can we achieve that? By having a functional ICFR program for the company, which means the organization follows that ICFR workflow.
We talked earlier about the strategy to control selection to senior management signing on ICFR certifications. The main difference between ICFR and SOX is that ICFR is required for SOX compliance by public companies to detect material errors and fraud in financial statements filed with the SEC. So yes, SOX is a requirement only for public companies, while all other companies are more than welcome to use the ICFR program to enhance their organizational excellence, to help streamline the process better. The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, issued a framework for internal controls in 1992 and 2013, which includes control environment, risk assessment, control activities, information and communications, as well as monitoring activities.
However, SOX compliance is a mandatory regulatory environment for US public companies. To conclude, we just want to add that the Canadian equivalent of SOX is 52-109 or Bill 198, which focuses on financial practices and corporate governance and it’s a regulatory requirement for Canadian public companies. Going through globalization, and mostly understanding how important SOX compliance has been in the US, there has been movement when it comes to the UK regulations. UK SOX and/or UK Corporate Governance Code is the unofficial name given to new corporate governance reforms post-Brexit. The UK’s Financial Reporting Council had initially proposed a SOX lead regime via the corporate governance code. However, now it’s planning to publish a significantly revised code in January 2024, moving away from the rigorous internal controls seen in the US. There is a lot of ambiguity in there. However, I just want to mention that UK regulations are just another step to bringing more awareness to the ICFR programs and getting an understanding of the importance of having policies, procedures, and documentation in place, especially when compiling financial statements.
SOX compliance has had a huge impact, mostly on two sides of the corporate governance as well as financial disclosures. Now that there is a mandatory requirement for the senior management to sign on ICFR reports, it gives way more credibility to those financial statements. SOX encourages a majority of independent directors on corporate boards, which gives that board independence because these financial statements are more reliable now, which will then lead to better decision-making from the board. Also, the audit committee, it’s music to their ears because this enhances the role and the responsibility of audit committees.
Now they have their team which will provide the testing completed as well as issues and remediation processes for specific controls. It also has a great impact on whistleblower protection because it protects employees who report corporate misconduct. And then, going into the financial disclosure impact, transparency is a huge one because SOX compliance requires companies to provide timely and accurate financial information. We have importance given to effective internal control systems as well as documentation to complete these internal controls. And as I mentioned earlier, this holds top executives accountable for financial reporting accuracy.
Pooja:
Sorry, I just wanted to add a very quick point before you move on, Kristina. I think things like board independence, maybe you want to go back to the previous slide, but things like board independence, whistleblower protection, they really just go above those simple legal requirements. They help to create this environment in an organization where employees start to feel a lot more empowered to take action. So they’re starting to feel secure and on the financial disclosures front, you’re now empowering the customer side. So this whole culture of integrity is being created across the board, which is pretty great to see. But yes, it’s nice to break down the key differences between ICFR and SOX in this fashion.
Kristina:
Amazing. I’m glad, and I know that we have already covered a lot of information, but what better moment than now to talk about some of the common ICFR or SOX challenges that we face based on the day-to-day operations that ICFR teams complete? Starting with resource constraints, there are limited resources in terms of personnel and technology, which can impact the testing implementation or even coming up with those issue resolution processes, and in more detail with high turnover rates, but also the complexity of the ICFR. There are challenges to knowledge transfer, which is also related to that training and awareness challenge that the organizations may not have been paying so much attention to when it comes to educating not only the finance department, not only the ICFR teams, but even senior management or the organization in total when it comes to the importance of ICFR. Scope and complexity, it’s mostly faced when organizations have diverse business operations and complex structures.
For example, mergers and acquisitions or going through big changes in their manufacturing process. Things like that would just make the changes to the ICFR existing controls more often. That brings more complexity when it comes to the scope and the risk of material misstatement and coming up with the control selections. Also, reliance on third parties: vendors can introduce additional risk to the control environment. Document management challenge, don’t even get me started on that, but as much as the finance departments are aware of proper documentation procedures, reality might look a little bit different.
So, for example, even when the Director of Finance has reviewed the budget or some other reports, there is no written documentation of this review, and that results in ICFR teams or internal audit teams struggling to validate this information, struggling to really go through that review or go through that report and assess whether the review has been completed or not. This is also related to the communication gaps, because sometimes there is no clear communication between different groups of teams, which might be between the finance team, risk team, and operation teams as it comes to the ICFR program. At last, I want to mention there are regulatory changes, such as the ones we saw earlier on potential UK SOX, where companies need to get informed on these changes, and especially when changes are so unexpected, there are teams that need to continue to get informed to comply with those regulations.
Let’s go through some practical strategies for internal controls. The first thought that comes in my mind is we should all follow that ICFR workflow, identifying risks to conduct a comprehensive risk assessment to identify potential threats to financial integrity and regulatory compliance. It should be a tone at the top, an established strong tone at the top for the leadership. To promote a culture of compliance, the team should develop and communicate a clear code of conduct that emphasizes ethical behavior, and segregation of duties. It helps to prevent a single individual from having complete control over a process if we’re talking about a cash reconciliation, then the cash analyst should prepare it and the director of cash should be the one reviewing the cash reconciliation, and hopefully, both signing on it, which will document the review process. The teams should establish effective communication channels for reporting control issues and gaps.
Communication channels normally come through emails, but also as we’ll see later, there are some great tools that the teams can use to enhance the communication channels across different teams. ICFR teams should provide regular training on internal controls and compliance for employees at all levels. And lastly, if control failures occur, which is something normal because that’s why ICFR teams exist. If things were expected to be perfect all the time, then why do we need an ICFR framework? So when identifying these issues and coming up with a resolution process, it is a whole process or I should say a whole documentation that needs to happen to show that accountability, to show that accountability between the finance department as well as the internal audit teams who have completed the testing. What happens is that once we have come up with a timeline saying that this control, which is a quarterly control, will get fixed on Q1 of 2024, then once Q1 of 24 comes around, we need to go back as internal auditors and ask for that proper documentation that ensures that the issue resolution process has been followed as required or at least as promised.
I would also love to talk, even though it might be high level, that for a complete ICFR program, attention should also be directed to the relationship between enterprise risks and ICFR. We talked so much about finance departments, but what is the role of risk teams in ICFR programs? Risk teams normally follow a top-down approach. They identify the risk universe by starting with strategic goals and objectives. Risk teams also complete key performance metrics to identify areas of improvement. But maybe talking from a personal perspective here, when I was working as an internal auditor, there was ambiguity in terms of what the risk team was completing because that top-down approach and missing the communication challenges, made it difficult for the teams to get the insight from each other. When the internal audit teams complete their ICFR programs, they will normally be following a bottom-up strategy.
They take the financial risk and identify all the components of that risk and also validate the information. In short, it is suggested that these teams communicate and share insight to create organizational excellence. An integrated ERM and internal control program provides awareness of an agency’s full risk portfolio by aligning the top-down and bottom-up perspectives on risk. So this one kind of sums up the importance of risk teams in an organization and their relation when it comes to the ICFR program because I know that most of the focus might seem to be between finance departments and risk teams and ICFR programs, but this kind of makes it more clear as to why getting that information from risk and identifying those high-risk areas. Maybe creating a risk heat map might help both teams help the risk team share the information with the internal audit, which then will focus on the specific high-risk areas.
But at the same time, the internal audit team helps the risk team because whenever they choose this area, they’ll be so focused on it, that they’ll break it down detail by detail. And not only that, but they’ll provide a report at the end. So especially the financial risk as it relates to the ICFR program, now we have so much documentation that we can provide to the risk team, which is valuable information because it’s tested and it’s credible and we have issue resolution process for areas that require improvement and the risk team now can utilize this information when creating that top-down risk universe and identifying maybe some areas of risk that previously it wasn’t as obvious.
Pooja:
Can I just say that this is one of my favorite slides because I like how this visual shows the relationship between enterprise risk and ICFR being so dynamic? You can tell that you must have those continuous monitoring processes in place so that you can, when you’re faced with risks, you’re looking at it more positively and you’re able to use it to your advantage and take a much better business decision. So you’re actually cultivating this whole concept of risk intelligence by integrating the data between your enterprise risk and your ICFR. So yeah, I just wanted to drop that comment, Kristina. And I know that there’s some amazing work that lots of technology companies are doing and similar to that Resolver ourselves where there’s much going on in the space and a lot of development on our audit tools and having enhanced ICFR through some automation that can help alleviate that continuous control monitoring.
Kristina:
Absolutely. I do think that having an audit tool can enhance this process so much. And again, maybe talking here from a personal level, if I had the Resolver app when I was working on internal audit, it would have enhanced and given me a much better experience as it comes to documenting my work as an internal auditor and having that ICFR framework really in front of my eyes to get a better understanding on it.
As we see here, technology and automation are crucial elements to even bring that maturity level that we talked about earlier to level three, which is like value enhancement because I believe by now it is clear how much technical and complex but also administrative work needs to get done by the ICFR teams. They must document everything starting from not only the strategy, not only the risk but going all the way through the reporting.
There is a lot of communication that needs to happen between the finance department and internal auditors to ensure that documentation is in place and workflow automation tools to standardize and streamline the process. It reduces manual errors, improves its efficiency, and provides a clear audit trail.
An example is provided here where we have automated workflow starting with a scope walkthrough, testing issues, and actions certifications, audit committee, dashboard management dashboard as well as manage assessments utilizing cloud platforms for centralized data storage, facilitating data access, and ensuring data integrity. It’s also important. And what does that mean? That means that as an internal auditor, I don’t need to be saving the emails or the documents that I receive through emails. So continuously and even from a manager’s perspective, I’m not the one who knows for sure that the information that is saved in this cloud-based solution, is the most updated and I don’t have to go to my staff or senior and continuously ask them, okay, is this the latest version? Can you upload the latest version?
Things like that happen more often than you think and that’s why having the cloud-based solution where both audit clients, which in this case is the finance departments and also the internal audit teams can communicate with each other. Dashboard and reporting are absolutely where we talk about compiling information. Now, if we take a step back, let’s give an example here we have the finance team, which we have identified 10 processes within the finance team, which are crucial and we’ll make a difference if errors in there are shown because it’ll indicate that financial statements that we will present to internal and external stakeholders are not accurate. So within those 10 processes for each of them, we have identified at least five controls that the internal audit team will be working on or will be testing. So 10 times five equals 50 controls.
Now we imagine the work that needs to get done for those 50 controls on the steps for both walkthroughs, which includes design effectiveness and operating effectiveness. And then I need to give a status saying whether the control has passed or failed in each of these stages or phases. And that’s why dashboard and reporting means that I’m not doing that in Excel anymore. I have this real data, I have my team which uses technology, which uses automation, and they can all work at the same time and my dashboard and my reporting tool will give me that information that I’m no longer tracking manually. I’m not going through Excel and making sure that the number of controls ties or the status ties or whether the client has provided documents. It just streamlines the process much, much, much better. But also access controls and identity management because we can, through audit trails, track the history and see what clicks have been done on each of these workflow states.
We can investigate more details and say, okay, Kristina worked on this control on this date, and now that gets tracked through a system. I don’t have to question whether it was Kristina, or it was somebody else. That gives me that identity management. It provides more accountability not only with the ICFR team but also with the finance department, the risk team, or whoever is using the software for whatever reason it’s required within the ICFR program.
Another amazing advantage that technology provides is creating document management systems and enhancing documentation with control owners through workflow automation. I know that for the people who work on internal audit, this is so amazing because what happens traditionally is that remember those 50 controls we were talking about earlier, I had to send an email or multiple emails for that specific control. I had to send emails when it came to assigning the control owner requesting the document listing for that sample of one, requesting a meeting for the walkthrough, and then requesting additional documents for operating effectiveness when the control continues to frequently be performed. So all that work used to get done on individual emails especially when it comes even to knowledge sharing. If my staff internal auditor left throughout the meet through the year, then someone had to go through his entire email list and make sure that the documentation was saved or that there were things that needed to be followed up.
Now with software such as Resolver’s, we have these document requests completed so easily through the platform, which means here I create and prepare the document request to send to the audit client. Email notification gets sent automatically that the finance department team member, which might be the director of finance, not only receives the emails saying that Kristina has created this request for you through the Resolver platform, but they have access to the platform and they can go in there and they can upload the documents we requested or they can also add comments if they had any comments as it relates to a specific document request or even for the control in general.
What does that mean? That means that now the entire information is saved through the software by using the technology and even if the staff or even if there is a high turnover rate within my department at least it gives me some more insight in terms of the information being saved properly and organized automatically for the various controls that I’m testing. I know that I said 50 controls, but for one of the banks that I worked for, we had 800 controls. So you can only imagine the importance of having a document request organized this way and the value that it brings for that organizational excellence through ICFR programs.
Pooja:
Awesome. So I think we can wrap this up with our final poll of the day. Which of the following automation advantages that Kristina just mentioned do you consider the most impactful to enhance ICFR initiatives at your organization?
Are you looking for a cloud-based solution dashboard or reporting tools? Of course, there’s a lot of pressure to report to the board and provide critical insights. So that could be one of your important factors. Having a document management system, I can bet Kristina, that’s your choice and automated workflow management. Just give it a few more seconds. Awesome. Alright, so maybe we could take a couple of questions. Hopefully, we have a few minutes. Awesome. Okay, so I’m looking at the chat. We have a question, is there a risk for potential reduction in human judgment and intuition if ICFR teams are using these automation tools?
Kristina:
Wow. That’s a good question and it kind of aligns perfectly with the fact that we were just talking about automation. Is there a risk when it comes to human judgment? I feel like this question more comes with now talking about AI integrations and specifically I didn’t mention that when it comes to our Resolver’s platform, but also automation in general. Just because based on my personal experience, ICFR teams, or internal audit teams, they are very traditional teams at least so far, which means that their role is to use that human judgment; their role is to receive those documents and ensure that that documentation is accurate and it’s complete. And we have all sorts of information that ties in between an invoice and a general ledger. So my answer to that would be probably no, just because these automation tools, at least for now are used mostly to streamline the process, mostly to, because they are so complex in terms of the steps of that ICFR workflow, the goal of the audit tools has been to streamline the process and especially to have a repository library where all the different teams can organize the information, can collaborate and can reduce those communication gaps.
But if we talk later, maybe in two years, three years, or four years from now, it’ll be an interesting topic to discuss when we have more insight into AI and how AI can enhance all the tools. But also where is that fine line? Because at the end of the day, we cannot give senior management reports generated from AI and say, okay, here you have that information, which there is no human judgment on it, but we believe it aligns with our financial statements. So that seems like an odd concept, at least in a very traditional CPA world. So probably the answer would be no, but you never know.
Pooja:
Definitely can speculate quite a bit on that one. All right, so go to the next question. What are the key differences between internal auditors and external auditors as it relates to the ICFR program and how can internal audits complement external audit processes for ICFR?
Kristina:
Absolutely. Starting with the fact that I know that I didn’t mention the external auditors on this webinar much just because I didn’t want to confuse the audience, but the work that external auditors complete relates, and it doesn’t relate to the ICFR when the teams or when finance departments have a strong internal controls environment, whenever, for example, if they have SOX compliance for public companies, that means that probably they’ll have a strong ICFR program and they can present this information to external auditors, which means those reports, those findings, those issue resolution process, they give that status to the external auditors saying that we know that our internal controls are strong and the external auditors can use that information.
But the report that the external auditors come up with, it’s something completely different because that is an opinion which is from a third party, which is hopefully completely independent from the organization. And yes, the work that gets done by the ICFR team can have a significant value added to the external auditor report because now what happens is that the external auditors will receive the information and they will write on their report that they have assessed the ICFR program and whether they align with that controlled environment the company has or not. So they’re related to each other. Absolutely. However, it’s more specific when we talk about SOX compliance and public companies.
Pooja:
Right? Definitely. No world exists where the internal and external auditors are not speaking to each other. Alright, so I think we’re on top of time. I just want to take an opportunity to share to thank everybody who attended today and I’d like to pass it over back to Melissa.
Melissa:
Great, thank you, Pooja. I’d like to thank both Kristina and Pooja for joining us today to provide valuable insights and practical guidance to navigate this complex landscape of ICFR and SOX compliance. And to our audience, we’d love to have you join us for other upcoming OCEG webinars. Please watch out for emails from OCEG regarding these future events. This concludes our webcast today. Thank you so much for joining us, everyone.