Modernizing your internal controls programs

Lindsay Rosenfeld is a managing director with Deloitte & Touche LLP and leads Deloitte’s Governance, Risk & Controls service offerings. She helps public and private companies with SOX readiness and modernizing SOX and internal controls programs, with a focus on technology solutions and program enhancements.

Q How can companies modernize their internal controls programs?

A SOX modernization includes various activities associated with operating model optimization, program enhancements, and technology and automation. Different activities within each of these pillars may be implemented to drive a modernized approach that is tailored and most suitable to the company. A first step when considering opportunities for modernization is to revisit the regulatory requirements compared to any preconceived beliefs of what is required. Sometimes these beliefs don’t align with the actual requirements, and over time, they can begin to be accepted as facts and become roadblocks. Challenging some of these beliefs may lead to refreshed ideas and provide opportunities to develop new ways of working and drive higher-quality outcomes.

Q How are companies using technology to optimize their internal controls programs?

A Companies with the most innovative internal controls programs are leveraging technology by digitizing manual processes through the implementation of automated controls and digitized monitoring controls. They may also automate the controls testing process itself, which is accomplished through utilizing the full capabilities of existing IT systems and leveraging new systems or tools where there are gaps in existing IT infrastructure. The benefit may be a more reliable and efficient internal controls program, as well as the potential to extract valuable insights for the business. Additionally, companies can implement a governance, risk, and control (GRC) tool, which has the ability to enhance visibility and increase accountability by serving as the single source of information in all aspects of the management of their internal controls program.

Q What are the risks to an organization that adopts a “check the box” compliance mentality toward its internal controls program?

A Without a thoughtful and risk-focused internal controls program in place, companies can be lulled into a false sense of assurance. The resulting complacency can lead to inefficiencies, including the maintenance of obsolete controls. Inefficiencies can be a drain on resources and can divert efforts away from the areas that companies would rather prioritize. This may result in unexpected deficiencies, which suggests the ultimate breakdown of a control program — one that neglects to achieve reasonable assurance over the operating effectiveness of internal controls over financial reporting. SOX modernization drives higher-quality outcomes and provides a refreshed perspective.

This publication contains general information only, and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. We may be unable to provide certain non-attest services to audit clients.

Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States, and their respective affiliates.