Internal Control from ComplianceNow is designed to make the process of internal controls focused, documented, responsive and effective.
Focused because we see that companies might have the ambition to execute controls in their organisations but lack the framework to carry them out and stay on track. The ability to Document is crucial since the IT control process is a continuous and repeatable process with layers of documentation requirements, from initial control description through to the control, approval and possible later external audit of the control.
Responsive is an important element since a lack of responsiveness is probably the most common reason for not getting the control process running or concluding it. Therefore, the framework must facilitate a responsive process through the timely delegation of controls to the right people, issuing reminders when tasks are not completed, and automatically moving the controls along for final approval. Internal Controls is not a priority task for most people in an organisation, if any, which is why this process must be as effective as possible, thus easing the workload of the involved personnel.
What is Internal Control from ComplianceNow?
Internal Control is a SAP-integrated framework supporting the documentation and execution of your company’s controls. Controls related to your SAP processes as well as controls relevant to other applications or even non-IT controls could be included in the scope. Internal Control comes with a predefined control library covering standard controls supporting Finance, Procure to Pay, Order to Cash, HR & Payroll, Basis & Security and more. The controls can be configured with a Control Executer, frequency and Approver. The pre-defined controls can easily be maintained, or you can extend the control library by defining your own controls.
Is Internal Control a challenge?
The challenges related to Internal Controls are centred around getting the job done. So why isn’t the job getting done? Today the general focus on IT Compliance is increasing rapidly and even though internal controls are not a new thing to most organisations, their scope is increasing and external auditors are calling for a process to support the requirements.
We might not all see the challenges of internal controls equally but for most companies this is either new territory or it is an area that is getting more and more attention. The topics listed below provide an overview:
- Focus on protecting business criticalities is increasing as a consequence of more legal regulation and extended internal and external audit requirements, not to mention GDPR.
- No central framework is used to document and execute controls. Controls are well hidden in Excel sheets by local control owners around the organisation.
- Executing controls is time-consuming as it is carried out continuously throughout the year, often with multiple follow-ups to the delegates who are getting the controls done.
- What is the overall control picture, what has been done, and what is outstanding? Supporting the auditor is time-consuming and in general an unsatisfying process.
Why should I focus on Internal Controls?
Defining your control framework will give your organisation confidence that relevant actions have been put in place to control the company’s assets. The actual execution of the controls will provide certainty that the controls defined are not compromised (or that they are). Finally, having a structured and documented control process will allow smoother audit processes.
Why did we build it?
In our many touch-points with companies around compliance, we experienced that companies in general have an ambition to strengthen their efforts in risk management through implementing internal controls. Some companies have documented a sub-set of controls and execute these through a manual process. This is a good start but when addressing the actual operation of internal controls, there is less room for optimism.
The efforts related to documenting, distributing and approving controls often appear inappropriate and time-consuming. Secondly, how do we get started – do we need to create our control base ourselves? With these observations in mind, it was obvious to extend ComplianceNow to deliver a platform supporting companies in accelerating the process of internal controls. This comprises a control framework including a control library to get the companies started, a workflow to deal with the distribution and approval part, and, finally, a control archive and dashboard to gather documentation, thus allowing auditors and management one-stop reviewing.
The Control Library
- Predefined Control Library
- Upload and download function
- Change log registering all changes to the individual controls
Documentation and Dashboard
- Control approval documentation log
- Control execution archive
- Download the full execution documentation PDF/Excel, e.g. for external auditors
- Link to Risk in CN Access Control
- Dashboard – visual overview of the control situation: finding, overdue, in process and executed controls
- Reporting framework and search functions
- Secure four-eyes principle with defined Administration, Approver and Executer access definition
The Control Engine
- Individual workplaces for Control Administrator, Executer and Approver
- The individual control is defined in a template describing how to execute, document and react to findings
- Individualised distribution of controls based on frequency
- Controls are delivered with a time to execute and an email reminder is sent when a control is overdue
- Workflow for interaction between Control Executer and Approver (comment box)
- Files (Excel, Word, JPG, TIFF, etc.) can be uploaded to the individual control
- "Send back to Executer for rework" control function