Who Owns Financial Controls?
For many, this might be an easy question to answer – financial processes and controls have long been designed and executed by the professionals dedicated to and responsible for a specific area. After all, they are the most knowledgeable about their process risks, systems, control points, etc. But it's not always that straightforward.
For U.S. public companies, the web of financial processes and controls can get a bit tangled when you overlay the Sarbanes-Oxley 404 (SOX) compliance requirement that necessitates: a compliance program management structure (led by Internal Audit or a separate financial controls department), detailed process and control documentation, control testing to support an internal opinion, control testing to support an external audit opinion, Board-level oversight and public reporting. Confusion abounds over ownership and the often-blurred lines, adding inefficiency to an already cumbersome process. In this article, we explore how to bring increased clarity to roles and responsibilities and improve ownership at the management and control owner level.
Process and Control Owner View
If you are a process owner, subject to financial controls testing in support of SOX compliance, you might have a constant stream of individuals reviewing or testing your process and controls, recommending control design changes, and requesting increased detail of control evidence. You might even start to think that these controls aren’t really yours anymore, but have been hijacked by auditors! This situation can cause a waning sense of ownership – a “going through the motions” approach that may turn down critical thinking and turn up “checking the box”, and an increasing sense that you are performing controls for the audit, and not for their primary purpose – to mitigate the risk of significant errors in the numbers and fraud.
Compliance Program Management
Too often, and with good intentions, the SOX compliance program assumes tasks that alleviate management’s responsibility for financial controls. If you are an internal SOX compliance auditor, you may have a wealth of technical knowledge and understanding to apply to the processes and controls you are auditing. Auditors don’t just look at the key control design on its own, but also consider the accuracy and completeness of the data used in the control, whether the person performing the control is independent and knowledgeable enough to perform the control, as well as the potential implications of their system access, etc. Process owners may come to lean heavily on this expertise, and in the spirit of providing value and customer service, internal SOX compliance auditors may take on responsibilities that could be construed as “ownership” by a process owner. Auditors need to be thoughtful in balancing adding value and providing great client service with the ownership message they may be sending.
Ownership Challenge
Such a multi-layer and multi-function compliance effort means it’s critical to be deliberate and transparent when it comes to roles and responsibilities. Deliberate – have a discussion with key parties and agree on who is responsible for what. Transparent – write it down and make sure it’s communicated to anyone with financial controls responsibility that intersects with SOX compliance, so they know not only their own role, but also how it fits into the overall effort.
Implications of Insufficient Management Ownership
Sure, it’s one thing to write it down and communicate it – but how do you make sure it happens? Below we provide example conditions that could indicate an insufficient level of management ownership and how you might address them through improved processes.
Obviously, every company’s compliance effort is structured a bit differently, but below we offer an example of how roles and responsibilities might be allocated among numerous parties:
Audit Committee
Provides independent governance, guidance, and oversight on system of internal controls.
Reviews and advises on significant deficiencies and material weaknesses in internal control
CEO & CFO
Responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting
Responsible for an assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting.
Management
Understand the financial statement risks within their area of responsibility and design internal controls that adequately mitigate that risk.
Document and/or review documentation of financial processes and controls and approve/accept.
Perform certain financial controls, with adequate evidence/documentation
Provide training on and monitor their employees’ performance of financial controls.
Oversee remediation of any financial control breakdowns
Control Owners
Understand the objective of the controls they are performing
Perform financial controls with adequate evidence/documentation
Remediate financial control breakdowns
Compliance Program
Manage annual compliance calendar and scheduling of program phases, coordinating with external auditors
Perform financial statement risk assessment and develop testing scope
Review and walkthrough of process and control documentation
Develop test plans and test key controls
Identify, document, communicate and track control deficiencies
Provide control remediation consultation
Review with and recommend to the CEO and CFO the annual conclusion on effectiveness of internal controls
External Audit
Perform financial statement risk assessment and develop testing scope
Review and walkthrough of process and control documentation
Develop test plans and test key controls
Identify, document and communicate control deficiencies
Issue opinion on effectiveness of internal controls
So how do you achieve these recommendations in the most efficient and effective way? Take the advice we commonly give as auditors – remediate by investing some up-front effort to 1) clearly define and communicate roles and responsibilities and 2) employ a process that leverages technology to facilitate increased ownership via proactive control owner approval, quarterly control owner review of control design and ongoing management monitoring of control performance.
For more information or advice on maximizing control ownership through communication and process, please reach out to us at info@bullpenfinancial.com or for technology at info@2020control.com