Insights - MetricStream
Home > Insights > SOx Compliance

Make Internal Controls a part of your organizational DNA

In the past, internal control was perceived as an arena reserved for accountants and controllers. Today chief executives and audit committees are required to confirm that an appropriate control environment exists and are charged with remaining in control of that environment. Much of the internal control focus today is on one aspect - internal controls over financial reporting for Sarbanes-Oxley 404.

Most companies have hired external consultants and allocated internal resources to document, test and upgrade internal controls to get a passing grade on their SOx compliance. However, without a cultural change and appropriate investments in technology that automates the documentation, assessment, remediation and change control process, an organization would need to allocate the same amount of resources year after year to be compliant with SOx 404. Organizations need to make the focus on internal controls, a part of their organizational DNA, if they want to reduce their cost of compliance.

Here is a checklist to ensure that internal controls are a key part of an organization's DNA:

  • Do senior and line management executives demonstrate that they accept responsibility for internal controls rather than just delegate the responsibility to financial and audit staff?

  • Does Management routinely monitor controls while running the operations of the organization?

  • Does management clearly assign responsibilities for training and for monitoring of internal controls?

  • Are periodic, systematic evaluations of control systems conducted and documented?

  • Are such evaluations carried out by personnel with appropriate responsibilities, business experience and knowledge of the organization's affairs?

  • Is the criteria used to evaluate controls detailed and specific to the process, as well as comprehensive?

  • Are control deficiencies reported to upper management and corrected on a timely basis?

  • Are appropriate controls built in as new processes and systems are designed and brought on stream?