Is your fiduciary risk management program strong? Are your controls effective? Does your first, second and third line work in concert to strengthen and improve control, or do audits create anxiety, a fear of failure, or of extra work? Most importantly do your audit results demonstrate appropriate oversight and meet regulatory expectations?
After risk has been assessed at an enterprise level, the real work begins. The control environment is the foundation on which system and internal controls are built. The audit of these controls provides internal and external stakeholders confidence that appropriate controls are in place and are effective. A successful audit requires that controls are thoughtful, specific and testable. Reliability of controls, maintainability of these controls and testability of specific control points are closely related and are essential to a solid risk management program. Control activities are the unique policies, procedures, techniques and mechanisms used by your management to validate that risks have been mitigated.
Some of the most common control activities are:
- Authorization limits and levels
- Review and approval
- Segregation of duties
- Physical security and control over assets
- Education, training and coaching
- Performance evaluation
Organizational flows do vary and are often layered with vendor outsourcing which necessitates both internal control and external control oversight. We can assist in the development and documentation of a testable control program that considers your firm’s uniqueness and leverages control work already being done by third parties. We will work with you in considering your organizational interfaces (both internal and external) and developing and documenting effective and testable control activities and ensuring they are incorporated into the following:
- Sequences and combinations of procedures
- Assignments of duties, responsibilities, and authorities
- Physical arrangement of processes
We can assist in the development and documentation of a program plan that considers both preventable and detective control activities: Preventable – Controls designed to deter the occurrence of an undesirable event. These controls involve predicting potential problems before they occur and implementing procedures to avoid them. Detective – Controls designed to mitigate events that do occur and alert management to them proactively. This allows corrective action to be taken promptly.