Separation of Duty: A Case Study on the Value-add of Internal Audits

Part Four of our Control Freaks Series takes us into the world of Internal Audit and Audit Readiness assurance and examines the value that Risk Management adds to an Internal Audit process.

Organizations that choose to operate with a separation of duties culture see fewer wasted resources, fewer omissions and errors, and an overall decrease in duplication of effort.

Separation of duties (SOD) operates within a framework mandating a breakout of business functions, so that no one party has complete control over an entire process. SOD became an important mandate from investors, external regulators, and boards of directors after the government passed the Sarbanes-Oxley Act (SOX) in 2002. SOX compliance requires the CEO and CFO to sign the company's financial reporting statements each quarter to attest to the accuracy and reliability of corporate disclosures.


Organizations wanting to avoid fraudulent activity, and the potential for fraud, are increasing their investment in risk governance by adopting SOD workflows that align with SOX compliance requirements.

Organizations should break out their business processes to support ongoing internal audits, including:

  • Initiate - One who initiates the business or technical request

  • Approve - One who approves the business or technical request

  • Record - One who records the business or technical request with the various internal departments

With an SOD workflow, organizations have several checks and balances on each request to meet SOX and other compliance mandates. Many small organizations do not have the staffing to sustain this detailed a level of SOD. Many small firms instead consolidate SOD into a two-person system, split between the request and approval levels, for fraud deterrence.
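The following is an added example, not part of the original post or C1Risk's product: it runs the three-role SOD rule from the list above (and the two-person request/approval variant for small firms) over a constructed audit trail and flags the requests an internal auditor would need to look at. The trail format, request IDs and user names are assumptions made for the example.

```python
from collections import defaultdict

# The three SOD steps named in the post.
INITIATE, APPROVE, RECORD = "initiate", "approve", "record"

# Full SOD: every pair of steps must be performed by different users.
FULL_SOD = [(INITIATE, APPROVE), (INITIATE, RECORD), (APPROVE, RECORD)]
# Small-firm consolidation: only request and approval must be separated.
TWO_PERSON = [(INITIATE, APPROVE)]

# Constructed sample audit trail: (request_id, step, user). Not real data.
AUDIT_TRAIL = [
    ("REQ-1", INITIATE, "alice"), ("REQ-1", APPROVE, "bob"),   ("REQ-1", RECORD, "alice"),
    ("REQ-2", INITIATE, "carol"), ("REQ-2", APPROVE, "carol"), ("REQ-2", RECORD, "dave"),
    ("REQ-3", INITIATE, "erin"),  ("REQ-3", APPROVE, "frank"), ("REQ-3", RECORD, "grace"),
    ("REQ-4", INITIATE, "heidi"), ("REQ-4", RECORD, "ivan"),   # approval step never happened
]


def sod_violations(trail, rules=FULL_SOD):
    """Return {request_id: [finding, ...]} for every request where one user
    covered two steps the rules require to be separated, or where a step
    the rules care about has no actor at all (a control that was skipped)."""
    steps = defaultdict(lambda: defaultdict(set))  # request -> step -> {users}
    for request_id, step, user in trail:
        steps[request_id][step].add(user)

    required_steps = {step for pair in rules for step in pair}
    findings = {}
    for request_id, by_step in steps.items():
        problems = []
        for first, second in rules:
            # The same person acting in both roles defeats the control.
            for user in sorted(by_step[first] & by_step[second]):
                problems.append(f"{user} both {first} and {second}")
        for step in (INITIATE, APPROVE, RECORD):
            if step in required_steps and not by_step[step]:
                problems.append(f"no {step} actor")
        if problems:
            findings[request_id] = problems
    return findings


if __name__ == "__main__":
    for mode, rules in (("full SOD", FULL_SOD), ("two-person", TWO_PERSON)):
        print(mode, sod_violations(AUDIT_TRAIL, rules))
```

Under full SOD the trail yields findings for REQ-1, REQ-2 and REQ-4; under the two-person rule REQ-1 is clean because only initiate and approve are compared.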

Internal Audits for managing internal control objectives

Internal audits serve several roles. Audits validate whether the organization follows its business processes and internal controls. Organizations that implement enterprise risk management (ERM) need a framework that provides a consistent reporting, validation, and communication structure for all internal audits. A common framework used by organizations is the Committee of Sponsoring Organizations (COSO) internal control framework.

COSO: Risk Management Controls

The COSO framework became widely implemented by organizations to help with reporting objectives and risk identification.

COSO aligns well with this need by providing a framework for internal auditing across several areas of the organization, including cybersecurity. As more organizations deployed adaptive security controls to meet privacy and security compliance mandates, they needed an internal audit framework that aligned easily with those security compliance frameworks. A single framework lets an organization run several internal audits from the same base, reducing complexity and duplication and saving cost when validating separation of duties.

COSO supports risk management strategies and internal control processes

At the core of COSO is a well-defined framework supporting internal audit functions. Organizations that implement COSO use it to centralize and consolidate the company under one structure that shares the same guiding principles for internal audit:

  • Consistency in risk assessments across the entire organization.

  • Reporting of internal control activities into a centralized reporting system

  • If possible, eliminate separate evaluations and correct misaligned auditing strategies.

  • Mandate compliance with all information and communications reports for risk governance.

  • Define the control platform for data collection and compliance processing with reasonable assurance

  • Ensure all business operations and technical systems monitor activities relevant to risk and audit requirements to support corporate governance and business strategy.

Achieving Your Objectives

Standardizing on a single framework helps organizations meet their compliance objectives and validate their business environment, while also helping to determine the company's composite risk tolerance score.

Enabling COSO as the preferred internal auditing framework requires the following steps:

  • Plan - What parts of the organization will leverage the COSO framework?

  • Evaluate - Which business processes and technical operations, including cybersecurity, will be evaluated under the COSO framework?

  • Remediate - Identify business processes and technical controls that pose a risk to the organization.

  • Test and Report - As part of the internal audit, validate that the remediation stage is complete and report the completed tasks into the centralized risk management platform. The auditing team should also report all unresolved issues and their overall risk impact on the organization.

  • Optimize internal controls - Are the COSO internal audit controls optimized, or too complicated and costly for the organization to leverage? Can the internal controls be bypassed easily, or do they lack safeguards? Is accountability for performance measured and reported along with all the operational objectives supporting enterprise risk guidance?

  • Automate - Are there elements of the COSO framework that could be automated to optimize and streamline business and security operations auditing within the organization?

Leveraging centralized risk management to align with COSO

A vital component of a successful COSO implementation is a centralized risk management platform. Without a centralized system, departments end up with separate compliance evidence repositories, separate reporting, and separate COSO remediation workflows. Unifying the internal auditing workflow under a centralized management layer reduces the cost of COSO, eliminates duplicated data collection and reporting, and reports the organization's risk status with greater accuracy and simplicity.

See how it all works seamlessly at C1Risk

C1Risk is a fully integrated, automated SaaS platform with a full suite of GRC capabilities. Internal Audit programs, workpapers, reporting, and issue management can be quickly and efficiently established, mapped, and tracked on the platform. Track your performance and testing, resolve any issues, and be ready for external audit with complete confidence.
