Monday, 19 June 2017

3 Levels of Defense



Does any statement below sound familiar to you?

  • You are the Internal Control team, so you are the controls owner.
  • You are the Internal Control team, so we cannot tell you what is wrong with our processes, because you will put that into the official audit report.
  • You are the Internal Controls team, so you need to tell me how to perform controls.


There is a lot of confusion and misunderstanding about how responsibilities are split between the business process owner, Internal Control and Audit.

This can be easily explained by the 3 levels of defense in the internal controls process. Here are the differences:


1) The Control Owner is the owner of the process or sub-process (e.g. the Accounts Payable Manager), and is responsible for identifying risks and control objectives, specifying controls, and effectively implementing the control activity while performing it.

2) The Internal Control team supports creating process documentation and validating its accuracy. The team also proposes new controls or changes to existing ones, and helps the wider team prepare for an audit. Internal Controls also actively searches for synergies and improvements within company processes. It is an advisor and consultant for the Control Owner.

3) Internal Audit is a function independent of both the business and Internal Control. It does not act as an advisor or consultant. Internal Audit tests control design, effectiveness and completeness of evidence. IA designs the controls methodology and tools (Chart of Controls, ICFR) and conducts audits as per the annual plan.
