Tuesday, 27 February 2018

Internal Control and SOX Compliance - procedure elements for your SSC





There is no such thing as a perfect control system. Certain factors may negatively impact its effectiveness, such as staff size limitations, system configuration, human error, misunderstandings, fatigue, or stress.

The Internal Control system is intended to reduce these risks through ongoing review and validation of control design and effectiveness.

The main elements of this procedure, their frequency of execution and the responsibility for each are set out below:

Procedure Element: Financial Risk Map, Risk Evaluation
Description: Annual high-level assessment of financial reporting risks, mapped and calculated at the Company level.
Responsibility: Vice-President and General Auditor presents to the Audit and Finance Committee.

Procedure Element: Self-Assessment of Control Design and Effectiveness
Description: Ongoing preparation and update of Process Documentation. Ongoing supervision and validation of the quality of control activities. Updates as changes occur, e.g. organisational changes or system set-up.
Responsibility: Process Owners, supported by Internal Control & Compliance, especially where processes are newly brought into scope or where there are significant changes to processes.

Procedure Element: Internal Control Review
Description: Periodic walkthrough of the Process Documentation to verify the presence and proper design of controls. Any missing controls and weaknesses are identified and remediation actions agreed.
Responsibility: Internal Control & Compliance

Procedure Element: Attestation
Description: Finance Directors attest to the existence and effectiveness of internal controls over their In-scope Processes as a component of the year-end close process. This attestation is based on attestations from Process and Sub-Process Owners, which in turn rest on their Process Test of Design and Documentation, Control Test of Design and knowledge of the functioning of the process throughout the year.
Responsibility: Local CFOs attest based on Process Owners' input; Internal Control & Compliance facilitates the attestation process.

Procedure Element: Control Test of Effectiveness
Description: Testing of the operating effectiveness of controls is conducted on a sample basis. Key Controls are tested annually and Non-Key Controls on a three-year rotation.
Responsibility: Internal Audit; Internal Control & Compliance coordinates and facilitates the audit process.

Procedure Element: Deficiencies Report
Description: Weaknesses identified in controls are assigned as actions to the respective Process Owner with a target date for implementation. All Significant Deficiencies and Material Weaknesses are reported to the Audit and Finance Committee.
Responsibility: Process Owners and Internal Audit; Internal Control & Compliance is informed of the report.

Procedure Element: Corrective Actions
Description: Remediation actions are carried out in order to close the action by its due date.
Responsibility: Process Owner; Internal Control & Compliance monitors the action; Internal Audit evaluates action closure.

Procedure Element: External Audit (Exchange Act report)
Description: The External Auditor performs independent tests on internal controls. The Internal Control report is signed off by the CEO and published to the market.
Responsibility: CEO and CFO; External Auditor



Tuesday, 20 February 2018

Internal Control documentation - guide for your SSC




Internal Control documentation is owned by the Process Owner, who ensures its content is aligned with both SSC and Local Markets teams. 


The Process Owner is ultimately responsible for the ongoing preparation and update of the relevant process documentation, which includes:

· Process Maps and Narratives

· Risk and Control Matrix

· Controls Activities Procedures

Internal Control & Compliance in the SSC is the custodian of the process narratives and of the Risk and Control Matrix, which means that no change to this documentation is allowed without prior review by Internal Control & Compliance.

Process maps and narratives provide a high-level overview of the process as well as a detailed description of its risks, the associated controls and the required evidence. Risks and controls are summarised in a Risk and Control Matrix, where controls are classified as Financial Reporting (SOX) or Operational Controls, and as Key or Non-Key Controls.

The process or control documentation needs to be concise, but explicit enough to allow an employee to perform the control accurately. The optimal level of control activity documentation should include:


Sub Process - Sub-process for the Tower / Stream, which determines the Control Owner

Risks - Risk which is mitigated by the control

Control Objective - Objective that is achieved by the control

Control Reference no. - Reference ID that identifies the control in the process documents. The naming convention is a combination of Control Category, Tower and a sequential number, e.g. OAP01, OAP02

Control Activity - Detailed procedure stating who performs what, how and when, in the proper sequence, to execute the control activity. The description should clearly define all parties involved and the interconnections or dependencies between them.

Control Documentation - Type and form of documents which are used to evidence the control performance.

Upstream Dependency - Activities that are performed by the Local Markets and have a bearing on the activities performed in the SSC, e.g. reports, checks, information exchange.

Control Category (Financial/Operational/Compliance/SOD) - Financial (control is associated with a risk over the financial statements), Operational (control is associated with a risk to business operations), Compliance (control is associated with key regulations, e.g. FCPA) and SOD (control ensures segregation of duties)

Control Performance (Automated/Manual) - Automated (control is performed in the system without any manual intervention, e.g. 3-way match for invoice processing) and Manual (control is performed manually, e.g. approval of a manual journal entry (MJE))

Control Method (Preventive/Detective) - Preventive (control is performed before the process activity is completed) and Detective (control is performed after the process activity is completed)

Control Frequency - Control frequency is based on the number of times a control is performed in a calendar year, e.g. yearly, half-yearly, quarterly, monthly, daily, as & when (on occurrence)

Criticality (Key/Non Key) - Identify the control as Key / Non-Key:
Key Control - Required to provide reasonable assurance that material errors will be prevented or detected on a timely basis
Non-Key Control - Also referred to as a sub-process, secondary, activity or operative control.

SOX - Internal Control & Compliance determines whether the control is SOX or non-SOX

Control Owner - Ownership of the control needs to be clearly identified. This must be the position (role), NOT the name of the individual

Applicable Countries - Countries to which the control applies

Country Nuance - Nuance for the exception country

SOD - Specify segregation of duty to be maintained in control activity

Reference Documents - Documents / templates used in control performance

Metrics - SLA/KPI agreed to be reported applicable to the control activity

Systems / Tools - Systems and tools used for control performance 

Tuesday, 6 February 2018

SSC Internal Control Framework - set the principles


You have decided to set up a shared function, Internal Control & SOX Compliance, under your SSC. This is well worth doing, as risk and compliance has a future as a centralised function.

This is still a very niche topic, and many SSC managers prefer to keep Risk and Compliance at HQ. I fully agree with the approach that, due to its strategic importance, Risk & Compliance needs a stable and direct link to the “top” of the organisation.

Nothing stops us, though, from making it customer-oriented, efficient, integrated, collaborative and technology-driven. Risk and Compliance is a great “product” to share as a function, to deliver as a service, and to bring value in terms of standardisation to the wider business.

The below is a draft of Internal Control Framework that may be used as a set of principles.

1. INTRODUCTION

Internal Control is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.

  • A company publicly traded on the NYSE is subject to the Sarbanes-Oxley Act (“SOX”).
  • Under Section 404 of SOX, management is required to produce an "internal control report" as part of each annual Exchange Act report. The report must affirm that an adequate internal control structure and procedures for financial reporting are maintained.
  • The Company should maintain an appropriate Internal Control (“IC”) system, in line with the COSO framework.

2.  SCOPE

Internal Controls are the integral part of Company’s financial and business policies and procedures. Internal controls consist of all the measures taken by the organisation for the purpose of:

  • protecting its resources against waste, fraud, and inefficiency,
  • ensuring accuracy and reliability in accounting and operational data;
  • securing compliance with the policies of the organisation and relevant laws.
The SSC IC framework is the document that sets out the roles and responsibilities for the accurate implementation of internal controls across the services provided by the SSC.

3. ROLES AND RESPONSIBILITIES

Everyone within the organisation has some role in internal controls. The roles vary depending upon the level of responsibility and the nature of the individual's involvement. The chart of responsibilities in Internal Controls is set out below:
Audit and Finance Committee
The Committee oversees the integrity of the Company’s financial reporting process and systems of internal controls, including the integrity of the Company’s financial statements; as well as compliance with the laws and regulations.
Chief Financial Officer
The Chief Financial Officer establishes the minimum control requirements and principles that have to be adopted across the organisation.
The Chief Financial Officer delegates responsibility for internal controls and SOX compliance to the Finance Directors.
Finance Directors are expected to delegate responsibility for individual processes to named Process Owners, i.e. senior managers, usually within their own organisation or in the SSC organisation.
Process Owners
Process Owners are responsible for delivering controls compliance, making whatever resources are required available and using the support provided by Internal Control & Compliance effectively.
For complex processes that cut across organisation structures, a Process Owner may appoint Sub-Process Owners who are responsible to the Process Owner but may work in different departments/teams. The SSC may be a Sub-Process Owner.
Process and Sub-Process Owners are designated individuals who ensure that processes and controls are duly documented and kept up to date.
Finance Directors are ultimately accountable for internal controls within their financial processes. They attest to the existence and effectiveness of the controls on a quarterly basis.
SSC Internal Control & Compliance
Internal Control & Compliance is fully authorized and has unrestricted access to organization records and information when performing internal review. All employees are requested to assist the internal control activity.

Internal Control & Compliance is responsible for ensuring the successful implementation and review of the internal controls framework, and in particular will:
Implement, direct and oversee the Internal Controls Framework and compliance programmes in the SSC.
Conduct ongoing reviews of organisation controls, standard operating procedures (SOPs), and compliance with policies and regulations.
Review and appraise the soundness, effectiveness, efficiency and proper application of accounting and financial controls, compliance procedures and controls, and the timeliness of documentation generation.
Take care of the quality of the controls documentation and its timely review by the respective Process Owners; act as custodian of the process narratives, meaning that no changes can be implemented to the control procedures without Internal Control review.
Provide recommendations for control improvements and proactively seek synergy and automation opportunities.
Report progress and status of internal controls readiness to senior management, incl. Global Process Owners and Finance Directors, and Local Markets.
Coordinate activities with Internal Audit and compliance personnel, and liaise with External Auditors; support SSC teams in preparation for audit, and monitor the addressing of audit findings and control deficiencies.
Recommend and conduct mandatory employee training, and provide ongoing compliance support and advice for employees in the SSC.
Support Process Owners in the Process Test of Design and the update/archiving of Process Documentation (Process Maps and Narratives, and Risk and Control Matrix).
Internal Audit
Internal Audit is an independent function. Internal Control & Compliance is not a part of Internal Audit.
Internal Audit's role is to test control design and effectiveness. On an annual basis it assesses and reports to the Audit and Finance Committee on control effectiveness. Where a control deficiency is identified, Internal Audit classifies it as a Deficiency, Significant Deficiency or Material Weakness[1] and maintains records of control deficiencies and the associated action plans.
Internal Audit reports Significant Deficiencies and Material Weaknesses to the Audit and Finance Committee.


[1] A Deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
A Significant Deficiency is a deficiency, or a combination of deficiencies, that is less severe than a Material Weakness yet important enough to merit attention by those responsible for oversight of the Company's financial reporting; on its own it does not change the audit opinion.
A Material Weakness exists when there is a reasonable possibility that a material misstatement of the Company's annual or interim financial statements will not be prevented or detected on a timely basis.