You decided to set up a shared function, Internal Control & SOX compliance, under your SSC. This is absolutely worth doing, as risk and compliance has a future as a centralized function.
This is still a very niche topic, and many SSC managers prefer to keep Risk and Compliance in HQ. I totally agree with the approach that – due to its strategic importance – Risk & Compliance needs a stable and direct link to the “top” of the organization.
Nothing stops us from making it customer-oriented, efficient, integrated, collaborative and technology-driven, though. Risk and Compliance is a great “product” to be shared as a function, to act as a service and to bring value to the wider business in terms of standardization.
Below is a draft Internal Control Framework that may be used as a set of principles.
1. INTRODUCTION
Internal Control is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.
- The Company, being publicly traded on the NYSE, is subject to Sarbanes-Oxley (SOX).
- Under Section 404 of the Sarbanes-Oxley Act (“SOX”), management is required to produce an "internal control report" as part of each annual Exchange Act report. The report must affirm that an adequate internal control structure and procedures for financial reporting are maintained.
- The Company should maintain an appropriate Internal Control (“IC”) system, in line with the COSO framework.
2. SCOPE
Internal Controls are an integral part of the Company’s financial and business policies and procedures. Internal controls consist of all the measures taken by the organisation for the purpose of:
- protecting its resources against waste, fraud, and inefficiency;
- ensuring accuracy and reliability in accounting and operational data;
- securing compliance with the policies of the organisation and relevant laws.
The SSC IC framework should be the document that sets the roles and responsibilities for accurate implementation of internal controls across the services provided by the SSC.
3. ROLES AND RESPONSIBILITIES
Everyone within the organization has some role in internal controls. The roles vary depending upon the level of responsibility and the nature of involvement by the individual. The responsibilities for Internal Controls are set out below:

Audit and Finance Committee
The Committee oversees the integrity of the Company’s financial reporting process and systems of internal controls, including the integrity of the Company’s financial statements, as well as compliance with the laws and regulations.

Chief Financial Officer
The Chief Financial Officer establishes minimum control requirements and principles that have to be adopted across the organization.
The Chief Financial Officer delegates responsibility for internal controls and SOX compliance to the Finance Directors.
Finance Directors are expected to delegate responsibility for individual processes to named Process Owners, i.e. senior managers, usually within their own organisation or in the SSC organisation.

Process Owners
Process Owners are responsible for delivering controls compliance, making whatever resources are required available and utilising the support provided by Internal Control & Compliance effectively.
For complex processes that cut across organisation structures, a Process Owner may appoint Sub-Process Owners who are responsible to the Process Owner but may work in different departments/teams. The SSC may be a Sub-Process Owner.
Process and Sub-Process Owners are designated individuals who ensure that processes and controls are duly documented and kept up to date.
Finance Directors are ultimately accountable for internal controls within their financial processes. They attest to the existence and effectiveness of the controls on a quarterly basis.

SSC Internal Control & Compliance
Internal Control & Compliance is fully authorized and has unrestricted access to organization records and information when performing internal review. All employees are requested to assist the internal control activity.
Internal Control & Compliance is responsible for ensuring the successful implementation and review of the internal controls framework, especially:
- Implement, direct and oversee the Internal Controls Framework and compliance programs in the SSC.
- Conduct ongoing reviews of organization controls, operating procedures (SOPs), and compliance with policies and regulations.
- Review and appraise the soundness, effectiveness, efficiency, and proper application of accounting and financial controls, compliance procedures and controls, and the timeliness of documentation generation.
- Take care of the quality of the controls documentation and its timely review by the respective Process Owners, and act as the process narratives custodian, meaning no changes can be implemented to the control procedures without Internal Control review.
- Provide recommendations for control improvements and proactively seek synergy and automation opportunities.
- Report progress and status of internal controls readiness to senior management, incl. Global Process Owners and Finance Directors, and Local Markets.
- Coordinate activities with Internal Audit and compliance personnel, and liaise with External Auditors; support SSC teams in preparation for audit, and monitor the addressing of audit findings and control deficiencies.
- Recommend and conduct mandatory employee training, and provide ongoing compliance support and advisory for the employees in the SSC.
- Support Process Owners in the Process Test of Design and the update / archiving of Process Documentation (Process Maps and Narrative, and Risk and Control Matrix).

Internal Audit
Internal Audit is an independent function. Internal Control & Compliance is not a part of Internal Audit.
Internal Audit's role is to test controls design and effectiveness. On an annual basis it assesses and reports to the Audit and Finance Committee on the controls' effectiveness. If a control deficiency is identified, Internal Audit classifies it as a Deficiency, Significant Deficiency or Material Weakness[1] and maintains records of control deficiencies and associated action plans.
Internal Audit reports Significant and Material deficiencies to the Audit and Finance Committee.
[1] A Deficiency exists when the design or operation of a control does not allow misstatements to be prevented or detected on a timely basis.
A Significant Deficiency exists when there is a merit risk of misstatement of the company’s financials, with no impact on the company’s audit opinion.
A Material Weakness exists when there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.