Design a program that evolves for changing needs

Responsible individuals, even if they have not had serious health issues in recent years, still have regular medical checkups. Similarly, companies whose ICOFR programs appear to be running smoothly should still periodically evaluate the health of their ICOFR program and controls portfolio. In addition to identifying and correcting potentially unhealthy aspects of the programs or control problems before they occur, a well-designed evaluation (health check) can provide significant insights:

• Assessing the total cost of controls, including an understanding of costs that are often hidden (such as the costs to perform the control activities), may identify opportunities for cost savings and better allocation of resources. These opportunities are growing as documentation requirements, particularly around completeness and accuracy, increase.

• An effective ICOFR program assessment  may identify specific areas that are less mature than others. A common example is ICOFR program governance, where there may be disconnects between who owns the overall program, who designs the controls, who performs the controls and who tests the controls. The result is often inefficiencies and/ or omissions.
  
  
• Defining an ICOFR strategy may reduce financial reporting risks without increasing spend by helping identify a company’s most critical areas. A strong, effective financial statement risk assessment process helps establish and support the ICOFR strategy, control selection, testing approach, and other program decisions. Companies can then focus both their control performance and testing efforts on the most critical areas.
  
  
• A more strategic and focused ICOFR program  allows internal audit resources to focus more on the broader risk assessment, process improvement and value-creation audits, leading to better organizational performance.

Future papers in this series will look at these points in detail. The rest of this paper will delve into how the evolution of Sarbanes-Oxley 404 (SOX) has impacted ICOFR programs and offer insights on how to evaluate whether your company’s ICOFR program is providing value as a mature, "healthy" program should.