I believe you’d be surprised at the number of organizations that do not have a fully structured approach to evaluating the effectiveness of their system of controls. Whether their approach is not formally defined and communicated, inconsistently applied and/or inefficiently managed and monitored, they are at risk of not fully understanding whether their controls are meeting their stated objectives or worse, being completely caught off guard by a critical control failure that could lead to much more serious issues. To that end, we offer the following considerations as you evaluate the effectiveness of your control testing program.
Organizations stand to benefit from building a standardized control library. Even the simplest data points you capture can become part of a very compelling story about how well (or poorly) your organization is meeting its objectives. And organizing this library in a systematic and structured way allows you to keep that critical knowledge at your fingertips and answer compelling questions at a moment’s notice.
We hear a common frustration from clients: They have internal controls distributed across their enterprise, managed by various groups and at many levels of maturity. They have processes and activities in place to help the organization manage performance, efficiency, risk and compliance. What they don’t have is a clear picture of what’s working, what’s not and who is responsible.