Implementing a 'SOX Lite' Entity Level Controls (or Risk and Controls Matrix) in your business
Following the Brydon Review in 2019, there is a real chance that UK listed companies could be required to implement a Sarbanes–Oxley (SOX) equivalent. As per the ICSA website, amongst the recommendations following the review, one stood out clearly in regard to internal controls:
That the Government gives serious consideration to mandating a UK Internal Controls Statement consisting of a signed attestation by the CEO and CFO to the Board that an evaluation of the effectiveness of the company’s internal controls over financial reporting has been completed and whether or not they were effective, as in SOX 302(c) and (d). This attestation should be received by the Board no later than 28 days before the accounts of the company for the relevant financial period are signed. The Board should then report to shareholders that it has received such an attestation.
Similar to finance and IT controls, entity level controls should be in place in any organisation, regardless of whether they are required by SOX; it is simply best practice. These Entity Level Key Controls exist to confirm that corporate processes, such as whistle-blower helplines and mandatory training (for example, code of conduct training), are all operating and being undertaken as expected.
To assist smaller organisations, we have compiled a base set of 10 entity level key controls, which would be expected as a minimum.
You can view an example of the Entity Level Key Controls Database (or Risk and Control Matrix), below:
You can view the free version of the database here.
Alternatively, you can purchase the database here.
Members with a paid subscription can download the template via the Members Area.
How was this list of controls built?
We considered basic Entity Level Controls that are most likely already operating in some form or another within a business. As such, depending on the size, nature, and risks applicable to your business, some of these controls may need to be adapted to be more robust. Nevertheless, these controls are a great starting point for any small or medium business.
How do we assess the risk of each control?
For each control, we need to assess the risk. Assessing the risk, in its simplest form, means considering the likelihood of the risk occurring and the impact if it did materialise. On top of this, we then need to consider the risk appetite of the business. For example, the likelihood of an event might be high but its impact considered low, because it would only result in a financial loss of, say, $100, which is below the company's loss threshold.
How do we know the controls are working?
Our database has been designed so that for each control there is a supporting control worksheet. Within this control worksheet, the auditor (or a member of the business area or other relevant function) must document the nature of the control and the process of which the control is a part. The frequency and nature of the control (i.e. Automatic or Manual) are captured in this detailed control worksheet, along with the control owner, control risk and the accounts relevant to the control.
The audit team must then map the process and embed the process flow into the control worksheet. They must then perform both design and implementation testing, with all workings documented, and complete an assessment at the end that evaluates whether the control has been designed and implemented appropriately.
The relevant business area will then perform testing on a monthly basis (or other frequency as already documented) to ensure the control is working as expected.
Internal Audit will then perform both interim and year end testing to also validate the operating effectiveness of the control.
The results from the testing performed by both the business area and Audit are summarised into the overall control register, allowing the business area to easily see their results, which can support their annual attestation regarding the controls.
For audit, the results are also summarised into the overall control register, which can be used to provide independent assurance to both the Audit Committee and Board.
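The roll-up described above (design and implementation outcome, the business area's periodic testing, and Audit's interim and year-end testing, all summarised into one register that supports the attestation) as an added illustration in Python; this is not the article's database or template, and the control names, test results and status labels are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"

@dataclass
class Control:
    """One row of the register, fed from that control's worksheet."""
    control_id: str
    name: str
    nature: str                      # "Automatic" or "Manual"
    owner: str
    expected_periods: int            # business tests due so far (e.g. 12 for monthly)
    design_effective: Optional[bool] = None          # design & implementation outcome
    business_tests: List[Result] = field(default_factory=list)
    audit_tests: Dict[str, Result] = field(default_factory=dict)  # "interim", "year_end"

def control_status(c: Control) -> str:
    """Collapse one control's worksheet results into a single register status."""
    if c.design_effective is None:
        return "D&I testing outstanding"
    if not c.design_effective:
        return "Design deficiency"
    if Result.FAIL in c.business_tests or Result.FAIL in c.audit_tests.values():
        return "Operating exception"
    if len(c.business_tests) < c.expected_periods or set(c.audit_tests) != {"interim", "year_end"}:
        return "Testing incomplete"
    return "Effective"

def register_summary(controls: List[Control]) -> dict:
    """Status per control, counts per status, and whether every control supports attestation."""
    statuses = {c.control_id: control_status(c) for c in controls}
    counts: Dict[str, int] = {}
    for s in statuses.values():
        counts[s] = counts.get(s, 0) + 1
    return {"controls": statuses, "counts": counts,
            "attestation_supported": all(s == "Effective" for s in statuses.values())}

# Constructed sample register: three hypothetical entity level controls.
SAMPLE = [
    Control("ELC-01", "Whistle-blower helpline log reviewed", "Manual", "Company Secretary", 12,
            True, [Result.PASS] * 12, {"interim": Result.PASS, "year_end": Result.PASS}),
    Control("ELC-02", "Code of conduct training completed", "Automatic", "HR Director", 1,
            True, [Result.PASS], {"interim": Result.PASS}),            # year-end audit test not yet done
    Control("ELC-03", "Delegated authority matrix approved", "Manual", "CFO", 4,
            True, [Result.PASS, Result.FAIL, Result.PASS, Result.PASS], {"interim": Result.PASS, "year_end": Result.PASS}),
]

if __name__ == "__main__":
    print(register_summary(SAMPLE))
```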
When should these controls be implemented?
If not already, they should be implemented now. Control implementation and effectiveness also evolve: as the business begins to implement controls, they will likely need to be refined and re-engineered to make sure they are appropriate and robust for the business. By implementing these controls now and refining them over the next 6 to 12 months, both the relevant business areas and Audit can work together to ensure good controls are in place and operating effectively before the UK SOX equivalent becomes a requirement.