Finance Key Controls.


4 Feb 21

My Audit Spot


Implementing a ‘SOX Lite’ Finance Key Controls (or Risk and Controls Matrix) in your business

Following the Brydon Review in 2019, there is a real chance that UK listed companies could be required to implement a Sarbanes–Oxley (SOX) equivalent. As per the ICSA website, amongst the recommendations following the review, there was a clear standout with regard to internal controls: “That the Government gives serious consideration to mandating a UK Internal Controls Statement consisting of a signed attestation by the CEO and CFO to the Board that an evaluation of the effectiveness of the company’s internal controls over financial reporting has been completed and whether or not they were effective, as in SOX 302(c) and (d). This attestation should be received by the Board no later than 28 days before the accounts of the company for the relevant financial period are signed. The Board should then report to shareholders that it has received such an attestation.”

Finance controls should be in place for any organisation, regardless of whether they are required by SOX; it's simply best practice. To assist smaller finance functions, we have compiled a base set of 30 key controls which would be expected as a minimum.


You can view an example of the Finance Key Controls Database (or Risk and Control Matrix), below:

You can view the free version of the database here.

Alternatively, you can purchase the database here.

Members with a paid subscription can download the template via the Members Area.

How was this list of controls built?

Our list of controls covers what would be considered material accounts as per the financial statements, or accounts that are material by nature (i.e. cash). These are only generic controls, and would be easily adaptable to any organisation.

How do we assess the risk of each control?

For each control, we need to assess the risk. Assessing the risk, in its simplest form, means considering the likelihood of the risk occurring and the impact if the risk did eventuate. On top of this, we then need to consider the risk appetite of the business. For example, the risk of something occurring might be high, but the impact considered low, as it will only result in a financial loss of, say, $100, which would be below the company’s loss threshold.

How do we know the controls are working?

Our database has been designed so that for each control, there is a supporting control worksheet. Within this control worksheet, the auditor (or a member of the finance team) must document the nature of the control and the process which the control is a part of. The frequency and nature of the control (i.e. Automatic or Manual) are captured in this detailed control worksheet, along with the control owner, control risk and accounts relevant to the control.


The audit team must then map the process and embed the process flow into the control worksheet. They must then perform both design and implementation testing, with all workings documented, and an assessment completed at the end which evaluates if the control has been designed and implemented appropriately.


The finance team will then perform testing on a monthly basis to ensure the control is working as expected.


Internal Audit will then perform both interim and year end testing to also validate the operating effectiveness of the control.


The results from the testing performed by both Finance and Audit are summarised into the overall control register, allowing Finance to easily see their results which can support their annual attestation regarding controls over financial reporting.


For audit, the results are also summarised into the overall control register, which can be used to provide independent assurance to both the Audit Committee and Board.

When should these controls be implemented?

If they are not already in place, they should be implemented now. Control implementation and effectiveness also evolve over time: as the Finance team begins to implement controls, they will likely need to be refined and engineered to make sure they are appropriate and robust for the business. By implementing these controls now and refining them over the next 6 to 12 months, both Finance and Audit can work together to ensure good controls are in place and operating effectively before the UK SOX equivalent becomes a requirement.


My Audit Spot can help discuss your financial key controls matrix with you. Please email us at hello@myauditspot.com if you would like to discuss further.
