7 Steps to Ensure Adequate Business Controls

7 Steps to Ensure Adequate Business Controls

Business internal controls should be considered as an integral part of financial system implementation. Why? On one hand, controls generate costs to the organization. On the other hand, a lack of controls may also result in substantial tangible and intangible costs.

 

It is essential to ensure that adequate controls are implemented, sustained, evaluated and even subject to continuous improvements following their implementation. We have designed an approach inspired by the CoSO (Committee of Sponsoring Organizations) methodology. This approach integrates the following three axes: process, risks, controls.

 

How will you the application risks of a solution thanks to internal control?

 

Business internal controls vs application risks: PlanAxion’s approach

The next lines will explain to you our approach to decrease application risks of a solution using internal controls. Following these steps will help you maximize your new business solution. It will also make its implementation easier.

 

1 – Identify the business processes included in the implementation (scope).

 

2 – Determine the required control objectives, such as :

  • Availability of the information;
  • The integrity of the information;
  • Confidentiality of the information;
  • Safeguard of assets;
  • Compliance to norms/regulations;
  • Etc.

 

3 – Match each process to applicable control objectives.

 

4 – For each «process/control objective » match, identify potential risks. Don’t consider actual controls (i.e. inherent risk).

 

5 – For each risk identified above, determine and qualify the actual/desired controls. Controls can be assessed based on the following criteria :

  • Key / Secondary
  • Manual / Semi-automated / Automated
  • Detective / Preventive
  • Centralized / Decentralized

 

6 – Evaluate each of the risks identified. This evaluation can be calculated as follows :
Calculated Risk = Impact x Probability of Occurrence. You have to consider the evaluation of the controls in place.

 

To illustrate this approach, let’s look at the risks related to fire: On one hand, a non-smoking policy will decrease the risk of fire occurrence, without decreasing the potential damage caused by fire. On the other hand, the installation of sprinklers will not affect the probability of a fire, but decrease the value of potential damages.

 

Example of Calculated Risk :

 

7 – Shift to « Sustainability » mode

  • Implement a process to evaluate risks on a periodic basis
  • Implement a continuous control improvement process

 

By showing foresight, it is possible to reduce application risks by implementing internal controls. Our proven approach allows us to experience great success in implementing solutions (business, ERP, Oracle, etc.).


Jean-François Oligny is Program Manager at PlanAxion Solutions.
He can be reached at jean-francois.oligny@planaxion.com