Many companies are continuously working on their control baseline, which is beneficial in many respects: being in control is essential to management, it improves the basis for decision making, and it helps to avoid accounting irregularities and misappropriation of assets. The control baseline also supports service level agreements (SLAs) with shared service centers, which management appreciates. But how mature should you really be?

Many companies believe that they must keep improving their approach to internal controls, but should they really spend that much time and those resources on them?

Maturity – what is it?
There are several models that can provide the foundation for assessing a company’s maturity. The models vary greatly in scope and in the areas they cover: some address a range of areas or functions, while others target a specific task or area. Widely used models include COSO and COBIT.

COSO (The Committee of Sponsoring Organizations of the Treadway Commission) has established an internal control model that companies can use to assess their control systems. The COSO model is widely acknowledged and used for helping to improve organizational performance and governance. COSO provides guidance on enterprise risk management, internal control and fraud deterrence.

COBIT (Control Objectives for Information and Related Technology) is an IT management framework that helps businesses develop, organize and implement strategies for information management and governance.

However, the question is: Should all companies be at the top of the scale in all areas? Or should the requirements differ between, say, a pharmaceutical company and a company in the financial sector?

Companies can measure their own maturity using models like COSO and COBIT. The higher a company is on the maturity scale, the easier it is to establish a foundation for measuring that maturity. Conversely, if it is difficult to measure how mature your company is, it is probably not that mature.

How mature should you be?
Most companies are under the impression that it is desirable to reach a level where controls are documented, their design and implementation are assessed, and their operating effectiveness is tested, simply because this is a prerequisite for being able to rely on the controls, whether for management, other stakeholders or auditors. And being able to rely on the controls is essential, whatever your relation to them.

However, always keep materiality in mind! If the potential loss related to a risk is immaterial, you may be better off leaving the detailed, entity-level controls at a lower maturity level and instead carrying out monitoring controls at a corporate or consolidated level. Bear in mind that the risk of asset misappropriation is higher in some sectors, for instance in financial sector companies or in some pharmaceutical or high-tech companies.

Remember that spot checks or simple sample selection of low-level transactions can form part of your monitoring controls, and these may act as deterrent controls for those low-level entities and their employees. Not everybody needs the full control framework!

Creating a foundation for control self-assessment.  
