Many organizations are currently spending valuable time on agreeing with internal and external stakeholders on a control baseline for their internal controls. Once the baseline is created, however, it is often forgotten and left to itself. Many organizations overlook the importance of maintaining and updating the control baseline so that it reflects the organization’s development, current needs and the onward strategy.
Maintaining the control baseline is crucial
Creating a control baseline is a requirement for several stakeholders including the audit department and the management. The audit department needs the control baseline to plan the audit task while the management often need it for information within monitoring and reporting. In cases where tasks within administration and production are being outsourced, the need for baseline controls increases because they can help ensure a streamlined and precise process no matter where employees are located.
Though maintaining the control baseline is important, it is often not a prioritized task. The control baseline should be evaluated continuously to ensure that the controls are still reflecting the organization’s risks and needs. Moreover, if the control baseline is not updated, it cannot serve its purpose of providing an accurate overview of the organization’s risks and needs, nor monitor the process of the onward strategy.
Inflexible control baseline in subsidiaries
Adjusting the control baseline can be a specifically difficult task when dealing with subsidiaries because many organizations are struggling with an inflexible control system where subsidiaries are locked in a specific size group. If a subsidiary’s size grows significantly, it may still be locked in the previous size group though it may need other (and more) controls due to the change in size. Other potential issues include changes in the client base or sales volume, new production sites or growth in unexpected markets.
An inflexible control system poses a line of risks: There may suddenly be too many or too few controls and they may have the wrong focus. Some controls may therefore become redundant and organizations can end up wasting precious time performing unnecessary controls. When not updating their control baseline, organizations also run the risk of missing crucial controls that can be essential for business.
Implementing a dynamic approach to the control baseline
Impero is a cloud-based compliance solution that is used in various areas to achieve compliance. In Impero, organizations can with a few clicks move an entity from one size group to another. In the individual groups, controls can be added, adjusted or altered without spending money on consultants, etc.
Impero is intuitive and can be used by everyone, as it only requires a minimum of training, and it is easy to be a control framework owner – even if you don’t have immersive IT competencies. The control performers will not notice changes in the baseline in relation to the performance of the system, or in relation to how they will work with the system. They just receive the controls so that they can perform them.