Internal Controls
The auditing of internal controls that provide assurance on the reliability of financial reporting, efficiency and effectiveness of operations and compliance with laws and regulations, should not be viewed as a part of the internal controls’ infrastructure, which includes control environment, risk assessment, information & communication, control activities, and monitoring (COSO, SOC, ISO 27001).
Process owners should guard against the temptation to wait and rely solely on the results of external audits to trigger considerations on the design and operating effectiveness of internal controls in their process.
External Audit of Internal Controls
External audits can be SOC 1 or SOC 2 engagements or they can be projects performed by the company’s Internal Audit function. These engagements are typically retrospective in their assessment and sometimes cover periods of substantial duration; for example, the past twelve months. Therefore, these engagements may be late in bringing to light items of significant consequence to the organization (SOC for Service Organizations).
Process Owner Responsibility
Process owners should instead focus attention on monitoring mechanisms in their process that are designed to assure process objectives are met and risks are addressed consistent with the organization’s risk appetite. That is, process owners should focus more on mechanisms that can detect and correct exposures instead of relying too heavily on external audits, which are meant to assess and opine to provide reasonable assurance to third-parties on the design, description, and operating effectiveness of process controls.
The good news for process owners ironically, is that external auditors can be a great resource to tap when considering internal controls design. For example, external auditors can provide valuable insight during an organization’s pursuit of an ISO 27001 information security management system development and implementation initiative (ISO 27001).
External Auditors
Although external auditors perform engagements to assess internal controls and must not perform the management function of internal controls monitoring, they, because of their garnered knowledge of internal controls, can nevertheless be a valuable resource to tap for recommendations on the design of internal control mechanisms.
Contact CompVisory with questions as we are always available to our current clients and to prospects considering engaging with us for our services.
