Question time with Paul Wood: ‘Well maintained and effective control suites’ ✍

How can firms better demonstrate to the auditor that their control suite is well maintained and most importantly effective?

This can be best answered across a number of key points.

Ownership

To ensure such frameworks are well maintained and kept up to date, it’s crucial for all control owners and risk managers to adopt the firm’s approach from the outset and be directly responsible for the content. More often than not, such frameworks are significant in size, and complexity and span multiple teams, business units, and sometimes even separate entities under a larger group structure.

By establishing ownership at the point of becoming active, a control and process that is subject to continuous review and challenge and therefore be subject to update, is more likely to be accurate. When reinforced with regular attestations, firms can quickly evidence a continuous process of care and maintenance across such frameworks. Subsequently, these attestations can be used to evidence to auditors the degree to which such frameworks are cared for.

Documented proof

It’s essential for firms to maintain comprehensive documentation of control procedures, including policies, standards, and guidelines. Risk and compliance teams must ensure that these documents are up-to-date and easily accessible to auditors. Furthermore, audit engagements that require controls effectiveness testing and substantive testing, rely upon easy-to-access and understood data, information, and documents that can range from underlying data, reports and system-generated information to third-party transactional data and third-party contractual terms. Firms must consider the most effective way of maintaining such proof, ensuring no gaps or omissions, whilst also ensuring it’s readily accessible. For high-frequency processes, such as completed regulatory reconciliations, the evidential burden is higher to ensure a firm has the complete suite of supporting documents to evidence the performance of the process and the confirmation of end controls.

Horizon Scanning

Regulated firms are subject to significant regulatory exposure and must therefore consider the most efficient way to ensure its obligation management is kept current at all times. Where possible firms should consider leveraging technology to support its review and update of internal policies and procedures to align with changes in regulations, industry standards, and best practices.

Internal Control Testing

Firms should consider performing regular testing of controls to ensure their ongoing effectiveness. This may include walkthroughs, simulations, or substantive testing of control activities. Document the testing procedures, results, and any remediation actions taken to address control deficiencies, should be considered as part of this process.

Want to know more?

If you’d like to know how Grath’s technology can help you with an effective and well maintained control suite, then we’d love to talk.

Get in touch with us at Grath | Reinventing Regulatory Compliance