Summary

Internal Control is a process designed to provide reasonable assurance regarding achievement of objectives in the following areas:

  • Effective operations
  • Reliability of financial reporting
  • Compliance with laws and regulations

Especially in large and distributed organizations, it is crucial to get an overview of whether internal controls are being applied properly. Furthermore, it is important to have an audit-proof framework that shows who submitted which controls at what time. For this purpose, an internal control checklist is often established. Different persons are responsible for different internal control areas inside an organization. These persons receive a questionnaire on a regular basis, in which they state which controls have (or have not) been met. All answers are then collected and consolidated by a central unit in order to get an overview of which areas face the biggest risks.

What to collect?

What to collect depends very much on the type of business. Banks will have completely different internal controls than manufacturing companies or retailers.

For this use case, a few typical internal control checks for back office processes are used, which can be applied to almost all industries. However, they can of course be adjusted or extended to fit individual needs.

The following four areas of internal controls will be covered:

  • Segregation of Duties (COO)
  • Physical Controls (IT)
  • Business Continuity (COO)
  • Transaction and activity reviews (Accounting, HR)

Each area will consist of a few questions which can be answered with yes / no / not applicable. A comment can be entered as well, in case a “no” needs to be explained.

Each person is responsible for different areas and therefore needs to answer different checks. The assumption is that the information on internal controls will be collected once a year.

How to build?

In order to collect the data for this example on a yearly basis, a new collection needs to be created and configured. The reporting interval needs to be set to “yearly”, as this is the desired interval.

Define Reporting Interval

In order to collect data, a Matrix widget will be used. Its rows contain the questions, grouped by area, and its columns contain check-boxes for each question. Moreover, a comment can be entered for each row.

Define View of Questions

Because each area can be assigned to a different responsible person, the areas are defined as reporting units. Therefore, the required questions need to be mapped to one specific area.

Configure Mappings

When editing a combination, individual mappings can be activated via the context menu.

Manage Mappings

In addition, the reporting unit needs to be configured. As data is collected from multiple entities, and single persons are responsible for certain areas in those entities, the reporting unit will be two-dimensional. One dimension will be the location itself, the other the respective areas. Consequently, the configuration of the reporting unit will look as follows:

Manage Reporting Unit

In this example, each region needs to report all four internal control areas and each area can have a separate responsible person submitting the answers.

How it looks for your users

The only thing the receiver needs to do is open the link and fill in the required information before submitting the data.

Entry view for a user permitted to submit two areas

The central unit can watch the submissions coming in and can start analyzing the data immediately with their preferred analysis tool (e.g. Power BI, Tableau, Excel etc.).