It’s time to refocus your internal control lens on risks. Not benchmarks.

Transforming from a reactive to a proactive approach

When it comes to internal control over financial reporting (ICFR) programs, looking at what your peers are doing isn’t necessarily the best strategy. Neither is trying to determine how few controls you need to have in place in order to earn a passing grade.

So where should you begin? The starting point for evaluating the sufficiency of any ICFR program needs to be with a financial statement risk assessment. A risk assessment that integrates the right people, processes, tools, and techniques can identify the relevant risks of material misstatement. This can enable a company to report with confidence the number and types of controls necessary to have an effective ICFR system.

A risk assessment should also be proactive – not simply a knee-jerk response to a key stakeholder or performed only when issues arise. World-class organizations are utilizing innovative tools and techniques for performing and monitoring the risk assessment, such as data analytics and visualization tools. Innovative activities that can also alter the organization’s risk landscape include next-gen controls, such as continuous monitoring controls and robotics solutions.

The first paper in Deloitte’s new series on ICFR takes a closer look at financial statement risk assessments and provides a risk assessment diagnostic scorecard that can be used as a guide to help get you started. The paper also discusses how organizations are applying innovation to their ICFR programs as part of the risk assessment process.