Taking control has long been a function of planning, design, ownership and culture. More than 30 years ago, 马克德龙, then chief internal auditor of a national bank, said, “There is no substitute for control-conscious management, and we have one.” This sentiment was echoed recently at a presentation to the Federal Reserve Bank of Chicago annual risk conference when the president of a well-known bank stated, “We expect and direct our teams to take risks every day—we make it our business to accept carefully defined and measured risk in order to profit from our deposit and credit businesses.”

Both of these leaders not only demonstrated an understanding of the importance of a balanced approach to risk and controls; their words also underscored the fundamental nature of a clearly defined risk appetite. Across today's business landscape, audit and risk management professionals emphasize the criticality of controls awareness and sensitivity, while governance has progressed from a predominantly change-control focus to a more engaging approach for owners, stewards, producers and consumers. To strengthen controls within an organization, the following seven methods should be executed:

1. Look at the end-to-end landscape.

Scoping governance is a daunting task best accomplished using management-defined risks to narrow the focus and establish priorities. While small, medium and large enterprises face similar risks across their operating, management and executive functions, the differences are typically defined by industry rather than by size. Developing management controls and governance support requires a sustained set of activities that produce timely insights into intended business risks and those that occur beyond this threshold.

2. Build the environment.

Once the risk appetite is established, appropriate measures (e.g., key risk indicators) can be adopted, along with a matrix of risks and controls. This integrated approach allows operational risks and controls to be parsed and addressed across manual processes, external services and automated systems, which is essential for change control over critical master and reference data as well as complex ERP and performance management systems.

3. Leverage technology to enable processes.

As companies continue to move toward making their business processes more digital to remain competitive, internal controls should be continually evaluated to ensure they keep pace. In addition to staying apprised of emerging risks such as new cybersecurity threats, cloud computing and automation tools, companies should employ technology both to test controls and to enhance their performance.

Organizations that have been leveraging data analytics and governance, risk and compliance (GRC) tools to evaluate full populations of data and monitor key risks are now looking to leverage these tools in all aspects of the audit cycle, including using data analytics to predict risk events before they occur. Leading-edge risk departments are also beginning to leverage automation tools to perform manual, time-intensive tasks such as testing Sarbanes-Oxley (SOX) compliance.

4. Be proactive, not reactive.

The old adage, “an ounce of prevention is worth a pound of cure,” applies perfectly to internal controls and should be instilled within the organization. Ensure that every line of defense plays its part in maintaining appropriate controls. Operational management must believe they are truly the first line of defense and treat the second and third lines as risk consultants. If the first line does its job, the work of the second line (risk management and compliance functions) and the third line (internal audit) becomes much easier and less costly.

Take data governance as an example. If an error is allowed to occur during customer setup, at the level of a single transaction, it can proliferate into hundreds of issues, which in turn can lead to thousands of hours of remediation work. Ultimately, this could cost the organization millions of dollars.

But by being proactive, companies can involve risk experts early in strategic projects, such as ERP system implementations. In this way, they serve as a consulting resource to the project team to help ensure that risks and controls are being properly considered and built into the overall strategy and design requirements, helping to avoid costly fixes and after-the-fact rework.

5. Challenge manual and time-consuming processes.

Organizations should leverage data analytics and automation wherever possible to enhance both the performance and the validation of internal controls. In addition, manual controls should be constantly challenged to determine whether they can be fully or, at least, partially automated. Knowing the lineage of a manual control is an important step in the process because, in many cases, such controls are being used for the wrong purpose.

For example, manual controls are often implemented as a temporary Band-Aid to remediate a Sarbanes-Oxley issue and then never revisited. In other cases, they continue to operate because process owners are afraid to challenge or change the control, believing that doing so will upset external auditors or regulators. However, both parties are usually open to reasonable control changes.

6. Leverage internal control experts.

It is a healthy exercise for an independent third party to review and challenge a control design, as these subject matter experts know what is required by the applicable laws and regulations and can help an organization right-size its controls. They also bring an impartial perspective on what works and what does not, which can help simplify the control environment. In addition, control advisors have knowledge of changes in laws and regulations that can help a company stay ahead of the game.

7. Focus on what matters most.

Not all risks are equal. Those responsible for designing and operating an organization’s controls should have a good perspective on risk. Without it, controls may be over-engineered or under-engineered, leaving an out-of-balance control environment; for instance, 80% of the controls concentrated on 20% of the risks.

Companies should leverage technology to manage the risk assessment process and data analytics to predict where changes may be necessary. This focus depends on a well-articulated, timely and updated risk appetite that reflects the regulatory and market environments, as well as management’s appraisal of the balance between risks and controls versus the risks required for the business to thrive.