Organizations that use an Internal Control System for risk management typically perform four related activities:

  1. Identifying and documenting business processes
  2. Maintaining a risks and controls framework
  3. Periodically scheduling internal controls
  4. Keeping track of current and past controls and their results

Internal controls define the periodic tasks for identifying and handling risks. In an Internal Control System, each control includes additional attributes, such as:

  • Frequency – how often the control is performed, e.g. monthly or quarterly
  • Type – a classification for related controls, e.g. for Sarbanes-Oxley compliance
  • Owner – the person responsible for defining the control
  • Performer – the person responsible for performing the check
  • Reviewer – the person responsible for reviewing the result of the check

After documenting business process, managing this information is the next step in implementing active risk and control management.

Periodically scheduling internal controls

A well-managed Internal Control System defines controls and relates them to identified risks, but doesn’t do anything by itself. The benefits come from actually applying the controls.

You can use workflow automation to automatically schedule internal controls by automatically creating and assigning control tasks as described in a risks and controls framework. This automated approach makes the process more reliable and reduces the cost of scheduling.

Keeping track of control measures

An additional benefit of using workflow automation to manage control measures is that software-based reporting capabilities give managers the information they need to be effective, including:

  • Currently open control cases that identify tasks that have not been performed yet
  • Cases performed during a previous month that demonstrate compliance with procedure
  • Control cases where issues were found, which can serve as input for risk management meetings

Flexible reporting allows risk managers to choose their own feedback mechanisms. This feedback is vital input for improvements to the underlying Internal Control System and overall risk management approach.