It's a coming of age for internal controls. Programs once designed to stay compliant with financial reporting laws are now maturing to protect organizations from critical enterprise risks. Many organizations have also evolved "how" they assess internal controls over financial reporting as well. It's a stark evolution from the early days of Sarbanes-Oxley (SOX) and a shift that's changing the landscape for audit committees.
Until recent years, organizations have approached "internal controls" from a SOX compliance perspective; that is, dedicating a lion's share of their focus on controls over financial reporting. This stemmed from the introduction of new and expanded financial reporting requirements in 2002 following a number of public corporate scandals.
Now, 15 years later, organizations are seeking to extract more value from their internal controls programs by streamlining effort and adopting new technological efficiencies. Some have expanded their internal control programs beyond financial reporting risks and re-examined internal controls through an enterprise and operational risk lens.
In short, the focus is evolving; and the resulting challenges (and opportunities) are requiring audit committees to consider technologies, reporting processes, and risks beyond their conventional financial scope. As advancements in robotic process automation, artificial intelligence, and data analytics continue to re-shape control environments, audit committees are becoming fluent in the new tools of their trade. As organizational silos give way to centralized structures, they are increasing their awareness around internal controls related to all manner of risks, from cyber to fraud and beyond.
Cost-saving pressures are also influencing audit committees' approaches to internal controls. More and more organizations are leaning on all departments to extract greater value from their SOX programs. As such, audit committees are among those being asked to streamline their approach while maintaining the integrity – and budget – of the organization.
All told, it's a new day for internal controls. And as organizations embrace new approaches to traditional programs, it falls on audit committees to become familiar with their new landscape and move beyond their SOX foundations.