Recently, I discussed risk assessment in business, its importance and how to carry it out effectively. However, once a business has completed a risk assessment and risks have been identified, a plan is required to put controls in place to mitigate these risks.
A strong control environment is vital to the long-term survival of a business.
What to do once risks have been identified?
Introduce Policies and Procedures
Design and implementation of a control system that directly addresses each of the risks identified is the first step. The control system should be appropriate for the size and nature of the entity. Some common controls include the segregation of duties, physical controls of assets, review and authorisation of transactions and payments, reconciliations and the use of technology and integrated information systems. For the operational control mechanisms to work effectively, they need to be clearly documented in a policy and procedures document.
The internal control system introduced by the business must be monitored. This monitoring includes internal audits, reviewing reports and reconciliations completed, following up on errors made and addressing any deficiencies identified. For companies that are not large enough to have an internal audit function and don't require a statutory audit due to size, there are many advantages to having an external consultant review the control system in order to safeguard the company's assets and set the tone of the organisation's overall control environment.
Communicate Policies and Procedures:
The policies and procedures documented must be clearly communicated to all employees and it is important that the employees understand their responsibilities in complying with company policy. A business can have an incredibly sophisticated control system that is undone due to poor understanding and lack of communication.
My Advice: Risk assessment and control monitoring is not a one-off exercise; it should be completed, documented and reviewed periodically, as the company and the environment in which it operates can be ever-changing.