Creating risk awareness and streamlined processes while improving efficiency, and overall compliance

Strengthening Internal Controls

Annual internal audits are a standard practice for any large-scale corporate organization. However, receiving a negative "Ever Red Finding" from the Corporate Audit department is neither expected nor a desired outcome. Despite the client's continuous efforts to shape their organization in line with internal controls, their clients’ needs, and regulatory requirements, critical shortcomings were still identified. This unexpected outcome highlighted the need for external support and an optimization of their Internal Control System (ICS)- the foundation of their internal audit framework.

The client has been a global player in the automotive industry since the beginning of the 20th century with headquarters located in Europe. They offer a variety of products like passenger cars, sportier vehicles, electrical vehicles and even trucks, vans and buses. But, as is widely known, the automotive industry is facing significant challenges, like declining sales, shifting customer preferences, and even supply chain disruptions. Next to these market challenges, also regulatory changes and obligatory legislation have increased the need for compliance. All these factors led to a request for support in both their Risk Department and Tax, Treasury and Invoicing (TTI) Department.

Such a global business requires compliance with legislation, as for example the US-based Sarbanes-Oxley Act of 2002. This legislation, also known as “SOX”, is mandatory for all publicly listed companies in the United States and was established to protect investors and prevent fraud, mismanagement and other accounting errors. It aims to improve the accuracy, transparency and reliability of corporate financial reporting and is crucial for corporate governance. This legislation has taken the objectification through the client’s own set up, namely the “Internal Control System” (ICS). Altogether, it covers 15 aspects of the business:

Buy Back, Compliance, Common Functions, Credit Risks, Expenditures (P2P), Financial Reporting, Incentive Pay, Inventory Management, IT, Legal, Payroll Services, Revenues (O2C), Service Contracts, Income Tax & Transfer Pricing and Treasury.

Optimizing Risk Assessment and ICS Compliance

In addition to ICS managed by the Risk Department, other risk-related tasks also required support. For example, the risk assessments, which involved estimating and documenting any risks and/or opportunities beyond the pre-calculated budget, along with appropriate countermeasures. But also, the abstracts, a checklist to ensure that processes and procedures were properly documented and up to date, for example in procurement, inventory management, sponsorships, credit management, and invoicing.

In response to the “Ever Red Finding” from the Corporate Audit department, the client sought support in their Risk Department to evaluate ICS with a critical external eye. The negative finding from the internal audit was two-sided. On the one hand, the capacity of the Risk Department was insufficient to meet the ICS quality requirements from headquarters due to a lack of allocated resources. On the other hand, the operational execution and follow-up of the ICS project was lacking quality, awareness, and understanding. Therefore, the client reached out to TriFinance not only to provide support in terms of resources, but also to ensure a smooth execution of the operational processes.

Tailored support sessions

At the start of the project, it became clear that there was a lack of knowledge and understanding of the Internal Control System (ICS) across the organization and among various stakeholders. The communication sent out for the Initial Self Assessment (ISA) between June and July 2024 was a key reflection of this gap. It was overly detailed, somewhat detached, and not always relevant for the intended recipients. The core issue was a top-down, impersonal communication style that missed the mark. The expectations and compliance requirements weren't clear, and the large amount of information in one email overwhelmed stakeholders. The underlying issue had to be addressed.

Therefore, Margot Van Kildonck suggested the idea of a physical training session with some general “Rules & Guidelines”. This created a connection between the operational personnel of the topic, who were responsible for the control execution, and the more managerial personnel who were overviewing ICS. But also creating general awareness and spreading knowledge about the ICS-topic was created via this way. Margot and her team planned this after the deadline of the Initial Self Assessment (ISA) in July 2024 and before the launch of the Final Self Assessment (FSA) in October – November 2024.

Strengthening the collaboration

In addition to the general training sessions offered to all stakeholders, Margot introduced a new concept: individual support sessions tailored to those directly responsible for executing and delivering the ICS outcomes during the Final Self Assessment (FSA) in October – November 2024. The aim was to clarify deadlines, expectations, and the effective use of documentation and templates. Given that each individual was responsible for different controls - each with its own set of supporting documents - thorough preparation was essential. In total, approximately 400 controls were distributed among 65 individuals requiring guidance. These one-on-one sessions not only helped clarify the process, but also created mutual understanding. Stakeholders gained a clearer sense of the support being provided, while their unique needs and working styles became more apparent. This approach enabled more targeted guidance, a stronger connection to the topic, and a tailored way of working that aligned with their specific responsibilities.

“Together with the client, we organised these so-called “doctor sessions,” explains Margot Van Kildonck. “Full-day on-site support in a dedicated meeting room. Colleagues were free to drop in at their convenience, which made it easier for people to ask questions and made the support more approachable and flexible. The informal moments during lunch and coffee breaks also created opportunities to connect with the team on a more personal level. This strengthened the relationships and led to smoother collaboration throughout the rest of the project.”

Not just a checkbox exercise

Besides the operational support, a check-up of the control Design Documentation (DD) and the respective Effectiveness Testing (ET) of controls was necessary to guarantee the overall quality of the output of ICS. In the past, there had been issues with incorrect or even missing documentation in the system due to insufficient knowledge about the required documentation and use of the system. When comparing the submitted documentation of the ISA in July 2024 and the documentation of the FSA in November 2024, significant improvements were visible. For controls with no documentation found during the ISA, everything was in place during the FSA. The right documentation was used, all the necessary fields were filled in, and the testing was done correctly. These positive developments were encouraging to Margot and her team, as they showed that a shift in mindset within the organization was not only possible, but happening.

This project demonstrated that a combination of pragmatic action, clear communication, and tailored support not only resolves compliance challenges but also fosters an enduring culture of risk awareness. The successful transformation within both the Risk Department and the TTI Department reinforced the principle that effective project management depends on bridging strategy and operations. A key insight emerged: compliance is not merely a checkbox exercise, but an opportunity to future-proof processes.

Photo by Freepik