Reference case

Documenting Internal Controls for Korean SOX: a pragmatic approach to overcoming resistance

24 October 2024

When taking a closer look at a company’s processes for an internal audit, resistance can be expected. But how can this be tackled efficiently so that the timeline of the project won’t be put at risk? 

This reference case gives an outlook on TriFinance’s pragmatic approach in the field of internal audit. Addressing resistance while successfully achieving compliance, is an important aspect of internal audit.

A little bump in the road

With a European turnover exceeding 300 million euros, this company operates in the industrial machinery sector, offering a broad portfolio of construction equipment. The European headquarters are located in Belgium, while the global headquarters are based in Asia. 

To mitigate their risk of financial fraud, the implementation and documentation of the Korean Sarbanes-Oxley Act (K-SOX) was obliged from the client's headquarters. An internal control framework and corresponding documentation had to be developed to implement this K-SOX legislation. 

Initially, this was done by another consulting firm, but issues soon emerged. The K-SOX internal control framework was not efficiently nor accurately handed over to the employees. People who played a crucial role in this framework did not receive any guidance on filling in documentation or how to provide evidence for the internal controls. 

Additionally, the context and importance of the K-SOX framework were not fully communicated to the teams. This created challenges in aligning the process across departments. Combined with communication from headquarters that was insufficient and at times last-minute, these factors caused delays in the delivery of internal control evidence. While there were challenges, addressing these issues is key to improving the overall compliance and efficiency of the internal control process moving forward.

Formalizing and streamlining with work instructions and manuals

Because of these fundamental issues, the client wanted to further formalize and streamline the K-SOX internal audit process. And this is where TriFinance comes into play. Documentation like work instructions and comprehensive manuals needed to be set up to support team members in gathering the right information for each internal control, but also to give future employees a solid foundation for upcoming internal audits. 

This way, it would become clear which evidence was needed, where it could be found, and how it could be retrieved. The manuals had to cover all critical aspects of the internal audit process, including risk assessment, control evaluation, and compliance verification. A manual should serve as a comprehensive reference for both internal auditors and employees, helping them understand the controls and execute their responsibilities effectively.

The need for change

Despite the clear necessity of the documentation of work instructions and comprehensive manuals for the K-SOX internal audit, the project faced two significant hurdles: on the one hand the resistance from employees to contribute, and on the other hand the challenge of maintaining discipline in the documentation process and structure.

During a project where processes and procedures are evaluated by an external party, it can be challenging to gain understanding and cooperation from employees. They may hesitate to engage in the documentation process for different reasons. Some see it as an extra burden on top of their regular workload, while others may worry that documenting processes in a detailled way could expose inefficiencies or even errors in current practices.

Comfort with the current way of working can also hinder business improvements.. "They had their way of working for several years, and when someone external interrupts this, it can be hard to accept changes," says Margot Van Kildonck, project consultant at TriFinance. "“Why is someone, who does not know this company, going to comment on my way of working?” This is a question that has to be tackled with care and vigilance," she explains. The framing of the project to the employees was crucial to emphasize the importance of their contributions. This then created some understanding about why procedures needed to change, and it also highlighted the added value the employees had to the company.

Improving K-SOX Controls

Next to the interpersonal aspect of resistance, also the technical aspect should be taken into consideration. Accurate and comprehensive documentation requires discipline and attention to detail. It can be hard to maintain this if employees do not understand the bigger picture of the framework. Again, clarifying the goal of the K-SOX internal control framework, explaining why manuals need to be provided and defining roles and responsibilities are essential.

Next to that, it was sometimes hard to receive information or get time from employees to explain internal controls. To anticipate these two difficulties, it was important to thoroughly prepare meetings with employees by looking into existing documentation and information about the respective internal controls. This facilitated asking the right and more in-depth questions so that the process could be accurately described, but also so that both existing and new issues could be identified. Showing sincere interest in people’s work was appreciated and even made sure employees were more eager to explain what and how they were executing certain processes and tasks.

Delivering a streamlined K-SOX internal audit process

To address these challenges effectively and execute the project in a successful way, it was crucial to establish good communication and ensure the right documentation, next to the in-depth preparation for the meetings. This made it easy to adjust the delivered manuals where necessary and react quickly if things didn't go as planned.

Because of co-creation between us and TriFinance, a beautiful foundation has been created for our next internal audit and compliance process

The Accounting Manager at the client

The principal deliverables for the client were work instructions and manuals for each internal control that provided the necessary steps to obtain the evidence required by the internal auditor. In total, there were 107 controls, divided into the following eight (8) categories:

  • Purchase to Pay;
  • Order to Cash;
  • Treasury;
  • Financial closing;
  • Tax management;
  • Fixed assets;
  • Inventory management;
  • Payroll and HR services.

The project also included streamlining the general K-SOX internal audit process, having a critical view on the procedures, and ensuring overall compliance of the client. Supporting this aspect of a company shows how vital compliance and accurate financial reporting is for any organization.

Along the way, the frustrations from the employees gradually diminished as it became clearer what was expected from them and how important their contributions were to general K-SOX compliance. This was made possible through effective communication with the team on one hand, and by receiving their feedback on the other. By continuously improving our way of working, we managed to deliver a streamlined K-SOX internal audit process with accurate documentation on the internal controls. This collaboration is another excellent example of TriFinance’s international reach and successful partnerships across borders.

The high-level view of processes within a company that internal audit offers, is one of a kind

Margot Van Kildonck, Project Consultant at TriFinance

Image by Freepik