
How to design a compliance-focused control environment

Reading time: 12 minutes

Mikkel Harloff-Helleberg

Partner

08. January 2025

In an era of increasing regulatory complexity, an effective control environment is essential. This article guides you through the design of a control environment that helps your business manage key finance-related regulatory requirements in accounting and taxation. 

Establishing an effective control environment is a complex task. This is due to increasing regulatory complexity – with rules becoming more extensive and intricate – as well as changes in business activities driven by factors such as competitive pressures, geopolitics, and macroeconomic conditions, which reshape the company’s compliance landscape.

You may be familiar with the challenge of continuously updating the control environment to effectively address a changing risk landscape; new risks emerge, others disappear, and the relative significance of current risks shifts. This challenge is further compounded by the fact that your organisation also evolves regularly. All of this means that control tasks must be closely monitored to ensure they are carried out by the right employees, with the necessary competencies and within a cost-effective organisation of roles and responsibilities. 

When we talk about risks, they can broadly be defined as the circumstances and conditions that threaten the achievement of the company’s established objectives, whether they are operational, reporting or compliance-related. Many risks are general, while some can be highly industry-specific, driven either by business activities or regulatory conditions. 

In this article, you will gain insights into finance-related compliance risks – particularly those related to accounting and taxation – and how you can manage them through an effective control environment.  

It is a topic that demands immense focus and diligence. Failure to comply with legal requirements in your finance department can result in resource-intensive corrections, the need for costly advisory assistance and damage to your company’s reputation.  

Figure: Financial Controlling & Compliance circle

Financial Controlling & Compliance framework 

The figure illustrates that financial controlling forms the foundation for the finance function’s responsibilities in reporting and compliance, which consist of a range of core tasks. To achieve a high level of quality and efficiency, these must be tailored to the company’s specific circumstances as well as the framework conditions shown in the outer ring of the circle. 

In the figure, we have highlighted the area of Control Environment. This is because these are precisely the tasks you can learn more about in this article. 

Basico can provide advice and assistance in all areas of the model. 

Understand the company's activities and compliance landscape  

A prerequisite for designing an effective control environment is a deep understanding of the company's business activities – both commercial and internal. It is important to analyse activities at the entity level, as the legal requirements entities are subject to vary depending on their jurisdiction. Intra-group transactions and dealings with related parties are also subject to regulatory requirements. Another key consideration is that risks must be defined as precisely as practicable to avoid implementing unnecessary controls. For example, specific risks associated with a customer or product segment should not influence other revenue segments that have a different risk profile.

Once all the company’s activities have been mapped, you can begin identifying the relevant legal requirements. The challenge here is often twofold: you need to know the regulations to ask the right questions within the "business," and conversely, you need to understand the activities to determine which regulations are relevant to address.

This process often becomes iterative. First, you map the activities at a high level, then explore the relevant legislation with curiosity about the "border areas." With greater regulatory insight, you revisit your understanding of the activities to grasp the finer details. Depending on whether you are operating in a grey area – for example, where conclusions require support from case law or other inputs for rule interpretation – you may need to repeat this iterative process.

To ensure the necessary quality and efficient use of resources, it can be advantageous to involve specialists in the relevant legal areas. These experts can more quickly identify the key risks, provide a detailed understanding of how legislation should be translated into practical application and highlight potential pitfalls.

Managing complex risks in three key areas 

Accounting

 

To design effective controls targeting external reporting, it is crucial to tailor them to the regulatory framework applicable to the specific activities and transaction types. 

 

The Danish Financial Statements Act regulates the accounting requirements for Danish non-financial companies, with differentiated requirements depending on the company’s reporting class (A-D) based on the so-called building block model. While applying the International Financial Reporting Standards (IFRS) as approved by the EU is voluntary for non-listed companies, listed companies are required to prepare their annual report in accordance with them. In such cases, this is supplemented by certain specific additional disclosure requirements from the Danish Financial Statements Act.

 

Complex transaction types in accounting may include, for example, customer contracts where multiple goods and/or services are combined, segmentation by customers, products or geography, inventories with indirect production costs, derivatives, convertible loans, lease agreements, pension obligations, share-based compensation and the treatment of business acquisitions.  

 

Furthermore, it is worth noting that the preparation of consolidated financial statements adds further complexity due to, for example, the treatment of intra-group transactions and regulatory effects resulting from acquired companies, including the treatment of goodwill. 

 

Risks can arise for various reasons: for example, because the contractual basis of the company is complex to translate into accounting requirements, because accounting rules are complicated and may lead to errors if not applied correctly, or because a large volume of transactions requires precise structuring of the chart of accounts and accurate bookkeeping. Risks may also arise because the treatment involves accounting judgments or estimation uncertainty.

Tax 

 

Most companies are subject to the Corporate Tax Act, but there are exceptions. Some are tax-transparent, such as partnerships, where taxation occurs at the owner level. Others are subject to special industry-specific tax rules, such as tonnage tax for shipping companies or special taxation rules for financial institutions. 

 

The tax treatment of complex transactions often depends on legal judgments and court rulings. For example, pricing transactions with related parties – known as transfer pricing – requires a deep business and tax law understanding, despite the OECD guidelines. 

 

Bookkeeping forms the foundation for determining taxable income. This is where the necessary tax adjustments, such as deduction limitations and tax depreciation, are made. Your chart of accounts must therefore support these adjustments, and controls must ensure accurate posting. Some tax adjustments are mechanical in nature, for example, reducing the deduction value to 75%, while others involve complex legal judgments. Additionally, the aforementioned transactions with related parties are priced, but this is reflected in the bookkeeping basis. As new business models become more widespread, tax authorities increasingly need to regulate, for instance, through documentation and reporting requirements. This leads to continuous changes in legislation and case law, which impacts the risk landscape.  

VAT and duties

 

The structure of your chart of accounts must also ensure that your company handles VAT and duties correctly. Your chart of accounts should therefore support the accurate completion of the respective VAT and duty fields in the reporting to tax authorities. 

 

For example, if your company imports goods subject to duties, where the duty base is derived from non-financial data, this introduces an additional risk factor to address. These risks may arise if incorrect product codes are used or if data is outdated. In such cases, the duty base should, for instance, be validated through product master data protected by controls. 

 

Other risks may arise if your company’s activities are only partially covered by VAT legislation. This requires a distinction between VAT-liable and VAT-exempt activities. It may involve judgments in allocation keys and the risk of incorrect posting of expenses. A potential solution could include using profit and cost center structures for VAT-liable and VAT-exempt activities, respectively. However, these also involve risks ‒ especially if the data foundation is unreliable. 

Identify and assess your risks 

Once you have a clear overview of the company’s activities and compliance landscape, the next step is to identify significant risks for all your various transactions. After that, you need to assess them based on quantitative and qualitative materiality as well as likelihood.  

It would be logical to link your risks to, for example, the respective financial statement line items, the tax return and the VAT/duty filings in the respective reporting fields. However, the vast majority of risks actually arise at the transaction level. Therefore, you need to address these risks with controls integrated into the underlying financial processes, such as Order-to-Cash, Procure-to-Pay and Record-to-Report. Dependencies on, for example, non-financial master data and customer/supplier master data must also be identified.  

A good approach is to map your risks to process chains that record data all the way from its origin in, for example, production systems to bookkeeping and later reporting. This involves identifying all process flows. For instance, revenue might be broken down by sales channels, products and geography, while inventories could be divided into raw materials and finished goods, and payroll processes could be split between hourly workers and salaried employees. This helps to clarify and narrow down the risks, ensuring that controls are also targeted with efficiency in mind.  

Once the risk landscape has been mapped ‒ preferably using well-documented process flows ‒ you can identify and quantify the unique risks based on their characteristics, enabling you to design an effective control framework.  

How to design effective controls 

Once you have identified and assessed the risks, you can design appropriate internal controls. It is essential to consider whether the controls should be preventive or detective ‒ broadly speaking, whether they aim to prevent or detect errors. Likewise, you need to decide whether the controls should be automated or manual. The choice depends on the nature of the risks, the volume of transactions and the balance between resource consumption and risk tolerance. 

Segregation of duties is a key control measure designed to ensure that the same person does not both prepare and review tasks. It is crucial that segregation of duties is system-supported, with user roles and access rights carefully managed to avoid overlaps and unintended permissions. 

The control design must reflect legal requirements and specifically address the identified risks. For example, if risks relate to the occurrence of revenue, the control design should support a reconciliation of bookkeeping transactions with underlying documentation, such as agreements and shipping documents. 

Your chart of accounts should also be structured to minimize manual adjustments. This will ensure a direct transaction trail from the reports submitted to authorities back to the bookkeeping.   

Additionally, risks can be mitigated by using accounting manuals, work instructions and internal training, which increase the likelihood of accurate entries.  

Monitoring and reassessing the control environment 

An important component of your control environment is ongoing monitoring. This ensures that control activities are performed correctly and provides the opportunity to take corrective actions when necessary. 

 

Through monitoring, you can also continuously assess whether the controls effectively address your current risks. It may be necessary to redesign controls if you identify new or increased risks, and new controls may be required in response to changes in business activities or legal frameworks. We often see that new risks are not adequately addressed and that companies perform redundant control activities because they have not regularly reassessed the risk landscape used to adapt their control activities.    

Establishing a control environment that effectively addresses all risks of non-compliance with financial regulations is a comprehensive task. In practice, it is likely impossible to achieve this without encountering some weaknesses in the control environment. However, by following the approach outlined in this article, you can ensure a robust and compliance-friendly environment that reduces the most critical risks and strengthens legal compliance.  
