From stone age to digital age in internal controls
Smaller companies and larger organizations alike are discovering innovative ways to cut the cost of controls, increase control quality and make internal controls more attractive.
“Our control framework consists of more than 8’000 controls and we have 300+ internal control officers in place; 80% of our controls are manual, the quality is low and we have many overlaps between control frameworks: It feels like we are still in the Stone Age with our internal control system.”
As a Technology Risk Partner, I often receive messages like this from clients. If you work in Finance, Risk or IT, you’ll probably sympathize.
Total (hidden) costs of control
Individual controls can be very expensive. One client recently revealed that a single IT General Control (ITGC) related to financial reporting costs about 50’000 CHF per annum. It doesn’t take a data scientist to calculate that the costs of ITGCs alone can run into tens, even hundreds, of millions at a larger company with 100+ systems, each with 25 ITGCs. Then there’s the cost of designing, maintaining, executing, testing and auditing. And that’s just ITGCs – imagine the total cost of control if you also consider process-level controls, entity-level controls over financial reporting and requirements for additional controls in compliance, cyber security, GDPR and quality control.
Transparency key to improvement
We recognize two major focus areas for improving the control environment.
- Control rationalization
- Control automation
With transparency in the cost of control, companies can – almost without exception – build a business case for control rationalization and automation projects. To do so, they need to collect and document costs in every control category:
Rationalization
KPMG’s survey Governance, Risk and Compliance 2019 shows that most internal control frameworks consist primarily (>80%) of manual controls, while automated controls make up the minority. A rationalization process often reduces the total volume of controls in a first step, by eliminating 10% to 20% of obsolete, duplicate or ineffective controls. A further 20% to 25% of the manual or IT-dependent manual controls can be automated by new technologies.
Automation – or control-as-a-service
With budgets already stretched, many companies wonder how they can afford to automate.
Let’s take the example of a control framework with 800 controls, of which 80% are manual. If the number of manual controls is reduced to 60% of the total population and we calculate on the basis of CHF 25’000 per control per annum, we end up with CHF 3 million per year available to replace the 160 manual controls with automated controls.
Today there are solutions available that enable control automation, either within your IT landscape or in the cloud. These solutions replace the patchwork of systems often currently in place. They combine data extraction, analysis and workflow functionality of different areas in one integrated (cloud) platform.