Technologies that were considered emerging until recently are now mature and widely adopted, enabled by cloud-based platforms, and their adoption has been accelerated by the COVID-19 pandemic. The 2020 KPMG Global Emerging Technology Survey reported that 59 percent of companies have accelerated their digitalisation agenda. Speaking at a KPMG event in November 2020, Microsoft CEO Satya Nadella stressed that the pandemic has seen years’ worth of digitalisation accelerated into months.
On the other hand, firms must now comply with regulatory frameworks that are significantly increasing in scope, complexity and pervasiveness: new ESG reporting requirements are already in place, and a UK version of the US SOx regulation is soon to come into force, with a white paper to be published by the government imminently.
What does this mean for controls?
These trends have led to two main issues to address:
Control fatigue – The elevated risks have also increased the demand for controls. With increasing demand to cover new risks, new technology and new regulations, existing resources are spread too thin and will be asked to operate more controls to satisfy emerging requirements. Without a strategy to rationalise the demand, avoid duplication of effort and prioritise the risks to cover, the burden and cost of controls can become quite unbearable.
Need for more control visibility – With a broader scope and a greater number of stakeholders, there is a need to provide different levels of the organisation with visibility of the control status. This should be timely, appropriate and relevant for the receiver. Emails, spreadsheets, manual data extracts, reports and shared folders are things of the past and are no longer enough to deal with this level of complexity.
Automating the control lifecycle
There is a misconception that control automation only relates to the testing of controls. The truth is far from that. Opportunities for automation can be found across the whole risk and controls lifecycle, and benefits can be created for all three lines of defence, each responsible respectively for operating, monitoring and auditing the controls.
High-effort, low-efficiency tasks that are prone to human error are no longer sustainable; we are all too familiar with the pain points of these manual activities:
- Conducting painstaking questionnaire-based surveys or interviews to identify risk;
- Designing controls that are more detective than preventive in nature;
- Executing controls that are captured in spreadsheets and system screenshots; and
- Auditing the effectiveness of controls through manual procedures and techniques.
But fret not: different technologies are available to move away from these challenges and start realising the benefits of automation.
Advanced controls, which are more digital, real-time and intelligent, are already in place. Fraud controls over employee expenses, for example, have come a long way from the manual, sample-based invoice checking that was always very time-consuming. Today employees upload their expenses via a mobile app, and the receipts are read in real time by embedded optical character recognition (OCR) software, which can even be taught to recognise handwriting. It can simultaneously check the validity of the receipt and the vendor, amount, and service against policy, and reject the payment on the spot if any exception is noted.
Similarly, the usual controls around password security – something auditors and employees are very familiar with – may soon be obsolete as biometrics and two-factor authentication become the norm for authentication. Many organisations have already adopted them, and you may have noticed that more and more apps allow for authentication options not based on username and password.
How to start the journey to automation
A careful analysis of the business requirements and use cases is needed to identify the right solution.
There is a range of technologies that can be utilised for automation. These are now widely adopted across organisations, ranging from simple semi-automated controls (e.g., an exception report to be reviewed), to configured controls, data analytics-based controls, and more sophisticated controls enabled by robotics and Artificial Intelligence.
Getting it right – the first time
There is no one-size-fits-all when implementing automation; different organisations benefit from different automation models and technologies, based on the nature of their business, the different challenges they experience, the complexity of their IT landscape and many other factors.
When starting the journey towards control automation, I recommend following a structured methodology to identify the needs and the underlying issues.
Starting from the definition of the problem, as opposed to the solution, is a key success factor in nailing a sustainable automation transformation.