Part 17 in the “Controls and Risk Management” series
Call me lazy if you wish, but something that always infuriates me is being asked to perform a tedious manual task, like reviewing a data point in a system, even though I know pretty well it can be automated.
In many cases, the documented procedure says that it’s OK because it will only take 10-15 minutes, which isn’t a lot in any given month. I will give you that.
But that’s assuming you recall how to connect to the system, what report to run, what column to look at… And that you don’t receive an urgent request in between that derails you. Usually, these “15-minute tasks” take me a good twice that, if not more.
You might have guessed: I am talking about internal control here. As I tried to illustrate in a previous blog post (Can Internal Control be the Key to Longevity?), I sincerely believe that internal control is crucial to ensure the good functioning of the business environment. And regulatory – and public – scrutiny makes it ever-more important for an organization to meet compliance standards and provide assurance to stakeholders on the continuity and sustainability of the business.
But this increased scrutiny goes hand in hand with an inflation in regulatory requirements. And in many cases, this simply translates into new controls being created, because no one checks whether an existing control could be leveraged to satisfy the new requirement.
As a result, not only do the 15 minutes turn into 30 at the very least, but that’s just for one control. Add the fact that you now receive more controls to perform, and the original assumption that it’s manageable because it’s a “quick and easy task” becomes a much heavier burden. And a burden that many control owners feel is not really part of their core job.
This is where things can get messy and where issues can occur and go undetected: when people feel these controls are useless or too repetitive, they stop paying attention to them.
It’s time for internal control 2.0
Let’s take mitigating controls in the access governance area. Access control – who has access to what – is really a critical part of any company’s internal control framework.
In some cases, you can’t remove an access risk, due to the nature of the process, the organizational structure, and so on. So you put a mitigating control in place to make sure that the access risk is acknowledged and managed.
Now, let’s go back to the original situation where people simply stopped performing controls with the level of care they require. By mistake (or maybe deliberately), someone’s flawed action could pass under the radar. That would be problematic. And mitigating controls are just one example.
But there’s good news: many controls can be performed automatically. And unlike a human, a machine never gets bored. It will execute the control exactly as documented, every single time, no more and no less, which also means the documented procedure itself has to be right. So why not leverage this option?
This helps create an “exception-based internal control” where the test procedures run continuously in the background. There is no delay between an anomaly occurring and its detection, and control owners are notified only when an issue has actually been found. And since such a notification is no longer routine, control owners will pay attention to it.
This removes the burden from the shoulders of the control owners without sacrificing the control performance. They still get done, just not by a human.
Not letting anything fall through the cracks
Now, let’s assume that the control was performed, either manually or automatically, but an issue was still missed. This can happen because the procedure is no longer applicable, or for many other reasons.
The other good news is that, in the digital world, internal audit has access to tools that let them run forensic-detection patterns over the entire data set, not just a sample, and therefore truly act as the third line of defense to catch hidden issues.
What’s more, they will be able to compare their findings to the results of the controls, not to reprimand the control owner, but to understand what went wrong. Maybe the definition of the control was at fault, maybe the testing procedure itself was inadequate.
This will lead to a continuous improvement cycle and therefore better protect the business.
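To make the two ideas above concrete (the exception-based control that runs in the background and stays silent unless something is wrong, and the audit pass over the full population that is compared back against the control’s own output), here is an added example in Python. It is not code from the original post or from any SAP or Deloitte product. The segregation-of-duties rules, the users, their roles, the mitigating-control register and the evaluation date are all constructed for the illustration, and the “self-review” pattern the audit step looks for is an assumed example of something the documented control procedure never tested.

```python
"""
Exception-based access-control check plus an audit-style reconciliation.
Everything below is constructed sample data, not an extract from a real system.
"""
from dataclasses import dataclass
from datetime import date

# Constructed segregation-of-duties rules: role pairs no single user should hold.
SOD_RULES = {
    "SOD-01": ("VENDOR_MAINTAIN", "PAYMENT_RELEASE"),  # create a vendor and pay it
    "SOD-02": ("PO_CREATE", "GOODS_RECEIPT"),          # order goods and confirm receipt
    "SOD-03": ("USER_ADMIN", "PAYMENT_RELEASE"),       # grant yourself access and pay
}

# Constructed snapshot of user -> roles, as an access extract would provide it.
USER_ROLES = {
    "alice": {"VENDOR_MAINTAIN", "PAYMENT_RELEASE"},
    "bob":   {"PO_CREATE", "GOODS_RECEIPT"},
    "carol": {"PO_CREATE"},
    "dave":  {"USER_ADMIN", "PAYMENT_RELEASE"},
    "erin":  {"VENDOR_MAINTAIN", "PAYMENT_RELEASE"},
}


@dataclass(frozen=True)
class Mitigation:
    """One entry of the mitigating-control register (constructed structure)."""
    rule_id: str
    user: str
    reviewer: str       # who performs the compensating review
    valid_until: date   # mitigations are time-boxed and must be re-approved


# Constructed register: one valid, one expired, one reviewed by the risky user.
MITIGATIONS = [
    Mitigation("SOD-01", "alice", "frank", date(2025, 12, 31)),
    Mitigation("SOD-02", "bob",   "frank", date(2024, 1, 31)),
    Mitigation("SOD-03", "dave",  "dave",  date(2025, 12, 31)),
]

AS_OF = date(2025, 6, 1)  # constructed date of the control run


def find_conflicts(user_roles, rules):
    """Return the set of (user, rule_id) pairs where a user holds both roles of a rule."""
    hits = set()
    for user, roles in user_roles.items():
        for rule_id, (role_a, role_b) in rules.items():
            if role_a in roles and role_b in roles:
                hits.add((user, rule_id))
    return hits


def run_control(user_roles, rules, mitigations, as_of):
    """The documented, automatable procedure: raise only conflicts that are not
    covered by a mitigating control valid on `as_of`. Covered conflicts are silent,
    so the control owner only ever sees the exceptions."""
    register = {(m.user, m.rule_id): m for m in mitigations}
    exceptions = []
    for user, rule_id in sorted(find_conflicts(user_roles, rules)):
        mitigation = register.get((user, rule_id))
        if mitigation is None:
            exceptions.append((user, rule_id, "unmitigated"))
        elif mitigation.valid_until < as_of:
            exceptions.append((user, rule_id, "mitigation_expired"))
    return exceptions


def audit_reconcile(user_roles, rules, mitigations, control_exceptions):
    """Audit pass over the whole population, looking for a pattern the documented
    procedure does not test (here: a mitigation reviewed by the mitigated user), and
    reporting whether the control run had already raised it or left it silent."""
    raised = {(user, rule_id) for user, rule_id, _ in control_exceptions}
    conflicts = find_conflicts(user_roles, rules)
    findings = []
    for m in mitigations:
        if m.reviewer == m.user and (m.user, m.rule_id) in conflicts:
            status = "already_raised" if (m.user, m.rule_id) in raised else "missed_by_control"
            findings.append((m.user, m.rule_id, "self_review", status))
    return findings


if __name__ == "__main__":
    exceptions = run_control(USER_ROLES, SOD_RULES, MITIGATIONS, AS_OF)
    for exc in exceptions:
        print("control exception:", exc)
    for finding in audit_reconcile(USER_ROLES, SOD_RULES, MITIGATIONS, exceptions):
        print("audit finding:", finding)
```

Run as is, the control run reports only bob (mitigation expired) and erin (no mitigation); alice is covered and stays silent. The audit step then flags dave, whose mitigation is valid on paper but reviewed by dave himself, and marks it as missed by the control: the procedure checked existence and validity of a mitigation but never who performs the review, which is exactly the kind of control-definition gap the comparison in the text is meant to surface.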
Now, if we combine both methods – automated controls and a forensic approach from the audit team – the company will be equipped with digital radars to catch any UFO, a.k.a. Unexpected Failures in Operations. Note: this is a term I just made up, but you can’t deny that it sometimes feels in our jobs like the “truth is out there”!
Doesn’t this sound much better than the scenario depicted at the beginning of this blog?
If this is of interest, I recommend attending the virtual event taking place on May 27, Transform Business Internal Control in a Digital World, that Deloitte and SAP are co-hosting.
During this webinar, Tank Tang Ke, partner, Deloitte Risk Advisory, will be sharing his industry-expert views on the current situation and how talent, processes, and tools can support the enablement of such strategies and work in tandem to achieve effective governance, risk, and compliance.
We are also fortunate to have Hong Zhou Wong, senior vice president, Group Controllership at Sinarmas, and Michael Liu Shaoshun, vice president Internal Control, Internal Audit & Compliance at Xiaomi Group, who will be explaining their challenges in this area and the steps they took to remediate them.
Finally, my colleague Amit Verma, regional director, Finance and Risk Solutions, Asia Pacific & Japan (APJ) and yours truly will have the pleasure of providing a rapid overview of SAP’s solution offerings to help companies drive their governance, risk, and compliance agenda for a safer and more compliant organization.
The event will, of course, be recorded in case you can’t attend in person.
I look forward to seeing you – virtually that is – at this event, and reading your thoughts and comments on Twitter @TFrenehard.
This article originally appeared on SAP Community and is republished by permission.