Call me lazy if you wish, but something that always infuriates me is to be asked to perform a tedious manual task like reviewing a data point in a system even though I know pretty well this can be automated.
In many cases, the documented procedure says that it’s OK since it will only take you 10-15 minutes, which isn’t a lot in any given month I will give you that.
But that’s assuming you recall how to connect to the system, what report to run, what column to look at… And that you don’t receive an urgent request in between that would derail you. Usually, these 15 minutes tasks take me a good double if not more.
But this increased scrutiny goes in hand with an inflation of regulatory requirements. And in many cases, this simply translates into new controls being created as, often times, there is no check made as to whether an existing control could be leveraged for a new compliance fulfilment.
As a result, not only do the 15 minutes transform into double at least, but that’s just for one control. Add to that the fact that you now receive more controls to perform, and the original assumption that it’s manageable because it’s a quick and easy task to perform becomes a much heavier burden. And a burden that many control owners feel is not really part of their core job.
This is where things can get messy and that issues can occur and get undetected: when people feel these controls are useless, become too repetitive, and that they no longer pay attention to them…
It’s time for Internal Control 2.0
Let’s take mitigating controls in the access governance area. Access control – who has access to what – is really a critical part of any company’s internal control framework.
In some cases, you can’t remove an access risk due to the nature of the process, the organizational structure, etc. So you put in place a mitigating control to make sure that the access risk is acknowledged and managed.
Now, let’s go back to the original situation where people simply stopped performing controls with the level of care they require. By mistake – or maybe deliberately, someone’s flawed action could pass under the radar… That would be problematic. And mitigating controls are just one example.
But there’s good news: many controls can be automatically performed. And contrarily to a human, a machine never gets bored. It will always execute the control to the highest of standards – strictly according to the documented procedure. So why not leverage this option?
This will help in creating an “exception based internal control” where the test procedures constantly run in the background, so there is no gap in time to uncover anomalies, and control owners are only notified in case an issue has been detected. Usually, when an issue is raised – and since it’s not routine, control owners will pay attention to it.
This removes the burden from the shoulders of the control owners without sacrificing the control performance. They still get done, just not by a human.
Not letting anything fall in the cracks
Now, let’s assume that the control was performed, either manually or automatically but that an issue hasn’t been detected. This can be because the procedure was no longer applicable or for whatever other reason.
The other good news is that, in the digital world, Internal Audit has access to tools that enable them to run forensic detection patterns on the entire data set and therefore truly act as the third line of defense to catch hidden issues.
What’s more, they will be able to compare their findings to the results of the controls. Not to reprimand the control owner, but rather to try and understand what went wrong. Maybe the definition of the control was at fault, maybe the testing procedure itself was inadequate.
This will lead to a continuous improvement cycle and therefore better protects the business.
Now, if we combine both methods: automated controls and a forensic approach from the audit team, the company will be equipped with digital radars to catch any UFO – A.K.A. Unexpected Failures in Operations. Note: this is a term I just made up, but one can’t deny that it sometimes feels in our jobs like the “truth is out there”!
Doesn’t this sound much better than the original picture depicted at the beginning of this blog?
Would you like to hear more about it?
Should this be of interest, I would recommend attending the virtual event taking place on May 27th – Transform Business Internal Control in a Digital World, that Deloitte and SAP are co-hosting.
During this webinar, Tank Tang Ke – Partner, Deloitte Risk Advisory will be sharing his industry expert views on the current situation and how talent, processes and tools can support the enablement of such strategies and work in tandem to achieve effective Governance, Risk, and Compliance.
We are then fortunate to have Hong Zhou Wong, Senior Vice President – Group Controllership at Sinarmas Agribusiness & Food and Michael Liu Shaoshun – Vice President Internal Control, Internal Audit & Compliance at Xiaomi Group who will be explaining their challenges in this area and the steps they took to remediate them.
Last but not least, my colleague Amit Verma – Regional Director, Finance and Risk Solutions, Asia Pacific & Japan (APJ) and yours truly will have the pleasure of providing a rapid overview of SAP’s solution offerings to help companies drive their Governance, Risk and Compliance agenda for a safer and more compliant organization.
The event will of course be recorded in case you can’t attend in person.
I look forward to seeing you – virtually that is – at this event, and reading your thoughts and comments either on this blog or on Twitter @TFrenehard