

Reducing the Cost, Burden of Internal Controls through Automation

In the seven years since Sarbanes-Oxley first struck fear into the hearts of CFOs at public companies nationwide, testing and monitoring of internal controls has transitioned from a chaotic process to a much more standardized one, creating the opportunity for internal controls automation.  Indeed, for the right organizations, automating management of internal controls can yield a number of rewards, including cost savings and enhanced resource utilization.

 

“When SOX first started, [internal controls] were not automated.  It was like the Wild West; we didn’t even know what formats were needed.  It was very chaotic,” said Doug Morin, an internal audit manager who has worked both as a corporate internal auditor and consultant specializing in SOX compliance since 2003.  “As things matured, it was a lot easier to standardize [then] automate.”

 

The earliest forms of automation – many of which remain popular today – included flow charts, control matrixes and narratives created in Microsoft Excel, Access and even Word.  Most were little more than databases that tied controls to objectives and generated pass/fail reports.  Because there was little standardization, it was difficult to achieve higher levels of automation.

 

That all changed with the 2007 passage of Accounting Standard 5 (AS5), which directed auditors to use a risk-based approach and focus only on areas that could harbor material misstatements.  This allowed many organizations to reduce the number of controls tested and scale back the number of locations where testing is done.

 

In fact, less than one year after passage of AS5, a survey by the consulting firm Protiviti found that 75 percent of internal audit departments had realized declines in the number of key controls documented and tested, while 68 percent realized declines in total controls documented and tested. 

 

“Controls were very detailed and more extensive in the early days…Things weren’t standardized.  You could have 10 controls that were the same at different locations, but they worked or were managed differently,” said Morin.  “When we moved to AS5, there weren’t as many controls…People were also a lot smarter at that point and not as scared when they heard ‘SOX’…It’s still a bit of the Wild West, but definitely more controlled today.”

 

The Emergence of Automation


Heightened standardization and a reduction in compliance costs have led more companies to explore automating the internal controls monitoring processes.  Yet despite the promise they hold for streamlining internal controls management and monitoring, as well as for further cost reductions while mitigating the risk of non-compliance, adoption of sophisticated automated solutions remains limited.

 

“The true automation of controls is probably at 15-20 percent.  It’s probably even less so at non-profit and government entities,” said Ronald Suffers, senior principal consultant with Lumigent Technologies, Inc., which offers solutions that automate compliance monitoring and reporting in such heavily regulated industries as financial services, healthcare, manufacturing and government.  “When we talk about automated management of internal controls, most organizations are still relying on traditional controls.  Most of those, probably more than 75 percent, are manual.  People are doing auditing, referencing and checking on spreadsheets.”

 

However, Suffers notes that automated controls are a rapidly emerging business as risk management and compliance requirements become even more stringent.  Further, because they mitigate the risk of non-compliance and reduce the time and costs associated with compliance, automated solutions such as Lumigent’s AppGRC are expected to enjoy a surge in popularity in the coming years.

 

Lumigent’s AppGRC runs alongside a business application, identifying which rules, controls and data require monitoring.  That information is then used to create a baseline for measuring application changes over time, allowing organizations to evaluate activities and ensure alignment between the SOX compliance software and corporate policies.  Finally, business processes and controls are implemented and the system continuously monitors the application’s source data and key controls, reporting on any application changes and providing automated alerts when improper actions are detected or policies are violated.

 

“Automation is growing in popularity by necessity because [companies] don’t have adequate dollars or people resources,” said Suffers.  “There is still the obstacle of companies seeing just the initial cost...However, companies should evaluate the cost in the context of not monitoring controls.  Failure to monitor under SOX can result in reporting to SEC, which can hurt reputations and crash stock prices.  [Non-compliance] can also carry significant fines and penalties and, if data is breached, the cost can be in the millions.”

 

Suffers reports that most of Lumigent’s clients have a pay-back period of less than one year – typically one audit cycle – and, in some cases, realize an ROI as high as 300 percent.  Much of that is due to the elimination of the need to bring in outside consultants or auditing firms, as well as the ability to repurpose internal resources toward more valuable core duties. Other advantages of automation include:

  • Automated controls are deemed superior and more robust than manual ones because they are reliable and repeatable
  • Continuous monitoring allows companies to identify if any key controls are altered at any point in the process and by whom
  • Automated monitoring looks at 100 percent of control changes rather than just a sample
  • External auditors can limit their testing to whether control owners are reviewing any alerts or reports of changes and taking appropriate action when necessary
  • When employees are aware that monitoring software is in place, instances of fraud are significantly reduced

Not for Everyone


Morin, the internal audit manager, notes that despite the benefits and advantages of sophisticated automation systems, they aren’t for every company.

 

“If you’re small, why bother?  Put your narratives up someplace online.  If you have 100 controls or less, why do you even care?  That’s manageable,” he said.  “…You don’t need all the bells and whistles [since] we shifted over to AS5 and external auditors aren’t checking work… But if you’re a multinational, then I would say yes [to] automation.”

 

Suffers concurs that for very small, private companies, automation may not make financial sense.  However, there are companies that should consider automatic monitoring of internal controls that go beyond financial, particularly those that fall under HIPAA and other operational regulations.

 

“Controls can be changed by human error or fraud, which can affect manufacturing, safety, quality, etc.,” he said.  “These vulnerabilities can be reduced with products that continuously monitor controls.”

 

What is most important is for companies to do their homework before deciding which vendor offering will meet their unique needs.  Suffers recommends seeing a demonstration of system capabilities with live or test data to determine if the features and alerts are appropriate.  Also, talk with prospective vendors about the ease with which the system can be installed, what internal resources will be required, whether or not live support is available and how well the solution can handle future needs.

 

Finally, he said, make sure that the internal audit department is actively involved in the evaluation.

 

“They are the ones who need to be convinced,” he said.  “And what they really want to be convinced of is the confidence and peace of mind that the controls for which they are accountable are really well-controlled and that the application is really capable of doing all the things” the vendor claims.
 
