Take control - strengthen your financial controls, master governance
This article is part six of a seven-part series providing a practical playbook for today’s CFOs.
Taking control has long been a function of planning, design, ownership and culture. More than 30 years ago, Mark DeLong, then chief internal auditor at a national bank, said, “There is no substitute for a controls-conscious management, and we have one.” This sentiment was echoed recently at a presentation to the Chicago Federal Reserve’s Annual Risk Conference when the president of a well-known bank stated, “We expect and direct our teams to take risks every day—we make it our business to accept carefully defined and measured risk in order to profit from our deposit and credit businesses.”
Both of these leaders not only demonstrated an understanding of the importance of a balanced approach to risk and controls; their words also underscore the foundational nature of a well-defined risk appetite. Across today’s business landscape, audit and risk management professionals emphasize the criticality of controls awareness and sensitivity, while governance has progressed from a predominantly change-control focus to a more engaging approach for owners, stewards, producers and consumers. To strengthen controls within an organization, the following seven methods should be executed:
1. Set sights on the end-to-end landscape. Scoping governance is a daunting task best accomplished using management-defined risks to narrow the focus and establish priorities. While small, midsized and large businesses all face comparable risks across their operational, management and executive functions, the differences are often defined by industry rather than size. Developing management controls and governance support requires a sustained set of activities that produce timely insights into intended business risks and those that occur beyond this threshold.
2. Architect the environment. Once the risk appetite is defined, appropriate measures can be applied (e.g., key risk indicators), and matrices for risk and controls can be developed. This integrated approach allows for operational risks and controls to be parsed and addressed across manual processes, external services and automated systems, which is essential for change control over critical master and reference data as well as complex ERP and performance management systems.
3. Leverage technology to enable processes. As companies continue to move toward making their business processes more digital to remain competitive, internal controls should be constantly evaluated to ensure they are keeping up. In addition to staying apprised of emerging risks such as new cybersecurity threats, cloud computing and automation tools, companies should employ technology to both test controls and enhance their performance.
Organizations that have been leveraging data analytics and governance, risk and compliance (GRC) tools to evaluate full populations of data and monitor key risks are now looking to leverage these tools in all aspects of the audit cycle, including using data analytics to predict risk events before they occur. Leading-edge risk departments are also beginning to leverage automation tools to perform manual, time-intensive tasks such as testing for Sarbanes-Oxley (SOX) compliance.
4. Be proactive, not reactive. The old adage, “an ounce of prevention is worth a pound of cure,” applies perfectly to internal controls and should be instilled within the organization. Ensure that each line of defense plays its part in maintaining proper control. Operational management must believe they are truly the first line of defense and treat the second and third lines as risk consultants. If the first line of defense can do its part, the job of the second line (risk management and compliance functions), and the third line (internal audit) becomes much easier and less expensive.
Consider data governance, for example. If an error is allowed to occur within the customer setup process, it could proliferate into hundreds of issues at the individual transaction level, which in turn could result in thousands of hours of work in corrections. Ultimately, this could potentially cost an organization millions of dollars.
Yet by being proactive, companies can incorporate risk professionals early in strategic projects, such as the implementation of ERP systems. In this manner, they serve as a consulting resource to the project team to help ensure that risks and controls are being properly considered and built into the overall strategy and design requirements, helping to avoid costly remediation and rework after the fact.
5. Challenge manual and time-consuming processes. Organizations should leverage data analytics and automation wherever possible to enhance both the performance and validation of internal controls. In addition, manual controls should be constantly challenged to determine if they can be fully or at least partially automated. Knowing the lineage of a manual control is an important step in the process because, in many cases, manual controls are used for the wrong reasons.
For example, manual controls are often implemented as a temporary Band-Aid to remediate a Sarbanes-Oxley issue, then never revisited. In other situations, they continue to operate because process owners are afraid to challenge or change the control, believing it will upset external auditors or regulators. However, both parties are generally open to reasonable control changes.
6. Leverage internal control experts. It is a healthy exercise for an independent third party to review and challenge a control design, as these subject matter experts know what is required by the applicable laws and regulations and can help an organization right-size its controls. They also bring an unbiased perspective regarding what works and what doesn’t, which can help streamline a control environment. In addition, control advisors have knowledge of changes in laws and regulations that can help a company stay ahead of the game.
7. Focus on what is most important. Not all risks are created equal. Those responsible for designing and operating an organization’s controls should have a good perspective on risk. Without it, controls can be over- or underengineered, leaving an out-of-balance control environment; for instance, where 80% of resources are focused on 20% of the risk.
Companies should leverage technology to manage the risk assessment process and data analytics to predict where changes may be necessary. This focus relies on a well-stated, timely and updated risk appetite that reflects the regulatory and market environments, as well as management’s appraisal of the risk and controls balance versus the risks required for the business to thrive.