Building value through control efficiency - Ernst & Young - Global

Insights on IT risk, April 2011

Building value through control efficiency

Case study: pharma company achieves automation and globalization

Situation

A global pharmaceutical company decided to align and redefine its risks and controls in connection with a global SAP implementation. The company asked Ernst & Young to help it optimize controls to achieve enhanced automation and globalization.

Actions

To build the business case, we used a single business process — Requisition to Payment (RTP) — for a pilot review. This process covered the capital expenditures, goods receipt/invoice receipt, inventory and receiving sub-processes.

We compared the RTP risk and control framework against leading practices, combining knowledge of the company's environment with third-party resources that had extensive knowledge of and experience with SAP control functionality.

Through this process, the company identified several opportunities, including:

  • Potential reduction in the number of risk points associated with the business process
  • Potential replacement of manual controls by application controls
  • Reduction of the overall testing effort by management and internal and external auditors, freeing up resources for other activities and potentially reducing the external cost of compliance

Results

The pilot demonstrated how the company could be more efficient while improving risk coverage.

Benefits the company realized included:

  • A reduction in controls from 25 to 19
  • A 24% reduction in the number of tests
  • Better use of segregation of duties (SoD), user access and user change management controls around SAP

The company is now expanding its optimization project to include other processes supported by SAP.



Address today's internal control issues to better position your company for tomorrow.

Summary: The economic landscape is settling, slowly, and economic uncertainties are less severe. Now is the time to take a fresh look at your internal controls and ensure their effectiveness.

The last five years, a one-two punch

The past five years delivered a one-two punch that has left internal controls departments reeling. After Sarbanes-Oxley and the recession, many are finally regaining their footing.

Increased reporting requirements have forced internal controls functions to do more, and the global recession mandates doing more with less.

The upside?

The global economic landscape is settling, slowly, and economic uncertainties are less acute.

The time is ripe to refocus on internal controls

If you're responsible for internal controls, you should take advantage of this recovery period to make your control frameworks as efficient and effective as possible.

By refocusing your efforts on controls optimization, rationalization and control redesign, you can more efficiently leverage technology to meet the expectations of your demanding stakeholders.

Benefits of an optimized control environment

  • Lower costs due to a reduction in the number of controls, enhanced standardization, reduction of effort related to (internal) compliance and enhanced coordination and alignment between functions
  • More appropriate risk coverage with a keen focus on the risks that really matter
  • Improvement of the risk assessment process through a risk-based approach
  • Better return on IT investments due to use of application controls rather than manual controls

The struggle: balancing cost with risk

If you knew that the cost savings of a more effective control environment would eclipse the cost of the risks, you would not question the investment. Yet companies are still struggling to create optimal control environments that balance cost with risk.

Here are three major explanations of why companies have remained stuck in inefficient control environments:

  1. Duplication of risk and control activity
    Reporting and compliance are a core part of doing business. As such, significant effort and cost are expended to build controls that address potential risk.

    But often, the correlation, intersection and duplication of controls across different groups are not clearly visible or easily understood because of multiple, overlapping and sometimes conflicting lines of reporting and responsibility.

    [Figure: Duplication of risk and control activity]

  2. Too much of some, not enough of others
    Most organizations have too many controls to address some areas, and not enough controls to address others. Control activities tend to be added over time, but not taken away or reduced when the need has been extinguished.

    Also, to comply with regulators' requirements, a lot of effort goes into controls around the daily transaction processing without properly addressing the higher-risk areas.
  3. Failure to sufficiently leverage technology
    A company may invest significantly in enterprise resource planning (ERP) systems. But there still may be a systematic lack of controls automation. This leaves a significant portion of the ERP investment unrealized — a missed opportunity to increase efficiencies.

A better way to efficiency

Recently, companies have pushed for control efficiency by improving their approach and their corresponding frameworks. The objective has been to:

  • Remove redundant controls
  • Identify and deploy controls that address multiple risks
  • Replace multiple manual controls with more efficient application controls

Five-step framework

By leveraging a robust five-step framework, you can be confident of the value you'll achieve from control environment improvement activities. The steps will identify, diagnose, design, deploy and sustain a company's control environment improvements.

[Figure: Framework for control environment improvement]

Assess current state

To find efficiencies:

  • Have a clear view of the current number of processes, risks and controls.
  • Understand the composition of controls (manual vs. automated) and the nature of the IT applications supporting those controls.
  • Gather information related to the level of effort around performing, documenting and testing current controls. This will help identify high-impact areas (effort, cost and potential benefits) for prospective pilots.

Establish the scope

Scoping before the project begins reduces unnecessary and wasted effort. For example, it's wasted effort to optimize locations and processes not relevant to the organization's overall risk management requirements.

Take a top-down, risk-based approach

A risk-based approach involves identifying and assessing material financial reporting risks and allocating resources and efforts based on the severity and likelihood of those risks.

[Figure: Typical results before and after a top-down, risk-based approach]

Management will need to:

  • Determine what is material to the consolidated financial statements
  • Conduct a thorough risk assessment that considers the likely sources of potential misstatement with significant enterprise-wide processes
  • Associate the nature, timing and extent of testing of the corresponding control that can most efficiently monitor it

The benefit of a top-down, risk-based approach is illustrated in the accompanying graphic. Allocating control attention and effort where risks are highest is a more efficient and effective use of available control environment resources.

Back to basics: your internal controls checklist

  • Have you prioritized risks identified from internal audit, internal control and risk assessment findings?
  • Have you identified process and control performance gaps or deficiencies?
  • Do you have documented current-state processes including key tasks, performance metrics, handoffs and controls?
  • Do you have a full and detailed understanding of the cost associated with your current processes?
  • Have you engaged your security personnel to understand the potential benefit of improvements and the hazards of standing still?
  • Have you benchmarked your current processes against leading practices to assess performance and identify improvement opportunities?
  • Have you determined whether supporting technology meets business requirements?
  • Have you involved those integral to the controls process in helping to identify and design improvements?
  • What role can your internal audit function have in business improvement?
  • Are process improvement efforts built into your audit plan?
  • Does your internal audit department have strong skills in data analytics, problem solving, benchmarking, etc.?
  • Does internal audit have appropriate business process skills?
  • Do you have a program to monitor process and control changes for the sustainability of recent improvements?
  • Is your organization prepared to make the necessary investment in building these competencies and changing the culture?
