Building value through control efficiency - Competitive advantage through internal controls - Ernst & Young - Global

Compare the differences: rationalization, optimization and redesign

Rationalization:

  • Create formal criteria for assessing whether controls should be considered critical
  • Challenge existing key controls for design effectiveness
  • Benchmark key controls with peer companies or standard control templates to identify potential efficiencies
  • Identify and leverage “power controls,” which are key controls that may mitigate multiple risks

Optimization:

  • Review process documentation with process owners and IT staff to understand control structure within applications supporting specific processes and other potential controls that may be available
  • Standardize business and IT processes
  • Challenge existing manual key controls to determine if alternative application or automated controls exist
  • Challenge the number of controls identified that address the same risk

Redesign:

  • Review of industry-leading practices and available options including new, proven approaches such as continuous monitoring
  • Process design sessions with process owners and other stakeholders
  • Cost/benefit analysis and assessment of residual risks
  • Implementation and change management


Control environment improvements add ongoing benefit.

Summary: Improve your internal control systems and those improvements can drive competitive advantage. Like other functions, internal control must build its value proposition by increasing efficiency and/or by generating large cost savings.

Historically, the controls environment has had a bad reputation. Some find the time and costs associated with control improvement programs prohibitive and not justifiable.

Such perceptions take away from the benefits of control improvement efforts that are focused on three key elements:

  1. Focusing on risks that really matter to the business, particularly those that align with key business and overall corporate strategies
  2. Improvements that provide both risk coverage and improved business processes
  3. Getting tangible benefits from the investment in control and optimal use of automation

Small investment can yield big results

It is not necessary for control environment improvements to require major investments in time and resources to generate positive impact.

There is a high correlation between complexity and difficulty in control environment improvements and their resulting rewards (cost savings, improved efficiencies, etc.).

Even at the lower end of the cost/investment scale, companies can still generate significant improvements in operational and compliance process efficiencies, as well as a variety of cost savings.

Substantial rewards with an investment in improving the control environment

The potential benefits arising from a control rationalization, optimization and improvement program include:

  • Fewer controls; lower costs
  • Better aligned risk coverage, including the identification of stronger, more pervasive controls
  • The identification and standardization of efficient and effective controls
  • More effective and efficient risk-based assessment process
  • Better use of technology through the use of applications controls rather than manual controls
  • A reduction in the internal compliance effort
  • A more sustainable compliance process
  • Improved alignment between the IT, business and internal audit functions
  • Coordinated IT risk management activities

Different roads, same destination

There are three main routes companies can take to reach increased control efficiency:

  1. Rationalization: the removal of unnecessary, insignificant or redundant controls or processes
    This option requires the least amount of resources and overall effort.
  2. Optimization: the potential replacement of certain controls in exchange for others that are more efficient
    Replacing a manual control with automation is an ideal optimization. Another is standardizing controls across business units and geographies.
  3. Redesign: modifying, redesigning or re-engineering a process and its underlying control structure to drive operational efficiency
    This is the option that requires the most resources and effort. It usually requires redefining organizational design such as tasks, roles and responsibilities. However, it also provides the greatest potential for impact and return.

Removing unnecessary controls

Correctly identifying controls that are central to enterprise business processes is critical in creating increased benefit. For the right testing impact, companies need to target the right controls.

Many companies rationalize all of their controls using a “bottom-up” approach and may find significant opportunity to reduce their total population. Companies that are diligent in their focus on internal control and have used a “top-down” approach may find fewer opportunities to reduce their control population.

The following steps should be considered during the rationalization process:

  1. Identify and reduce risks that are not relevant to internal control over financial reporting
  2. Review financial assertions for each significant account to determine relevance
  3. Review key application end-user information security controls, particularly as they relate to user authentication, access and auditing
  4. Review significant accounts and related components to determine if insignificant components are included in scope
  5. Review population to identify redundant or insignificant controls
  6. Identify opportunities to centralize activities that are currently done at multiple locations
  7. Review adjusted control population with external auditors

Figure: Rationalization approach

Swapping controls

Controls optimization is the process of standardizing and centralizing controls and selecting controls that are more efficient to test than others that potentially reduce the same risk. To do this, it is important to have an understanding of the different classes of controls:

  • Manual controls depend on a person to perform without reliance on IT tools or the company's overall IT environment.
  • IT-dependent manual controls have both manual and automated aspects.
  • Application controls are processed by the entity's IT applications without input from a person and are focused on procedures used in the critical path of transactions or other financial data. Application controls help ensure that transactions are authorized and accurately recorded and processed. When operating properly, IT application controls typically provide more effective risk reduction and are more efficient to test (sample size and leverage).

Application controls can typically be classified as:

  • Edit checks, which limit the risk of inappropriate input, processing or output of data due to field format.
  • Validations, which limit the risk of inappropriate input, processing or output of data due to the confirmation of a test. Examples include tolerances, duplicate checks and matching.
  • Calculations, which ensure that a computation is occurring accurately.
  • Interfaces, which limit the risk of inappropriate input, processing or output of data being exchanged from one application to another.
  • Authorizations, which limit the risk of inappropriate input, processing or output of key financial data due to unauthorized access to key financial functions or data and include segregation of incompatible duties, authorization checks, limits and hierarchies.

The use of application controls rather than manual controls allows for more sensitivity and reliability in the processing of transactions and activities. Also, greater leveraging of application controls better aligns an organization with the significant investments that it is making in IT systems to support and transform its businesses.

Figure: Optimization approach

Redesigning controls

Examples of what some companies have done in the name of controls redesign include:

  • Implementation or expansion of shared services organization
  • Migration to standard general ledger or ERP platforms
  • Standardized policies and procedures across all business units or subsidiaries
  • Integration of acquisitions or business units that are similar in form or function
  • Process simplification around financial reporting and disclosure processes
  • Implementation of continuous process monitoring
  • Implementation of global standard access control and user identity management processes and supporting technology


Back to basics: your internal controls checklist

  • Have you prioritized risks identified from internal audit, internal control and risk assessment findings?
  • Have you identified process and control performance gaps or deficiencies?
  • Do you have documented current-state processes including key tasks, performance metrics, handoffs and controls?
  • Do you have a full and detailed understanding of the cost associated with your current processes?
  • Have you engaged your security personnel to understand the potential benefit of improvements and the hazards of standing still?
  • Have you benchmarked your current processes against leading practices to assess performance and identify improvement opportunities?
  • Have you determined whether supporting technology meets business requirements?
  • Have you involved those integral to the controls process in helping to identify and design improvements?
  • What role can your internal audit function have in business improvement?
  • Are process improvement efforts built into your audit plan?
  • Does your internal audit department have strong skills in data analytics, problem solving, benchmarking, etc.?
  • Does internal audit have appropriate business process skills?
  • Do you have a program to monitor process and control changes for the sustainability of recent improvements?
  • Is your organization prepared to make the necessary investment in building these competencies and changing the culture?
