Building value through control efficiency
Improvement through rationalization, optimization and redesign
Summary: Understanding the value of building a control environment that balances cost, compliance and risk is critical. The mindset is proactive, generating competitive advantage through enhanced efficiency, clarity, transparency and confidence.
Through improvement of their control environments, companies are better able to increase efficiency and effectiveness of their controls and potentially reduce overall compliance costs. It is a forward-leaning method of doing more to address today’s concerns to be better positioned to conquer tomorrow’s.
Areas to watch closely
Areas where organizations must be sure to apply the rationalization, optimization and redesign framework include:
- User access provision (including leavers, joiners and movers)
- Emergency access management
- Privileged user access, especially at the infrastructure, database and application levels
- Annual reauthorization of access
- Segregation of duties (SoD) definition and implementation
- Authentication and access self-service
- User access monitoring
- Application usage monitoring
- Incident management and escalation
The best time to review controls efficiency
Ideally, you’d review and improve control efficiency when your company is:
- Undergoing a new ERP implementation or upgrade, or undergoing some business transformation (merger and acquisition, divestitures, restructuring, cost reduction initiative, etc.)
- Moving to a smaller set of standard business or IT management processes
- Addressing concerns the management team has with the success of system integration or the ability of the development team to properly assess risk or implement appropriate controls
- Facing new regulatory factors that may drive new risk or force improvements in the control environment
- Discovering material weaknesses and misstatements related to financial reporting, which may have resulted from an inadequate ERP control environment
- Implementing a major information security improvement program
- Led by a risk function individual who is dynamic, thought-provoking and not afraid to make bold moves
Back to basics: your internal controls checklist
- Have you prioritized risks identified from internal audit, internal control and risk assessment findings?
- Have you identified process and control performance gaps or deficiencies?
- Do you have documented current-state processes including key tasks, performance metrics, handoffs and controls?
- Do you have a full and detailed understanding of the cost associated with your current processes?
- Have you engaged your security personnel to understand the potential benefit of improvements and the hazards of standing still?
- Have you benchmarked your current processes against leading practices to assess performance and identify improvement opportunities?
- Have you determined whether supporting technology meets business requirements?
- Have you involved those integral to the controls process in helping to identify and design improvements?
- What role can your internal audit function have in business improvement?
- Are process improvement efforts built into your audit plan?
- Does your internal audit department have strong skills in data analytics, problem solving, benchmarking, etc.?
- Does internal audit have appropriate business process skills?
- Do you have a program to monitor process and control changes for the sustainability of recent improvements?
- Is your organization prepared to make the necessary investment in building these competencies and changing the culture?