Digital watchdog in the corporate milieu
The Hindu Business Line
By Samiron Ghoshal, Partner and Leader, IT Advisory Services, Ernst & Young
Businesses globally are severely impacted by the cost of corporate frauds and regulatory non-compliance. Even isolated incidents have resulted in severe loss of stakeholder confidence.
The results of our recently completed fraud and compliance survey suggest that while there has been an increased focus on fraud prevention and regulatory compliance in the last five years, some companies still don’t see the benefits. To a large extent this seems to be the outcome of:
A dispersed set of controls across processes, which makes them difficult to enforce and makes fraud harder to check;
Low awareness among employees of regulatory compliance requirements.
Employees across the organisations surveyed believe that stronger regulatory action is required to check fraud and improve compliance. Perhaps unsurprisingly, the economic downturn appears to have had a significant impact on people’s expectations of regulators.
Role of IT
Over the last 15-20 years, organisations in India have been enabling core business processes through IT and then moving on to management dashboards and decision support systems.
The use of IT to transform audit and controls was minimal and, in most cases, was limited to the IT department providing relevant reports to auditors. In the past decade many IT-based Governance, Risk and Compliance (GRC) solutions have been deployed to address this hitherto largely untouched but important area of an organisation’s functioning. The entire model of fraud governance and internal audit will change from a ‘detect and react’ mode to a ‘prevent and pro-act’ mode.
When implemented right, GRC solutions provide the following benefits:
Improved visibility across risk initiatives, thresholds, and appetites;
Fewer risk and compliance violations with automated monitoring of key indicators;
Reduced unauthorised access risk with centralised monitoring and management;
Minimised impact and duration of risk and fraud events;
Decreased cost and effort of compliance.
However, organisations must treat the implementation of such solutions as being on a par with, if not more important than, core IT transformation or business transformation.
The implementation may not achieve the stated objective if it is not dovetailed into the overall ‘risk and controls’ agenda of the organisation. It also requires the following:
Involve the right stakeholders — Apart from the IT team, the involvement of key business and audit representatives, risk officers, and external and internal auditors is crucial to success. If treated as merely an IT product implementation, other departments are not likely to own the solution;
Select the right product — There are many GRC products in the market with varied capabilities. The key lies in selecting one that can integrate seamlessly with existing systems, and has the roadmap and strength to scale up as the organisation grows;
Change management — A ‘control conscious’ culture is essential to maximise the benefits of any GRC initiative. This calls for an extensive change management programme to run alongside the GRC initiative.
IT enablement cannot prevent all frauds, but it can surely make it difficult to commit one by enabling early warning systems and robust prevention and detection mechanisms. The idea of IT enablement in the area of compliance and frauds is essentially to enforce a culture of control awareness and reduce cost as a by-product.