EY - Stone-stack-on-large-ocean-rocks-among-the-waves
EY - Stone-stack-on-large-ocean-rocks-among-the-waves

How do you decrease the cost of controls without increasing risk?

The ACE approach (automate, centralize, eliminate) rationalizes the controls environment without compromising risk coverage.

In brief

  • Automate to better leverage new and existing controls technology.
  • Centralize to remove redundant controls developed in organizational silos.
  • Eliminate to identify controls no longer relevant to the business or regulatory environment.

As compliance becomes increasingly complex and the pandemic is putting pressure on budgets, control costs are increasingly being scrutinized for value. According to an EY survey on Sarbanes-Oxley compliance, about half of responding companies reassess their controls annually. But are they tackling that analysis intelligently? And what about the other half of companies that aren’t taking action?

Re-examining your controls environment

For nearly two decades, regulatory demands have been increasing. Many companies have spent small fortunes on ERP software and other tools to try and keep pace with regulators and meet stakeholder expectations. Too often though, those systems are not utilized to their fullest potential — far from it. The promise of controls automation has given way to the reality of manual processes that accumulate haphazardly, scattered across the organization.

That gap between automated and manual processes or controls is not necessarily due to failings of the tools themselves. Many companies found they did not have the right talent stack to make the most of the software. And when it comes to compliance, inertia enters the equation. There’s a mindset that assumes “more controls equal less risk.”

When it comes to compliance, inertia enters the equation. There’s a mindset that assumes “more controls equal less risk.”

The pandemic has upended that complacency. A new set of business challenges and a treacherous macroeconomic environment are compelling companies to closely re-evaluate where they are spending money and the return on that spending.

Beyond COVID-19, there are other factors and events that can trigger a close examination of controls. When an internal process is outsourced or co-sourced, for example, the overall responsibility for managing the risk still lies with the company even though certain control activities could shift to the third party. Management still needs to scrutinize the third party’s ability to perform these control activities to avoid any risk gap.

Looming organizational changes, including M&A activity, are also ideal times to take stock of controls. Finally, like any system, an aging control framework must be updated if it’s not keeping pace with the changing regulatory environment.

Getting started with ACE

The goals of a controls rationalization initiative should be multifold. Increasing the efficiency of your internal controls environment can:

  • Reduce costs by rationalizing the number of controls
  • Ease administrative burdens on process owners, freeing them to focus on strategic work
  • Better align the controls environment to business risks
  • Create cross-organizational synergies that add business value

To achieve these goals, companies should view the controls rationalization process as a three-part endeavor. With an automate, centralize and eliminate (ACE) approach, they can rationalize the number of controls while still maintaining adequate risk coverage.

The ACE approach is ideal for rationalizing so-called “over-controlled” environments — which, ironically, can also have risk gaps. In an over-controlled environment, seven controls might be mitigating the same risk, when a single control could be sufficient.

ACE your controls

The automate phase of the ACE methodology first involves improving the utility of existing IT tools and systems, where applicable. As mentioned, many companies fail to get the most “bang for their buck” when it comes to existing controls-related technology.

Newer technology, such as RPA and advanced analytics, can also play a major role in improving controls automation. These tools use bots to regularly analyze and test the controls environment. Auditors then examine the results and manage only the exceptions, as needed. With this advanced technology, companies create an environment of continuous, automated testing — instead of a labor-intensive, manual one.

The overarching goal of the centralize phase is to harmonize and align the disparate, decentralized set of controls that many companies have accumulated over time. Controls at fast-growing companies, in particular, can become decentralized quickly.

When centralizing, companies identify common controls developed in multiple organizational silos and then shift them to a central execution point, such as a shared services center. As they eliminate these redundancies, companies are better able to harmonize governance, risk and compliance functions.

The eliminate phase of ACE involves identifying and removing redundant controls and those that are no longer relevant to the business. Given constant waves of new regulation, certain controls can become outdated quickly and are ideal candidates for elimination. Another trigger during this phase can be to evaluate whether existing management review controls can be tested at a precise enough level that will allow management to designate some of the transaction-level controls as “non-key.” 

Before and after ACE

The ACE approach is ideal for rationalizing so-called “over-controlled” environments — which, ironically, can also have risk gaps. In an over-controlled environment, seven controls might be mitigating the same risk, when a single control could be sufficient.

By automating, centralizing and eliminating controls, a company harmonizes its business with the regulatory environment. Risks have the optimal number of controls and can be continuously monitored as needed, while outdated controls are removed entirely. The streamlined risk and control framework saves time and money and aligns with a company’s overall risk profile.

Summary

The ACE approach (automate, centralize, eliminate) for reassessing internal controls helps organizations reduce the burden on process owners, align controls with business risks, increase testing efficiency and manage the cost of control-related compliance.

How EY can help

  • Assurance services

    Learn more about how our Assurance teams serve the public interest by promoting trust and confidence in business and the capital markets.

    Read more

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.