When it comes to compliance, inertia enters the equation. There’s a mindset that assumes “more controls equal less risk.”
The pandemic has upended that complacency. A new set of business challenges and a treacherous macroeconomic environment are compelling companies to closely re-evaluate where they are spending money and the return on that spending.
Beyond COVID-19, there are other factors and events that can trigger a close examination of controls. When an internal process is outsourced or co-sourced, for example, the overall responsibility for managing the risk still lies with the company even though certain control activities could shift to the third party. Management still needs to scrutinize the third party’s ability to perform these control activities to avoid any risk gap.
Looming organizational changes, including M&A activity, are also ideal times to take stock of controls. Finally, like any system, an aging control framework must be updated if it’s not keeping pace with the changing regulatory environment.
Getting started with ACE
The goals of a controls rationalization initiative should be multifold. Increasing the efficiency of your internal controls environment can:
- Reduce costs by rationalizing the number of controls
- Ease administrative burdens on process owners, freeing them to focus on strategic work
- Better align the controls environment to business risks
- Create cross-organizational synergies that add business value
To achieve these goals, companies should view the controls rationalization process as a three-part endeavor. With an automate, centralize and eliminate (ACE) approach, they can rationalize the number of controls while still maintaining adequate risk coverage.
The ACE approach is ideal for rationalizing so-called “over-controlled” environments — which, ironically, can also have risk gaps. In an over-controlled environment, seven controls might be mitigating the same risk, when a single control could be sufficient.
ACE your controls
The automate phase of the ACE methodology first involves improving the utility of existing IT tools and systems, where applicable. As mentioned, many companies fail to get the most “bang for their buck” when it comes to existing controls-related technology.
Newer technology, such as RPA and advanced analytics, can also play a major role in improving controls automation. These tools use bots to regularly analyze and test the controls environment. Auditors then examine the results and manage only the exceptions, as needed. With this advanced technology, companies create an environment of continuous, automated testing — instead of a labor-intensive, manual one.
The overarching goal of the centralize phase is to harmonize and align the disparate, decentralized set of controls that many companies have accumulated over time. Controls at fast-growing companies, in particular, can become decentralized quickly.
When centralizing, companies identify common controls developed in multiple organizational silos and then shift them to a central execution point, such as a shared services center. As they eliminate these redundancies, companies are better able to harmonize governance, risk and compliance functions.
The eliminate phase of ACE involves identifying and removing redundant controls and those that are no longer relevant to the business. Given constant waves of new regulation, certain controls can become outdated quickly and are ideal candidates for elimination. Another step during this phase can be to evaluate whether existing management review controls can be tested at a level precise enough to allow management to designate some of the transaction-level controls as “non-key.”
Before and after ACE
By automating, centralizing and eliminating controls, a company harmonizes its business with the regulatory environment. Risks have the optimal number of controls and can be continuously monitored as needed, while outdated controls are removed entirely. The streamlined risk and control framework saves time and money and aligns with a company’s overall risk profile.
Summary
The ACE approach (automate, centralize, eliminate) for reassessing internal controls helps organizations reduce the burden on process owners, align controls with business risks, increase testing efficiency and manage the cost of control-related compliance.