Getting Controls Right and Automating Them

By Karen Titus

Protiviti contributing writer

Call it a meeting of great minds: the right mix and number of controls with automated technology solutions. Done properly, the alliance can produce an elegant model for Sarbanes-Oxley compliance and cost savings. Of course, handled the wrong way, the alliance can be a bruising collision.

Now is the right time to get controls and automation technology on track. First-year Sarbanes-Oxley endeavors were, by necessity, somewhat limited in terms of efficiency and effectiveness. “Companies had to establish a baseline,” explains David Hartley, Protiviti director, St. Louis. “But that first year, and even the second year, were very expensive. Now companies need to figure out a better way to do it.” Otherwise, companies will continue to see only minor decreases in their costs related to internal controls and compliance.

The current Sarbanes-Oxley approach remains somewhat ad hoc in nature, with excessive emphasis on testing manual controls. The result? Personnel are tired and overwhelmed and play a continual game of catch-up to manage important tasks. And, as noted, costs remain high thanks to sole reliance on independent tests of controls. For a bigger impact, says Hartley, “You have to take a fresh look at what you’re doing from a Sarbanes-Oxley perspective.”

In Hartley’s view, such a look should include migration toward automated controls. The math is simple. A weekly business process, for example, provides a yearly population of 52 weeks. “Let’s say you decide to sample 10 of them,” he says. “That means somebody has to pick a sample, the samples need to be pulled, the auditors have to do their work, which may involve asking for more details—and you have to do that 10 times.” It can all add up to some hefty figures, he continues, noting that companies may have hundreds or thousands of key controls, all of which need to be tested.

That’s why a new approach to controls is in order.

Hartley puts it in succinct terms:

  • As organizations eliminate nonessentials, they will eliminate the need for redundant controls.
  • As companies eliminate rework and build quality control into processes, they will streamline their controls and reduce the need for manual, detective controls.
  • As companies simplify, standardize and automate their processes, they can expect to improve the mix of controls, leading to more efficient controls testing.

Striking a balance

“What we’ve found is companies, as part of their first-year Sarbanes-Oxley efforts, were quite conservative, and probably included more controls than were needed, designating them as key,” says Hartley. “We’re encouraging companies to scrub down those controls—not too few, not too many,” he says. Think of it as a Goldilocks approach.

The next step is automating controls. It’s a step, Hartley is quick to point out, that takes place over time as companies move from a manual, detective and ad hoc approach to one that is systems-based, preventive, and managed. Along the way, he says, optimizing controls through automation will improve transparency. Companies will increase their self-assessment and monitoring as manual testing gives way to automation, which in turn will lead to improved sustainability of the control environment.

“The biggest driver for automating controls and moving towards balance, I think, are the improvements in understanding what’s happening with your internal controls,” Hartley says. “In testing manual controls, you don’t know until the end of the year if they’ve been working. But with more self-assessment and more monitoring, you’ve got more accurate information, more real-time information, and you can make better decisions.”

Put another way, extensive independent testing of manual “detect and correct” controls should be trumped by a more balanced approach to compliance. There is a direct correlation, says Hartley, between the type of SOX testing and the degree to which the business process is automated.

Hartley likes to point to the purchase-to-pay process as an example of how automated controls can benefit companies. A 2005 benchmarking study by the IOMA (The Institute of Management & Administration) noted that in a non-automated environment, the average cost-to-process payment is $12.82; in a highly automated environment, that figure drops to $6.81. For a company that cuts 100,000 payments a year, the savings can be substantial: $681,000 versus nearly $1.3 million. “That, in and of itself, is a great business case for automating your processes.

“On top of that,” he continues, “you improve your process quality and control structure. People can’t circumvent the system, and it’s going to be easier to test.” Likewise, automation can reduce exceptions and their related Sarbanes-Oxley testing costs.

Companies have had trouble seeing the benefits of automation up to now because Sarbanes-Oxley has been viewed as a separate silo, as a set of various compliance initiatives. “You’ve got to start looking for the synergies between them,” Hartley insists. “Basically, if you’ve got automated processes that have preventive controls built in, Sarbanes-Oxley compliance should almost be an outcome of your process. It shouldn’t be something special you have to do—it’s baked into everything that you do.”

It’s a visionary approach, to be sure, but one that can be handled in increments. Hartley points to a process maturity model adapted from Carnegie Mellon’s Software Engineering Institute Capability Maturity Model to help clients think about their processes and their developmental stage. At the lowest stage of maturity, called the initial stage, control is not a priority, and capabilities are ad hoc and chaotic. Hartley likes to give as an example a payroll department that runs successfully on one staff person’s energy and experience. “That one person is doing heroic things and is a tremendous asset to the company, but it’s not a process,” he says. “And if something were to happen to that person, it all falls apart. There’s no repeatability.”

The next stage is called “repeatable,” in which processes are established and are repeating; however, controls documentation is lacking, and reliance on people continues. Many companies, Hartley observes, are at one of these two stages.

Incremental improvement

Ultimately companies may work their way through three higher stages of capability—defined, managed and optimizing—with increasing levels of process and controls capability. The point isn’t necessarily to reach the highest level; indeed, few firms need to achieve the top level for all processes. Rather, it’s to recognize that improvement evolves step by step. “Organizations can sustain only so much change in a limited time,” he says. “Firms need to move gradually, in an organized fashion, and determine just how mature their capabilities need to be.”

As companies look at streamlining their processes, it’s only logical to look toward automated solutions, which can improve business efficiency and reduce compliance costs.

Once the process is right (for example, after redundant controls have been eliminated), says Dean Berg, director of compliance solutions for Stellent Inc., technology can be used in a two-step process to: 1) convert manual controls to automated controls, and 2) further optimize processes along the aforementioned maturity chain, i.e., migrate detective controls to preventive controls.

Stellent offers three key products to help companies automate controls and optimize processes:

  • Stellent BPM, or Business Process Management technology, for automating manual processes and for tying together sub-processes that have already been automated but are disconnected.
  • Stellent Document Management/Records Management, for applying controls to financial spreadsheets — controls around who can access and who can change financial data and for setting retention controls on specified sets of content like product or patient documentation.
  • Stellent Web Publishing, for automating controls related to the communication or distribution of policies and procedures.

Berg offers an example of BPM technology by modeling a capital expenditure request. At many companies a capital expenditure request process remains a manual process, one entailing plenty of paper pushing. Automating the process allows the expenditure request to automatically move through the process as an electronic form with e-mail notification to the users that need to be involved at various points along the process. Looking toward compliance, the technology makes it easy to track all actions along the process. Likewise, it allows companies to migrate upward on the process maturity model—for example, by routing requests under $500,000 to the CFO and requests above $500,000 to the Board of Directors. “That’s now a preventative control that redirects who has to sign off, based on a dollar amount,” Berg explains.

 

Automation’s triple benefits

The compliance benefits of automation are threefold. The first, says Berg, is documentation. BPM provides automatic documentation of critical processes, as required for Sarbanes-Oxley compliance. Manual performance of a process is only the initial step; documentation of its occurrence must still take place. “But if you’re modeling your process in technology with the purpose of automating that process, that documentation is there, almost as a byproduct,” Berg says.

Second, it provides audit logs, or evidence, to support testing. “Relative to Sarbanes-Oxley compliance,” says Berg, “there’s a big testing effort. Not only do you have to document your processes, but then you have to test the controls within that process to make sure those processes are actually being performed in the way that you documented them.” With BPM, the automatic audit logs provide those answers, reducing the amount of testing time required. In addition, Berg says, manual methods are somewhat error-prone. “With an automated approach, the possibility of introducing errors is greatly diminished.”

Third, automation allows companies to start monitoring processes. “If you have a process that is going awry for whatever reason, you can automatically monitor events that would allow you to correct the process immediately upon an issue or even before an issue occurs,” Berg says.
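The capital expenditure routing rule above and the three compliance benefits (documentation, audit evidence, monitoring) can be seen together in a small workflow. The following Python is an added example written for this page; it is not code from the article, from Protiviti or from any Stellent product. The $500,000 threshold is the one Berg gives; the role names, request fields, sample requests and the treatment of a request of exactly $500,000 (routed to the Board here) are assumptions made for the example.

```python
"""Added example (not the article's or any vendor's code): a minimal BPM-style
approval workflow for capital expenditure requests.

It demonstrates the article's three points about automated controls:
  1. the routing rule is a preventive control: the system, not the requester,
     decides who must sign off, and the wrong role cannot approve;
  2. every action lands in an audit log as a byproduct of running the process,
     so documentation and testing evidence exist without a separate effort;
  3. the same log can be monitored for exceptions (blocked actions).
Threshold from the article; roles, fields and sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

THRESHOLD = 500_000  # article: requests under $500,000 -> CFO, above -> Board


@dataclass
class AuditEvent:
    request_id: str
    action: str   # submitted | routed | approved | denied
    actor: str
    role: str
    detail: str = ""
    at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


@dataclass
class CapexRequest:
    request_id: str
    requester: str
    amount: int
    status: str = "pending"
    required_role: Optional[str] = None


class CapexWorkflow:
    def __init__(self) -> None:
        self.requests: Dict[str, CapexRequest] = {}
        self.audit_log: List[AuditEvent] = []

    def _log(self, req: CapexRequest, action: str, actor: str, role: str, detail: str = "") -> None:
        # Documentation and evidence are produced by the process itself, not added afterwards.
        self.audit_log.append(AuditEvent(req.request_id, action, actor, role, detail))

    @staticmethod
    def route(amount: int) -> str:
        # Preventive control: approver chosen by amount. Assumption: exactly
        # $500,000 goes to the Board (the article does not state the equal case).
        return "CFO" if amount < THRESHOLD else "Board"

    def submit(self, request_id: str, requester: str, amount: int) -> str:
        if amount <= 0:
            raise ValueError("amount must be positive")
        req = CapexRequest(request_id, requester, amount, required_role=self.route(amount))
        self.requests[request_id] = req
        self._log(req, "submitted", requester, "requester", f"amount={amount}")
        self._log(req, "routed", "system", "system", f"to={req.required_role}")
        return req.required_role

    def approve(self, request_id: str, actor: str, role: str) -> bool:
        req = self.requests[request_id]
        if req.status != "pending":
            self._log(req, "denied", actor, role, f"status={req.status}")
            return False
        if role != req.required_role:
            # A sign-off by the wrong role is blocked and recorded, not silently dropped.
            self._log(req, "denied", actor, role, f"required={req.required_role}")
            return False
        req.status = "approved"
        self._log(req, "approved", actor, role)
        return True

    def exceptions(self) -> List[AuditEvent]:
        """Monitoring: every blocked action is an exception a reviewer should look at."""
        return [e for e in self.audit_log if e.action == "denied"]

    def evidence(self, request_id: str) -> List[Tuple[str, str, str]]:
        """Testing evidence for one request: the ordered trail of who did what."""
        return [(e.action, e.actor, e.role) for e in self.audit_log if e.request_id == request_id]


if __name__ == "__main__":
    wf = CapexWorkflow()                      # constructed sample requests follow
    wf.submit("CR-1", "alice", 120_000)       # routed to CFO
    wf.submit("CR-2", "bob", 750_000)         # routed to Board
    wf.approve("CR-2", "carol", "CFO")        # blocked: wrong role for this amount
    wf.approve("CR-2", "dana", "Board")
    for e in wf.exceptions():
        print("exception:", e.request_id, e.actor, e.role, e.detail)
    print(wf.evidence("CR-2"))
```

Because the log is written by the workflow on every transition, a tester can reconstruct the full approval trail for any request from the log alone, and an exception report is a query over the same data rather than a separate manual control.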

That’s not to say that companies need to leap from having 100 percent of their processes being manual to 100 percent automated overnight. Many companies are already semi-automated, particularly if they already have an ERP package in place.

But companies should consider automation from a broader perspective and begin to prioritize the additional processes that may be ripe for automation. Says Berg: “I don’t think there’s any question that automating controls and maturing controls is a good thing for a company to do, from a general business benefit and value as well as from a compliance standpoint.”  

Article from Protiviti KnowledgeLeader – www.knowledgleader.com.

KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk, and add value. Free 30-day trials available.

Protiviti is a leading provider of truly independent internal audit and business and technology risk consulting services. We help clients identify, measure and manage operational and technology-related risks they face within their industries and throughout their systems and processes. And we offer a full spectrum of audit services, technologies and skills for business risk management and the continual transformation of internal audit functions.

 

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Copyright 2005 AuditNet. All rights reserved.


Revised: January 14, 2008

Address of this Page is http://www.auditnet.org/