With a steady rise in risk and volatility in the modern global economy, companies are dialing up their adoption of technology solutions to manage their monitoring and testing in risk, compliance, and control activities—or at least, they are trying to.
“We are seeing more companies moving to integrated controls,” says Joe Howell, executive vice president at Workiva. Companies with only partially deployed ERP systems are starting to take a fresh look at what they can do with the software they have, he says.
“People love IT, but it may have been expensive, complicated, or required a lot of IT involvement to fully implement,” he says. “It took a lot of discipline to get them up and running. Now there’s pressure to rethink that. Even though it’s expensive and complicated, people are drawn back to use them.”
Interest in advanced or automated monitoring and testing solutions is accelerating, says Jerry Stone, a partner with PwC and leader of the firm’s compliance services. A recent PwC survey showed roughly 60 percent of CEOs saw more business opportunity on the horizon in the next three years—and the same percentage also said they saw more risk. “That balance is what companies are looking at,” he says. “How do I pursue opportunities in a world that is changing at a greater pace? How do I grow but have the right balance of infrastructure, and therefore monitoring and proactive feedback?”
That same PwC survey of CEOs said roughly two-third of chief executives expect significant regulatory change over the next five years. “Organizations are responding to the environment, and that environment includes an increase in regulatory complexity,” Stone says. Monitoring and testing solutions give compliance and risk officers more timely feedback on their processes, and more sustainability to that feedback. “So they can move more nimbly into some of the growth areas that are presented by advances in technology and globalization.”
“That balance is what companies are looking at. How do I pursue opportunities in a world that is changing at a greater pace? How do I grow but have the right balance of infrastructure, and therefore monitoring and proactive feedback?”
Jerry Stone, Partner, PwC
Dan Kinsella, third-party assurance solutions leader for Deloitte Advisory, says many compliance operations are outfitted with modern monitoring and testing solutions, but haven’t found them to be the cure-all people expected. “There was this view that this would be panacea of the future, that this was going to do all of this automagically,” he says.
Not so much magic has arrived yet. Companies have implemented lots of systems, and systems technology is improving, but the idea of “master data management” is still somewhat elusive for many companies.
QUESTIONS TO ASK
A number of internal and external indicators can signal where an outsourced or co-sourced monitoring and testing solution would add value. Below is a sample of questions that PwC says companies should ask themselves:
What is your strategic posture—for now and the future?
Do you operate in global markets or plan to?
Do you operate in emerging markets or plan to?
Are you expanding the diverse markets in which you operate?
What are your needs, strengths, and weaknesses around controls monitoring? Is there a desire to get to the next level?
Has your company evaluated the strategic benefits of controls monitoring?
Is your company required to have controls monitoring activities?
Do you currently have recurring controls monitoring activities in place? If not, is there a need or desire to establish those activities?
Are there opportunities to enhance risk coverage through better coordination of your controls monitoring?
Do you effectively leverage your data (both structured and unstructured) to maximize automated monitoring?
Is the organization open to evaluating outsourcing approaches and improvement strategies?
What is your level of risk maturity?
Are you an early-stage organization that still needs to put the basic elements of risk management in place?
Are you a developing organization looking to better link your business and risk strategies?
Are you an organization with mature risk management and corporate compliance systems but with a need for improvements around monitoring and testing of processes and controls?
Are your needs broad based or tightly focused? Are you seeking to alleviate stress points in your infrastructure by redistributing specific responsibilities?
Are you seeking to better utilize technology to more effectively automate your risk processes?
Could a restructured approach offer opportunities to optimize your controls monitoring?
Is there an opportunity to centralize controls monitoring activities to drive quality, maximize the use of data, control costs, and achieve greater economies of scale?
Could enhanced coordination and consistency in testing approaches provide opportunities for greater efficiency and effectiveness and drive more-reliable testing results?
Is there a desire to leverage a long-term, sustainable solution rather than a one-time controls monitoring project?
Are you looking for opportunities to reduce the cost of compliance?
Are there opportunities to better centralize and standardize your monitoring and testing activities to save costs while improving quality?
Are there opportunities to utilize data-driven monitoring and offshore resources to create a more integrated, low-cost approach?
Are there human resources challenges to achieving effective controls monitoring?
Does your organization employ people with the right skills and does it have the right technology to monitor and test its control activities? How well do people at the business level understand the objectives of the controls they monitor?
Are your resources stretched or at capacity—without the flexibility to handle changes to your risk and controls environment?
Are there issues with turnover in the controls monitoring functions?
“Ten or 15 years ago, you may not have had the right data to make decisions,” Kinsella says. “Now you have too much data to make the right decisions.” Now companies are starting to make more use of automated controls and automated analytics to meet varied reporting requirements and achieve some efficiency, he says, especially in the more heavily regulated sectors like financial services, health sciences, and energy.
Getting to a Good ROI
The technology has developed to a point where it tends to provide a good return on investment, says Gary Sturisky, national consulting leader for McGladrey. “We’ve seen a significant migration toward automation to get efficient and drive down the compliance cost,” he says. “Compliance for the most part has become somewhat mature. When you look at the repetitive, known aspects of it, companies are looking for ways they can draw down the costs.” With most packaged solutions offering plenty of customization options, companies are finding they get a lot of bang for their buck, he says.
The bad news: Those bucks will still be a significant investment, says Warren Stippich, partner and national GRC leader for Grant Thornton. He warns that organizational challenges will still flummox lots of companies. “It’s where we need to get as a profession focused on risk, compliance, and controls,” he says. More advanced technology is the “poster child” for optimizing the compliance function. “How do you look at the risk and compliance environment and test it with a lot more efficiency?”
Miklos Vasarhelyi, professor of accounting information systems at Rutgers University, has been studying the development and use of continuous auditing and continuous monitoring solutions for more than 20 years. “I used to tell students: Everyone uses computers, so everyone will use this information technology to audit in five years,” he says. “All these years later, never underestimate the time it takes for companies to adopt modern technologies.”
Research has shown that companies still have plenty of cultural constraints to consider in determining how best to move professionals into more modern methods, he says, but companies are gradually making the move. “The whole idea of manual audit has become very close to preposterous,” he says. “The idea of sampling on huge populations is very procedural. It is an old-fashioned view of the world.”
It’s been a long haul for a variety of reasons, says Sandra Richtermeyer, accounting professor at Xavier University who studies accounting systems. Many companies have invested in a significant IT infrastructure and robust control processes, but they struggle with integration, she says. “What about an enterprise system that only utilizes 20 percent of its capability?” she says. “That’s what I hear a lot. They may have all these really cool islands of technology, but they don’t speak to each other.”
Below, the IIA examines to what extent companies are automating, monitoring, and testing solutions.
The Institute of Internal Auditors' Global Internal Audit Common Body of Knowledge (CBOK) Practitioners Survey says 44 percent of respondents globally — more than 14,500 — report moderate or extensive activity for continuous/real-time auditing. It is not clear how many combine this with continuous/automating monitoring.
The IIA's GAIN survey, which includes information from internal audit functions at 479 organizations including 315 in the United States, found 62 percent of respondents use computer-assisted audit techniques, while 33 percent report performing continuous auditing.
Source: Institute of Internal Auditors.
Richtermeyer also sees companies with ERP systems that have the capability for customized monitoring, but they haven’t found the time or staffing expertise to deploy those capabilities well. Companies also struggle to some extent with having controls around monitoring systems. “As some companies become more complex in their business model or they are expanding, their comfort in using something automated may go down,” she says. “It’s monitoring the monitoring, or putting processes around processes.”
Companies are working through some of those adoption challenges by taking a pilot approach, Stone says. “There isn’t a lot of resistance to the need to have more sustainable monitoring in place,” he says. “So companies are looking at the practical aspects of piloting and how to implement in a way that makes sense.” Companies typically turn to their risk assessments to determine where to prioritize their adoption of new technology, he says. “Organizations need to measure that business priority like any other business priority and put it on a scale around everything else they’re doing.”