We recently surveyed 150 organisations from around the world on the nature and implementation of their internal controls, with specific focus on those related to assurance over financial reporting (ICFR).
We gained some significant new insights. Yes, we suspected that the landscape is very different to that assumed by those of us involved in the heavy lifting of global ERP systems, embedded automated controls and the application of so-called Governance, Risk & Compliance (GRC) tools for risk management and continuous monitoring.
However, the results were stark and led us to wonder whether we are directing our time and resources at the right problem, or at least whether we have the right balance in the focus of effort.
There has been much discussion and encouragement for organisations to question the nature of their internal controls (not least by the COSO 2013 revision), to ensure that they are genuinely risk based and to apply these efforts accordingly. However, it seems that the investment of time and money in optimising control implementation, operation and testing is unbalanced. The global leaders in control effectiveness have taken the prescribed medicine of global common processes, standardised ERP systems and automated controls, at considerable expense. Global process standardisation has, of course, many other benefits in addition to risk and compliance, not least in reducing the cost of operations and enhancing the quality of process execution and outcome.
Even the global leaders report that at most 25% of financial controls are automated, which leaves a whopping 75% largely unattended in terms of improved efficiency and audit-ability. It is easy to assume that the answer, therefore, is simply to put more effort into controls automation so that this ratio can be increased. However, more detailed analysis shows that there are limits to the controls to which it is appropriate or relevant to apply 100% automation. This debate focuses attention on how to improve the state of the nation with regard to manual and ‘IT dependent’ (sometimes called ‘hybrid’) controls. Even the majority of IT General Controls are not automated, which may sound counter-intuitive since we tend to assume anything to do with IT is, by definition, automated. Further analysis explains the need for human judgement and attestation of IT process and control operation.
Controls over business process execution (‘Process Controls’) are by far the highest proportion of the controls landscape, eclipsing Entity Level Controls and IT General Controls by some margin. This supports our own experience of greater attention on the automation (or at least the automated monitoring of) process controls reported by organisations around the world.
This survey confirms that the ‘elephant in the room’ (as in “that large thing that takes up a lot of space but no-one talks about”, like a bad smell at a party) is not how to further improve the automation of the 25% but to address the majority of controls which require some level of management judgement, confirmation, assertion, attestation and evidence.
Fortunately, the guest speaker in our recent webcast gave some excellent examples of the way in which such controls can be optimised. He described his experience with automated support for distributed attestation in a global organisation that addressed three scenarios: simple local entity level attestation controls, attestation controls ‘with evidence’, and attestation of variable data such as in the period-end manual journal entry approval control process.
Details of the survey results are provided below and in the attached infographic. If you want to know more or discuss your specific situation, please contact Erik Eriksson at firstname.lastname@example.org
Survey Report Details
I. Executive Summary
– Process Controls represent the largest single group of Internal Controls over Financial Reporting.
– The vast majority of organisations have less than 25% of their financial controls automated.
– The drive to extend the coverage of automated, preventive controls is important, but even the most successful of these organisations have struggled to break the 25% barrier.
– COSO 2013 encourages the adoption of more Entity Level Controls. Although this may reduce the total number of controls, the testing of these is largely manual.
– The untapped opportunity is to apply some level of automated support to provide enhanced efficiency, visibility and audit-ability to the full set of manual and IT-dependent controls.
The concept of Internal Controls can be fairly broad, as it involves everything that controls risks in an organisation. According to COSO (Committee of Sponsoring Organizations of the Treadway Commission), internal control can be defined as follows:
Internal control is a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
The use of internal controls soared in the post-Enron era. New, tightened financial control regulation, Sarbanes-Oxley in particular, placed great focus on process controls, especially key financial controls, internal controls over financial reporting, operational or compliance controls for legislative measures, and anti-bribery and anti-corruption controls. SOX drove many organisations to adopt an enthusiastic approach to implementing controls (perhaps also encouraged by third parties). This, in turn, triggered an increased interest in finding ways to reduce the costs of compliance, whether by automating controls, limiting their number and/or focusing on the important (key) controls. A notable discussion from those early years was also whether controls should be preventive or detective.
Twelve years after the Sarbanes-Oxley Act, we are looking to understand what the landscape of internal controls looks like. What is the SOX legacy? What types of controls do organisations prioritise over others, and how are they implemented? Are control activities predominantly automated, manual or hybrid? These are the few but significant questions this survey has sought to answer.
This topic is particularly relevant, as regulated companies with year-end dates after December 15, 2014, that have selected the 1992 COSO Internal Controls Framework Standard to structure their IC requirements, are transitioning to the recently published 2013 framework.
Before we move onto the results, however, it is important that we share a common taxonomy in terms of types of controls and forms of implementation.
Within the Internal Controls over Financial Reporting framework, we have identified 3 types of internal controls:
- Entity Level Controls are internal controls that ensure management directives pertaining to the entire entity are carried out. Generally, entity refers to the entire company or an operating unit. They are designed to provide reasonable assurance that objectives related to the company as a whole are met. Such controls have a pervasive effect on the company’s system of internal control. Audit committee oversight of financial reporting and a CFO’s review of differences between the company’s monthly budget and actual expenditures are examples of entity-level controls.
- IT General Controls (ITGC) apply to all system components, processes & data for a given organisation or IT environment. They ensure the proper development and implementation of applications, as well as the integrity of programs, data files and computer operations.
- Process Level Controls apply to core finance business processes: revenue cycle, expense cycle, general accounting, assets, treasury and HR/Payroll. They ensure the proper management of the risk of financial misstatement or of the recognition of revenue, expenses or cash, and deal with accuracy, completeness, authorisation and segregation of duties (SoD). They pertain to the activities of a single process, such as requiring that delivery receipts be matched with vendor invoices before a vendor payment is authorised.
In terms of how controls can be implemented we identified 3 possibilities. The survey distinguished between controls which are Automated, Manual or IT-Dependent/Hybrid.
- Automated controls are operated by IT systems without requiring manual intervention (e.g. edit checks, data entry errors, calculations performed by applications).
- Manual Controls are those operated by individuals without the assistance of applications or other technology systems (e.g. the preparation & review of manual reconciliations, written authorizations).
- IT-Dependent or Hybrid controls have both an automated & a manual component. In the case of aging reports there is an automated, periodic review as well as a manual management assessment for reasonableness. Both components need to be tested to ensure the controls operate properly.
With these concepts defined, the survey aimed first to establish what percentage of the total control framework is represented by ICFR (internal controls over financial reporting). Within ICFR, what percentage are Entity Level Controls, ITGC or Process Controls? For each of those three, the survey also analysed what percentage is automated, manual or hybrid.
III. Survey Methodology
This research was conducted in Summer 2014, using an online questionnaire which was answered by approximately 150 financial control and risk professionals from 25 countries around the world, predominantly Europe and North America.
More than 10 industries are represented in the survey, including: Consumer Products, Defence, Packaging, Energy, Financial Services, Health Care, Manufacturing, Tech/Telecom, State and NGO.
The survey respondents come from different fields of activity. The most common three are Internal Audit and Assurance (33%), Financial Control (20%) and SOX (19%); more are shown in the graph below.
The survey respondents span all types and sizes of business, from small (<5,000 employees) to medium (5,000 – 20,000) and large (above 20,000 employees). Approximately 37% of respondents work in organisations with fewer than 5,000 employees; 26% come from medium to large organisations (5,000 – 20,000). A further 33% of the respondents are from large, multinational organisations.
The survey gathered insights from professionals at companies with gross annual revenues ranging from less than $1 billion to more than $20 billion:
IV. Survey Results
While considering the whole landscape of controls, this research focussed on Internal Controls over Financial Reporting (ICFR).
“Internal Control over Financial Reporting Remains a Key Focus”
Q1: Please indicate what percentage of your organisation’s key controls are Financial Reporting (ICFR); Operational (non-ICFR), Compliance (non-ICFR)?
Almost a third of respondents reported that Financial Reporting controls represent between 50% and 74% of the total number of key controls.
Half of respondents stated that Compliance Controls account for less than 25% of the total amount of controls. This is perhaps not surprising considering recent efforts to drive down the costs of compliance.
There were some comments from respondents that illustrated some variance in approaches and that, despite the drive for standardisation, there remain some grey areas:
– ‘We don’t classify non-ICFR controls as key or non-key’
– ‘There can be some overlap between Compliance and Operational controls’
– ‘We do not separate Compliance controls but rather identify them as either Financial or Operational’
“Process Controls Dominate”
Q2: For Financial Reporting Controls (ICFR) what percentage of your controls are Entity Level Controls, ITGC, and Process Controls?
Within ICFR the majority of respondents (57%) report that Entity Level Controls in their business account for less than a quarter (25%).
Interestingly a similarly large percentage (50%) claims that IT General Controls account for a quarter or less of their Financial Reporting Controls.
The general view is that the largest portion of ICFR is, in fact, Process Controls: 60% of respondents said that Process Controls make up more than half of their ICFR.
“Entity Level Controls increasing in Importance (COSO 2013) but Largely Manual”
Q3: Of your Entity Level Controls for ICFR what percentage do you estimate are automated, manual or IT-dependent/hybrid?
A high percentage (42%) of respondents felt that less than a quarter of Entity Level Controls are automated or IT Dependent / hybrid. A further 26% said that no Entity Level Controls are automated.
There were comments indicating that organizations are still making the shift towards more automated controls over the next three to five years.
“Despite ERP vision, IT General Controls Remain Largely Manual”
Q4: Out of your IT General Controls (ITGC) for ICFR, what percentage do you estimate are automated, manual or IT Dependent / Hybrid?
A significant proportion of respondents (41%) said that less than a quarter of ITGC are automated. This may come as a surprise, since IT is a term associated with automation. However, many of these controls deal with policy as well as IT processes and the network environment.
“Process Controls Represent the Largest Single Opportunity”
Q5: Of your Process Controls for ICFR what percentage do you estimate are automated, manual, IT-Dependent / hybrid?
Yet again, the vast majority (57%) felt that less than a quarter of their Process Controls are automated. Since Process Controls represent the largest segment of ICFR, this means the level of automation is fairly low… perhaps lower than expected, given that most financial processes are automated in ERP, consolidation and BI systems.
V. Conclusions and Takeaways
The survey results and comments confirmed that organisations are still learning and working to continuously improve the quality, efficiency and audit-ability of their internal controls.
The key findings are:
- Despite great strides in the effectiveness and functionality of the major ERPs, the coverage of automated, preventive controls tops out at about 25% of the ICFR total.
- Process Controls are the biggest single segment of ICFR, although many of these cannot be fully automated (i.e. they require some human judgement).
- There is considerable focus on implementing the recommendations in COSO 2013, although this may have the counter-intuitive effect of increasing the number of manual controls, as Entity Level Controls typically need manual attestation.
- Manual and IT-Dependent controls make up by far the largest percentage of the ICFR landscape, even for sophisticated organisations.
There is clearly a three-pronged strategy for this which we need to balance carefully:
- Consider the COSO 2013 guidelines and implement the recommendations for increased coverage, efficiency and automation. Consider rationalising the number of controls by putting a greater focus on Entity Level Controls.
- Optimise the use of the ERP and its embedded, preventive controls to streamline processes, reduce risk and reduce the cost of testing. Recognise that this is probably 25% of the ICFR landscape.
- Implement an efficient, audit-able attestation process and technology for the 75% of ICFR which are manual or IT-dependent, to reduce the cost of compliance and enhance assurance.
Thanks for reading… view the infographic summarizing these survey results here