According to a recent Deloitte survey, 69% of organizations have suffered multiple Internal Control over Financial Reporting (ICFR) and SOX deficiencies in the past two years. This is a worrying statistic and one that isn’t likely to improve unless action is taken.
The past twelve months have taught us that we have to work and think differently. Whilst COVID has had its lasting impact, the world is changing every day, and at a fast pace. Yet, many businesses are approaching risks and controls without sufficient recognition of the impact of the seismic changes underway, from M&A, “socially distanced” and “touchless” tasks, new IT application landscapes, global end-to-end processes to business governance itself.
Amid sustained efforts on digital transformation, it might be surprising to learn that manual process controls are the main concern in ICFR. The good news is they are also the biggest area of focus and investment in ICFR. However, audit deficiencies are on the rise, and we need to better understand the dynamics behind that rise and become more proactive in our ICFR approach.
Are we responding fast enough to change? Could this be the real reason for the increasing deficiencies?
In a recent webcast we were joined by Robin Ashby, Audit Director and Head of Internal Controls at Qurate Retail Group, the $10bn company behind QVC and the Third Way to Shop®. Robin brought a wealth of experience across all 3 lines of defense in corporations and as a former external auditor, as well as vital insight from Qurate’s approach to ICFR and SOX.
At Qurate, it’s fair to say that their technology landscape is complex. With over 150 IT applications, and 50 of them in SOX scope, the need for solid risk management and control is evident. At Qurate, risk management and control processes are viewed as global, end-to-end cycles, like any other business process (O2C, P2P, R2R etc). However, it is complex and there are many factors at play: the “layers” of risk, controls design, the annual “winds of change” from the PCAOB via the audit firms, geography of the business, and potential aggregation of control failures, to name a few.
Yet, when it comes to the increase in control deficiencies, Robin clearly articulates the significance of the IT application landscape and the impact of changes and governance over:
- M&A Inheritances
- Transition and cutover to new applications
- New (ERP) systems do not fix bad processes (his words are they “AMPLIFY and ACCELERATE awful”!)
- Data, especially Master Data
- Manual process controls, of which many are the unintended mitigating consequence of failed IT controls.
Manual process controls remain a perennial problem, and there was a fascinating poll that illustrated that even the definition of an “automated control” is not standard among subject matter experts. Controls with a manual component, even if just attestation, make up a very high percentage. With the human factor comes thought, opinion and individual judgment, as well as substantial effort in ensuring the control is executed in a timely manner.
73% of attendees at the webcast stated that only 25% or less of controls are currently automated. This is surely making it harder for organizations to take a preventative approach and reduce the possibility of ICFR/SOX deficiencies.
Robin and Qurate have been doing a great job at identifying and minimizing control issues, but it hasn’t been easy. As Robin put it in his ‘Lessons from the “bloody battlefield” of experience’, the key recommendations are:
- Get your definitions right and consistent across business AND IT
- Ensure process ownership is well defined
- Ensure control ownership is well defined
- Ensure process execution in the operational units is well defined & understood
- Focus on making global control governance efficient and effective
But, as Robin so eloquently stated, “the path is littered with weak, non-existent, or outdated standards and policies”.
Deficiencies have a life of their own, and there is a mountain of work in proving “that nothing bad really happened”. So, the key is minimizing any control failures up front, through understanding, collaboration and design.
We put together a checklist of 9 ‘Big Themes’ to help organizations enhance the effectiveness of their internal control over financial reporting.
- Managing complexity – is it as simple as you think?
- Risk Management – “Risk to Perform” as a process
- Global Business Processes – end-to-end processes drive outcomes and risk, focus on them
- Governance – “structure and processes for decision making, accountability, control and behavior”
- Applications – educate and collaborate around the new “hub and spoke” reality
- Concept Control Harmonization – be sharp and consistent on vocabulary and definitions, keep it consistent, keep it simple.
- Manual Process Controls – maintain an inventory of all controls, mapped to process, application, BU, geography and whether they are manual/hybrid/automated.
- People, Identities, Access – Who has access to what and why? Do they know? Do you know?
- Execution – needs to be truly collaborative, break down the silos that inhibit “getting stuff done right”
There are genuine challenges, but they can be addressed and the key is to avoid procrastination and start on the key themes, NOW. Progress can be faster than you might think!
You can see the full presentation and discussion here. It covers a lot of ground.
We asked the attendees to share their views on the biggest challenges. We massaged the data, normalized it, translated some of it, even transformed and harmonized where possible. The result, as this wordcloud image shows, is that we all have common challenges. Let’s make some progress together!
Let’s make sure we “Nail it” not “Fail it”.
Thanks for reading….