This week, I was joined by Robin Ashby, Audit Director and Head of Internal Controls at Qurate Retail Group, the $10bn company behind QVC and the Third Way to Shop®.
It seems we are still approaching risks and controls without sufficient recognition of the impact of the seismic changes underway, in M&A, “socially distanced” and “touchless” tasks, new IT application landscapes, global end-to-end processes and business governance itself.
At Qurate, it’s fair to say that their technology landscape is complex. With over 150 IT applications, and 50 of them in SOX scope including their new Cloud S/4HANA ERP, the need for solid risk management and control is evident.
Robin and I dissected many factors impacting ICFR and SOX deficiencies including the “layers” of risk, controls design, the annual “winds of change” from the PCAOB via the audit firms, geography of the business, potential aggregation of control failures to name a few.
When it comes to the increase in control deficiencies, Robin clearly articulates the significance of the IT application landscape and impact of changes and governance over;
- M&A Inheritances
- Transition and cutover to new applications
- New (ERP) systems do not fix bad processes (his words are they “AMPLIFY and ACCELERATE awful”!)
- Data, especially Master Data
- Manual process controls, of which many are the unintended mitigating consequence of failed IT controls.
You can read this 4 minute synopsis here – and get a link to the webcast recording. . .