After many years of focus on controls automation, the issue of residual manual controls has never been more pressing for global businesses. Maybe the agility we exhibited in rapid process change and digitization during the COVID pandemic has added to the challenge.
Manual controls are a critical problem at the core of risk management and controls transformation. Despite huge investments in digitization, this isn’t going away.
– 69% of major corporations have had one or more significant audit deficiencies in the last 2 years.
– 93% have under 50% of their key financial controls automated, with 46% under 10%.
– 62% identify manual process controls as their biggest single, current concern.
We sat down with Stuart Worthington and Hans van Nes, socially distanced of course, on 17th June 2021, to explore the root causes of manual control proliferation, and to share practical guidance on how to eliminate, automate, augment and accelerate ICFR transformation into the digital world.
Ironically, despite the plethora of guidance and documentation provided by regulators and advisors, one of our previous speakers, Robin Ashby, Audit Director, Internal Controls, Qurate Retail Group, reminded us that there is no clear definition of an “automated control”. And, as with many things, the devil is in the detail, and the detail is nuanced.
Our snap poll of several hundred attendees, below, confirmed that we have no consistent definition.
Of course, one of the nuances is that we have focused a great deal over the years on preventive controls, which are largely necessarily automated, but there are considerable number of detective or assertation controls, which are, by definition, manual in part, as the schematic below shows.
Stuart Worthington, former Internal Controls Manager at Nestlé, the world’s largest food company, shared his 15 year journey and invaluable experience in ICFR. Stuart has an interesting hybrid background having been trained as an accountant, operated as a Controller, and latterly implemented SAP and associated controls. So he has a valuable blend of business, finance and IT knowledge and experience.
Stuart described the Nestle journey, and the rationalization of end to end business processes and internal controls over financial reporting (ICFR) and it was a major undertaking. Stuart described their approach to eliminating controls as analogous to the game of “Jenga”, as a delicate, time consuming dance to ensure the tower did not collapse!
Stuart gave good examples of eliminating manual controls and redundant controls, shifting to automated controls and the role of “hybrid” controls, where data from IT systems is used as input to a necessarily manual management assertion or “attestation”.
Stuart shared a simple 3 step approach to establish how to make the right decision for a manual or automated control.
In response to questions about the use of the latest technologies to eliminate the need for controls, Stuart referred to Data Science, AI/ML, Cloud ERP solutions, and warned us against hype and mythology and questioned whether all the claims were valid, or at least cost effective.
It was a learning curve for Stuart and the team, with quite some “Dunning-Kruger” effect exposed. The focus is about shifting the balance to eliminate, replace or automate as many manual controls as possible, or augment as hybrid controls. This improves both efficiency and effectiveness, and the quality of risk management.
Hans summarized by making it clear that there will always be controls requiring human judgement, but let’s make sure there are as few as necessary, and that we make them as practical and effective as possible. He also reminded us that risk management itself is a process cycle, and the “Fact to Act” model below shows the linkage between risk, policy, control, monitoring and action.
We outlined a 5-step approach when it comes to optimizing and streamlining your ICFR landscape;
- Understand – take a 360° approach and then ‘Zoom in on your target.’
- Eliminate – Validate! Do you use it? What are the variants? What is the frequency?
- Automate – Look at ambition for automation, execution and value. Ask Where/What/How?
- Augment – This is ‘hybrid’ territory. Isolate the human part, automate the preceding and successor elements.
- Attest – Now it’s about the Context, the Concept and the Conclusion – this is ‘as good as it gets.’
Hans showed the practical steps of a clear approach for shifting the balance and the use of rapid response automation for augmentation and attestation.
In conclusion we discussed the Pareto Principle, the 80/20 rule that is so powerful in achieving rapid progress in strategy implementation. Pareto underpins the approach that Hans described.
So, whilst Manual Controls are here to stay, a balance is key.
Controls, in an ICFR context, are here to assure your financial statement and to confirm that the business is operating as reported. The flow from financial statement, through processes, transactions, applications to infrastructure, and the role of risk management and control is illustrated below, a slight variant on a COBIT model.
We concluded by asking the audience, “what, in your view and experience, is the single biggest challenge in optimizing the balance between Automated, Hybrid & Manual Controls?”
The wordcloud below is a representation of the major themes in the responses, and you can see for yourselves the direction of “cognitive travel” on this topic.
It is promising that so many attendees recognized the need not just to automate, but to augment ICFR controls. Hopefully Stuart’s story and Hans’ insights have given you some food for thought as to how you can address the “elephant in the room” once and for all.
You can access the recording of the live webcast here . .
Hopefully we can start to remove these old signs indicating manual labor in the ICFR cycle!
Thanks for reading…….