If you’re not already automating your internal controls, you should be.
The cost of controls technology has come way down while its capabilities have increased. Advanced controls automation is now accessible even to smaller organizations, and the return on investment is high. Automation not only effectively pinpoints risk, but can also free your team to focus on high-value work while providing detailed information and analysis to help you better understand many aspects of your business.
Automating at least some of your internal controls is quickly becoming the bare minimum for effective corporate governance these days. But automated controls need to send the right alerts to the right people to be fully effective. After reviewing cross-industry benchmarking data on the prevalence of automation for primary controls, we highlight the benefits of automated controls and discuss the importance of setting up the right reporting and communication structures for them.
Through responses to its Internal Controls survey, APQC finds that bottom performers (organizations falling within the 25th percentile) automate only 15% of their primary controls. Top performers automate 40% of their primary controls, more than twice that share. (See chart below.)
Why You Should Automate Primary Controls
Organizations with a higher percentage of automated internal controls have better safeguards in place to lower the risk of fraud, protect their corporate assets, prevent costly human errors, and ensure the accuracy of financial records.
There will always be a need for skilled finance professionals to assess the risk of any anomaly identified through internal controls. When internal controls processes rely heavily on manual intervention, however, the opportunities for fraud and abuse to occur and go undetected increase greatly. Organizations that have automated a high percentage of primary controls have a more comprehensive approach that provides greater confidence in the safeguarding of organizational assets.
Internal controls automation allows organizations to quickly analyze huge volumes of data from multiple systems, flagging potential fraud patterns as they happen. Instead of a laborious, hands-on process of performing spot checks on random samples of data, automated bots run continuously in the background, doing the tedious work of scanning everything from emails to purchase orders, looking for patterns and anomalies, and flagging outliers for further investigation.
Automating this process frees auditors from digging through records manually and gives them more time to dive deeply into investigating red flags and determining whether there is a logical explanation for irregularities. Automated controls also find run-of-the-mill errors that can be corrected before they become vulnerabilities to the organization.
Informing the Right People
Imagine a vehicle with modern diagnostic systems that can detect low oil, bad sensors, failing brakes, or other mechanical issues. These extensive detective controls will not make any difference if the computer never communicates information back to the appropriate personnel — in this case, the driver.
In the same way, as we increase our reliance on technology to perform internal control activities, information and communication streams to the right people become increasingly critical. Top performers work to ensure that their organization can answer questions like:
How do we know if the control is working?
How do we know if the control has worked?
Who in the organization is responsible for receiving reports and logs of control activities?
Based on the information you receive, can you diagnose when automated controls are not working as designed and make corrections as needed?
When building out your communication streams, think about the reporting structures that will work best for your organization. If reporting comes by way of a dashboard on the homepage of your ERP system, are you confident that leaders and staff will view those screens when they log in? If reporting comes via system-generated emails, are you sure that employees will read them?
I must confess that I often self-select the most important emails for me as CFO while ignoring others — your colleagues and employees will probably do the same. Great organizations set up reporting structures and communication streams in a way that makes sense for their culture, and if possible, give people the choice of how they can view and consume the information.
When automated controls are set up effectively, the data they produce comes in handy for many different kinds of decision support beyond the audit. An automated system that detects unusual extremes in employee expense reports can also be used to study average expense costs for various cities where the organization does business. When those data are combined with sales plans, it’s easy to accurately plan for next year’s business travel.
If your organization has a smaller percentage of automated primary controls or none at all, it’s time to take a look at tools that can help you crunch much more data, more thoroughly, in less time. When they are well-implemented with the right reporting structures in place, you’ll wonder how your finance team ever got by without them.
Perry D. Wiggins, CPA, is CFO, secretary, and treasurer for APQC, a nonprofit benchmarking and best practices research organization based in Houston, Texas.