The Future of Internal Controls

In both personal and business settings, internal controls serve an important purpose: to prevent, detect and mitigate risk. An internal control in our daily lives, for instance, might be checking to make sure the garage door is closed before leaving for work. (Can’t remember? Darn it! Better go back and check again…)

This type of verification is a manual control, one that’s performed by people. Businesses traditionally have taken a manual approach to their internal controls—the processes and records they use to address the spectrum of risks (financial, operational, technological, etc.) they face.
These manual controls could come in the form of “monster spreadsheets” to ensure segregation of duties, lengthy paper trails to approve transactions, or screenshot (after screenshot, after screenshot…) for compliance reporting. As with checking the garage door, humans can forget things and introduce variance, errors and inefficiencies.

With automation, though, it’s possible to conduct a wide range of tasks quickly and accurately. Bringing one layer of automation into the garage door example, an automatic garage door closer could be programmed to shut the door if it’s left open for, say, 10 minutes—providing peace of mind. But what if, after activating the closer, the door happens to be open when the owner swings home mid-day for lunch? Introducing other automated layers and technologies, such as cameras and motion sensors, will show why the door was open at that point in time—and better support the primary purpose of keeping threats out.

Businesses can use automated controls, typically built into their software applications, in much the same fashion and with the same end goals in mind. As they move to uncover the “why” behind aberrations and address the risk landscape more proactively, with constant, data-driven vigilance aligned to business priorities, they’re moving toward the Future of Controls (FoC).

From a technology standpoint, the FoC combines automation and advanced technologies, such as robotic process automation (RPA), artificial intelligence (AI), machine learning (ML) and predictive analytics, to streamline and improve controls, deliver actionable intelligence, and help businesses scale quicker, faster and better.

The state of internal controls today

For businesses across industries, the pandemic has spurred their digital transformations, both planned and “forced” ones. Companies have adopted new technologies and digitized front-office activities to meet customers and prospects where they are, and enhance the customer experience.

But a concerning divide has developed, as back-office functions—saddled with legacy systems, siloed data and manual processes—aren’t keeping pace with the move toward greater innovation and efficiency. Such is often the case with internal controls.

In a recent Deloitte poll, just two in 10 respondents (22 percent) reported that their organizations currently leverage advanced technologies, such as AI, RPA, and advanced analytics and visualization, within their internal controls program.

That’s a problem when the status quo isn’t serving organizations well. Existing controls environments are often overly complicated, inefficient, reactive and rigid—forcing talented staff to sink time into menial tasks that “check the box” but don’t provide intelligence to advance the business. Furthermore, in today’s largely work-from-home environment, previous manual controls (such as printing out and initialing reports, and filing them away as proof for auditors) often just aren’t tenable.

Organizations have a mandate to rethink their existing controls. In addition to driving efficiencies through digitization, it’s important to align controls to the dynamic risk environment today—taking into account, for instance, risks associated with a more distributed and untethered workforce, such as network breaches and insider threats.

Benefits of automation

Moving to the Future of Controls can help eliminate instances of leaving the figurative garage door open and the business exposed. Organizations on the road to a successful FoC journey will look to use controls to increase confidence, intelligence and performance.

Maximizing automation—not just for the sake of automation, but when and where it makes sense—is key to delivering on that vision. With automation and next-generation technologies thoughtfully embedded into internal controls frameworks, organizations can:

• Reduce the time and effort involved in ensuring compliance.
• Detect risks, aberrations and exposures quickly, in near-real time (not just during quarterly reviews or audits).
• Highlight the root causes of issues, not just their symptoms, to get ahead of deficiencies and drive faster decision-making.
• Move from a defensive, reactive risk-management posture to an offensive, proactive one. Rather than executing just hindsight-oriented activities, controls environments can incorporate three other important lines of sight: providing insight, oversight and foresight, so organizations can take better action in the present.
• Drive and improve controls resilience, fortifying the business from the inside out. Controls-resilient organizations are able to continuously identify risks, assess their impact, and monitor and implement the right amount of controls at the right time.
• Improve resource utilization and staff morale, freeing up IT, for instance, to focus on more strategic and revenue-generating activities.

Charting a course to the future of controls

The drawbacks of reactive, labor-intensive and wholly manual controls are apparent; so are the benefits of a more proactive, insights and data-driven approach.

So what’s the hold-up on advancing to the Future of Controls and, along that road, embracing automation? Many organizations are stuck in neutral, uncertain of where to start.
As organizations look to pull the three key levers to advance their FoC journey—reconstructing the internal controls framework, designing the next-generation controls operating model and establishing the controls technology ecosystem—it’s often best not to try to tackle everything at once.
Taking a crawl-walk-run approach can help with controls automation and digitization, in particular. For example:

Challenges and trends influencing the Future of Controls
Now more than ever, organizations are operating in a world of unknowns. Understanding the challenges and leveraging the trends can help businesses navigate through these uncertainties and transform them into opportunities for growth and success. To do so, we have examined the evolving risk landscape and key trends that are influencing and reshaping the future of internal controls.

1. Automate what makes sense
   First and foremost, make sure automation supports the business goals.
2. Start small
   Pick a specific use case, ideally low in complexity, that’s also tied to a high-value activity.
3. Look at shortfalls in current processes
   As targets for employing automation. For example, companies may seek to automatically compare HR transfer and termination feeds with network and application user listings, for instant visibility into access privileges that need to be revoked or changed (a process that would have otherwise consumed many IT hours or gone undetected until an audit).
4. Accumulate quick wins
   To drive momentum across the business.

Technology is just one piece of the puzzle

According to the Deloitte poll referenced earlier, more than 3/4 of respondents (78 percent) say their organizations plan to strengthen resilience for their internal controls in the coming year. That’s great news, and technology has an important role to play.

But technology is not the only driver of the FoC—which also combines skilled people and processes to foster resilience. With a multi-pronged approach—mixing human intelligence with artificial intelligence, technology, and digital processes and controls—organizations can satisfy their risk appetites and maximize their controls investments.
The time is now to embrace the Future of Controls—backing up out of the garage (with the door indubitably closed!) and leaving knowledge gaps and inefficiencies in the rear-view mirror.
 

For more information, contact Adam Berman, Stuart Rubin, Kristen Heikkinen or one of our contacts below.

Adam Berman | Partner Deloitte, Risk & Financial Advisory
E: aberman@deloitte.com

Stuart Rubin | Managing Director, Deloitte & Touche LLP
E: stuartrubin@deloitte.com

Kristen Heikkinen | Senior Manager Deloitte, Risk & Financial Advisory
E: kheikkinen@deloitte.com