
Assurance by design

Insights for a controls approach to transformation

A controls mindset and assurance-by-design process can help organizations effectively manage operational and strategic risks with new business transformations or implementations. Approaching the process through these assurance-by-design principles and insights for finance professionals can elevate an implementation and governance framework to a controls-conscious transformation.

November 16, 2021

A blog post by Charmaine Wilson, principal, Deloitte & Touche LLP

Controls are routinely the subject of compliance discussions, but of equal importance is how a controls mindset and assurance-by-design process can help organizations effectively manage operational and strategic risks with new business transformations or implementations. Companies often commit considerable resources to large transformative projects, and significant planning often supports new systems implementations; but many organizations may struggle to achieve their intended objectives. Approaching an implementation process and building controls through assurance-by-design principles can streamline transformation, mitigate risks, and align an inner controls design environment with the broader organization. In addition, identifying needed business process and controls capabilities can help inform the development of principles for incorporating controls throughout a project life cycle. These principles, along with some key insights for controllers and finance professionals, can elevate an implementation and governance framework to a controls-conscious transformation.

Start with a controls mindset: Build risk and controls into every step of the implementation process

Developing a controls transformation and assurance-by-design approach for a project’s entire implementation life cycle can give organizations a proactive approach to achieving risk and controls readiness while limiting potential challenges post-implementation. In addition, building in controls with these assurance-by-design considerations may increase the focus on strategic priorities and improve risk insights, risk exposures, costs, and potential disruptions. Here are some examples of how this may look in the critical phases of an implementation life cycle.

Strategy and approach

A controls mindset often begins with aligning the nature and scope of activities performed by the project's risk and compliance professionals to the business process and control owners, so that control needs and data requirements are thought through in a way that may reduce risks and challenges with implementation. Involving the front-line workers who will perform everyday functions helps stakeholders identify needed controls capabilities and define the risk and controls scope to align with business objectives. With this alignment to help inform the overall implementation strategy, the next step is to establish a detailed plan for including controls throughout the project life cycle, from design and implementation to testing and go-live preparation. Here is what some assurance-by-design methodologies may look like for each phase:

Develop a governance framework using the Three Lines Model

An implementation strategy that incorporates broad control considerations is consistent with the Three Lines Model, an updated model to facilitate governance offered by the Institute of Internal Auditors. The Three Lines Model outlines the roles and responsibilities for each pillar of controls governance, but it is also essential that the three lines work together within the framework.

Ask the critical questions for implementation

Controllers are vital stakeholders to any system implementation. When it comes to being genuinely ready from a controls standpoint using the principles of assurance-by-design, controllers and finance professionals should address some crucial questions when planning for implementation.

Be aware of common drawbacks and difficulties

To avoid possible control deficiencies, inefficiencies, and confusion that may negatively impact business operations or contribute to a failure to achieve business objectives, be aware of and avoid these common pitfalls with a controls approach to implementation:

  • Not considering end-to-end business risks
  • Missing compliance requirements
  • Not aligning with controls stakeholders early on
  • Not identifying report requirements early on
  • Lacking control owner involvement and buy-in to the project
  • Limited or faulty testing of controls
  • Missing opportunities to modernize and automate controls
  • Not confirming control configurations during the cutover

Being aware of and avoiding these common pitfalls, approaching the entire implementation life cycle from a controls mindset, and considering control requirements and governance throughout implementation promote control readiness and may refresh controls in system weak spots, to the benefit of a new control environment. In addition, aligning stakeholders and control owners to expectations, requirements, and strategic priorities in an assurance-by-design process may reduce risk, increase the efficiency of systems, and deliver a competitive advantage to the organization.

To delve further into the principles of assurance by design, including implementation examples from industry guests and Deloitte leadership, listen to our Assurance by design webcast.
