
Assurance by design through finance transformation

Establishing controls readiness before and after implementation

Internal controls and governance can be difficult during finance transformation, but the implementation life cycle also creates an opportunity to modernize risk and controls and streamline the control environment. With the proper methodologies, organizations can leverage risk and control considerations and achieve assurance through implementation and beyond. Here is a guide to risk and controls readiness and assurance by design in finance transformation.

August 22, 2023

A blog post by Beth Kaplan and Katie Glynn

Despite significant planning behind finance transformations, many organizations struggle with internal controls and financial governance during these projects. This can create considerable new control gaps and deficiencies while also neglecting strategic, operational, and business impacts. In addition, new or emerging risks (e.g., advanced technologies, third-party handoffs, workforce retention) may also be an unintended byproduct of the transformation, and new controls may be enabled or required because of these risks. These new controls are a part of the value delivery for transformation but can be expensive as a retrofit after the implementation. Instead, organizations can utilize established and new controls throughout the implementation journey to benefit both the project and internal controls.

Transformations create an opportunity to modernize risk and controls and streamline the control environment. With the proper methodologies, organizations can leverage risk and control considerations and achieve assurance through implementation and beyond. Let’s take a high-level view of internal controls through finance transformation and some considerations for building risk and controls assurance into the implementation process.

How to build risk and controls assurance into the finance transformation process

The implementation process for any finance transformation starts with a strategy and plan, followed by the implementation, and then the testing and go-live phase. To facilitate assurance from the ground up, there are considerations for controls-focused initiatives at each phase of implementation. Here are some of those crucial initiatives to help guide this approach and achieve true “controls readiness.”

  • Clarify the risk and controls scope and needed controls capabilities. To prioritize, focus on the right controls that address both business and customer objectives.
  • Identify key stakeholders and facilitate clear alignment of business objectives, roles, and responsibilities.
  • When forming the strategy for the transformation project, establish a detailed plan for including controls throughout the project life cycle.
  • Avoid the common pitfalls of not aligning with controls stakeholders early or failing to have enough owner involvement and buy-in.
Key questions to ask
What is the scope of controls that will be covered? Only automated controls? Or also manual controls? Only financial controls? Or also operational and regulatory?

What are we looking to get out of this implementation for controls? Compliance and assurance? Tech-enabled controls improvement? Enhancing GRC/automation capabilities?

  • Draft initial risk and control matrices (RACMs), develop control requirements, and identify reporting requirements early in the design phase. Make sure there is a straightforward mapping of controls to the business requirements and configuration documents.
  • Design controls through a regulator/auditor risk lens and support this with an overall control governance program to drive compliance.
  • Identify control owners and facilitate a direct alignment of control ownership. Also plan for training to enable “control owner readiness.”
  • Conduct working sessions to modernize controls and increase standardization of technology-enabled controls across the organization.
  • Avoid common pitfalls such as failing to consider end-to-end business risks or missing the opportunity to modernize and automate controls.
Key questions to ask
Have we thoroughly considered what we need for controls throughout the implementation life cycle? Blueprint and design? Building and testing? After we go live?

Are we clear on the roles and responsibilities within the company as they relate to controls? Who are the process and control owners? Compliance teams and audit? What is the level of training that we require for control owners?

  • Establish a controls testing strategy first for a more efficient and streamlined implementation.
  • Design controls and business process testing requirements and steps, and document everything in a testing catalog.
  • Review all the evidence of controls testing and any supporting documentation.
  • Assess the accuracy of the configuration and evaluate defect closures. Retest any control-related test steps if needed.
  • Avoid the common mistake of not testing enough.
Key questions to ask
What level of testing documentation do we require for each type of control?

What is the level of configuration validation that we require during the testing phases and in production?

  • Develop remediation plans and any potential workarounds if they are needed. Make sure also to implement proactive monitoring to detect emerging control issues quickly.
  • Validate the configuration in production before going live. Repeat this process to iron out any errors or make adjustments if necessary.
  • Finalize the post-go-live control set and the controls plan for any “sunsetted” systems.
  • Provide training to control owners to achieve “controls readiness” and avoid unnecessary deficiencies.
  • Ensure the control governance structure aligns with new business initiatives, implementations, and acquisitions.
  • Avoid the common mistake of not confirming control configurations during the cutover.
Questions to ask
What controls-related deliverables does each of our stakeholders need? RACMs? Process flows with risks and controls mapped in? Narratives and strategies?

Do we have control test procedures and documentation? Do we have baselining documentation for key reports and ITACs?

The risks to the success of finance transformation and risks to the control environment are equally critical, yet these risks are often viewed in silos or not considered at all. Using this guide to build assurance into every phase of the transformation life cycle can be the jumping-off point for risk management teams to evolve from simply auditors of the solution to strategic business partners aiding transition risk, empowering transformations, and creating more return on investment.

To explore more considerations for controls and risk management through implementation, listen to our Dbriefs webcast: Assurance by Design: Finance transformation controls readiness.
