Controls resilience has been saved
Digitizing pathways to the future of internal controls
In response to COVID-19, many companies introduced new technologies to enable remote work and sustain operations. But advanced technologies often cause a disconnect between where the business is headed and the ability of controls functions to keep up. To close the gap, those functions should focus more on offense, leveraging automation to enhance monitoring.
Digitizing the future of controls
A resilient system of internal controls is one that maintains a state of awareness and an accepted level of operational normalcy amid shocks and disturbances, including threats of an unexpected and malicious nature. Given the pace of change in technology transformation in finance and operations systems, there is an opportunity to evaluate how controls resilience can be built into future-state processes as they change.
Controls resilience involves fortifying companies from the inside out by continuously identifying risks, analyzing impacts, accelerating monitoring, and performing the right dose of controls at the right time. By leveraging emerging technologies in automation, AI, and advanced analytics and visualization, controls resilience can enhance an organization’s ability to identify issues and produce insights in near-to-real time, rather than quarterly or annually through traditional monitoring processes and audit cycles. With a progressive, offense-oriented program, organizations can get ahead of deficiencies, decrease exploitations, and rapidly complete exposure analyses.
The four “sights” of controls resilience enable organizations to go beyond withstanding shocks to help build a better path forward:
Hindsight: Looking back to understand the meaning of an event after it happened in order to gain insights for taking action in the present. Hindsight often limits an organization’s ability to identify issues as they emerge, preventing them from being contained sooner.
Insight: Obtaining a deeper understanding in the moment that ultimately drives decisions and actions in the present. Controls-resilient organizations leverage digital assets to harvest insights that enhance productivity and unlock value beyond the controls program, extending into improving the quality of business operations.
Oversight: Supervising the execution of work both in the past (hindsight) and the present (insight) to monitor results and improve decision-making. Controls-resilient organizations have the ability to shift oversight, monitoring, and reporting to near or real-time by harnessing the power of automation and analytics to identify risks as they occur.
Foresight: Predicting what might happen before it occurs in order to supply management with insight for taking action in the present. Introducing AI and cognitive risk-sensing into controls programs can provide insight into what might be coming around the corner.
Highly manual, siloed, legacy approaches keep organizations stuck in a continuous cycle of “ask, wait, and evaluate.” In contrast, controls-resilient organizations benefit from the compounding benefits of automated, cross-functional connectivity. This connectivity enables them not only to address the issues immediately at hand, but also to identify root causes, streamline remedial efforts, and capture new insights that may improve business operations along the way.
The launchpad for controls resilience
While no one can flip a switch and instantly become controls-resilient, organizations can use the potential deficiencies identified in their current processes as a launching pad for taking the initial steps. Consider, for instance, piloting automated tools to gather and analyze data, or using advanced analytics and visualizations to reveal new dimensions within old data, such as velocity of transactions. These types of use cases can help the organization to determine the extent of potential exposure quickly and accurately rather than relying on traditional manual efforts that often address the symptoms without getting to the root cause.
Considering the added strain organizations are facing in the current environment, it may also be appropriate to bring in specialists to provide surge support. These specialists may already be working in the second or third lines of defense or, in more complex cases, may be external to the organization. By collaborating across the three lines of defense and involving external resources when needed, growth can occur, and piloted solutions can evolve into digital assets that can benefit multiple stakeholders.