Assurance by design has been saved
Assurance by design
Insights for a controls approach to transformation
A controls mindset and assurance-by-design process can help organizations effectively manage operational and strategic risks with new business transformations or implementations. Approaching the process through these assurance-by-design principles and insights for finance professionals can elevate an implementation and governance framework to a controls-conscious transformation.
November 16, 2021
A blog post by Charmaine Wilson, principal, Deloitte & Touche LLP
Controls are routinely the subject of compliance discussions, but of equal importance is how a controls mindset and assurance-by-design process can help organizations effectively manage operational and strategic risks with new business transformations or implementations. Companies often commit considerable resources to large transformative projects, and significant planning often supports new systems implementations; but many organizations may struggle to achieve their intended objectives. Approaching an implementation process and building controls through assurance-by-design principles can streamline transformation, mitigate risks, and align an inner controls design environment with the broader organization. In addition, identifying needed business process and controls capabilities can help inform the development of principles for incorporating controls throughout a project life cycle. These principles, along with some key insights for controllers and finance professionals, can elevate an implementation and governance framework to a controls-conscious transformation.
Start with a controls mindset: Build risk and controls into every step of the implementation process
Developing a controls transformation and assurance-by-design approach for a project’s entire implementation life cycle can give organizations a proactive approach to achieving risk and controls readiness while limiting potential challenges post-implementation. In addition, building in controls with these assurance-by-design considerations may increase the focus on strategic priorities, improve risk insights, risk exposures, costs, and potential disruptions. Here are some examples of how this may look in the critical phases of an implementation life cycle.
Strategy and approach
A controls mindset often begins with aligning the nature and scope of activities performed by risk and compliance professionals associated with the project to the business process and control owners to better think through control needs and data requirements that may reduce risks and challenges with implementation. Involving the front-line workers who will perform everyday functions helps stakeholders identify needed controls capabilities and define the risk and controls scope to align with business objectives. With this alignment to help inform the overall implementation strategy, the next step is to establish a detailed plan for including controls throughout the project life cycle—from design and implementation to testing and go-live preparation. Here are what some assurance-by-design methodologies may look like for each phase:
Develop a governance framework using Three Lines Model
An implementation strategy that incorporates broad control considerations is consistent with the Three Lines Model, an updated model to facilitate governance offered by the Institute of Internal Auditors. The Three Lines model outlines the roles and responsibilities for each pillar of controls governance, but it is also essential that the three lines work together within the framework.
Ask the critical questions for implementation
Controllers are vital stakeholders to any system implementation. When it comes to being genuinely ready from a controls standpoint using the principles of assurance-by-design, controllers and finance professionals should address some crucial questions when planning for implementation.
Be aware of common drawbacks and difficulties
To avoid possible control deficiencies, inefficiencies, and confusion that may negatively impact business operations or contribute to a failure of achieving business objectives, be aware of and avoid these common pitfalls with a controls approach to implementation:
- Not considering end-to-end business risks
- Missing compliance requirements
- Not aligning with controls stakeholders early on
- Not identifying report requirements early on
- Lacking control owner involvement and buy-in to the project
- Limited or faulty testing of controls
- Missing opportunities to modernize and automate controls
- Not confirming control configurations during the cutover
Being aware of and avoiding these common pitfalls, approaching the entire implementation life cycle from a controls mindset, and considering control requirements and governance throughout implementation promotes control readiness and may refresh controls in systems weak spots that benefit a new control environment. In addition, aligning stakeholders and control owners to expectations, requirements, and strategic priorities in an assurance-by-design process may reduce risk, increase the efficiency of systems, and deliver a competitive advantage to the organization.
To delve further into the principles of assurance by design, including implementation examples from industry guests and Deloitte leadership, listen to our Assurance by design webcast.