Revolutionize controls testing

Break the compliance-cycle mold by addressing risks

While organizational operations have shifted dramatically in the last few years, controls and compliance programs haven’t kept pace. How can organizations better address risks across compliance, operations, and finance? Explore the benefits of an enhanced controls testing platform that incorporates automation and advanced analytics.

A burdensome compliance cycle

More than a decade after Sarbanes-Oxley (SOX) was enacted, the cost of maintaining compliance has become increasingly demanding. Many companies find themselves investing significant effort, resources, and dollars into programs that don’t produce customer-facing returns or align with strategic objectives. Additionally, companies still face operational failures due to poor control design and inherent limitations with traditional controls testing approaches. These failures can ultimately demoralize workers across the business and allow instances of fraud, theft, and suboptimized business processes to continue.

The common practice of investing in inefficient controls and ineffective compliance programs is counterproductive, but the way out is not always clear. Barriers to change can be daunting, so organizations often prefer to tweak their programs around the edges rather than transform them. Making incremental changes to common controls is not a bad thing, but often it creates a cycle of "maintenance" that is suboptimal at best. It is time to take a smarter approach by harnessing the power of digitization to help break the compliance-cycle mold.

Breaking the controls testing status quo

As stakeholders across the enterprise compete for dollars and the interests of their specific functions, a decentralized environment can make it difficult to gain a comprehensive view of compliance efforts. Without a comprehensive view, it can be challenging to identify what works and what doesn’t, spot opportunities for savings, and determine where collaboration among functions would benefit the organization. Though common, this decentralized, siloed approach not only leaves stakeholders fatigued and unmotivated to disrupt the cycle, but also stalls the overall productivity of the organization and can destroy synergistic value.

Given the large number of resources that traditional SOX compliance programs require, material changes in them often correlate to significant shifts in the business. But without those shifts, the status quo often remains: As soon as external auditors sign off, the compliance cycle resets without invoking change, producing another year of limited returns and further increasing the total cost of compliance.

Reevaluate your controls testing environment

Used for decades, traditional control testing approaches are derived from statistical methods. While they can help identify the symptoms of failures, they are limited in their ability to uncover and address root causes. Often, this means additional analysis—commonly based on manual techniques that attempt to extract meaningful inferences from a small sample of data—is required. These traditional sample-based approaches mirror the siloed structure of the compliance programs themselves. Not encompassing the full population, they lack a comprehensive perspective, which can lead to fraud and expense challenges.

But new advances in technology and computing power can exponentially improve risk assessment and enable a new breed of controls that utilize automated, advanced analytics. This enhanced risk assessment is designed to reduce the overall scope and create value by directing effort toward the risks that matter. Meanwhile, the new analytics-fueled controls empower organizations to quickly and continuously monitor control performance.

They also bring a holistic focus and a unified view by introducing detailed analytical dashboards. These enhancements collectively enable the organization to pivot from doing compliance for the sake of compliance to providing greater value. As controls are streamlined, people can shift their focus toward more strategic activities, such as performing analysis and providing insights in support of key business priorities.

These new capabilities enable organizations to take a fresh look at their control environments, empowering them to address the overall IT and business risks while harmonizing efforts across multiple regulations and compliance activities.

Changing the scope of controls testing across functions

Leveraging automation enables organizations to break the compliance-cycle mold by fundamentally changing how controls work across compliance, operations, and finance. By aggregating data from disparate sources, organizations can deliver quick wins within data-driven processes, such as accounts payable, IT security, and change management. With the data centrally aggregated, analytics can detect anomalous patterns, inappropriate behaviors, and activities, and even identify individuals who warrant increased monitoring—without the typical lag or the significant overhead associated with traditional monitoring.

Once organizations implement automation, accessible data, and visualization capabilities, they can start using them—extending them where necessary—to modernize controls testing across the enterprise.

  • Executives can observe the status of various controls through centralized dashboards and apply this intelligence to make key operational decisions continually, rather than annually or only in response to a specific event.
  • Compliance can use the same dashboards to drill down further into the data to reassess risk factors, examine day-to-day procedures, and realign the control framework to upgrade or replace existing controls.
  • Internal and external audit teams can also leverage this ongoing flow of analytical data to create additional views for testing, perform control activities, and continuously monitor efforts.

Using technology enablement to move past routine activities creates a big opportunity for audit and compliance teams to add value as they reallocate their time to process improvement, modernization, and projects that affect the customer experience.

Achieve meaningful business outcomes

Scalable and repeatable tech-enabled controls testing reduces the time, effort, and dollars spent on the total cost of controls and compliance and enables organizations to reallocate higher-level resources to more strategic and valuable tasks. Automating routine activities and better leveraging scarce resources keeps people focused on business priorities so management can achieve its long-term vision. Learn how overlaying data analytics onto a tech-enabled control environment creates easy-to-digest visualizations that provide fresh insights and meaningful business outcomes:

Uncovering a series of governance-related issues

After years of performing the same evaluation of its change management process across several IT platforms, a global asset management firm discovered that its routine checks were not picking up on issues beneath the surface that were impeding its change management process. The firm engaged Deloitte to identify the root cause of the slowdown. Leveraging digital testing and controls automation (DTCA), the engagement team performed a trend analysis on 100 percent of the company’s system changes in half the time that the company traditionally spent conducting its former sample-based approach.

The analysis uncovered a series of governance-related issues that were causing system downtime and delays that ultimately slowed down the company’s financial close process. Once these were corrected, the company was able to close faster and to better govern its system changes.

A major decrease in controls and testing hours

An organization wanted to revisit its SOX program and identify opportunities for process efficiencies and control rationalization. The Deloitte team helped management improve the control environment by taking a modernized approach to their risk assessment. This resulted in the opportunity for consolidating duplicate controls and shrinking the number of controls tested by each audit group. Through the engagement, the company reduced its overall number of controls by 71 percent and decreased its testing hours by 38 percent.

Creating a real-time system of checks and balances

Deloitte used digital testing and controls automation (DTCA) to assist a leading global bank in analyzing numerous security profiles and transactions related to its wire disbursements process. This uncovered critical segregation-of-duties violations that would likely have previously gone undetected due to the complex nature of the bank’s IT environment. DTCA enabled the engagement team to visualize the entire population of disbursements and identify those with the greatest risk profile.

In one situation, an individual was identified with both the ability to update payee information and process disbursements and the ability to circumvent their $50,000 authority limit by splitting larger amounts into separate transactions. By adding new dimensions to the bank’s monitoring process, they were able to identify a series of inappropriate transactions that would have likely gone undetected. With DTCA, analyzing security profiles and transactions has become a continuous process, alerting the company to violations and risks in real-time.

Accelerating your organization’s controls testing transformation

For companies that want to accelerate the transformation of their controls environment, outsourcing controls compliance may be a good option, since it provides access to resources who understand the current regulatory environment, have extensive industry knowledge, and are trained in the latest technologies, techniques, and methods.

With or without outsourcing, an enhanced controls platform is beneficial to interrupting the cycle and fundamentally changing the controls environment. There is a significant opportunity to break the compliance-cycle mold and take a fresh approach to organizational risk—and to do so in a way that creates meaningful change for employees as they pivot from being checkers of facts for the lines of defense to generators of ROI for the business.

Get in touch

Stuart Rubin
Managing director
Risk & Financial Advisory
Deloitte & Touche LLP
+1 561 962 7826

Joseph Gaglio
Principal
Risk & Financial Advisory
Deloitte & Touche LLP
+1 313 394 5109

Patricia Salkin
Managing director
Risk & Financial Advisory
Deloitte & Touche LLP
+1 609 806 7279

Adam Berman
Partner
Risk & Financial Advisory
Deloitte & Touche LLP
+1 212 436 7267
