Compliance mandates — including Sarbanes-Oxley, the Model Audit Rule and the Federal Deposit Insurance Corporation Improvement Act (FDICIA) — have been in place for years; they were established to protect public investors from unethical behavior by companies like Enron, Tyco International and WorldCom.
Oftentimes, these mandates are treated only as compliance activities rather than as a potential value add for the organization. Instead of just testing that internal controls are in place and functioning throughout your program, why not also take the time to ensure these controls are efficiently constructed and clearly tied to organizational risk or strategy?
Where your organization sits in the control maturity lifecycle directs how much optimization can occur while remaining compliant and adding true value. But where to start?
The answer is clear: start from the very beginning and from the top. Do you have an established enterprise risk management (ERM) framework? If not, start there, as it drives all next steps.
When’s the last time you updated your risk assessment?
Also, is that risk assessment nimble? Easy to use? Easy to update? Has it been updated for COVID-19? Has it been updated at all recently? If not, it should be.
If it hasn’t been updated, you’re not alone. Often the “annual” risk assessment is established by the most experienced team members and rolled forward each year at the beginning of the year as a planning routine. As a result, risk assessments are seldom updated from year to year, and especially not mid-year, to account for changes in the business, customers, environment, processes, accounting or customer contracts. This can have serious consequences, including a risk of material misstatement from operational or financial line items that should now be “in scope” but were not in past years and therefore have not been recently reviewed for compliance.
Updated risk assessments can also lead to savings by reducing substantive testing of an area or narrowing scope. However, be thorough and detailed and, as always, coordinate closely with your external auditors, especially on any changes to risk assessments and audit plans.
How to get started
Immature internal controls over financial reporting (ICFR) can be costly for your organization in many ways: putting additional effort into addressing inefficient processes and controls, spending too much time testing too many controls, not correctly utilizing internal systems and software, paying fines or penalties, or missing the cost savings that come from external audit’s reliance on internal controls.
With the outline (ERM) and the plan (risk assessment) established, the next opportunity for optimization is in the details: process, controls and the correct use of technology.
It’s important to note that organizations subject to first-year compliance (e.g., recently public, recently acquired, having crossed the $1 billion threshold (FDICIA), etc.) will need to start the process early, generally 12-18 months before the deadline, to ensure the required understanding, documentation and testing is performed and potential weaknesses are remediated.
Once compliant, begin the control-refining part of the optimization, including making processes and therefore controls lean (e.g., removing redundancy, eliminating unnecessary controls and identifying the true “key” controls), automating controls (more on this later), implementing continuous monitoring, and performing control rationalization. Oftentimes, automation and implementation require more effort and longer lead time; organizations in their first year can therefore quickly implement manual procedures and processes to ensure compliance. However, these items should be flagged for follow-up on automation and implementation plans.
Understanding “simplify” and “automate”
Process narratives and the risk and control matrices completed during the risk assessment provide a foundation for understanding controls. Simplification is achieved through control rationalization, key control identification, and lean process improvements.
Automation, however, requires some additional unpacking. Workflows and/or smart controls within your current system can be created to automate control functions. A control such as “check for duplicate invoice” may be a checkbox that simply has to be turned on; purchase orders passed around the office for sign-off can instead be approved electronically through the accounts payable system; and dual-approval requirements for sending a wire must be activated before the control functions.
Controls can be further enhanced by creating automation between multiple systems. Controls and efficiencies can be significantly improved when any task a human can perform in core systems, ERPs, HRIS and CRM is automated using robotic process automation (RPA).
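As an added illustration of what these two in-system controls do once they are switched on (example code, not from the original post or from Wipfli), here is a duplicate-invoice check and a dual-approval rule for outgoing wires written out in Python. The record layouts, the $10,000 dual-approval threshold and the sample invoices and wire requests are constructed assumptions for this example; the point is that the control logic is small, deterministic and testable, which is exactly what makes it a candidate for automation rather than a manual review step.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    invoice_no: str
    amount: Decimal
    invoice_date: str  # ISO yyyy-mm-dd; layout is an assumption for this example


@dataclass
class WireRequest:
    wire_id: str
    amount: Decimal
    initiator: str
    approvals: list = field(default_factory=list)  # approver user ids, in order


def normalize_invoice_no(raw: str) -> str:
    """Canonicalise a vendor's invoice number so "INV-0042", "inv 42" and
    "INV42" compare equal: keep alphanumerics, upper-case them, and drop
    leading zeros from the trailing numeric part."""
    cleaned = "".join(ch for ch in raw.upper() if ch.isalnum())
    prefix = cleaned.rstrip("0123456789")
    digits = cleaned[len(prefix):].lstrip("0") or "0"
    return prefix + digits


def find_duplicate_invoices(invoices):
    """Return (exact, near).

    exact: (vendor_id, normalized invoice_no) keys that occur more than once.
    near:  (vendor_id, amount, invoice_date) profiles carrying two or more
           distinct invoice numbers, the usual fingerprint of an invoice
           re-keyed under a new number. Both lists are sorted for a stable report."""
    by_key = {}
    by_profile = {}
    for inv in invoices:
        key = (inv.vendor_id, normalize_invoice_no(inv.invoice_no))
        by_key.setdefault(key, []).append(inv)
        profile = (inv.vendor_id, inv.amount, inv.invoice_date)
        by_profile.setdefault(profile, set()).add(key[1])
    exact = sorted(k for k, hits in by_key.items() if len(hits) > 1)
    near = sorted(p for p, numbers in by_profile.items() if len(numbers) > 1)
    return exact, near


DUAL_APPROVAL_THRESHOLD = Decimal("10000")  # assumed policy value for this example


def wire_release_decision(wire: WireRequest, threshold=DUAL_APPROVAL_THRESHOLD):
    """Segregation of duties for outgoing wires: the initiator may never approve
    their own request, approvals must come from distinct users, and wires at or
    above the threshold need two of them. Returns (allowed, reason)."""
    independent = []
    for user in wire.approvals:
        if user == wire.initiator:
            return False, f"{wire.wire_id}: initiator {user} cannot approve own wire"
        if user not in independent:
            independent.append(user)
    required = 2 if wire.amount >= threshold else 1
    if len(independent) < required:
        return False, (f"{wire.wire_id}: {len(independent)} independent "
                       f"approval(s), {required} required")
    return True, f"{wire.wire_id}: release"


# Constructed sample data for the example.
SAMPLE_INVOICES = [
    Invoice("V100", "INV-0042", Decimal("1250.00"), "2024-03-01"),
    Invoice("V100", "inv 42", Decimal("1250.00"), "2024-03-01"),   # same invoice, re-keyed
    Invoice("V100", "INV-0043", Decimal("980.00"), "2024-03-02"),
    Invoice("V200", "A-7", Decimal("500.00"), "2024-03-02"),
    Invoice("V200", "A-8", Decimal("500.00"), "2024-03-02"),       # new number, same profile
]

SAMPLE_WIRES = [
    WireRequest("W1", Decimal("25000"), "alice", ["bob", "carol"]),  # two independent approvers
    WireRequest("W2", Decimal("25000"), "alice", ["bob", "bob"]),    # same approver twice
    WireRequest("W3", Decimal("25000"), "alice", ["alice", "bob"]),  # self-approval attempt
    WireRequest("W4", Decimal("2500"), "alice", ["bob"]),            # below threshold, one suffices
]


def review_wires(wires=SAMPLE_WIRES):
    """Map wire_id -> whether release is allowed, for every sample request."""
    return {w.wire_id: wire_release_decision(w)[0] for w in wires}


if __name__ == "__main__":
    exact, near = find_duplicate_invoices(SAMPLE_INVOICES)
    print("exact duplicates:", exact)
    print("near duplicates:", near)
    for w in SAMPLE_WIRES:
        print(wire_release_decision(w)[1])
```

The near-duplicate profile check is the part a plain “same invoice number” checkbox misses, and the self-approval and repeated-approver cases are the ones a dual-approval setting must reject for the control to mean anything; both are worth confirming in a walkthrough with the vendor before relying on the setting.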
What is RPA, and why is it important?
RPA refers to software that automates computer-based tasks and is best suited to high-volume, mundane processes. It can be applied to any high-volume, rule-based activity in which a repeatable process occurs across multiple applications or databases, and it is a great tool for bridging existing legacy systems (e.g., various ERPs or core systems).
RPA can do anything on a computer that a human can, but when should you consider automation?
- Do you have a team of people working on processes that are highly manual and time-consuming?
- Do these processes have well-defined rules with low exception volume and minimal human judgment required?
- Does your process involve people working in at least two different systems/media to produce results?
- Do your finance and accounting team members spend a lot of time reconciling data from multiple systems?
- Are your core systems integrated with third-party systems?
If yes, RPA can be a great tool to free up valuable time, as well as make these processes more efficient and less prone to manual error.
Potential RPA tasks could include:
- Reconciliation processes from across applications
- Email and document processing
- Composing and sending follow-up emails based on data
- Credit approvals based on defined criteria
- Automating AR and AP processes, and sending late notices via email
- Vendor setup or maintenance
- Bank confirmations
- Moving employees’ time information from various tracking tools into a consolidated file for the financial systems and the processing system that cuts checks
The key is that the data comes from two or more systems that are not integrated. Today, organizations often pull a report and use Excel to copy, move and transform the data, then push it on via email. Each of these steps can be performed by RPA overnight, with results waiting in inboxes for analysis each day, week and month. Legacy technology investments work, but they may require significant manual time and are often not responsive and fast enough for today’s expectations.
RPA bots can be built with exception handling and artificial intelligence (AI) for activities such as conditions-based processing and document and image parsing. The RPA team can sit in a center of excellence, in IT or even in operations, and is usually not part of the internal audit team. However, internal audit is often a major contributor to both the processes and the controls that are used.
Do any of your controls or scenarios fit these criteria? Additional reasons and incentives to utilize RPA beyond compliance (e.g., Sarbanes-Oxley and FDICIA) are to achieve real-time reporting and to continuously monitor changing business conditions with real-time awareness of issues. Operational and nonfinancial indicators, such as production status, on-time deliveries, customer satisfaction and employee-related issues, can also be tracked in real time. One major point to consider is how and where to deploy your staff once their time is freed up; once items are optimized and automated, the increased capacity of those resources is a significant benefit.
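As an added example (not code from the original post or from Wipfli) of the “reconciliation processes from across applications” task listed above and the pull-transform-push flow just described: a scripted reconciliation of two exports from systems that are not integrated, producing only the exception report a reviewer needs. The two CSV exports are constructed sample data, the column names are assumptions for this example, and the divisible-by-nine transposition flag is the standard accountant’s rule of thumb, included as a hint rather than a verdict.

```python
import csv
import io
from decimal import Decimal

# Constructed sample exports from two systems that are not integrated: a bank
# statement download and the general ledger's cash sub-account. Column names
# are assumptions for this example.
BANK_CSV = """ref,date,amount,description
CHK1001,2024-03-04,-1250.00,ACME SUPPLY
CHK1002,2024-03-05,-980.00,NORTHWIND
DEP2001,2024-03-05,15000.00,CUSTOMER DEPOSIT
FEE0001,2024-03-06,-25.00,MONTHLY FEE
"""

GL_CSV = """doc_ref,posting_date,debit,credit,vendor
CHK1001,2024-03-04,0.00,1250.00,ACME SUPPLY
CHK1002,2024-03-05,0.00,890.00,NORTHWIND
DEP2001,2024-03-05,15000.00,0.00,
CHK1003,2024-03-06,0.00,410.00,CONTOSO
"""


def load_bank(text):
    """Bank export: one signed amount per reference."""
    return {r["ref"]: Decimal(r["amount"]) for r in csv.DictReader(io.StringIO(text))}


def load_gl(text):
    """GL export: translate debit/credit columns into the bank's signed convention
    (debit to cash = money in = positive). This is the 'transform' step that is
    otherwise done by hand in a spreadsheet."""
    return {r["doc_ref"]: Decimal(r["debit"]) - Decimal(r["credit"])
            for r in csv.DictReader(io.StringIO(text))}


def reconcile(bank, gl, tolerance=Decimal("0.00")):
    """Match the two sides on reference and return the exception report as data:
    matched count, references present on only one side, and amount variances.
    A variance divisible by 9 is flagged as a possible digit transposition
    (980 keyed as 890 differs by 90)."""
    only_bank = sorted(set(bank) - set(gl))
    only_gl = sorted(set(gl) - set(bank))
    variances, matched = [], 0
    for ref in sorted(set(bank) & set(gl)):
        diff = bank[ref] - gl[ref]
        if abs(diff) <= tolerance:
            matched += 1
            continue
        note = "possible transposition" if abs(diff) % 9 == 0 else ""
        variances.append({"ref": ref, "bank": bank[ref], "gl": gl[ref],
                          "diff": diff, "note": note})
    return {"matched": matched, "only_bank": only_bank,
            "only_gl": only_gl, "variances": variances}


def format_report(result):
    """Render the exception report as the text a reviewer would find in their
    inbox: matched items are summarised, only exceptions are listed."""
    lines = [f"matched: {result['matched']}"]
    lines += [f"bank only: {ref}" for ref in result["only_bank"]]
    lines += [f"GL only:   {ref}" for ref in result["only_gl"]]
    for v in result["variances"]:
        lines.append(f"variance:  {v['ref']} bank={v['bank']} gl={v['gl']} "
                     f"diff={v['diff']} {v['note']}".rstrip())
    return "\n".join(lines)


def run_reconciliation():
    """Pull both exports, transform the GL side, and reconcile."""
    return reconcile(load_bank(BANK_CSV), load_gl(GL_CSV))


if __name__ == "__main__":
    print(format_report(run_reconciliation()))
```

Because the result is returned as data before it is rendered, the same run can feed a scheduled email, a dashboard or a test suite; the tolerance parameter is where an organization records, rather than silently applies, whatever rounding it is willing to accept.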
Getting started with robotic process automation and more
The more time, effort and thought that go into the control universe, the more value can be expected. Working with a third party can help provide this greater value. Wipfli’s team not only delivers compliance but also flags items for efficiencies, potential automation or further investigation for waste. We have assisted numerous clients with setting up and establishing control frameworks, documenting existing control frameworks, identifying gaps, designing automation points, recommending and implementing controls, and testing and remediating controls. We also have experience focusing on key risks and controls in companies, thereby adding value in compliance, reporting, operations and strategy. Life is a journey, not a destination; let Wipfli be your trusted guide.