- Business Risk and Resilience
- Technology and Cyber Risk
This article is a part of Risk Update 4.
Organisations are up against constant changes in technology, compliance and regulation, and yet internal control functions remain static. Implementing automation into internal control functions can assist in improving efficiency, reducing costs, and result in development of more robust controls.
In a world where organisations are faced with changes in technology, compliance and regulation, it is alarming that internal control functions tend to remain static. As it stands, many organisations still rely on manual controls because they fear automation will relinquish their control have over existing activities in key business processes.
However, industry insights reveal that this perception is not realistic. Automation is commonly attributed to numerous efficiencies and cost advantages, including more efficient use of personnel, increased productivity and a reduction in errors. Ultimately, automating internal control functions will lead to more robust controls.
Benefits of automated controls
Automating and properly implementing internal controls will result in the following benefits for line one risk teams:
1. Reduced costs and manual workload allows teams to focus on high value-add tasks
Reduced costs and manual workload on key business processes and compliance activities enables teams to focus on timely issue/exception resolution and gives the team an opportunity to complete deep dive analysis when required. As a result, the team can complete root cause analysis rather than addressing secondary issues with temporary fixes.
2. Increases reliability and accuracy
If designed well, automated controls are more reliable and accurate, reducing the likelihood of intentional errors that manual reviews and checks are susceptible to.
3. Streamline assurance and improve key controls testing
Automation of entity level controls will streamline assurance and improve key controls testing across the organisation. A single control which addresses multiple regulatory requirements can be shared across the organisations divisions/business units.
In addition, second line and third line teams can have greater confidence in automated controls. The impact is twofold:
- A reduction in administrative burden in testing controls; and
- Improved effectiveness, time and quality of compliance control activities.
A retail company has been operating for over five years and has a newly appointed CRO. The CRO has requested that Line 1 teams across the business review their internal controls to consider whether associated overhead costs can be reduced. The company has previously encountered issues with repeated human error and possible cases of fraud. The CRO has asked Line 1 teams to come back with proposed options for manual controls that can be automated. Below are examples of recommendations that were made to the CRO: Unauthorised vendor payment processing A review is performed to check that vendor payment processing has been approved by two separate authorised delegates. A member from Finance checks that the vendor batch processing payment has been signed off by a separate preparer and reviewer and ensures that the grades are appropriate. The company could automate this by granting access and enabling workflows for approvals and enforced delegations of authority in the system. Incorrect discount applied A review to check customers are applying the right discount/claim code to a corresponding promotion. A member from Finance checks claims from their retailers to ensure each line item has the correct discount, amount and claim is within the promotional threshold. The company could automate this using rules-based logic, whereby the system will make sure that the claims and details match before applying the discount.
These automated controls will not only improve efficiency and reduce costs but are significantly more robust.
What to look out for when automating
As organisations’ risk and control environments mature overtime, senior management should prioritise the automation of controls. While there are many benefits, it is even more important to understand the pitfalls to automation. Without a structured roadmap for integrating and implementing automation, increased costs and wasted resources can undermine any potential efficiency and control effectiveness that automation can bring.
Investment in software, resources and training
You can expect large upfront costs before the benefits outweigh existing manual processes. Integration of automated controls requires modern software, additional resource capability and capacity, and may be difficult and expensive to implement.
Automation needs to be configured correctly for controls to be robust. It is recommended that periodic reviews over rulesets and coding be undertaken to ensure configurations continue to meet business requirements and minimise costs.
Key Considerations:- Planning! Define the organisations control automation strategy and blueprint, and evaluate potential options for software / platforms.
Trying to automate all manual controls
Since automated controls are performed entirely by a system or application and do not require human intervention, it is important to consider what type of controls to automate. Repetitive, routine, resource draining and simple controls should be automated. Customer facing activities that are best performed with personal interaction should not be interfered with.
Key Considerations:- Review existing internal controls framework to identify areas for control automation. - Identify top manual controls to be automated by looking at previous years efforts or estimating the most time-consuming control tests for the current year. Manual controls: for circumstances where judgement, discretion and scrutiny are required. Automated controls: for high volumes of repetitive tasks.
Adapting to change
People tend to fear automation because they are concerned that they will be replaced by robots. However, not everything can or should be executed by a machine. There will always be a level of human interaction and human intelligence required. Importantly, automation can lead to an increase in skillset as resources can be used for stimulating tasks.
Key Considerations:- Overcoming inertia – getting the right people on the right page. - Nominate a Champion – this person champions the cause, influences people to adopt control automation and educates them to look for more opportunities to apply automation.