Increased government reporting requirements have forced those responsible for internal controls to do more. The global recession has required them to do more with less. While regulators press for accountability, investors press for performance. Those responsible for internal controls must now take charge by assessing their processes and tools, and execute on efforts to make them as efficient, and effective, as possible. Those able to optimize their controls will be better able to move past compliance toward improved performance and competitive advantage.
Building control efficiency: Rationalization, optimization and redesign
Insights on IT risk
April 2011
Building control efficiency
Rationalization, optimization and redesign
The past five years have been challenging for those
responsible for internal controls.
It took many corporate executives years to finally regain
their footing after increased government reporting
and compliance requirements, such as the Sarbanes-
Oxley Act in the US. Then, in 2008, a global economic
recession suddenly challenged them all over again.
The increased reporting requirements forced internal controls functions to do more.
The all-encompassing global recession then required them to do it with less. While
regulators pressed for enhanced accountability, investors and stakeholders pressed for
enhanced performance.
The regulators haven’t gone away, and neither has shareholder scrutiny or the market’s
pressure for improved returns. However, the global economic landscape is slowly settling,
and economic uncertainties have become less acute.
Those responsible for internal controls must now seize this opportunity to make their
control frameworks as efficient and effective as possible. By focusing on controls
optimization, rationalization and control redesign, corporate executives can more efficiently
leverage technology to meet the expectations of their demanding stakeholders.
Among the benefits of an optimized controls environment:
• Lower costs due to a reduction in the number of controls, enhanced standardization,
reduction of effort related to (internal) compliance and enhanced coordination and
alignment between functions
• More appropriate risk coverage with a keen focus on the risks that really matter
• Improvement of the risk assessment process through a risk-based approach
• Better return on IT investments due to use of application controls rather than
manual controls
By reviewing controls — and rationalizing, optimizing and potentially redesigning them to
deliver an improved environment — companies will meet present challenges and prepare
their organization to effectively address future control demands.
Chasing the elusive optimal control environment
Early efforts to respond to increased reporting
requirements were mostly focused on
compliance, with a secondary focus on risk.
Those efforts weren’t designed to establish
an efficient foundational framework as much
as they were implemented to simply meet
obligatory compliance needs. Since then,
companies have begun to understand the
value of building control and reporting systems
focused on addressing compliance and risk
rather than complying just to comply. The
mindset is shifting to a more proactive rather
than reactive approach.
But companies still struggle to create optimal
control environments that balance cost with
risk. This suboptimal performance hampers
efficiency and jeopardizes clarity, transparency
and confidence.
Missed opportunities abound
Most companies fail to take advantage of the potential to create an effective and cost-efficient risk and control environment, even when the
potential cost savings would clearly eclipse the cost of control. There are many reasons companies fail to sufficiently optimize their control
environments, including lack of focus, human nature, lack of time, lack of knowledge and a failure to understand how to make things better.
Here are three major explanations of why companies have endured inefficient control environments:
1. Duplication of risk and control activity. Because reporting and compliance are a core part of doing business, significant effort and
cost are expended to build controls that address potential risk. But often, the correlation, intersection and duplication of controls
across different groups are not clearly visible or easily understood because of multiple, overlapping and sometimes conflicting lines of
reporting and responsibility. (See graphic below.)
2. Too much of some, not enough of others. Most organizations have too many controls to address some areas while not having enough
controls to address others. One of the reasons for this disparity is that control activities tend to be added over time and not taken away
or reduced when the need has been extinguished. Furthermore, in order to comply with regulators’ requirements, a lot of effort goes
into controls around the daily transaction processing without properly addressing the higher-risk areas.
3. Failure to sufficiently leverage technology. Although a company may have invested significantly in enterprise resource planning
(ERP) systems, there still may be a systematic lack of automation in controls implemented, leaving a significant portion of the ERP
investment unrealized and missing an opportunity to increase efficiencies.
Duplication of risk and control activity (figure)
Board/senior management oversight
Audit committee, risk committee and other committees
Functions: internal audit, risk management, internal control, information technology, compliance, legal and regulatory, external audit, each with reporting lines to the audit, risk and other committees
Finding a better way toward efficiency
Recently, companies have pushed for control efficiency by improving their approach and their corresponding frameworks. The objective
of this improvement effort has been to remove redundant controls, identify and deploy controls that address multiple risks and replace
multiple manual controls with more efficient application controls. In particular, the increased focus on application-based
controls — those that are largely computer-driven and automated — has been propelled forward not only by internal control and risk
executives, but also by regulators who encourage those companies to leverage a more risk-based approach in their control frameworks.
The previously outlined inefficiencies waste organizational resources and create opportunity costs. But through the rationalization,
optimization and redesign of the company’s control environment, companies are better able to increase efficiency and effectiveness of
their controls and potentially reduce overall compliance costs. It is a forward-leaning method of doing more to address today’s concerns to
be better positioned to conquer tomorrow’s.
Value and competitive advantage through internal controls
Leading companies are now expected to
improve their internal control systems and
have those improvements drive competitive
advantage. Like all other significant corporate
functions, internal control must do its part
to build its value proposition by delivering
competitive value through greater efficiency
and/or by generating large cost savings.
In attempting to deliver competitive advantage, those responsible
for the control environment historically have been hampered by
entrenched perceptions that the time and costs associated with
control improvement program implementation are prohibitive and
ultimately not justifiable. But such erroneous perceptions can mask
the potential benefits generated when control improvement efforts
are focused on three key elements:
1. The risks that really matter to the business, particularly those
that align with key business and overall corporate strategies
2. Improvements that provide both risk coverage and improved
business processes
3. A cost-effective approach that provides the business with
tangible benefits from the investment in control and optimal
use of automation
It is not necessary for control environment improvements to require major investments in time and resources — and therefore, higher risk and potentially lower ROI — in order to generate positive impact. It is important to understand that, like most things, there is a high correlation between complexity and difficulty in control environment improvements and their resulting rewards (cost savings, improved efficiencies, etc.). Even at the lower end of the cost/investment scale, companies can still generate significant improvements in operational and compliance process efficiencies, as well as a variety of cost savings. Control environment improvements are practical for today and designed to add ongoing benefit.
Benefits of enhanced control efficiency
The rewards of making investments into improving the control environment can be substantial. The potential benefits arising from a control rationalization, optimization and improvement program include:
• Fewer controls; lower costs
• Better aligned risk coverage, including the identification of stronger, more pervasive controls
• The identification and standardization of efficient and effective controls
• More effective and efficient risk-based assessment process
• Better use of technology through the use of application controls rather than manual controls
• A reduction in the internal compliance effort
• A more sustainable compliance process
• Improved alignment between the IT, business and internal audit functions
• Coordinated IT risk management activities
Different roads, same destination
Whether companies decide to massively overhaul their control environments or recalibrate or modify what they already have will largely
depend on:
• The company’s current state
• The company’s desired state
• Resources available to implement effective change
• Institutional capacity to see all of it to fruition
The three main approaches toward increased control efficiency are rationalization, optimization and redesign:
1. Rationalization involves the removal of unnecessary, insignificant or redundant controls or processes. This option requires the least
amount of resources and overall effort.
2. Optimization involves the potential replacement of certain controls in exchange for others that are more efficient. Replacing a
manual control with automation is an ideal optimization. Another example would be standardizing controls across business units and
geographies.
3. Redesign involves modifying, redesigning or re-engineering a process and its underlying control structure to drive operational
efficiency. This is the option that requires the most resources and effort because it usually requires redefining organizational design
such as tasks, roles and responsibilities. While this option requires the greatest investment, it also provides the greatest potential for
impact and return.
Understanding the differences: rationalization, optimization and redesign
Rationalization:
• Create formal criteria for assessing whether controls should be considered critical
• Challenge existing key controls for design effectiveness (i.e., whether an IT platform should be leveraged to improve the
efficiency and reliability of a control)
• Benchmark key controls with peer companies or standard control templates to identify potential efficiencies
• Identify and leverage “power controls,” which are key controls that may mitigate multiple risks
Optimization:
• Review process documentation with process owners and IT staff to understand control structure within applications
supporting specific processes and other potential controls that may be available
• Standardize business and IT processes
• Challenge existing manual key controls to determine if alternative application or automated controls exist
• Challenge the number of controls identified that address the same risk
Redesign:
• Review of industry-leading practices and available options including new, proven approaches such as continuous monitoring
• Process design sessions with process owners and other stakeholders
• Cost/benefit analysis and assessment of residual risks
• Implementation and change management
Controls rationalization
Correctly identifying controls that are central to enterprise business processes is critical in creating increased benefit. For the right testing
impact, companies need to target the right controls. Many companies rationalize all of their controls using a “bottom-up” approach and
may find significant opportunity to reduce their total population. Companies that were diligent in their focus on internal control over
financial reporting and used a “top-down” approach to compliance may find fewer opportunities to reduce their control population.
The following steps should be considered during the rationalization process:
1. Identify and potentially reduce risks that are not relevant to internal control over financial reporting
2. Review financial assertions for each significant account to determine relevance
3. Review key application end-user information security controls, particularly as they relate to user authentication, access and auditing
4. Review significant accounts and related components to determine if insignificant components are included in scope
5. Review population to identify redundant or insignificant controls
6. Identify opportunities to centralize activities that are currently done at multiple locations
7. Review adjusted control population with external auditors
Rationalization approach (figure)
Starting point: all controls documented at a single entity
• Scoping and business sub-process rationalization: controls over inconsequential general ledger codes; controls over insignificant processes/transactions
• Risk rationalization: controls addressing out-of-scope objectives
• Selection of key controls: complementary controls; compensatory controls; redundant controls
Result: rationalized controls
Controls optimization
Controls optimization is the process of standardizing and centralizing controls and selecting controls that are more efficient to test than
others that potentially reduce the same risk. To do so, it is important to have an understanding of the different classes of controls:
Manual controls — These controls depend on a person to perform without reliance on IT tools or the company’s overall IT environment.
IT-dependent manual controls — These controls have both manual and automated aspects (e.g., a review of a computer-produced open
orders report to determine that all sales have been invoiced).
Application controls — These automated controls are processed by the entity’s IT applications without input from a person and are focused
on procedures used in the critical path of transactions or other financial data. Application controls help ensure that transactions are
authorized and accurately recorded and processed. When operating properly, IT application controls typically provide more effective risk
reduction and are more efficient to test (sample size and leverage). The ability to leverage such controls can significantly reduce costs but
depends on effective security controls around the application and the infrastructure on which it operates.
Application controls can typically be classified as:
• Edit checks — These controls are used to limit the risk of inappropriate input, processing or output of data due to field format (e.g.,
dollar amounts must be in the numeric format).
• Validations — These controls are used to limit the risk of inappropriate input, processing or output of data due to the confirmation of
a test. Examples include tolerances, duplicate checks and matching (e.g., an automated three-way match, where a check to a supplier
will not be generated without a matched purchase order, receipt of goods and invoice).
• Calculations — These controls are used to ensure that a computation is occurring accurately (e.g., the system automatically extends
and foots an invoice).
• Interfaces — These controls are used to limit the risk of inappropriate input, processing or output of data being exchanged from one
application to another (e.g., the system confirms through a record count that all records were uploaded from the sales sub-ledger to
the general ledger or confirms that totals from a header record reconcile to the detail that was posted).
• Authorizations — These controls are used to limit the risk of inappropriate input, processing or output of key financial data due to
unauthorized access to key financial functions or data and include segregation of incompatible duties, authorization checks, limits
and hierarchies (e.g., roles are defined within the system, so only the purchasing manager has the ability to add vendors to the vendor
master).
The use of application controls rather than manual controls allows for more sensitivity and reliability in the processing of transactions and
activities. Also, greater leveraging of application controls better aligns an organization with the significant investments that it is making in
IT systems to support and transform its businesses.
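To make the five classes concrete, here is an added example (not code from the paper) implementing one automated check of each class over a purchase-to-pay flow; the purchase order, goods receipt, paid-invoice register, role model and invoice values are all constructed for the illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed sample master data (not from the paper): one purchase order,
# its goods receipt, an invoice already paid once, and a hypothetical role model.
PURCHASE_ORDERS = {"PO-1001": {"vendor": "V-ACME", "amount": Decimal("1250.00")}}
GOODS_RECEIPTS = {"PO-1001": Decimal("1250.00")}
PAID_INVOICES = {("V-ACME", "INV-77")}      # a resubmission of INV-77 is a duplicate
ROLE_PERMISSIONS = {
    "purchasing_manager": {"vendor_master.add", "purchase_order.approve"},
    "ap_clerk": {"invoice.enter"},
}

@dataclass
class InvoiceLine:
    qty: int
    unit_price: Decimal
    extended: Decimal          # line amount as keyed; recomputed by the control

@dataclass
class Invoice:
    invoice_no: str
    vendor: str
    po_no: str
    lines: list
    total: Decimal             # total as keyed; re-footed by the control

def edit_check_amount(raw: str) -> list:
    """Edit check: a dollar amount must be numeric with at most two decimals."""
    try:
        value = Decimal(raw)
    except InvalidOperation:
        return [f"amount {raw!r} is not numeric"]
    if value.as_tuple().exponent < -2:
        return [f"amount {raw!r} has more than two decimal places"]
    return []

def calculation_check(inv: Invoice) -> list:
    """Calculation: re-extend every line and re-foot the invoice total."""
    issues, footed = [], Decimal("0")
    for n, ln in enumerate(inv.lines, 1):
        expected = ln.qty * ln.unit_price
        if expected != ln.extended:
            issues.append(f"{inv.invoice_no} line {n}: keyed {ln.extended}, computed {expected}")
        footed += expected
    if footed != inv.total:
        issues.append(f"{inv.invoice_no}: keyed total {inv.total}, footed {footed}")
    return issues

def three_way_match(inv: Invoice, tolerance: Decimal = Decimal("0.00")) -> list:
    """Validation: PO, goods receipt and invoice must agree; never pay the same invoice twice."""
    po = PURCHASE_ORDERS.get(inv.po_no)
    if po is None:
        return [f"{inv.invoice_no}: no purchase order {inv.po_no}"]
    issues = []
    if po["vendor"] != inv.vendor:
        issues.append(f"{inv.invoice_no}: vendor {inv.vendor} is not the PO vendor {po['vendor']}")
    if abs(po["amount"] - inv.total) > tolerance:
        issues.append(f"{inv.invoice_no}: invoice {inv.total} vs PO {po['amount']}")
    received = GOODS_RECEIPTS.get(inv.po_no)
    if received is None:
        issues.append(f"{inv.invoice_no}: no goods receipt for {inv.po_no}")
    elif abs(received - inv.total) > tolerance:
        issues.append(f"{inv.invoice_no}: invoice {inv.total} vs goods received {received}")
    if (inv.vendor, inv.invoice_no) in PAID_INVOICES:
        issues.append(f"{inv.invoice_no}: duplicate of an invoice already paid")
    return issues

def interface_check(header: dict, detail: list) -> list:
    """Interface: upload header record count and control total must reconcile to the posted detail."""
    issues = []
    if header["record_count"] != len(detail):
        issues.append(f"record count {header['record_count']} vs {len(detail)} posted")
    posted = sum((Decimal(r["amount"]) for r in detail), Decimal("0"))
    if posted != Decimal(header["control_total"]):
        issues.append(f"control total {header['control_total']} vs {posted} posted")
    return issues

def authorize(user_roles: set, action: str) -> bool:
    """Authorization: allowed only if a role grants the action (an AP clerk cannot add vendors)."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user_roles)

def run_sample() -> dict:
    """Run every control over constructed input and return the exceptions raised."""
    inv = Invoice("INV-77", "V-ACME", "PO-1001",
                  [InvoiceLine(10, Decimal("100.00"), Decimal("1000.00")),
                   InvoiceLine(5, Decimal("50.00"), Decimal("260.00"))],   # mis-keyed extension
                  Decimal("1260.00"))
    header = {"record_count": 3, "control_total": "1350.00"}
    detail = [{"amount": "450.00"}, {"amount": "450.00"}]                 # one record lost in transfer
    return {
        "edit": edit_check_amount("12.5O"),                                # letter O, not a zero
        "calculation": calculation_check(inv),
        "validation": three_way_match(inv),
        "interface": interface_check(header, detail),
        "authorization": authorize({"ap_clerk"}, "vendor_master.add"),
    }
```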
Optimization approach (figure)
Rationalized entity-level controls and rationalized controls are screened through a sequence of yes/no questions, such as “Are there entity-level controls that operate at the transaction level?”, to arrive at optimized controls.
Controls redesign
Once key controls have been optimized, management should consider re-evaluating the overall control structure by looking at how those
controls operate, where they are performed and who owns and performs them. Leading companies are redesigning their control structure
to create a compliance process that is more sustainable and cost-efficient. Examples of what some companies have done in the name of
controls redesign include:
• Implementation or expansion of shared services organization
• Migration to standard general ledger or ERP platforms
• Standardized policies and procedures across all business units or subsidiaries
• Integration of acquisitions or business units that are similar in form or function
• Process simplification around financial reporting and disclosure processes
• Implementation of continuous process monitoring
• Implementation of global standard access control and user identity management processes and supporting technology
Controls improvement and information security
A fundamental part of a company’s business control framework is the controls that
support major IT systems and application security. The increased use of application
and embedded controls increases the need for effective information security controls.
However, information security controls usually make up a large percentage of the
controls contained within a company’s overall control framework. Information security in
general — and user access management in particular — are increasingly seen as critical
areas and are good candidates for potential controls rationalization, optimization and
possibly redesign.
As with all controls enhancement efforts, the foundation for such decisions must be based upon management’s overall approach toward risk. Controls improvement must consider security across the people, process and technology landscapes, as well as across the key IT areas of infrastructure, operating system and applications. Many companies are now looking to fully review their information security policies, procedures and standards through a revised controls lens that ensures risk is managed appropriately and in a timely manner while allowing overall security controls to be optimized.
Companies that effectively manage the security aspects of their control framework have:
• Undertaken the implementation of standardized security procedures
• Adopted procedures that support the creation of a balanced set of security controls, including measures that prevent and detect
• Eased the burden caused by required testing
Key security areas where organizations must ensure they apply the rationalization, optimization and redesign tenets include:
• User access provision (including leavers, joiners and movers)
• Emergency access management
• Privileged user access, especially at the infrastructure, database and application levels
• Annual reauthorization of access
• Segregation of duties (SoD) definition and implementation
• Authentication and access self service
• User access monitoring
• Application usage monitoring
• Incident management and escalation
Seizing opportunities
The ideal circumstances and situations to review and improve control efficiency and effectiveness are when the company is:
• Undergoing a new ERP implementation or upgrade, or undergoing some business transformation (merger and acquisition, divestitures, restructuring, cost reduction initiative, etc.)
• Moving to a smaller set of standard business or IT management processes
• Addressing concerns the management team has with the success of system integration or the ability of the development team to properly assess risk or implement appropriate controls
• Facing new regulatory factors that may drive new risk or force improvements in the control environment
• Discovering material weaknesses and misstatements related to financial reporting, which may have resulted from an inadequate ERP control environment
• Implementing a major information security improvement program
• Led by a risk function individual who is dynamic, thought-provoking and not afraid to make bold moves
Case study: harmonization and standardization
Operating with different controls monitoring business processes in 10 different countries, this global technology company decided to
standardize the processes in each country, but without modifying the process itself. The business processes were supported by one
single instance of SAP that was centrally hosted at one of the operating companies. Working with Ernst & Young, the company’s
objectives included:
• Achieving greater efficiency across the compliance and reporting program
• Focusing on fewer key controls with a lower proportion of manual controls
• Using IT application controls more consistently and improving quality of testing strategies
• Standardizing information controls and reducing “surplus” controls
• Potentially reducing deficiencies
The starting point of this business process harmonization effort was the risk and control framework at each operating company.
Although the risks were harmonized, the controls were not, leading to different control sets in each company. Frameworks could
contain controls that were purely manual at one end or could contain a substantial amount of IT application controls. That IT
application controls varied so widely was also a complication.
Management reviewed and approved multiple aspects of the standardization process, including risk and control mapping, control
design, preliminary reliance strategy by control and test steps. Management also developed and shared standardized testing
templates to encourage greater consistency and documentation quality.
After testing and reviewing, the use of controls frameworks within two of the operating companies — each with the highest
extent of IT application controls — served as a leading practice for the team and was replicated in other operating companies. A
small number of exceptions to this approach were allowed by management, but only in cases where local business process flow
deviations could not be changed. Eventually, through harmonization, the IT application control framework consisted of a standard
set of 23 SAP IT application controls across key financial processes. Overall, the project successfully generated greater efficiency
while improving risk coverage, prompting the client to expand its optimization project to include other areas and functions.
The road map between current and future states
After understanding the potential benefits of an improved control environment and outlining the differences between each approach,
companies interested in control enhancement need to:
• Focus on risks that align with key corporate strategies
• Examine improvements that provide risk coverage and improve processes
• Commit to ensuring that any improvement generates measurable return on investment
By leveraging a robust five-step framework, companies are able to move forward, confident of the value they will achieve from control
environment improvement activities. The process focuses on steps that will identify, diagnose, design, deploy and sustain a company’s
control environment improvements.
Framework for control environment improvement (figure)
Identify
• Objectives: identify efficiency and effectiveness opportunities from process performance and/or internal control reviews
• Activities: list and confirm value opportunities; develop high-level business case with goals and benefits
Diagnose
• Objectives: measure and assess the process to determine current performance issues and inefficiencies; analyze data and determine root causes for performance issues and inefficiencies
• Activities: detailed process map with stakeholders; collect leading practices and benchmark data; gap analysis; confirmation of root cause with stakeholders; define improvement objectives
Design
• Objectives: develop and validate options to enhance and improve the process and control environment
• Activities: validated options
Deploy
• Objectives: implement action plans at selected levels; implementation at affected management levels
• Activities: plot high-impact options and results; roll out after validation of pilot results; create policies and procedures; prepare and execute training plan
Sustain
• Objectives: implementation of adequate and sustainable process and control monitoring environment; monitor and support; transfer responsibility to process owners
• Activities: design, validate and roll out monitoring and control system; develop transfer plan and hand off to process owner
Fundamental to the success of this five-step improvement process is a current-state assessment, risk-based scoping and a top-down, risk-
based approach.
Assessing current state
Having a clear view of the current number of processes, risks and controls will enable efficiencies. Additionally, it is important to
understand the composition of controls (manual vs. automated) and the nature of the IT applications supporting those controls. Finally, it
is important to gather information related to the level of effort around performing, documenting and testing current controls. This will help
identify high-impact areas (effort, cost and potential benefits) for prospective pilots.
Scoping
Scoping determines and defines the focus of the improvements. Scoping before the project begins reduces unnecessary and wasted
effort. An example of such wasted effort is the attempt to optimize locations and processes not relevant to the organization’s overall risk
management requirements.
A top-down, risk-based approach
A risk-based approach involves identifying and assessing material financial reporting risks and allocating resources and efforts based
on the severity and likelihood of those risks. This approach begins with management’s judgment of what is material to the consolidated
financial statements, followed by a thorough risk assessment. That assessment would consider the likely sources of potential misstatement
within significant enterprisewide processes.
Once the risks have been prioritized, management needs to associate the nature, timing and extent of testing of the corresponding control
that can most efficiently monitor it. The benefit of a top-down, risk-based approach is illustrated in the graphic below. Allocating control
attention and effort where risks are highest is a more efficient and effective use of available control environment resources.
Typical results before and after a top-down, risk-based approach (figure: share of control effort by layer)
• Entity level: 5% of effort before, 15% after
• Division-level monitoring controls: 10% of effort before, 20% after
• Non-routine, complex transactions (business unit monitoring): 20% of effort before, 40% after
• Routine transaction, process and application-level controls: 65% of effort before, 25% after
Case study: automation and globalization
A global pharmaceutical company decided to align and redefine the risk and controls in connection with a global SAP implementation
and enlisted Ernst & Young to assist. This effort included the optimization of controls, with the desired future state of enhanced
automation and globalization. In building the business case, a single business process — Requisition to Payment (RTP) — was selected
for a pilot review. This process covered the capital expenditures, goods receipt/invoice receipt, inventory and receiving sub-processes.
The RTP risk and control framework was compared against leading practices, combining the knowledge of the company’s environment
with third-party resources with extensive knowledge and experience with SAP control functionality. Through this process, the company
identified several opportunities, including:
• Potential reduction in the number of risk points associated with the business process
• Potential replacement of manual controls by application controls
• Reduction of the overall testing effort by management and internal and external auditors, freeing up resources for other activities
and potentially reducing the external cost of compliance
The pilot review successfully demonstrated that the company could be more efficient while improving risk coverage. Benefits the
company realized included the reduction of controls from 25 to 19, a 24% reduction in the number of tests, and the increased
leveraging of SoD, user access and user change management controls around SAP. The company is now expanding its optimization
project to include other processes supported by SAP.
Building value through control efficiency
The roads to increased efficiency, better returns, heightened transparency and more
confident stakeholders can all intersect at control environment improvement.
Whether a company seeks to rationalize, optimize or redesign will depend upon available
time, resources and resolve. However, it is clear that by properly examining the entire
control environment and better understanding what paths are available — and the
potential benefits of each route — companies can generate a competitive advantage.
Companies continue to try to find ways to move ahead of their competitors. The
harder those companies look, the clearer it becomes that meaningful benefits can be
found in enhanced and more efficient controls. Now is the time to optimize the controls
environment and help companies meet present challenges and future demands.
Questions to consider:
• Have you prioritized risks identified from internal audit, internal control and risk assessment findings?
• Have you identified process and control performance gaps or deficiencies?
• Do you have documented current-state processes including key tasks, performance metrics, handoffs and controls?
• Do you have a full and detailed understanding of the cost associated with your current processes?
• Have you engaged your security personnel to understand the potential benefit of improvements and the hazards of standing still?
• Have you benchmarked your current processes against leading practices to assess performance and identify improvement
opportunities?
• Have you determined whether supporting technology meets business requirements?
• Have you involved those integral to the controls process in helping to identify and design improvements?
• What role can your internal audit function have in business improvement?
• Are process improvement efforts built into your audit plan?
• Does your internal audit department have strong skills in data analytics, problem solving, benchmarking, etc.?
• Does internal audit have appropriate business process skills?
• Do you have a program to monitor process and control changes for the sustainability of recent improvements?
• Is your organization prepared to make the necessary investment in building these competencies and changing the culture?
Contacts
Global
Norman Lonergan +44 20 7980 0596 norman.lonergan@uk.ey.com
(Advisory Services Leader, London)
Paul van Kessel +31 88 40 71271 paul.van.kessel@nl.ey.com
(IT Risk and Assurance Services Leader, Amsterdam)
Advisory Services
Robert Patton +1 404 817 5579 robert.patton@ey.com
(Americas Leader, Atlanta)
Andrew Embury +44 20 7951 1802 aembury@uk.ey.com
(Europe, Middle East, India and Africa Leader, London)
Doug Simpson +61 2 9248 4923 doug.simpson@au.ey.com
(Asia-Pacific Leader, Sydney)
Naoki Matsumura +81 3 3503 1100 matsumura-nk@shinnihon.or.jp
(Japan Leader, Tokyo)
IT Risk and Assurance Services
Bernie Wedge +1 404 817 5120 bernard.wedge@ey.com
(Americas Leader, Atlanta)
Paul van Kessel +31 88 40 71271 paul.van.kessel@nl.ey.com
(Europe, Middle East, India and Africa Leader, Amsterdam)
Troy Kelly +85 2 2629 3238 troy.kelly@hk.ey.com
(Asia-Pacific Leader, Hong Kong)
Giovanni Stagno +81 3 3503 1100 stagno-gvnn@shinnihon.or.jp
(Japan Leader, Chiyoda-ku)