Managing Internal Controls - Could technology be the solution?
Author: Toby Grey
As large and/or complex organisations work towards meeting the demands of the International Standards on Auditing, automating internal controls is increasingly becoming a priority. Automation brings benefits in three key areas - regulatory compliance, risk management, and operational efficiency, explains Toby Grey.
Nearly one quarter of the 30 auditing standards detailed in the International Standards on Auditing (ISAs) (UK & Ireland) pertain to internal controls. The standards include stipulations about audit quality, documentation, regulatory laws, risk of material misstatement and risk assessment. Completing a successful audit efficiently requires a good internal controls framework.
A large company could be monitoring more than 5000 controls in 100 business units. Doing so using manual and spreadsheet methods is likely to prove unwieldy or inadequate. The risk is that without automation, business units will duplicate effort, add to external auditor costs or overlook truly material risks. So when large or complex commercial organisations strive to meet the demands of ISAs, automating internal controls becomes a priority.
IT tools can be extremely useful for analysing, mapping and documenting an organisation's internal controls and regulatory compliance procedures on a continuing basis. Such technology also supports information sharing among managers, auditors and regulators. These capabilities may be particularly important for holding companies with diverse interests and for companies subject to strict regulatory regimes.
Besides improving the audit process, automating internal controls brings benefits in three areas: regulatory compliance, risk management, and operational efficiency.
To comply with numerous regulatory regimes, senior managers and those tasked with internal audit responsibilities, such as non-executive directors, need to be sure that their enterprise has effective and efficient procedures and controls in place. For example, under the US Sarbanes-Oxley Act, introduced in the wake of the Enron and WorldCom scandals, senior company officers who are distant from day-to-day operations are expected to certify accounts.
Reliable reports from an automated system facilitate certification, assist in ensuring the auditor's “full and fair disclosure … to those charged with governance … on matters in which they have an interest” required by ISA 260, 11-4 and thereby instil confidence.
Throughout the organisation, automation imposes a single internal process for regulatory compliance.
By streamlining, companies can minimise the staff time and resource spent on compliance and still meet their deadline.
Managing risk is easier when internal controls are effectively automated because automation gives a real-time global picture of a company's internal controls, procedures and processes. Such visibility provides a crucial sense of corporate confidence and enables managers to pinpoint risk areas and develop action plans before risks grow into threats. Equally, visibility helps managers to make operations more efficient by identifying how to conserve resources, save time and streamline procedures. Finally, it enables the auditor to obtain the comprehensive understanding of an entity, its environment and internal controls “sufficient to identify and assess the risks of material misstatement” as required under ISA 315, 2.
INTERNAL CONTROLS FRAMEWORK
An internal controls framework provides the policies and procedures for ensuring financial statements are based on accurate and verifiable data, safeguarding assets and adhering to legal regulations. Internal controls can be administrative or accounting controls. Both kinds of controls are fundamental to ensuring that an audit in accordance with ISAs (UK & Ireland) will “provide reasonable assurance that the financial statements taken as a whole are free from material misstatement” (ISA 200, 8). In either case, introducing new controls changes workflow.
All controls need to be defined, tested, documented and monitored, and any defined control may be examined by an auditor. Given the work this entails (and the costs that follow), it is essential to agree the framework's extent clearly. The right scope will separate operational areas that run smoothly simply due to good working practices from those requiring defined controls and documentation. Rumour has it that a leading UK energy company over-zealously documented controls on its post room!
That said, any business process, such as sales, purchasing and inventory management, can be subjected to controls. These include both financial controls that may be essential to audit and business controls that may be desirable to test. In Sales, for example: a control may test that Sales Terms and Conditions are formally validated by the Legal Department and automatically included in commercial documents. From a business standpoint, it could be beneficial to overlay this procedure with a communications system that ensures the sales team's mastery of relevant laws, tax and custom regulations.
In choosing which controls to formally document and test, the US Securities & Exchange Commission now recommends focusing Sarbanes-Oxley (SOx) compliance on material risk. So non-material issues need to be eliminated, leaving attention on material financial accounts and significant business processes in relevant business units facing high and medium risks. Consequently, the focus of a SOx compliance project remains on key controls.
When key controls are tested and fail, the failure must be reported and steps must be taken to remedy the situation. Any resulting action plans need to be managed and controls retested to ensure the improved practices conform to the required standard. Good coordination can ensure that this feedback system works efficiently. Furthermore, appropriate communication between the firm and its auditor helps the latter to “design and perform further audit procedures” that are responsive to the risks assessed, as per ISA 330, 7.
An effective internal controls system bolsters the management of risk. The annual audit of financial statements confirms this.
WHO SHOULD AUTOMATE?
A unified, automated internal controls framework suits enterprises with diverse interests as well as those operating in certain regulatory climates. These include:
- Holding companies owning a number of separate businesses in a range of industrial sectors or engaging in high levels of merger and acquisition activity. For such companies, automated internal controls provide visibility at group level of commercial performance, risks and risk management. Equally, such control systems ensure that financial reporting across all relevant business entities conforms to established standards.
- Companies poised to merge with, acquire or be acquired may benefit from improved internal controls. Effective mergers call for the harmonisation of controls across groups.
- Companies bound by regulatory compliance regimes such as the US Sarbanes-Oxley Act (which pertains to all US listed public companies, and their subsidiaries overseas); France's Loi de Sécurité Financière, requiring companies with shareholders to document business processes including financial reporting; and Ireland's proposals relating to Directors' Compliance Statements, should this framework eventually come into force. The need to comply with complex financial regulations drives many companies to look for automated internal control frameworks. Regulatory compliance is a demonstration that internal controls work.
HOW TO AUTOMATE
Introducing automation involves a number of dimensions, including winning management buy-in, choosing a technology platform, planning and running a pilot and rolling out an internal controls framework across business units.
Moving from paper to a technology platform
Technology drives automation. IT tools enable companies to standardise tests, retain documentation and monitor remedies for controls at both the business unit and group levels.
Embedding any new IT framework takes time as well as leadership from committed individuals. In the case of internal controls, total and massive support from both the CEO and the CFO is essential. With such support, the transition can be made a priority. The goal is to do it well once, and quickly.
Take as one example building materials giant Lafarge, a €14.4 billion company with operations in 75 countries.
Says Lafarge's compliance project manager Jean-Francois Rossi: “Without that very high level of commitment from our executive team, it would be much harder for us to achieve real, lasting compliance. You have to make sure that it is embedded across the organisation and that management is championing it. Ultimately management is responsible for the quality of our internal controls.”
In choosing a technology to support internal controls, Lafarge's team specified three key requirements:
- to provide visibility of the consolidated internal controls picture to senior management and external auditors;
- to require limited functional administration at head office and by the project core team; and
- to be easy for users at all levels of the organisation to learn quickly and use effectively.
Rossi says: “First the system had to be able to cope with our highly decentralised organisation, where internal controls would have to be documented at local level but assessed for quality at group level by our auditors.
“Next we needed a system that would allow us to record information consistently and track activities in real time in one place. We had to be able to see what was being documented and how.”
Finally, for a system that would be accessed by people in a range of functions - marketing, sales, management, purchasing, inventory, HR - throughout the worldwide organisation, ease of use was critical.
“Unlike ERPs, the system will not be used every day,” says Rossi. “It has to be intuitive and self-explanatory so that you can come back to it without difficulty when you need to.”
Project manager as champion
It takes a skilled project manager to convince all participants that automating an internal controls framework can actually be a matter of doing it well once, and quickly.
Like other projects, a new internal controls framework requires the input and goodwill of many people across an organisation.
Win support for your project by:
- positioning it as “not just another corporate reporting project”;
- integrating into the internal controls system useful documents people need in their day-to-day jobs (such as training manuals);
- setting realistic staging posts, and publicising when they are achieved;
- sustaining morale by reminding people that today's disruption will improve workflow in the months and years ahead.
The time required to launch an automated internal controls framework depends both on the project's scope and the organisation's complexity.
Whether measured in days, weeks or months, however, no project can proceed smoothly without goodwill and good coordination. Good communication - proactive, timely, clear and efficient - is paramount. Only through effectively communicating the purpose and plan can the people using new tools do the right thing at the right time.
Take another infrastructure project, such as updating a road system. During construction, road works cause delays and diversions across the network. Drivers tolerate this because they know it won't last and that the final outcome will better meet their needs. Like the new road system, an internal controls automation project can be derailed by several risk factors: an inappropriate or incomplete project methodology, poor project management skills and a lack of senior management support.
From pilot to full scale implementation
In piloting automation technology, companies can choose to introduce a software framework across several processes in a single business unit, or for one process across multiple business units. In a rolling pilot, controls are introduced one process at a time in a single business unit, and are rolled out to other entities in the group as each controls framework is refined.
When introducing new IT, the first step at the pilot stage is to define financial and business controls and relevant tests, given the agreed scope. Once definitions are uploaded into the new system, staff can be trained on how to test, document and monitor the controls using the automation software. Initially, tests and documentation may need to be refined. Once stable, the controls framework can be introduced more widely.
In a highly centralised context, controls best practice is established at headquarters and disseminated to business units. In a more decentralised model, a controls framework will be defined by headquarters and disseminated to managers with oversight of several business units. These middle managers will determine which of the centrally defined controls are relevant for the business units in their stable, and disseminate accordingly. In both models, controls are assessed and documented by the business units themselves.
CONCLUSION
Depending on their internal complexity and the regulatory obligations they face, many companies are choosing to automate their internal controls. Using IT, a sensibly defined framework can be disseminated and managed efficiently. A well-managed, staged IT implementation can make regulatory compliance more efficient and improve risk management and operational efficiency, whilst greatly assisting the audit process and improving the quality and reliability of the financial statements themselves.
Toby Grey is Managing Director, RVR Systems UK and Ireland. A Chartered Accountant, Toby was formerly Group Treasurer, TNT and Finance Director, DHL France.