Deloitte & Touche LLP
 
Sustain compliance and reduce costs using technology-enabled automation
CEO/CFO Certification News, March 2006

For U.S.-listed organizations that have completed their year-one certification process, and Canadian-listed organizations rushing to comply, one lesson has become perfectly clear: the CEO/CFO certification process is exceptionally labour-intensive. The work effort is exacerbated by the fact that many organizations are relying on applications such as spreadsheets and word processing tools, and even e-mail, to document their internal controls — applications that require extensive manual handling, lack integration between documentation components, and require manual data integrity checks. When you consider that an organization’s controls must be tested not only in year one, but on an ongoing basis, you can understand why so many organizations are looking at automation tools to reduce cost and accelerate response times. In addition, automation can make compliance part of an organization’s routine workflow and business activities.

There are essentially two key types of compliance automation: those that relate to internal controls documentation, and those that enable continuous controls monitoring.

Internal controls documentation tools enable an organization to automate its internal controls over financial reporting process by:

  • Developing a library of business processes, risks and controls
  • Streamlining the assessment of risks and controls
  • Facilitating the online certification of risks, controls and processes by process owners/management
  • Providing online, real-time reporting on the status of the assessment of internal control over financial reporting, the evaluation of disclosure controls, and/or other compliance matters together with related exceptions for management’s review

Continuous controls monitoring tools enable an organization to move from periodic to continuous assessment of the design and operational effectiveness of certain controls, including:

  • Business process monitoring and status reporting
  • Identification of business transactions that meet certain rules or exceed pre-defined thresholds
  • Flagging of changes to system configuration, exceptions to security settings or assignment of incompatible user access
  • Providing exception reporting and workflow processes to resolve exceptions or identified issues

However, before you can begin to automate your compliance process, there are certain considerations to keep in mind.

Automation: it’s more than just buying software
Before going down the route of automation, organizations must be aware that, in our view, there is no one tool that does it all. In fact a number of the tools in the marketplace are very specialized. As such, before selecting tools, you must not only decide on your automation goals/objectives, but also identify the processes targeted for automation which offer the best return on investment, from a people, process and technology perspective.

This examination has to go beyond the availability and cost effectiveness of appropriate tools to consider the people involved in the specific process on a day-to-day basis. Ultimately, these are the people who must be trained in the tools’ use and must commit to using them to monitor controls. Without acceptance of the new processes and technology, you will be hard pressed to realize a return.

Selecting a tool that’s right for your organization
If you do choose to implement tools, your next step is to determine if appropriate technologies exist to assist you. The marketplace for regulatory-driven compliance tools is fragmented and driven by industry or specific regulatory requirements. At this time, there is no single tool or technology that will allow an organization to automate all its compliance requirements.

Given this marketplace reality, it makes sense for organizations to consider what technology they already have implemented before looking for “new” tools. For instance, if your organization has an Enterprise Resource Planning (ERP) application, it may have a module available that provides internal controls documentation and segregation of duties functionality.

If you determine that you require new tools, it is important to properly balance the benefits of a new implementation against its potential risks and pain points. For instance, if your organization has already completed its first-year certification, you likely have a clear understanding of the areas of greatest manual effort and pain. Now that you have this knowledge, you are well positioned to evaluate the tools which will reduce the manual effort and pain, and determine if these benefits will outweigh the cost of implementation.

However, if your primary concern is meeting a looming certification deadline, you may want to focus on those tools that simplify the internal controls documentation and certification process. For instance, there are a number of solutions available in the marketplace that can be used with relatively small effort and with a large payback, i.e. segregation of duties tools.

Another way some organizations manage the risks of implementing the right tools is by taking a phased approach. This means starting small with a single module of a tool and adding additional modules over subsequent compliance cycles. In such cases, when evaluating tools, it will be critical to choose the tools that can be implemented in a modular and scalable fashion.

While it still remains to be validated, all indications are that over the long term there is a strong business case (reduction in management testing time and external audit time) for implementing a well thought out tool strategy.

Think long term
In order to make compliance sustainable, an organization should consider two other key areas: appointing a leader and integrating other compliance needs.

Leadership: First, to ensure your organization makes an appropriate decision, appoint an individual or team to drive the selection and implementation processes. In this regard it is critical to ensure that your compliance team, regardless of where the members are physically located, are capable of providing your IT department with a cohesive understanding of the key compliance issues your organization is facing. To ensure a smooth process, it makes sense to seek senior management sponsorship, encourage a cross-enterprise collaborative approach and work with external resources who can provide you with access to the experience you require to avoid common pitfalls.

Integration of other compliance needs: The second issue to consider is how organizations can integrate their existing compliance silos. Organizations typically have multiple compliance initiatives under way, including disclosure control evaluation initiatives, internal control over financial reporting initiatives (Sarbanes-Oxley, Bill 198), privacy initiatives (PIPEDA, GLB), industry initiatives (Basel II, FDA), process initiatives, IT governance (ISO17799, CMM) and other compliance initiatives (compliance with laws and regulations). Too often each of these initiatives is handled independently, creating duplicate work effort and investment in tools. If organizations truly hope to manage all compliance efforts as a single process and integrate it into their existing business infrastructure, they need to consider whether or not the tools can accommodate and manage all of these initiatives in a single compliance process.

Building on best practices
If your organization does decide to explore the benefits of compliance automation, there are certain critical success factors to keep in mind:

  • Build a strategy. Given the choice in the marketplace around the type of tools available, it is best to first build an approach and strategy that will suit the organization
  • Avoid the big bang. To reap a reasonable return on investment, it makes sense to take a phased approach, including leveraging existing internal tools and best practices
  • Take a risk-based approach. Focus on the high risk and easy to implement areas first, to build a pattern of success and demonstrate the value of selected tools
  • Allocate appropriate resources. To ensure proper implementation of a new system, it’s important to allocate sufficient resources both to integration and to training. An understanding of which initiatives are competing for the same resources can help
  • Gain senior management support. To ensure an effective rollout, and gain internal adoption for your new system, be sure to line up support from the appropriate levels of your organization

By taking a careful and considered approach to automation, your organization can begin to cut costs and streamline its compliance processes. The end result should help you build a robust and sustainable compliance process that can stand the test of time.

 

About CEO/CFO Certification News

This is a bi-monthly publication of interest for companies dealing with the requirements for CEO/CFO certification.

For more information, email ceocfonews@deloitte.ca

Source: Deloitte & Touche LLP - Canada (English)

© 2008 Deloitte & Touche LLP and affiliated entities.
