In both personal and business settings, internal controls serve an important purpose: to prevent, detect and mitigate risk. An internal control in our daily lives, for instance, might be checking to make sure the garage door is closed before leaving for work. (Can’t remember? Darn it! Better go back and check again…)
This type of verification is a manual control, one that’s performed by people. Businesses traditionally have taken a manual approach to their internal controls—the processes and records they use to address the spectrum of risks (financial, operational, technological, etc.) they face. These manual controls could come in the form of “monster spreadsheets” to ensure segregation of duties, lengthy paper trails to approve transactions, or screenshot (after screenshot, after screenshot…) for compliance reporting. As with checking the garage door, humans can forget things and introduce variance, errors and inefficiencies.
With automation, though, it’s possible to conduct a wide range of tasks quickly and accurately. Bringing one layer of automation into the garage door example, an automatic garage door closer could be programmed to shut the door if it’s left open for, say, 10 minutes—providing peace of mind. But what if, after activating the closer, the door happens to be open when the owner swings home mid-day for lunch? Introducing other automated layers and technologies, such as cameras and motion sensors, will show why the door was open at that point in time—and better support the primary purpose of keeping threats out.
Businesses can use automated controls, typically built into their software applications, in much the same fashion and with the same end goals in mind. As they move to uncover the “why” behind aberrations and address the risk landscape more proactively, with constant, data-driven vigilance aligned to business priorities, they’re moving towards the Future of Controls (FoC).
From a technology standpoint, the FoC combines automation and advanced technologies, such as robotic process automation (RPA), artificial intelligence (AI), machine learning (ML) and predictive analytics, to streamline and improve controls, deliver actionable intelligence and help businesses scale faster and better.
For businesses across industries, the pandemic has spurred their digital transformations, both planned and “forced” ones. Companies have adopted new technologies and digitised front-office activities to meet customers and prospects where they are and enhance the customer experience.
But a concerning divide has developed, as back-office functions—saddled with legacy systems, siloed data and manual processes—aren’t keeping pace with the move towards greater innovation and efficiency. Such is often the case with internal controls.
In a recent Deloitte poll, just two in 10 respondents (22 per cent) reported that their organisations currently leverage advanced technologies, such as AI, RPA and advanced analytics and visualisation, within their internal controls programme.
That’s a problem when the status quo isn’t serving organisations well. Existing controls environments are often overly complicated, inefficient, reactive and rigid—forcing talented staff to sink time into menial tasks that “check the box” but don’t provide intelligence to advance the business. Furthermore, in today’s largely work-from-home environment, previous manual controls (such as printing out and initialing reports and filing them away as proof for auditors) often just aren’t tenable.
Organisations have a mandate to rethink their existing controls. In addition to driving efficiencies through digitisation, it’s important to align controls to the dynamic risk environment today—taking into account, for instance, risks associated with a more distributed and untethered workforce, such as network breaches and insider threats.
Moving to the Future of Controls can help eliminate instances of leaving the figurative garage door open and the business exposed. Organisations on the road to a successful FoC journey will look to use controls to increase confidence, intelligence and performance.
Maximising automation—not just for the sake of automation, but when and where it makes sense—is key to delivering on that vision. With automation and next-generation technologies thoughtfully embedded into internal controls frameworks, organisations can:
One example of the FoC technology in action comes through Deloitte’s Nexus Digital Nerve Center™, a suite of digital services for managing and optimising internal controls and risk management programmes. Blending robotics, cognitive and data analytics, AI and predictive capabilities, Nexus provides centralised, near real-time intelligence and transparency into an organisation’s operational health and risk posture—monitoring KPIs, uncovering trends and insights, and proactively triggering corrective actions.
Nexus is enabling businesses across industries to automate and advance processes, improve workflows and better manage risks. As a recent example, by using AI monitoring to review data from over 25,000 loans issued by a global bank, Nexus was able to rapidly uncover $26 billion in commitments that didn’t adhere to the bank’s lending protocols—along with the contributing factors (e.g., tenure of loan officer, divisions generating more exceptions, etc.) and areas of potential future risk. Manually wading through all that data would have been near-impossible and time-intensive—and wouldn’t have unearthed insights to strengthen the bank’s lending portfolio and improve the coaching of loan officers.
The drawbacks of reactive, labour-intensive and wholly manual controls are apparent; so are the benefits of a more proactive, insights- and data-driven approach.
So what’s the hold-up on advancing to the Future of Controls and, along that road, embracing automation? Many organisations are stuck in neutral, uncertain of where to start.
As organisations look to pull the three key levers to advance their FoC journey—reconstructing the internal controls framework, designing the next-generation controls operating model and establishing the controls technology ecosystem—it’s often best not to try to tackle everything at once.
According to the Deloitte poll referenced earlier, more than 3/4 of respondents (78 per cent) say their organisations plan to strengthen resilience for their internal controls in the coming year. That’s great news and technology has an important role to play.
But technology is not the only driver of the FoC—which also combines skilled people and processes to foster resilience. With a multi-pronged approach—mixing human intelligence with artificial intelligence, technology and digital processes and controls—organisations can satisfy their risk appetites and maximise their controls investments.
The time is now to embrace the Future of Controls—backing up out of the garage (with the door indubitably closed!) and leaving knowledge gaps and inefficiencies in the rear-view mirror.