In both personal and business settings, internal controls serve an important purpose: to prevent, detect and mitigate risk. An internal control in our daily lives, for instance, might be checking to make sure the garage door is closed before leaving for work. (Can’t remember? Darn it! Better go back and check again…) 

This type of verification is a manual control, one that’s performed by people. Businesses traditionally have taken a manual approach to their internal controls—the processes and records they use to address the spectrum of risks (financial, operational, technological, etc.) they face. These manual controls could come in the form of “monster spreadsheets” to ensure segregation of duties, lengthy paper trails to approve transactions, or screenshot (after screenshot, after screenshot…) for compliance reporting. As with checking the garage door, humans can forget things and introduce variance, errors and inefficiencies.

With automation, though, it’s possible to conduct a wide range of tasks quickly and accurately. Bringing one layer of automation into the garage door example, an automatic garage door closer could be programmed to shut the door if it’s left open for, say, 10 minutes—providing peace of mind. But what if, after activating the closer, the door happens to be open when the owner swings home mid-day for lunch? Introducing other automated layers and technologies, such as cameras and motion sensors, will show why the door was open at that point in time—and better support the primary purpose of keeping threats out.

Businesses can use automated controls, typically built into their software applications, in much the same fashion and with the same end goals in mind. As they move to uncover the “why” behind aberrations and address the risk landscape more proactively, with constant, data-driven vigilance aligned to business priorities, they’re moving toward the Future of Controls (FoC).

From a technology standpoint, the FoC combines automation and advanced technologies, such as robotic process automation (RPA), artificial intelligence (AI), machine learning (ML) and predictive analytics, to streamline and improve controls, deliver actionable intelligence, and help businesses scale quicker, faster and better.

The State of Internal Controls Today

For businesses across industries, the pandemic has spurred their digital transformations, both planned and “forced” ones. Companies have adopted new technologies and digitized front-office activities to meet customers and prospects where they are, and enhance the customer experience.

But a concerning divide has developed, as back-office functions—saddled with legacy systems, siloed data and manual processes—aren’t keeping pace with the move toward greater innovation and efficiency. Such is often the case with internal controls.  

In a recent Deloitte poll, just two in 10 respondents (22 percent) reported that their organizations currently leverage advanced technologies, such as AI, RPA, and advanced analytics and visualization, within their internal controls program. 

That’s a problem when the status quo isn’t serving organizations well. Existing controls environments are often overly complicated, inefficient, reactive and rigid—forcing talented staff to sink time into menial tasks that “check the box” but don’t provide intelligence to advance the business. Furthermore, in today’s largely work-from-home environment, previous manual controls (such as printing out and initialing reports, and filing them away as proof for auditors) often just aren’t tenable.

Organizations have a mandate to rethink their existing controls. In addition to driving efficiencies through digitization, it’s important to align controls to the dynamic risk environment today—taking into account, for instance, risks associated with a more distributed and untethered workforce, such as network breaches and insider threats. 

Benefits of Automation

Moving to the Future of Controls can help eliminate instances of leaving the figurative garage door open and the business exposed. Organizations on the road to a successful FoC journey will look to use controls to increase confidence, intelligence and performance. 

Maximizing automation—not just for the sake of automation, but when and where it makes sense—is key to delivering on that vision. With automation and next-generation technologies thoughtfully embedded into internal controls frameworks, organizations can:

• Reduce the time and effort involved in ensuring compliance.
• Detect risks, aberrations and exposures quickly, in near-real time (not just during quarterly reviews or audits).
• Highlight the root causes of issues, not just their symptoms, to get ahead of deficiencies and drive faster decision-making.
• Move from a defensive, reactive risk-management posture to an offensive, proactive one. Rather than executing just hindsight-oriented activities, controls environments can incorporate three other important lines of sight: providing insight, oversight and foresight, so organizations can take better action in the present.
• Drive and improve controls resilience, fortifying the business from the inside out. Controls-resilient organizations are able to continuously identify risks, assess their impact, and monitor and implement the right amount of controls at the right time.
• Improve resource utilization and staff morale, freeing up IT, for instance, to focus on more strategic and revenue-generating activities.

One example of the FoC technology in action comes through Deloitte’s Nexus Digital Nerve CenterTM, a suite of digital services for managing and optimizing internal controls and risk management programs. Blending robotics, cognitive and data analytics, AI and predicative capabilities, Nexus provides centralized, near real-time intelligence and transparency into an organization’s operational health and risk posture—monitoring KPIs, uncovering trends and insights, and proactively triggering corrective actions. 

Nexus is enabling businesses across industries to automate and advance processes, improve workflows and better manage risks. As a recent example, by using AI monitoring to review data from over 25,000 loans issued by a global bank, Nexus was able to rapidly uncover $26 billion in commitments that didn’t adhere to the bank’s lending protocols—along with the contributing factors (e.g., tenure of loan officer, divisions generating more exceptions, etc.) and areas of potential future risk. Manually wading through all that data would have been near-impossible and time-intensive—and wouldn’t have unearthed insights to strengthen the bank’s lending portfolio and improve the coaching of loan officers.

Charting a Course to the Future of Controls

The drawbacks of reactive, labor-intensive and wholly manual controls are apparent; so are the benefits of a more proactive, insights and data-driven approach. 

So what’s the hold-up on advancing to the Future of Controls and, along that road, embracing automation? Many organizations are stuck in neutral, uncertain of where to start. 

As organizations look to pull the three key levers to advance their FoC journey—reconstructing the internal controls framework, designing the next-generation controls operating model and establishing the controls technology ecosystem—it’s often best not to try to tackle everything at once. 

Taking a crawl-walk-run approach can help with controls automation and digitization, in particular. For example:

Technology is Just One Piece of the Puzzle

According to the Deloitte poll referenced earlier, more than 3/4 of respondents (78 percent) say their organizations plan to strengthen resilience for their internal controls in the coming year. That’s great news, and technology has an important role to play.

But technology is not the only driver of the FoC—which also combines skilled people and processes to foster resilience. With a multi-pronged approach—mixing human intelligence with artificial intelligence, technology, and digital processes and controls—organizations can satisfy their risk appetites and maximize their controls investments.

The time is now to embrace the Future of Controls—backing up out of the garage (with the door indubitably closed!) and leaving knowledge gaps and inefficiencies in the rear-view mirror.