Are you in control of your internal controls?
Internal controls may not be the most glamorous aspect of corporate operations. But they are extremely important, forming the bedrock of trust in organisations held by shareholders, stakeholders and regulators.
They comprise the policies, procedures, systems and processes designed to support effective business outcomes, and ensure both operational efficiency and compliance with laws and regulations.
But a KPMG survey suggests much needs to be done in many organisations to get those controls up to scratch.
We recently polled nearly 300 financial risk managers, accountants, internal auditors and compliance managers from 100 organisations in the listed, private and public sectors, across a range of industries.
The poll found while many businesses are undergoing major change or structural transformation, their internal controls have not kept pace. Many companies’ internal controls are patchy, undocumented, not automated and lacking clear ownership.
Automation of controls, a key driver to improvement, has not started in nearly half of organisations surveyed.
The poll found:
- More than a third described their internal controls as either ’basic’ or ‘rudimentary’.
- More than two-thirds said it was not clear, or only partly clear, who was responsible for overall controls standards.
- 85 percent said controls were not, or only partly, documented.
- In terms of controls automation, 47 percent said the process had not yet started, and 53 percent said semi-automated but more needed to be done.
The results showed despite a lot of discussion in the market over the last 2-3 years about controls transformation, standardisation, and digitisation, in many cases this has not yet led to practical action.
This needs to change if organisations are, for example, embarking on major ERP implementations or undergoing structural transformation then internal controls need to develop in line with that business change.
The COVID era has also put more pressure on operating models and controls – some processes are harder to carry out virtually.
There are some examples of companies have already advanced to a system of Artificial Intelligence-enabled controls, but many others still urgently need to start the automation process.
We would advise these organisations to start by identifying where the current pain points are experienced by the business, especially those that are manually labour intensive – such as collating data from multiple sources, and manual reconciliations – or known control points of failure. These are potential target areas where businesses can start to assess the feasibility of automating controls.
Cost, unsurprisingly, is often behind organisations’ reluctance to transform their internal controls systems. But the risk is one of false economy.
When assessing the costs of control, traditionally the focus has been on direct costs such as costs of execution or annual testing. But recent benchmarking by KPMG estimates those costs to be between $2,000-$3,000 per control each time it is performed.
There are also ‘hidden costs’ such as management review costs, correction of errors or remediation of control failures, and fraud risk. With some organisations operating hundreds of controls, costs can quickly add up to millions of dollars. We believe this creates a clear case for control standardisation, digitisation and automation, as long-term efficiency benefits by far outweigh transformation costs.
And there may be another push factor. One of the recommendations in the recent report from the Joint Parliamentary Inquiry into the Regulation of Auditing in Australia was that companies should be required to establish and maintain an internal controls framework for financial reporting.
Under this proposal – which some have described as a ‘Sarbanes-Oxley-lite’ system for corporate Australia – management would have to evaluate and report annually on the effectiveness of that framework, and external auditors would then report on management’s assessment.
Whether or not this proposal is taken forward, it seems clear there will be more focus on controls. Our survey suggests there is much to be done.