Compliance for Compliance’s Sake? 


Many businesses consider compliance a cost of doing business, rather than an opportunity to implement operational excellence with effective automated internal controls. When the right automated internal controls are implemented, compliance is no longer a costly burden. What a business does to comply adds tremendous value, offsetting the cost of compliance.

Imagine it is the third quarter and the IT staff is preparing to roll a new enterprise resource planning (ERP) system into production to replace an out-of-date homegrown legacy system. As an online retailer, the goal has been to aggressively push the implementation deadlines with consultants to ensure operations are up and running prior to the holiday shopping season. To the delight of many, the implementation goes off without any major incidents: the manual fixes in the accounting system worked and the company sails through the holiday shopping season with ease. Five-and-a-half years later, an accounting error in the customer refunds system is discovered, proving that not all customer return codes in the new system have been recorded and that shipping revenue for canceled orders has not been reversed out. Now, an embarrassing letter to shareholders explaining what caused the five-and-a-half-year earnings restatement and the 1.7 percent reduction in revenue is required.1

Where were the internal controls that could have detected and prevented this error from going unnoticed and causing so much damage?

Compliance Failure—The Fallout

Despite their best efforts to prevent system, process or human errors that result in restating financial reports or overcharging customer accounts, companies continue to experience the fallout of deficient internal controls. For example, more than 8,000 Macy’s customers were debited up to three times for a single transaction during a recent holiday season. According to the retailer, a computer glitch in its payment processing systems caused the error. Macy’s soon discovered it was an internal problem, and not an external problem as originally announced.2

Many companies, in fact, are seeing a continued stream of information errors that have gone undetected for periods of time and result in embarrassing headlines. Software giant Microsoft, for instance, discovered that a payroll error caused the overpayment of a number of recently terminated employees by an average of US $4,500 each. After initially sending letters requesting repayment within 14 business days, Microsoft retracted the request after a flurry of worldwide news headlines. It was also discovered during that time that another error caused Microsoft to underpay severance packages for a number of others.3 Once discovered, these errors required additional effort by way of implementing additional manual controls and creating accounting spreadsheets to clean up information errors. In addition, auditors’ jobs are made more difficult as they are required to look more closely at business processes, and internal controls are seen as deficient.

What Options Are Available?

Since the US Sarbanes-Oxley Act was enacted in 2002, many companies have found Sarbanes-Oxley compliance too burdensome. Fulfilling Sarbanes-Oxley requirements is costly and time-consuming, often lacking immediate financial benefit for the company. In fact, companies that fail Sarbanes-Oxley compliance may suffer not only from hefty fines, embarrassing headlines and a tarnished brand; they are also at risk of having executives face prison terms of up to 20 years. As a result, many are moving their headquarters offshore to escape the jurisdiction of compliance and the consequences of failed compliance. Companies would rather relocate than comply with Sarbanes-Oxley.4 It is no wonder most companies perceive compliance not as a value-added activity but simply as a cost of doing business. Compliance is viewed as a mandatory requirement, not as an opportunity to proactively implement operational excellence.

These opportunities are missed when external auditors are consulted only to identify what companies need in order to prove compliance. This “phoning it in” method of operating results in extended auditing and consulting hours. As a result, businesses’ audit costs continue to rise, and there is a greater possibility of continued, unchecked information errors.

Internal controls implemented merely as a hedge against the cost of information errors are not a viable option. Manual processes that once worked can no longer keep up with the volume, pace and complexity of information.

Current methods of finding information errors are costly. A large staff of auditors may find the errors, but not in time to prevent them from propagating downstream, resulting in unavoidable and potentially disastrous operational consequences. In fact, studies show that the top 15 financial firms in the US, which are collectively involved in 70 percent of investment markets, embed, on average, between US $83.3 million and $600 million in direct costs, losses and operational risk resulting from erroneous information.5

Automated Information Controls—A Viable Solution

Leading companies are pursuing a different strategy that will detect and prevent information errors from occurring, thereby saving the costs, embarrassment and headaches so frequently associated with these errors. These companies have recognized that their processes are information-intensive and have decided to automate the controls that ensure the integrity of that information. In these companies, automated information controls implemented in an enterprisewide controls environment add tremendous value. When a company creates and implements a set of automated information controls for basic compliance checks, the streamlined auditing process that results adds value by itself.

Additionally, these controls, when implemented accurately, detect and prevent information errors from occurring, providing the value of reliable information throughout the business processes, systems and applications. As a result, critical business decisions are based on accurate and reliable information through operational excellence. Businesses do things right the first time instead of going through the hassle, and sometimes embarrassing steps, of rework, reruns and restatements.

Automated information controls add tremendous value to a business because they ensure the integrity of critical information and processes, thereby saving money, enhancing efficiency, mitigating risk and streamlining the auditing process. Some examples6 of how automated information controls have helped businesses are:

  • Immediate return on investment (ROI) recognized by automating general ledger (GL) matching processes manually performed by 8-10 full-time employees, according to one leading investment services provider
  • Revenue assurance, service accuracy, and continuity by prevention and detection of more than US $190 million in GL discrepancies, according to one Fortune 200 retailer
  • Prevention of a US $32 million duplicate payment, according to a leading health insurer
  • Significant operational cost reduction by automating 95 percent of manual processes, according to a large credit union
  • Prevention of a US $57 million retail sales overstatement at a Fortune 200 retailer

Most companies that embark on an automated information controls journey do so with a specific business process in mind and a single team member or two piloting the effort. These team members train on the technology and author a few dozen controls, depending on the needs of the selected business process. This effort results in automated information controls for a specific system, while equipping the company with knowledge on costs, resource needs, skills and benefits for continuing to implement automated information controls for additional business systems.

Key Aspects of Automated Information Controls

To ensure that automated information controls actually streamline compliance and risk management, it is important to recognize the attributes that allow them to provide greater value than the alternatives available in the marketplace or via in-house development. Some of these attributes include:

  • Information controls must be continuous. Although the term “continuous” may seem like an obvious attribute for these controls, this term is not defined consistently by all software vendors. Many vendors, in fact, apply the term “continuous” to mean the control is run on a frequent and recurring scheduled basis, as opposed to running as often as the underlying information and processes dictate. In yesterday’s “batch process” world, frequent and recurring may have been sufficient. In today’s distributed processing world, a continuous control must always be available to validate information in real time.
  • The best information controls are independent from the applications, processes and systems that are being controlled. Conversely, embedded controls built into an application, process or system, by definition, cover a limited scope. These controls are subject to errors and failures of the specific system within which they are embedded (e.g., ERP systems, databases). For example, embedded controls will run only when the system in which they are embedded runs. Consequently, when that system fails, the controls embedded within it may also fail.
  • It is important that information controls provide full, verifiable audit trails of control execution data and results. By doing so, they speed up the diagnosis of detected errors and detail what went wrong, when it went wrong, which business rules were violated, the source data and the location where the error occurred. These verifiable controls streamline compliance by keeping an audit trail and providing documentation not just on the controls themselves, but on each control’s execution as well. Verifiable information controls enable people to diagnose and correct information errors more easily.
  • It is essential that information controls monitor business processes end to end, to validate critical business information that spans multiple processes, applications, databases and systems across the enterprise. Conversely, more limited-scope controls, such as account reconciliation controls, “see” only the information specific to the application where they are embedded. Therefore, these limited controls may not reconcile information as it travels across a series of applications, systems and business units.
  • Successful information controls must be automated. Gone are the days of taking a sample set of accounts or transactions to manually verify the integrity of information. Automated information controls automatically validate all instances of controlled information and inspect every transaction, resulting in 100 percent validation of the information without human intervention. They perform control checks as the information is generated or updated, and detect errors before they propagate downstream and cause more damage.
  • Additionally, ad hoc automated controls may appear to be the most immediate quick fix; however, they are typically composed of hacked-together programs and scripts. A set of ad hoc controls is usually anything but standardized. The time and resources required to train auditors and to maintain ad hoc controls and processes across multiple systems, each with its own access requirements, are ineffective and costly, and they do not fundamentally improve the cost-benefit equation for automated control ownership. Imagine the IT effort required to keep a significant set of ad hoc controls in sync with changing business needs and regulations.
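As an added illustration (not code from the article, from Infogix or from any vendor), the following Python control reconciles constructed extracts from an order system, the general ledger and a payment processor. It applies the attributes above: it runs independently of the systems it checks, covers the whole population rather than a sample, spans systems end to end, and writes a verifiable audit-trail entry (rule, source, key, detail, time) for every violation. The two rules mirror the unreversed shipping revenue on canceled orders and the duplicate card debits described earlier; the record layouts, rule names and sample values are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample extracts (not real data) from three separate systems.
ORDERS = [("O-1001", "shipped", 5.00), ("O-1002", "cancelled", 7.50),
          ("O-1003", "cancelled", 4.00)]            # (order, status, shipping)
GL_POSTINGS = [("O-1001", 5.00), ("O-1002", 7.50), ("O-1002", -7.50),
               ("O-1003", 4.00)]                    # (order, shipping revenue)
CARD_DEBITS = [("O-1001", "tok_a", 25.00), ("O-1001", "tok_a", 25.00),
               ("O-1002", "tok_b", 40.00)]          # (order, card token, amount)


def entry(rule, source, key, detail):
    """One audit-trail record: which rule, which systems, which record, what
    was wrong and when the control found it (assumed layout)."""
    return {"rule": rule, "source": source, "key": key, "detail": detail,
            "at": datetime.now(timezone.utc).isoformat()}


def check_cancelled_shipping(orders, postings):
    """End-to-end rule spanning orders and GL: a cancelled order's shipping
    revenue must net to zero, i.e. the original posting must be reversed."""
    net = defaultdict(float)
    for order, amount in postings:
        net[order] += amount
    return [entry("CANCEL_SHIP_REVERSED", "orders+gl", order,
                  f"cancelled, GL shipping revenue nets to {net[order]:.2f}")
            for order, status, _ in orders
            if status == "cancelled" and abs(net[order]) > 0.005]


def check_duplicate_debits(debits):
    """Rule on the payment extract: the same card must not be debited the
    same amount more than once for a single order."""
    counts = Counter(debits)
    return [entry("DUPLICATE_DEBIT", "payments", order,
                  f"card {card} debited {amount:.2f} x{n}")
            for (order, card, amount), n in counts.items() if n > 1]


def run_controls():
    """Runs every rule over the full population (no sampling) and returns
    the combined audit trail; an empty list means no violations."""
    return (check_cancelled_shipping(ORDERS, GL_POSTINGS)
            + check_duplicate_debits(CARD_DEBITS))


if __name__ == "__main__":
    for record in run_controls():
        print(record)
```

In production the extracts would be pulled on each update of the source systems rather than embedded, and the trail persisted where auditors can verify each execution.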

Conclusion

Regulatory compliance does not have to be painful and costly for businesses. With the proper information controls that are automated, independent, continuous, verifiable and end-to-end, compliance can be viewed as an added value to a business. Compliance is streamlined, risk is mitigated, efficiency is enhanced, and external audit costs are reduced. Automated internal controls can detect and prevent information errors from going unnoticed and causing damage. Transactions are no longer duplicated, payroll is accurate, compliance is streamlined, reports are reliable, and leadership has confidence in the integrity of business processes and information.

Endnotes

1 Kanaracus, Chris; “Update: Overstock.com Restates Earnings, Cites ERP Implementation,” ComputerWorld, 27 October 2008, www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9118205
2 Schuman, Evan; Fred J. Aun; “Duplicate Debit Debacle Hits Best Buy, Macy’s. Who’s Next?,” 18 March 2009, www.storefrontbacktalk.com/securityfraud/duplicatedebit-debacle-hits-best-buy-macys-whos-next
3 Kincaid, Jason; “Oops: Microsoft Asks Some Laid Off Workers to Send Back Part of Their Severance (Updated),” 21 February 2009
4 Morici, Peter; “Smash Sarbanes-Oxley Law,” Global Politician, 16 June 2006, www.globalpolitician.com/21867-america-economics
5 Grody, Allan D.; Fotios C. Harmantzis; Gregory J. Kaple; “Operational Risk and Reference Data: Exploring Costs, Capital Requirements and Risk Mitigation,” Journal of Operational Risk, February 2007 (revised)
6 All of the stated examples are based on Infogix customer testimony and identities cannot be disclosed due to contractual confidentiality.

Dan Sollis
is group leader of business development at Infogix. Sollis supports business development activities including marketing and strategic partnerships. Previously, he served as senior vice president for Sanchez Computer Associates and general manager for Digital Equipment of Canada.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.


© 2010 ISACA. All rights reserved.
