Angsuman Dutta and Dan Dopp
Organizations are information-driven and operate in an interconnected economy. With increasing automation of critical business processes, information has become the lifeblood of any business.
In the past, organizations were able to manually verify and audit the accuracy, consistency and reliability of the information they used and exchanged due to low-volume and relatively stable monolithic, mainframe-based information processing environments. With the advent of distributed technology and the adoption of a service-oriented architecture (SOA), data volume and compliance requirements have increased exponentially. The use of manual controls, or semiautomated or homegrown controls, has become costly, obsolete and simply not sustainable. A recent study by KPMG’s 404 Institute revealed the prevalence of manual controls in large organizations.¹ More than 50 percent of the companies (the total sample size was more than 1,000) reported that 80 percent of their key controls are manual. About 24 percent of the companies reported that 60 percent of their key controls are manual.
Standardized, independent and automated controls have become business necessities, rather than options. While the value of automated controls in reducing costs, mitigating risks, improving processes and streamlining compliance²,³,⁴,⁵ is unquestionable, organizations need to make investments to develop an infrastructure to support automated controls and to establish a culture of proactive information risk management.
With the exception of controls in a few progressive organizations, controls in most organizations are compliance-driven and often implemented following a risk event. In the absence of any recent, glaring information-error event, control automation projects take a backseat and compete among many organizational priorities. However, the situation changes when executives can establish a strong business case that articulates short- and long-term value propositions of automated controls. The case for automated controls becomes even stronger when presented with appropriate financial metrics such as net present value (NPV), return on investment (ROI) and payback period.
This article establishes the key concepts that can be used as the building blocks of an ROI model. A typical ROI model has two components: time evolution of benefits (the expected benefits of automated controls over time) and time evolution of costs (the initial cost of deployment and recurring costs of operation and maintenance).
Internal controls are automated for several reasons: cost reduction, risk reduction, efficiency gains and transparency. The following examples⁶ showcase how some leading companies use automated manual controls to achieve a positive ROI:
Typically, areas in which information exists in electronic format are prime candidates for control automation.
The benefits of automated controls fit broadly in two categories: quantitative and qualitative. While the quantitative benefits make the most powerful argument in a business case, the value of the qualitative benefits should not be ignored. Figure 1 depicts the four dimensions of benefits, which were developed based on a literature review⁷,⁸,⁹,¹⁰ and the authors’ experience in assisting Fortune 500 organizations in developing a business case for automated controls.
The four dimensions of benefits are:
Once all dimensions of the benefits of automated controls are analyzed, the benefits need to be quantified using a template similar to what is shown in figure 2. Financial numbers presented in this template are representative of the estimations made by a leading Nordic bank to automate more than 5,000 internal controls in its technology, operation and financial processes.
Accurate and complete estimations of the costs associated with controls are as important as the estimated benefits in developing a reliable business case. Each element of the cost should be evaluated. Care should be taken in estimating both one-time and recurring costs. Critical cost components that need to be considered include:
Once all dimensions of the costs are analyzed, the costs of automated controls must be quantified using a template like the one shown in figure 3.
The cost-benefit analysis estimated earlier needs to be presented using appropriate financial models. Most organizations are interested in the following financial information:
To estimate the previously mentioned key indicators, one should build a 10-year cash-flow statement that captures the benefit and cost of automated controls. In figure 4, it was assumed that the organization started realizing the benefits of automation from the third quarter of the second year.
Assuming a 3 percent inflation rate and 10 percent cost of capital, one can use figure 4 to estimate the following key financial indicators:
In addition to the ROI, it is important to capture the key nonfinancial values:
With the accelerating changes in the source systems that support business needs, increasing reliance on information for critical business operation and decisions, and an expanding (and ever-changing) array of regulations and compliance requirements, the use of automated controls is no longer an option. It is the only way to ensure information accuracy across the enterprise. To develop a compelling business case, organizations should take the following steps:
1 404 Institute, Maintaining Your Control Environment in Turbulent Times, Fifth Annual Benchmark Study, KPMG LLP, USA, 2009
2 Whitehouse, Tammy; “The Next Goal in SOX Compliance: Automation,” Compliance Week, 1 April 2008
3 Miller, Danny; Automated Controls Strategy, Implementation & Practical Examples, Grant Thornton LLP, USA, 2008
4 Ronald, Holly; “Operational Excellence through Internal Controls,” Financial Executive, 1 November 2007, www.allbusiness.com/company-activities-management/management-risk-management/5844373-1.html
5 Scott, Mitchell; “Automated Controls And Risk Management,” Compliance Week, 27 March 2007
6 These examples are taken from the authors’ experiences in the field.
7 Op cit, Whitehouse
8 Op cit, Miller
9 Op cit, Ronald
10 Op cit, Scott
Angsuman Dutta is the unit leader of the marketing and customer acquisition support teams at Infogix. Since 2001, he has assisted numerous industry-leading enterprises in their implementation of automated controls by providing assessment, advisory, implementation and support services.
Dan Dopp joined Infogix in 1998 and is responsible for the North American Expansion Initiative. He is a group leader and continues to support the Customer Development Unit responsible for establishing and maintaining relationships with Infogix’s European customers. Previously, Dopp held positions at Zurich American Insurance, SunGuard Investment Systems and Northern Trust Co.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.