A Framework for Estimating ROI of Automated Internal Controls 


Organizations are information-driven and operate in an interconnected economy. With increasing automation of critical business processes, information has become the lifeblood of any business.

In the past, organizations were able to manually verify and audit the accuracy, consistency and reliability of the information they used and exchanged due to low-volume and relatively stable monolithic, mainframe-based information processing environments. With the advent of distributed technology and the adoption of a service-oriented architecture (SOA), data volume and compliance requirements have increased exponentially. The use of manual controls, or semiautomated or homegrown controls, has become costly, obsolete and simply not sustainable. A recent study by KPMG’s 404 Institute revealed the prevalence of manual controls in large organizations.[1] More than 50 percent of the companies (the total sample size was more than 1,000) reported that 80 percent of their key controls are manual. About 24 percent of the companies reported that 60 percent of their key controls are manual.

Standardized, independent and automated controls have become business necessities, rather than options. While the value of automated controls in reducing costs, mitigating risks, improving processes and streamlining compliance[2, 3, 4, 5] is unquestionable, organizations need to make investments to develop an infrastructure to support automated controls and to establish a culture of proactive information risk management.

With the exception of controls in a few progressive organizations, controls in most organizations are compliance-driven and often implemented following a risk event. In the absence of any recent, glaring information-error event, control automation projects take a backseat and compete among many organizational priorities. However, the situation changes when executives can establish a strong business case that articulates short- and long-term value propositions of automated controls. The case for automated controls becomes even stronger when presented with appropriate financial metrics such as net present value (NPV), return on investment (ROI) and payback period.

This article establishes the key concepts that can be used as the building blocks of an ROI model. A typical ROI model has two components: time evolution of benefits (the expected benefits of automated controls over time) and time evolution of costs (the initial cost of deployment and recurring costs of operation and maintenance).

Examples of Internal Control Automation

Internal controls are automated for several reasons: cost reduction, risk reduction, efficiency gains and transparency. The following examples[6] showcase how some leading companies have automated manual controls to achieve a positive ROI:

  • General ledger (GL) reconciliation—A regional bank has about 2,400 GL accounts that it reconciles with its subledger at the end of each month. Prior to automation, the bank had four full-time employees (FTEs) who used data extraction and an Excel-based, manual matching process to reconcile the accounts. In addition to the costs of FTEs, the bank experienced challenges closing its books on time. Typical month-end reconciliation activities took three days because of reliance on manual data capture and manual matching. An automated control solution was deployed to capture data automatically from the subledger and GL systems and to perform automated matching. As a result, the bank was able to reassign three of its resources to research mismatched transactions.
  • File monitoring—A credit card transaction processing company had a total of 12 FTEs monitoring the transmission of more than 600 settlement files to more than 400 financial institutions. The timely delivery of the settlement files is critical for the payment settlement process. Failure to deliver the files on time could result in hefty fines and customer dissatisfaction. This particular organization deployed an automated control solution to monitor the file transmission process against a predefined control list, which eliminated the need to manually watch the file transmission process. As a result of this control, the total number of required resources was reduced to three (one for each shift). In addition to FTE-related savings, this organization was able to save close to US $300,000 per year that it had previously incurred due to fines related to service level agreements (SLAs).
  • Duplicate payment detection—A health insurance company wanted to eliminate the risk of duplicate claims payments. Prior to control automation, the organization sampled 10 percent of its claims payable transactions to detect the presence of duplicates. By deploying an automated controls solution, this organization was able to examine each payable transaction against the current data set and the last 90 days paid transaction data to detect duplicates and fraudulent transactions. This organization was able to detect more than US $5 million in fraudulent transactions. Unlike manual sampling and the audit process, the automated control solution enabled implementation of complex logic to detect duplicate, split and fraudulent transactions.

Typically, areas in which information exists in electronic format are prime candidates for control automation.
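The duplicate payment control described above, as an added example that is not code from the article or from any vendor product. The matching key (payee plus claim ID), the split rule and all sample transactions are assumptions constructed for illustration; only the 90-day window comes from the text, and fraud scoring is not covered.

```python
from collections import defaultdict
from datetime import date, timedelta

LOOKBACK = timedelta(days=90)  # window stated in the article


def _key(txn):
    # Assumed matching key: payee and claim id, normalised for case and spacing.
    return (txn["payee"].strip().upper(), txn["claim"].strip().upper())


def check_batch(batch, paid_history, run_date):
    """Check every payable (not a sample) and return (txn_id, reason) findings."""
    cutoff = run_date - LOOKBACK
    paid = defaultdict(list)  # key -> amounts in cents paid inside the window
    for txn in paid_history:
        if cutoff <= txn["paid_on"] <= run_date:
            paid[_key(txn)].append(txn["cents"])

    findings, seen, batch_by_key = [], set(), defaultdict(list)
    for txn in batch:
        key = _key(txn)
        batch_by_key[key].append(txn)
        if txn["cents"] in paid[key]:
            findings.append((txn["id"], "duplicate of payment in last 90 days"))
        elif (key, txn["cents"]) in seen:
            findings.append((txn["id"], "duplicate within current batch"))
        seen.add((key, txn["cents"]))

    # Assumed split rule: several batch items for one claim that together
    # equal an amount already paid for that claim inside the window.
    flagged = {txn_id for txn_id, _ in findings}
    for key, items in batch_by_key.items():
        parts = [t for t in items if t["id"] not in flagged]
        if len(parts) > 1 and sum(t["cents"] for t in parts) in paid[key]:
            findings += [(t["id"], "split of payment in last 90 days") for t in parts]
    return findings


# Constructed sample data (not from the article).
RUN_DATE = date(2011, 3, 31)
HISTORY = [
    {"id": "P1", "payee": "Clinic A", "claim": "C-100", "cents": 125000, "paid_on": date(2011, 2, 15)},
    {"id": "P2", "payee": "Clinic B", "claim": "C-200", "cents": 80000, "paid_on": date(2010, 12, 1)},
    {"id": "P3", "payee": "Clinic C", "claim": "C-300", "cents": 60000, "paid_on": date(2011, 3, 1)},
]
BATCH = [
    {"id": "T1", "payee": "clinic a ", "claim": "c-100", "cents": 125000},  # repeats P1
    {"id": "T2", "payee": "Clinic B", "claim": "C-200", "cents": 80000},    # P2 is older than 90 days
    {"id": "T3", "payee": "Clinic C", "claim": "C-300", "cents": 35000},    # T3 + T4 equal P3
    {"id": "T4", "payee": "Clinic C", "claim": "C-300", "cents": 25000},
    {"id": "T5", "payee": "Clinic D", "claim": "C-400", "cents": 10000},
    {"id": "T6", "payee": "Clinic D", "claim": "C-400", "cents": 10000},    # repeats T5
]

if __name__ == "__main__":
    for txn_id, reason in check_batch(BATCH, HISTORY, RUN_DATE):
        print(txn_id, reason)
```

T2 is not reported because its earlier payment falls outside the 90-day window, which shows how the choice of lookback period bounds what the control can detect.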

Estimating the Benefits of Automated Controls

The benefits of automated controls fit broadly in two categories: quantitative and qualitative. While the quantitative benefits make the most powerful argument in a business case, the value of the qualitative benefits should not be ignored. Figure 1 depicts the four dimensions of benefits, which were developed based on a literature review[7, 8, 9, 10] and the authors’ experience in assisting Fortune 500 organizations in developing a business case for automated controls.

Figure 1

The four dimensions of benefits are:

  1. Cost reduction—Cost reduction refers to all direct and indirect cost savings that are realized as a result of the control automation. At a minimum, the following three types of costs must be considered:
    • Cost of controls—Automated controls can reduce or eliminate the cost of existing manual controls. A typical reduction includes the number of resources needed to perform a required control activity. For example, in the file-monitoring example described previously, the credit card transaction processing company estimates a total savings of US $720,000 per year as a result of nine FTE reductions.
    • Cost of research—Organizations spend time and effort to research and resolve exceptions detected by controls. Automated controls preserve the complete audit trail and streamline the research-and-resolve process. For example, a property and casualty insurance company had engaged two resources to research and resolve issues identified through its general ledger reconciliation process. By automating the reconciliation process, this company was able to identify and isolate all mismatched transactions, resulting in a 50 percent reduction in its research and resolution effort.
    • Cost avoidance—The high cost of manual and internally built controls forces many organizations to accept risks. For example, organizations may resort to sampling-only techniques because verifying the entire data set is costly and time-consuming. Automated controls enable organizations to avoid the costs that they would otherwise incur if they chose to address the identified risks. For example, a wealth management financial organization used to engage five resources to validate the accuracy of its monthly statements produced for its high-net-worth customers. Prior to automation, this organization used to sample only 10 percent of the statements. With control automation, this organization was able not only to reduce the number of FTEs required for statement validation, but also to verify 100 percent of the statements.
  2. Risk reduction—Risk is defined as any event that can negatively impact the intended outcome, and is estimated as the product of the impact and the probability of the adverse event. Automated controls reduce information risk by reducing either the impact (by detecting an error early in the process) or the probability (by detecting errors). In addition to financial impacts, risks can adversely affect the reputation of the company in the long term. At a minimum, the following three types of risks must be considered:
    • Revenue risk—Organizations lose revenue due to information risks present in their revenue chain. Examples of such risks include missed billing and underbilling.
    • Cost risk—Organizations incur additional costs due to information errors in their core processes. Examples of such risks are duplicate payments and overpayments.
    • Reputational risk—Errors in information exchanged with customers, suppliers, business partners, regulators and the public result in loss of reputation and, in some cases, penalties. Examples include financial restatements and customer complaints.
  3. Compliance—Compliance costs continue to rise due to internal and external audits, changing regulation standards, a greater need for risk containment, and the need to ensure material accuracy in financial statements and other reporting. The cost of the audit and violations of SLAs are examples of the cost of compliance. Automated controls reduce the cost of compliance by reducing the cost of the control audit and testing, by reducing the penalties from compliance failure, and by providing better coverage to mitigate risks throughout the organization. At a minimum, the following three types of compliance-related costs must be considered:
    • Lower cost of audit—Automated controls are less costly to audit because appropriately designed automated controls are required to be tested only once during the testing period, compared to several times for manual controls. In addition, automated controls reduce the total time required for the audit because they provide a complete audit trail of control execution and resolutions when errors are detected. For example, prior to control automation, one health insurance company spent approximately 50 hours per year for testing each key US Sarbanes-Oxley Act control. Through automation, this organization was able to reduce the control testing time to less than 10 hours per year per control. Given that this organization has more than 200 Sarbanes-Oxley controls to support multiple lines of business in multiple states, it was able to save approximately 8,000 hours of control testing effort through control automation.
    • Reduction in penalties—Automated controls reduce the cost of penalties by detecting errors early and enabling organizations to take corrective actions. This type of savings was exemplified in the file monitoring example described previously.
    • Increased control effectiveness and coverage—Automated controls are more effective for risk mitigation because they are standardized and reusable, which provides a better coverage for mitigating risks throughout the organization. For example, most organizations do not focus on deploying controls in processes that are deemed to be low to medium risks because of the cost of the manual or internally developed controls. The low incremental cost of deploying automated controls in these processes enables organizations to mitigate these risks in an effective manner.
  4. Process improvement—Automated controls simplify and speed up processes by automating manual steps and manual validations. While the financial value of process improvements is difficult to quantify, their value in developing the business case should not be ignored. Expected process improvements need to be clearly articulated in the business case, and, as applicable, appropriate assumptions need to be made to estimate value. While considering process improvements, the following three types of improvements need to be taken into account:
    • Process cycle time—Automated controls drastically reduce the amount of time required for performing the control activity. In the GL reconciliation example described earlier, the bank was able to automate data capture and the data-matching process for its GL accounts. As a result, the total time for monthly reconciliation was reduced from three days to 10 minutes.
    • Complete validation and enterprise visibility—Automated controls increase stakeholder confidence by validating 100 percent of the transactions and by providing enterprise visibility into control actions. An auditor/business-process owner can go to one central monitoring portal to validate that the controls are running as designed. In cases in which control exceptions occurred, the auditor/business-process owner will see what went wrong, when it went wrong, who was alerted and how it was resolved.
    • Decision effectiveness—Accurate, trustworthy information with a complete audit trail provides better insight for making effective decisions.

Summarizing the Benefits of Automated Controls for ROI

Once all dimensions of the benefits of automated controls are analyzed, the benefits need to be quantified using a template similar to what is shown in figure 2. Financial numbers presented in this template are representative of the estimations made by a leading Nordic bank to automate more than 5,000 internal controls in its technology, operation and financial processes.

Figure 2

Estimating the Costs of Automated Controls

Accurate and complete estimations of the costs associated with controls are as important to a reliable business case as the estimated benefits. Each element of the cost should be evaluated, and care should be taken to estimate both one-time and recurring costs. Critical cost components that need to be considered include:

  • Cost of hardware and supporting software—Initial cost of hardware and supporting software. Not only are initial hardware costs a factor, but the costs for continued support and software updates need to be considered as well.
  • Cost of automated control software—Yearly license cost of the automated controls software
  • Cost of implementation—Cost of the initial implementation and ongoing maintenance
  • Cost of training—Cost of training resources for controls development and operation

Summarizing the Costs of Automated Controls for ROI

Once all dimensions of the costs are analyzed, the costs of automated controls must be quantified using a template like the one shown in figure 3.

Figure 3

Financial Model for Estimating the ROI

The cost-benefit analysis estimated earlier needs to be presented using appropriate financial models. Most organizations are interested in the following financial information:

  • Initial investment—Maximum amount of investment required to start seeing benefits
  • NPV—Net present value of all estimated future benefits
  • Break-even period—Time required for offsetting the project cost/investments
  • Internal rate of return—Average annual ROI earned through the life of the investment

To estimate the previously mentioned key indicators, one should build a 10-year cash-flow statement that captures the benefit and cost of automated controls. In figure 4, it was assumed that the organization started realizing the benefits of automation from the third quarter of the second year.

Assuming a 3 percent inflation rate and 10 percent cost of capital, one can use figure 4 to estimate the following key financial indicators:

  • Initial investment required: US $1,470,000
  • NPV: US $10 million
  • Break-even period: 30 months
  • Internal rate of return: 94 percent

Figure 4
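The four indicators above can be computed from a quarterly cash-flow statement as follows. This is an added example, not the authors' model: the input figures are constructed (figure 4's values are not reproduced here), flows are assumed to fall at the end of each quarter, and "initial investment" is taken to mean the deepest cumulative cash deficit.

```python
# Added example: inputs are constructed, not taken from the article's figure 4.

def build_cash_flows(one_time, annual_cost, annual_benefit, years=10,
                     inflation=0.03, benefit_start_quarter=7):
    """Quarterly net cash flows (benefit minus cost).

    Quarter 1 carries the one-time cost; recurring cost and benefit grow with
    inflation each year; benefits begin in quarter 7 (Q3 of year 2).
    """
    flows = []
    for q in range(1, years * 4 + 1):
        growth = (1 + inflation) ** ((q - 1) // 4)
        cost = annual_cost / 4 * growth + (one_time if q == 1 else 0.0)
        benefit = annual_benefit / 4 * growth if q >= benefit_start_quarter else 0.0
        flows.append(benefit - cost)
    return flows


def npv(flows, annual_rate, periods_per_year=4):
    """Present value of end-of-period flows at an annual discount rate."""
    r = (1 + annual_rate) ** (1 / periods_per_year) - 1
    return sum(cf / (1 + r) ** t for t, cf in enumerate(flows, start=1))


def peak_investment(flows):
    """Deepest cumulative deficit: the funding needed before benefits take over."""
    running, worst = 0.0, 0.0
    for cf in flows:
        running += cf
        worst = min(worst, running)
    return -worst


def break_even_months(flows, periods_per_year=4):
    """Months until cumulative undiscounted cash flow first reaches zero, or None."""
    running = 0.0
    for period, cf in enumerate(flows, start=1):
        running += cf
        if running >= 0:
            return period * 12 // periods_per_year
    return None


def irr(flows, periods_per_year=4, lo=0.0, hi=10.0):
    """Annual rate at which NPV is zero, by bisection; None if not bracketed."""
    if npv(flows, lo, periods_per_year) <= 0 or npv(flows, hi, periods_per_year) >= 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2
        if npv(flows, mid, periods_per_year) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    flows = build_cash_flows(one_time=1_000_000, annual_cost=300_000,
                             annual_benefit=1_500_000)  # constructed inputs
    print("peak investment:", round(peak_investment(flows)))
    print("NPV at 10%:", round(npv(flows, 0.10)))
    print("break-even (months):", break_even_months(flows))
    print("IRR:", round(irr(flows), 3))
```

Rerunning the functions with pessimistic and optimistic benefit estimates shows how sensitive the break-even period and IRR are to the benefit start date, which is usually the least certain input in the business case.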

Understanding Nonfinancial Values

In addition to the ROI, it is important to capture the key nonfinancial values:

  • Increased confidence in the financial information
  • Enterprisewide view of the controls and controls results
  • Enhanced information exception management process


With the accelerating changes in the source systems that support business needs, increasing reliance on information for critical business operation and decisions, and an expanding (and ever-changing) array of regulations and compliance requirements, the use of automated controls is no longer an option. It is the only way to ensure information accuracy across the enterprise. To develop a compelling business case, organizations should take the following steps:

  • Quantify the benefits of automated controls.
  • Articulate the intangible benefits of automated controls.
  • Quantify the costs of automated controls. Consider both one-time and recurring costs.
  • Develop a financial model to project the ROI.
  • Summarize key findings using a business case.
  • Present the business case to all key stakeholders.


[1] 404 Institute, Maintaining Your Control Environment in Turbulent Times, Fifth Annual Benchmark Study, KPMG LLP, USA, 2009
[2] Whitehouse, Tammy; “The Next Goal in SOX Compliance: Automation,” Compliance Week, 1 April 2008
[3] Miller, Danny; Automated Controls Strategy, Implementation & Practical Examples, Grant Thornton LLP, USA, 2008
[4] Ronald, Holly; “Operational Excellence through Internal Controls,” Financial Executive, 1 November 2007, www.allbusiness.com/company-activities-management/management-risk-management/5844373-1.html
[5] Scott, Mitchell; “Automated Controls And Risk Management,” Compliance Week, 27 March 2007
[6] These examples are taken from the authors’ experiences in the field.
[7] Op cit, Whitehouse
[8] Op cit, Miller
[9] Op cit, Ronald
[10] Op cit, Scott

Angsuman Dutta is the unit leader of the marketing and customer acquisition support teams at Infogix. Since 2001, he has assisted numerous industry-leading enterprises in their implementation of automated controls by providing assessment, advisory, implementation and support services.

Dan Dopp joined Infogix in 1998 and is responsible for the North American Expansion Initiative. He is a group leader and continues to support the Customer Development Unit responsible for establishing and maintaining relationships with Infogix’s European customers. Previously, Dopp held positions at Zurich American Insurance, SunGard Investment Systems and Northern Trust Co.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.