Few would disagree that financial services is one

Transcription

1 Enterprise Risk Management and Controls-Monitoring Automation Can Reduce Compliance Costs By Mark Nelson and James Ambrosini A framework to reduce risk and compliance costs. Few would disagree that financial services is one of the most heavily regulated and risk-conscious industries. Banks and other financial institutions must continually enhance their risk management strategies to keep up with the changing landscape brought about by new technologies, financial products and global strategies. A decade ago, most financial services firms risk management activities were limited to market and credit risk in an attempt to minimize financial loss caused by market fluctuations or poor lending. Today, with a plethora of new regulations and customer demands, d banks must account for other multidimensional facets of fri risk, including those related to privacy, information on technology, og reputation and operations. How does a company sift through the details and focus on the risks most important to oit?fo For that purpose, banks should use an enterprise risk management (ERM) approach along with a controls automation solution. What Is ERM? First, let us explain what ERM is not. It is not a tool; it is not a onetime project; and, most of all, it is not an end state. ERM is a framework supported by various tools and methods that helps organizations answer questions such as, What are my biggest risks? and How do I manage these risks to get them to a level suitable for my business? The Committee of Sponsoring Organizations of the Treadway Commission (COSO) gives the following definition of ERM 1 : Enterprise risk management is a process, effected by an entity s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. COSO elaborates on this definition by stating that ERM is a process with the following characteristics: Ongoing and flowing through an entity Effected by people at every level of an organization Applied in strategy setting Applied across the enterprise, at every level and unit, and includes taking an entity-level, portfolio view of risk Able to provide reasonable assurance to an entity s management and board of directors Designed nedto identify potential events that, if they ont s automation so ution. De occur, will affect the entity and to manage risk within its risk appetite Geared to achievement of objectives in one or more separate but overlapping categories ERM Components According to the COSO framework, 2 which is becoming a de facto standard in ERM frameworks, ERM consists of eight interrelated components: Internal environment. The internal environment encompasses the tone at the top or controls con- Mark Nelson is Managing Director at Protiviti, New York, New York. Contact him at mark.nelson@protiviti.com. James Ambrosini is Associate Director at Protiviti, New York, New York. Contact him at james.ambrosini@protiviti.com. FEBRUARY MARCH 2007 BANK ACCOUNTING & FINANCE 25

2 sciousness and sets the basis for how risk is viewed and addressed by an entity s people, ethical values and the environment in which they operate. Objective setting. Objectives must exist before management can identify potential events affecting their achievement. Further, these are aligned with the organization s risk tolerance. Event identification. Internal and external events that could affect the achievement of an entity s objectives must be identified and reported to management. Risk assessment. Risks are analyzed, and their likelihood and impact are evaluated, to determine how they should be managed. Risks are assessed on an inherent and a residual basis (that is, before and after considering any threat mitigation efforts or controls). Risk response. Management determines how to handle the risks (accept, avoid, reduce or share them) and develops a set of actions to align risks with the entity s risk tolerances. Control activities. Policies and procedures are established and implemented to help ensure the risk responses are applied effectively. Information and communication. Relevant information on is identified, captured and communicated din a form and time frame that enable people e to carry out their responsibilities. Effective communication mu also occurs in a broader sense, flowing down, across and up the entity. Monitoring. The entirety of ERM is monitored and modifications are made as necessary. Monitoring ing is accomplished through ongoing management ent activities, separate evaluations or both. Organizations usually perform well in most of these categories, at one time or another. The key is to integrate them holistically across the enterprise, specifically among their strategic, operational, financial reporting and compliance-related functions. It is important to note that not all of these components will apply equally in all institutions due to variations in size. For example, smaller banks or financial institutions have a significantly different risk landscape than larger ones. Thus, these principles of ERM should be applied and tailored for a custom fit. In addition, there is no single aspect of ERM that is more important than another. There is one key element where companies continually struggle: monitoring. Monitoring is the glue that holds the ERM framework together. In an information-rich society, where we continually monitor data such as market swings, expenses and financial information, etc., the importance of monitoring should come as no surprise. Without effective monitoring, all the best-laid ERM plans are for naught because the quality, amount and speed of required information will be compromised. Technology to Monitor Controls and Reduce Compliance Costs The Sarbanes-Oxley Act of 2002 ( SOX ) provides a good example to illustrate how companies can make better use of compliance and controls-related information. Each year, organizations have spent millions of dollars and tens of thousands of hours to complete the documentation, testing and reporting required by SOX. In retrospect, many organizations faced two very common issues: 1. Documenting Too Many Controls When SOX compliance was in its infancy, no one was certain how many documented controls were too few, too many or the right amount. Preferring to err on the side of caution, most companies documented every control they could find. 2. Documenting Mostly Manual a Controls SOX teams often lacked application experts with a detailed understanding of the embedded system-based controls (often called configurable controls). Therefore, they mostly documented manual controls. The effect of these errors is that companies performed very extensive and largely manual testing. These testing projects occur quarterly and annually for the 302 and 404 certifications required of SOX. Often, this costly work is not adding value or improving the internal control environment. Most companies seasoned in SOX compliance are beginning to change their approaches. Rather than approach SOX compliance as a project, they see the advantages of treating it as an ongoing process. Taking a process-based approach to SOX compliance helps companies maintain strong internal control over financial reporting and saves money in the 26 BANK ACCOUNTING & FINANCE FEBRUARY MARCH 2007

3 long term. To accomplish this, the proper use of technological tools is key in creating an effective and sustainable transition from project to process. Automating and Optimizing Controls Technology plays a significant role in moving SOX compliance and ERM in general from a project to an ongoing, sustainable process. Manual controls are more prone to failure than automated controls. They are detective rather than preventive, identifying problems only after they have occurred, and they are ad hoc, meaning only a portion of all transactions is evaluated and tested. Optimized automated controls are system based, preventive and managed. These features allow companies to engage in more self-assessment, entitylevel and process-level monitoring and automated testing. In addition, automated testing more accurately covers a larger universe than manual testing. A manual control test is based on a selected sample size of typically 10 to 30 transactions; automated controls ols testing is performed on the full universe of transactions. ti Because of this larger number of transactions, ns, there is inherently ntly greater assurance provided by automated te controls testing. The role of technology in regulatory ry compliance can nbe ebro broken down into two parallel tracks: (1) automation of the internal control environment and (2) automation of the compliance process. By automating the control environment and compliance process, companies are able to test and review controls throughout the year, providing the documentation and reporting materials needed to more easily comply with quarterly and annual reporting requirements. In many instances, companies do not need to purchase expensive new technology tools. Many companies can make significant advances by making better use of the applications and tools they already have. The result is improved sustainability, lower costs and greater value to the internal control environment and compliance process. Enterprise Resource Planning (ERP) companies and other technology vendors recognize the benefits they can provide to the control environment and compliance process. As a result, they have been improving their products in an evolutionary way. Continuous Controls Monitoring to Support ERM The highest levels of compliance technology provide continuous control monitoring and improvement and support ERM (Exhibit 1). With continuous control monitoring, companies achieve preemptive segregation of duties ( SOD ), conflict analysis, real-time transaction exception monitoring and master data and configuration change alerts. These features keep management on top of and, often, ahead of changes to their control environment. They can immediately detect problems or often anticipate and avoid them. With ERM, companies have the ability to integrate compliance frameworks, tools and data. They gain the benefits of proactive risk identification and evaluation. Employees gain portal access to individual risk management information. To achieve sustained value from application controls, organizations must first attain a high level of process maturity. Process maturity implies a high degree of control automation, control reliability and preventive versus detective controls. This entails properly configuring controls for the control universe, assessing existing controls, identifying gaps and opportunities and implementing necessary control and process changes. SOD issues must also be addressed, including the design and acquisition of rule sets, assessment of existing roles and assignments, nts identification ication and mitigation of potential tial gaps, redesign of roles where necessary and reprovisioning user access rights. Once the process maturity is achieved, SOX compliance costs become more predictable. They are also lower than the expected costs of a manually driven project approach. This decrease in cost occurs because most of the controls testing, monitoring and documentation are automated and woven into business processes. The move from manual processes to control automation requires an investment in people, tools and time. Once automated controls and SOD are in place, however, organizations can actively maintain the environment. It is this active maintenance that ensures compliance becomes an ongoing process rather than a stand-alone project. FEBRUARY MARCH 2007 BANK ACCOUNTING & FINANCE 27

4 Active Maintenance Is Essential Active maintenance is critical. Without active maintenance, companies with a strong automated control environment can eventually fall back into the project mode of compliance. This happens over time as a result of employee turnover, poor change management and other factors that decrease the effectiveness of the control environment. Eventually, the organization reaches a point where it must engage in another expensive project to bring the control environment back to a high level of effectiveness. Along with active maintenance, continuous monitoring and automated testing enable organizations Exhibit 1. Development of Compliance Technology Sophistication of Compliance Technology High Low Enterprise Risk Management Enterprise Risk Management Continuous Control Monitoring & and Improvement Control& and Assessment en Automation Autom Autom ation of of Certification Process Document Inte Interna l Controls Time to Implement The basic level of technology enables the documentation of internal controls. The next level builds on that to automate the compliance process, providing features such as control owner updates, quarterly certifications, control self-assessment and routine risk assessment. Control and assessment automation enables organizations to move from manual to systemic and from detective to preventive controls. Automation at this level also provides improved system-enforced SOD, automated assessment of SOD transaction analysis and configurable control testing. Continuous controls monitoring allows real-time and proactive monitoring of an organization s transactions and application controls. With ERM, companies tailor their monitoring initiatives to specific areas of risk and integrate various tools and frameworks. to stay on top of employee turnover, quickly address SOD issues and address changes in the environment to keep the technological tools current. Continuous controls monitoring is a rapidly growing market with solutions from ERP leaders SAP and Oracle, as well as niche vendors Applimation, Approva and Logical Apps. For example, a midsize bank in the Southeast selected Oracle s Internal Controls Manager (ICM) software to automate its SOD processes. Previously, the bank was using internally developed scripts to test for security violations only when the auditors were working onsite. With the implementation of Oracle s solution, it added a level of continuous automation to check and prevent SOD violations when changes to new or existing users are performed. Automated tools are key to helping organizations ensure active maintenance of their control environment so that controls are operating for the entire period, not just at testing time. A story about a Protiviti SOX client illustrates the effectiveness of these tools. Company A had been through nearly two years of SOX compliance when Protiviti was asked to evaluate its compliance program and look for improvement opportunities. ortu ies Through h an assessment ssm of the company s high-risk control areas, we identified four categories of issues: 1. Forty controls matched to the automated assessment and tested without exception. The potential for improvement here resided in the ability to replace manual testing with automated testing. 2. Sixty-nine controls matched but tested with exception. This means that Company A was improperly relying on these 69 controls. Potential for 28 BANK ACCOUNTING & FINANCE FEBRUARY MARCH 2007

5 improvement included enhancing security and configurable controls and automating testing to achieve efficient and replicable results. 3. Ninety-eight controls were turned on but were not mentioned in the control documentation. As a result, the company was missing opportunities to place more reliance on these controls and reduce manual testing. 4. One hundred and forty-five controls that could have been implemented were not. They were not identified in the documentation and tested with exception. At the completion of the analysis, there were: one hundred and nine already identified application controls that could be tested more efficiently, including the 69 that tested with exception; two hundred and forty-three application controls that could be used to replace manual controls; and two hundred and fourteen potential security/ configuration issues. Based on these findings, it s likely that the company s prior-year testing and conclusions may have been wrong due to the inherent limitations of manual testing of sophisticated applications. This example is typical of most organizations, an overreliance on manual al control of activities. Af further argument for using automated tools to transition tion from mp project to process is the stance of the external audit firms. They appear pe to be preparing to deploy sophisticated stic application ation analysis alysis tools for future audits and Section 404 assessments. By automating controls where possible and shifting the focus away from detailed application plicat testing and on to the tools and rule sets used to monitor the applications, time and effort can be saved, with the reliability of results greatly enhanced. The need for active maintenance cannot be overemphasized. Without a process to maintain and monitor the control environment, it will weaken over time, forcing companies to spend significant resources to bring it back up to a high level of efficiency. Maintenance ensures SOX compliance remains a process that can be predictably and reliably managed. Which Controls to Automate? Moving a control structure and the associated testing toward a reliance on automated controls takes time. It will require input from a variety of internal business constituents and at least some technology investments. In this regard, organizations should begin by examining the sources of evidence supporting management s conclusion as to the operating effectiveness of internal control over financial reporting. This examination ordinarily should drive efforts to start rebalancing the automated controls portfolio (Exhibit 2). The effort begins with a fresh look at the organization s current key controls, with an eye toward several factors. We have found control automation efforts to be most successful in yielding value-added benefits when they are: applied through an integrated solution (for example, ERP) because the improvements have a multiplier effect across common processes; used to replace manual controls that are particularly expensive to operate and test; used in risk areas that have the most impact on reports and performance if the controls fail; employed in areas of heightened external audit sensitivity, such as SOD, and areas of concern to the audit firms; directed toward current practices that are more prone to error and breakdowns; and operated in association with procedures that are repetitive and require little judgment or human intervention. Applying the factors above to manual or poorly automated controls can help rank management s options for automating or optimizing controls. Prerequisites to relying on automated controls include sound program and configuration change management controls, as well as strong security controls. If either of these general controls is weak, automated a controls ols are vulnerable to circumvention by management men and other personnel. In addition, the compliance team would be unable to prove conclusively that the automated controls remained intact through year-end. It should be noted that automation is not appropriate for all situations. As always, there should be an evaluation of the holistic cost of change against the value of future savings and increased quality and effectiveness of the internal controls structure. Where Should Financial Institutions Focus? We believe there are several key areas where financial institutions should apply their ERM and controlsmonitoring activities. This is based on our experience FEBRUARY MARCH 2007 BANK ACCOUNTING & FINANCE 29

6 within this industry, as well as discussions with our banking clients and regulators: Operational risk. Most financial institutions are quite familiar with this risk dimension because this is a frequent hot spot of regulators and SOX auditors. Financial institutions should use a risk-based approach to implementing and testing internal controls. For example, we have seen increased scrutiny over loan processing and wire transfer functions, so it would make sense for organizations to consider strengthening and automating controls in these areas. Information security. The advent of the Web and e-banking has enabled customers to conduct their banking activities from their home computer and manage their own accounts. While this has been a significant benefit to both banks and customers, the downside is that critical data could become compromised. It is no longer enough to merely have strong passwords and encrypt transactions. Financial institutions must be proactive and employ the latest tools and techniques to thwart the would-be information assailants. Customers expect a certain level of security and privacy; compromising this could severely damage a company s reputation. Credit risk. It is not uncommon for financial institutions to monitor credit risk at the transaction level rather than have a broad picture of the total portfolio risk, which requires more sophisticated tools and processes. In addition, geographic diversity of lending may be beneficial, but it also requires more real-time information about emerging conditions in those markets. Exhibit 2. Rebalancing the Automated Controls Portfolio Controls That Are Not Optimized Manual Detective Ad hoc Automated Controls Manual Controls Automated Automated Controls Controls Manual Controls Optimized Controls System-based Preventive Managed Sustainability Optimizing controls through continuous controls monitoring reduces the need for large amounts of manual testing. As a result, an organization s overall compliance cost is reduced and its controls sustainability is increased. Using Technology to Minimize Risk In today s complex financial services arena, all organizations need, and are required to have, sound risk management techniques. An ERM approach coupled with the efficient use of technology and monitoring could aid financial institutions in achieving their goals while minimizing risk. The exact process by ywhich h these initiatives are addressed ed should differ with an organization s size, risk appetite and overall goals. Endnotes 1 Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Framework, Executive Summary, Id. This article is reprinted with the publisher s permission from Bank Accounting & Finance, a bimonthly journal published by CCH, a Wolters Kluwer business. Copying or distribution without the publisher s permission is prohibited. To subscribe to Bank Accounting & Finance or other CCH Journals please call or visit All views expressed in the articles and columns are those of the author and not necessarily those of CCH or any other person. 30 BANK ACCOUNTING & FINANCE FEBRUARY MARCH 2007