I was recently invited to speak on the topic of how Internal Controls has changed in the past 20 years at an event held by ISACA, the Information Systems Audit and Control Association. I thought this topic might make an interesting blog so here are my thoughts on how things have changed over that time...
Back in 1997, Tony Blair had just become Prime Minister, the UK was handing Hong Kong back to Chinese rule - and the ‘millennium bug’ was loitering on the horizon, apparently set to disrupt the world’s computing systems.
It may only seem like yesterday, but it’s fair to say a lot has changed for businesses in the two decades that have followed - and that’s certainly true in the internal controls function.
In the late nineties, most business systems were not yet external facing, so internal threats were the primary concern. Global ERP rollouts were in full swing, and this was all happening in a far less regulated environment than we have today, with the Sarbanes-Oxley act yet to take effect.
At this time risk-based auditing was emerging as a concept. Audit firms were forming more specialist teams to focus on application specific controls, whilst generally speaking, the idea of external auditors providing consulting services to clients was far more common than it is today.
Most significantly, the technology was different. Primarily, excel spreadsheets were being used to manage internal controls. Manual approvals and controls were in place, and detective and reporting controls were considered extremely weak, if they existed at all.
The challenges of the time were significant, but nothing in comparison to the complexities involved with managing internal controls today. Internal controls is now a much broader and more nuanced process to manage – and it’s set to get even more challenging in future.
Yet while the business environment has evolved significantly since 1997, the internal controls capability that exists in many organisations hasn’t moved at quite the same pace.
Fast-forward to 2017 - where are we today?
The Sarbanes-Oxley Act (SOX) of 2002 significantly increased the personal accountability of Directors for the state of Internal Controls in the businesses under their direction, making the process more formal and rigorous than ever before and setting a very different ‘tone at the top’. This has upped the pressure on those responsible for managing internal controls and ensuring their effective operation.
External auditors too have had to raise their game, and are now more stringent in their approach, looking to evaluate an organisation’s risk and compliance exposure more broadly. For instance, audit scope used to be internal controls focused, but has now extended to include elements of external threats.
The tools external auditors use are naturally more sophisticated than 20 years ago. Rather than manually sampling a small number of control risks, 100% sampling is now possible through today’s technology. Auditors also expect organisations to have more sophisticated GRC tools of their own in place, taking advantage of similar technology on an ongoing basis.
Of course, cyber threats are one of today’s biggest business challenges. Online attacks cost British businesses an estimated £30 billion in 2016, and that looks likely to rise this year following the crippling effects of the Wannacry ransomware attack in May 2017, which brought business systems to a standstill in more than 150 countries.
Other recent examples of harmful system failures include British Airways, DLA Piper and Reckitt Benckiser - the latter of whom reported a cyber attack by the NotPetya ransomware would effectively cost them £98.9m.
These are just some of the most publicised cases - the tip of an iceberg which illustrates a rapidly changing threat landscape, where cyber attacks and external threats pose a very real risk to almost all kinds of business.
IT complexity contributes to the challenges of managing internal controls too. IT environments have become increasingly complex over time, with the challenge of managing hybrid landscapes and integrated on-premise/Cloud-based systems proving particularly prevalent.
From an SAP perspective alone, these issues are complicated by:
- Integration and migration to HANA & S/4 HANA environments
- Legacy SAP systems not properly migrated to ECC 6.0
- Volume of legacy interfaces resulting from M&A activity
- Global SAP footprints vs local config., interfaces and custom ABAP
- Increased SAP functionality – HCM, CRM, BI, Mobile & custom apps
- Supply chain integration and connectivity
All of this means SAP systems are increasingly vulnerable to external threats. Indeed, it could be argued that there is no such thing as an internal network anymore - perimeters have disappeared and boundaries blurred with most SAP systems now directly connected to the Web (via apps, mobile, SaaS etc).
Last but not least, today’s environment is a vastly more regulated arena - with the likes of Basel II in play and GDPR fast approaching - now less than a year to go. GDPR in particular is a watershed moment, with significant penalties of up to 4% revenue threatened for data breaches.
Integrated risk management and the growing capability gap
The good news is that GRC technology is evolving to help combat the challenges highlighted above, enabling businesses to move towards an integrated risk management model.
In operation, integrated risk management would include:
- A centralised repository for risk and controls data
- An ongoing process of documenting audit evidence for effective operation of controls
- Linking internal controls to corporate risk management activities
- Segregation of duties tools built into ERP systems
- Sophisticated controls tools to manage system-specific risks
- Automated controls and exception-based monitoring
- Real-time detective controls
- Timely risk and control reporting at multiple levels of the organisation
If capability had kept pace with the industry’s rapid change, this would be the norm for today’s organisations - but for many, the solutions in place still feel reminiscent of 1997.
If that’s the case in your business, then now’s the time to address the capability gap, because the future holds even more challenges.
The complexity of the threat landscape will continue to increase, and you’re going to have to rely more and more on continuous controls monitoring with real-time reporting and ongoing auditing. You’re going to need to integrate detective and preventative controls. And with so many unpredictable events certain to occur, GRC with in-built artificial intelligence is going to become more prevalent, too.
As GRC technology and thinking evolves, and machine learning and predictive algorithms improve, the ability for firms to manage uncertainty with little margin for error is going to improve significantly.
Ultimately, for every risk that can be predicted, there are now so many that can’t. As such, GRC has evolved to handle pervasive uncertainty and not simply the expected events. Perhaps this is the biggest change over the last 20 years and an even bigger challenge for the next 20?