Today, virtually every company relies on computerized systems to automate day-to-day business transactions, collect auditable history, and provide operational and management reporting. Automated controls within computerized or enterprise resource planning (ERP) systems include both preventive and detective controls. For example, automated controls help ensure a customer number is valid, all required data is entered for a purchase order, and debits equal credits. In addition, configurable application controls (a subset of automated controls) include checking tolerance limits, maintaining valid data integrity, ensuring data fields are completed as required, and maintaining workflow routings and approvals, among other controls.
Automated system controls are a key part of a strong internal control environment. They increase efficiency of operations, improve accuracy and help eliminate fraud. A major advantage of robust automated controls is that they are more reliable than manual controls. They work automatically and are not subject to human error or failure.
Today, we find that most companies have not fully optimized their use of automated controls in ERP systems such as SAP and Oracle. These systems typically are not preconfigured to optimize compliance and effectiveness, and implementation teams too often do not properly configure available controls. In addition, software tools are available today that give companies the ability to develop custom automated controls or tests to meet concerns unique to their environment. Some companies are even exploring predictive controls to anticipate future risk or fraud situations.
Challenges and Opportunities
Automated controls often are overlooked because IT departments are resource-constrained and may not have the necessary risk management/compliance perspective or skills. Likewise, the compliance function (internal audit, Sarbanes-Oxley, etc.) often lacks the necessary insight into ERP automated controls definition and use.
During ERP implementation efforts, building in the proper automated controls often is prioritized well below cost and schedule management.
Proven benefits of optimizing automated controls include:
- Decrease in employee time conducting and supervising more tedious manual controls
- Decrease in the cost of annual assessments through replacing error-prone manual controls with consistently executed automated controls
- Reduction in operational inefficiency and reduction in the odds of human error and fraudulent manipulation
- Proactive management of audit fees via increased auditor reliance on automated controls
- Ability to strengthen the overall risk management environment by adding new custom controls that mirror the controls needed in key business processes
Our Point of View
Companies should be planning to transition from a majority of manual controls to a majority of automated application controls. We have seen internal rates of return (IRR) of 250 percent on these types of efforts. Every company has this same opportunity to strengthen its use of and reliance on automated controls within its ERP system. Optimization of such controls better enables organizations and their external auditors to attest to the effectiveness of controls over critical financial statement elements as well as the key financial reporting processes that drive them. New advances in automated assessment and monitoring tools require investigation.
How We Help Companies Succeed
Our Enterprise Applications Solutions practice helps companies fully optimize their automated application controls to realize improved efficiency and strengthen the control environment. We accomplish this by:
- Documenting configurable controls and recommending improved configurations to optimize compliance and control
- Rationalizing the overall control environment to reduce the number of overall controls, decrease the reliance on manual controls and increase the use of automated controls
- Designing and implementing custom automated tests that examine configuration data, master data and transaction data to address high-priority control issues unique to your company or industry
- Implementing continuous monitoring tools such as detective controls to alert you to changes or activities that warrant investigation
There are a variety of tools available today with a wide range of functionality and flexibility. We work with most of the major tool providers and can assist you in selecting and implementing the right tool for you. In addition, we have our own proprietary tools that are effective in diagnosing weaknesses in automated controls configuration during planning, audits and assessment engagements. We also have a deep understanding of major ERP systems such as SAP and Oracle, as well as expertise in audit and compliance requirements for SOX, J-SOX and other regulatory requirements.
A global consumer products company was running SAP throughout the organization. Protiviti’s experts worked with company management to assess the level of control automation and to design and implement control improvements. The assessment determined that the company had more than 550 controls in six key business functions, and that more than 70 percent of the controls were manual. Protiviti’s project for the company resulted in the following improvements:
- Manual controls were reduced to less than 30 percent of the total controls in place.
- Through our control rationalization process, total controls were reduced by 34 percent.
- The resulting business processes were judged by management not only to be measurably more efficient, but considerably better controlled.
- Since it is estimated that 60-75 percent less time is required to test an automated control compared to a manual control, considerable savings in manpower resulted from the project.
- As part of the project, the Sarbanes-Oxley control framework was updated to reflect the new process and control environment.
The client now has a control environment with greater use of automated controls that is more efficient and less prone to error.