Internal control transformation
How to accelerate on data digitization for internal control?
According to the latest PwC Global Risk Survey, 75% of risk management functions plan to increase their technology spend and prioritize three areas: data analysis, process automation, and risk detection and management tools.
The trajectory is given, and it concerns at the forefront internal control and its ability to connect to data to simplify and drive internal control. The market is very active with profusion of solutions, what is it really?
Our conviction: there is no miracle solution for internal control.
The promise of a tool that would be enough to plug in to obtain very quickly all the necessary analyses and controls giving comfort on the realization of the controls may seem attractive.
What feedback have we heard?
First of all, it is illusory to imagine a tool that can connect to all the systems that a company can use. The tools are often targeted on some ERP, the main ones obviously, and even in this case may not understand the specificities of configurations between the different subsidiaries.
Extending to additional systems requires investment and the publisher’s ability to follow the ERP roadmap to continuously adapt its own developments.
Then, these solutions sometimes offer a very (too?) wide choice of control requests, which can in some cases work in “black box” mode. Exploiting all results and understanding them can be a significant investment.
Finally, some tools require to take out all the accounting data of the company, which does not fail to generate concerns about cyber risks.
Which criteria should be preferred in the target solution?
The offer is constantly growing. The feeling is that, in order to speed up the use of data in internal control, it is probably necessary to favour solutions that meet the following criteria:
- An ability to process any type of data, whether from traditional ERP or proprietary systems: this means being able to query databases directly or having a fairly wide range of connectors;
- An accessible query writing language for new generations of auditors and internal controllers, and above all ensuring transparency and maintainability;
- A limitation of the company’s data outputs to the atypies or indicators sought;
- Availability of documented analysis workflow systems, easily implemented, ideally via a cloud solution;
- Dashboards that facilitate the user experience;
- A wide distribution of the solution or at least a dimension of the company that carries it, guaranteeing the sustainability of investments and a projection, if necessary, worldwide.
All these factors will allow the internal control function to become autonomous on the deployment and use of the chosen solution.
Is the ideal technology for internal control on the market?
The ideal would obviously be to be able to fully integrate the data into the processes managed by the applications already used by the internal control functions to manage the control repositories, pilot the self-assessment or test campaigns, manage action plans and prepare reports.
The publishers of governance, risk and compliance (GRC) solutions are increasingly planning towards continuous control, adding a data dimension to their internal control solutions, and benchmarks increasingly incorporate this dimension in their evaluation of GRC solutions.
The approaches can be different, with publishers who have a more data-oriented historical base that allow them to better respond to the factors mentioned above. Others start from a more complete historical base on the classic dimensions and add data integration capabilities.
For companies already equipped with a CRM tool that does not fully meet the needs of continuous monitoring, moving towards a new, more integrated solution will be complex. The decision-making processes will be long with certainly tradeoffs with respect to the functionalities of the existing solution that will not be present in the new, not to mention the impact on users beyond the internal control function...
Alternatively, keeping two solutions and justifying the coexistence of two GRC systems offering similar functionalities, for example for self-assessment campaigns or the management of internal audit missions, would be difficult.
This is probably why we still see few fully integrated solution implementations.
What’s next? Make digitalisation and added value synonymous
There is no doubt that data solutions for internal control will continue to evolve, with startups emerging. The roadmaps of CRM solution providers will also continue to expand.
Artificial Intelligence also holds many promises. We are not there yet, but the investments of consulting players, startups and publishers will bring us there.
Meanwhile, most French companies are facing the requirements for accounting controls Sapin 2. The choice of the solution is key to make it not only a compliance tool but also to generate a real added value from the digitization of internal control.