Better testing assists in regulatory compliance and cybersecurity
As asset managers shoulder the burden of increasing regulatory requirements and confront relentless cybersecurity threats, control test automation (CTA) is emerging as a virtual necessity for successfully addressing these two critical areas.
Asset management and banking CFOs identified regulatory compliance and cybersecurity as their top two concerns in a recent Grant Thornton survey. By automating control testing that’s designed to enable compliance and protect data and systems, asset managers can reduce the demands on their staffs.
CTA can enable regular and even continuous testing of controls using full populations of data in a tiny fraction of the time that it would take humans to test a small sample of data. This can reduce the risk of human error and eliminate potential gaps that can arise through sampling, leading to increased confidence, reliability and accuracy.
Asset managers work to satisfy an imposing volume of regulatory requirements. Compliance tasks where asset managers may use CTA include:
- Regulation Best Execution: CTA-enabled continuous monitoring tools can provide dashboards that show the adherence with standards to meet FINRA’s reporting requirements related to rules requiring brokers to use reasonable diligence to buy or sell to clients at a price that is as favorable as possible under prevailing market conditions.
- Regulation Best Interest (Reg BI): Testing of the controls that enable the timely delivery of required disclosures to retail customers can be automated. CTA may also be implemented to monitor the effectiveness of controls that enforce the updating of a firm’s inventory of all conflicts of interest, and controls that monitor employees’ status with respect to conduct, culture and compliance requirements.
- SEC Registered Investment Adviser requirements: Some testing of controls related to the Compliance Rule, Custody Rule, Code of Ethics Rule, Books and Records Rule, Privacy Rule, and Form ADV and other regulatory filings is manual, but others can be automated. In many cases, automated dashboards help advisers track and monitor their progress toward compliance.
- KYC and controls: Ongoing monitoring can be implemented to maintain Know-Your-Customer compliance.
“Firm compliance officers can use automation to test 100% of a control’s population and create reports to be distributed to the relevant stakeholders, and the automation can be configured to streamline the testing as it takes place on a regular or continuous basis,” said Charmone Adams, Asset Management Advisory Services Leader for Grant Thornton.
Asset managers also can use CTA as a tool to assist with fulfilling their duties under the Exchange Act’s Market Access Rule, which requires firms that have market access or provide access to their customers to maintain controls that manage the financial, regulatory and other risks associated with trading. FINRA’s 2024 annual regulatory oversight report describes numerous examples of insufficient market access controls at firms that it has discovered through its supervision, regulation and enforcement programs.
FINRA recommends regular testing of market access controls, and CTA can be used for many of those tasks, such as determining whether a hard block is triggered when a parameter is triggered. Both pre-trade and post-trade control testing can benefit from automation.
“Firms are implementing technology that can streamline the testing and reduce manual hours in the testing of pre- and post-trade controls so that the compliance officer can be more effective and efficient in this regular testing and reporting,” Adams said.
Cybersecurity, meanwhile, is a compliance task where asset management firms often create controls that are far stronger than what regulators require. Client trust is among the most valuable resources an asset management firm possesses, and cybersecurity breaches can seriously damage that trust.
Security access controls and multi-factor authentication controls can be tested through CTA, and automation can also be created to alert employees and their supervisors when employees have failed to complete their cybersecurity training requirements. Penetration testing also can be automated to identify gaps in security before cyberthieves can find and exploit them.
Ultimately, although automation of control testing requires a significant upfront expense, it can produce future labor cost savings that far exceed the initial investment. At a time when the asset management industry is under intense pressure to reduce fees, these labor cost savings can make firms more competitive.
“The asset management industry is under fee pressure like never before,” said Grant Thornton National Managing Partner for Asset Management Michael Patanella. “Automated control testing is one component of a move toward embedding technology throughout asset management firms that can lower operational costs — and perhaps lead to lower fees.”
The ABCs of CTA
Advances in technology have introduced new capabilities for control test automation that are creating added value for internal and external auditors as well as for management — wherever controls are embedded in an organization’s business processes or its financial reporting.
When technology is used to test the operating effectiveness of controls:
- The full population of data could be tested, rather than just a sample.
- Automated testing that once was manual can relieve personnel from labor-intensive, often repetitive work.
Take a deeper dive into CTA
Get a detailed analysis of the use of CTA related to internal control over financial reporting — and an illustrative example of CTA over a user-access provisioning control. This publication co-produced and published by Grant Thornton and the AICPA sheds light on CTA relevant to organizations and their internal and external auditors.
Many of today's advanced automation technologies were in their infancy in 2013 when the revised Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) described how technology can support ongoing evaluations of controls.
The COSO framework described how continuous monitoring techniques can provide a high standard of objectivity and enable efficient review of large volumes of data at a low cost. The framework indicated that, combined with robust review and analysis of results by knowledgeable personnel, automated monitoring can provide for efficient, effective ongoing testing.
Today’s most tech-savvy companies and internal and external auditors are delivering on COSO’s vision. CTA activities are being designed and implemented in organizations’ continuous monitoring activities, providing management with valuable feedback and even customized alerts when deviations exceed acceptable thresholds.
CTAs also are being designed and implemented as supervisory control activities, such as authorizations and approvals or reconciliations. When implemented skillfully and reviewed and monitored by competent personnel, CTAs can provide benefits that include:
- More frequent or continuous testing of controls.
- More timely information for decision-making.
- Identification of errors or issues that may be missed due to human error or the limitations of a sample-based approach.
CTA industry insights
A powerful tool
Regardless of the industry, CTA can be a powerful tool for internal and external auditors who are testing the operating effectiveness of controls to support or gather evidence about the effectiveness of internal control over financial reporting (ICFR). Manual tests of these controls often are labor-intensive and rely upon sampling, while automated tools and techniques have the potential to reduce the need for repetitive human labor while extending testing to the entire population.
Within ICFR, the uses of CTA may vary widely based on industry. Take revenue recognition, for example. A company in an industry or sector with a subscription-based business model that recognizes revenue over time may have different CTA opportunities than a company with a point-in-time revenue model based on discrete individual sales.
Asset management firms are increasingly finding benefits from implementing CTA technology for internal control over financial reporting. Replacing manual efforts with automated control testing can reduce potential errors and lead to expedited closing for monthly, quarterly and yearly periods.
“If they close the books faster, this can, in turn, lead to an earlier audit delivery date,” Patanella said.
Outside of ICFR, CTA can be implemented for controls over operations, reporting or compliance objectives. These CTA opportunities may also vary widely based on the industry.
Getting started
All controls are not created equal with respect to CTA, as automated testing can be easier to implement for some controls than for others, such as those that are objective rather than subjective. It would be more straightforward to set up an automation that compares all vendor billings and reimbursements and sends an alert if the amount of a check sent to a vendor does not equal the amount billed on the invoice. It’s more difficult to create an automated test to tell you whether the amount on the invoice is reasonable considering the services the vendor provided. The best candidates for CTA often are controls with attributes that can be clearly defined, such as tolerances, distinct values or pass-fail conditions. These may include:
- Authorizations, approvals, verifications and controls over standing data.
- Segregation of duties.
- Certain general IT controls, such as authorization, provisioning, deprovisioning, privileged access and security configuration controls.
For asset management firms that are just getting started with CTA, recurring manual processes should be the focus. Areas such as trade confirmation (e.g., pre/post monitoring) and settlement systems may be a good place to focus.
Automating the testing of confirmation controls can enable the timely and accurate confirmation of trades in compliance with regulatory requirements.
“Control test automation builds synergies and efficiencies into a process,” Adams said. “And more importantly, when you’re automating a process, you also reduce the likelihood of human error. The efficiency goes up and human errors can be reduced, so that’s a win from two angles of the process.”
The more advanced uses of CTA may revolve around artificial intelligence. Strictly speaking, AI is not a necessary component of CTA because control test automation often involves repetitive testing of full populations of controls that doesn’t require the learning or (sometimes) creative elements associated with AI.
But Adams said AI is a hot topic in the industry, and it’s being used in robo adviser tools that asset management firms are using. Robo advisers are being used to assess portfolio risk, market risk and credit risk in the context of investors’ risk tolerance, ultimately advising on products and services in a streamlined fashion for clients.
When the robo advisers are making the recommendations, though, best interest and best execution tools become even more important. Ultimately, CTA may be the answer to enabling the operating effectiveness of those investor-protection tools — the technology serving as a check on technology — with robust human governance, development and oversight providing the ultimate authority.
Rooted in data
As with most automation efforts, CTA is only as good as the information it relies on. Whole-population testing is ineffective if the population is not complete or the input data is not accurate. When the information used is complete and accurate, a CTA can be run on large volumes of transactions or activities, quickly and with more precision.
This is one of the biggest benefits of CTA programs. If an organization sends tens of thousands of checks to vendors every year, CTA may be used to test that all of the checks match the amounts on the respective invoices and were approved based on the organization’s policies or procedures in a tiny fraction of the time it would take a human to test only a sample of such transactions. CTA is generally designed to extract information directly from existing systems or applications, further reducing human effort.
Nonetheless, human involvement in the form of strong governance is essential for developing and maintaining a CTA program and related IT environment that accomplishes the desired objectives. Responsibilities and accountabilities need to be established for designing, implementing and maintaining effective governance over the IT environment — including general IT controls — that will support a CTA program.
When CTA is being implemented, validation often requires test runs, with manual testing compared to CTA results to verify accuracy and consistency. Controls may need to be modified and CTAs recalibrated several times before automation is ready to be implemented.
Another critical role for humans in CTA implementation resides in the appropriate treatment of deviations and control failure rates. Leaders need to carefully determine an acceptable failure rate for a control or control objective to appropriately evaluate the results and conclude on operating effectiveness. In some cases — for example, a security access approval — that acceptable failure rate may be zero.
Many times, though, an acceptable failure rate may be greater than zero. Consider, for example, a control that requires a manager to approve an employee’s expense reimbursement forms. If the acceptable failure rate is zero for this control attribute, what happens when a manager takes a two-week vacation? The acceptable failure rate for such a control could be set at something higher than zero, with the provision that a separate control or control attribute is implemented, such as deviations being investigated by finance to identify whether an appropriate delegate designated by the manager approved expense reimbursements when the manager was unable to do so.
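The failure-rate treatment described above, as an added example that is not from the original article: every record in the population is tested, a security access approval is held to a zero acceptable failure rate, and expense-approval deviations go through a follow-up delegate check. The record fields, ids, users, dates and the 0.25 threshold are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class ControlResult:
    control: str
    population: int
    deviations: list       # ids of records that failed the attribute
    failure_rate: float
    effective: bool        # failure_rate within the acceptable rate

def evaluate_control(control, records, passes, acceptable_rate):
    """Apply a pass/fail predicate to every record, not a sample."""
    if not records:
        # An empty extract is a completeness problem, not a clean result.
        raise ValueError(f"{control}: empty population, check the extract")
    deviations = [r["id"] for r in records if not passes(r)]
    rate = len(deviations) / len(records)
    return ControlResult(control, len(records), deviations, rate,
                         rate <= acceptable_rate)

def access_approved(r):
    # Approved by someone other than the requester, before access was granted.
    return (r["approver"] not in (None, r["requester"])
            and r["approved"] is not None and r["approved"] <= r["granted"])

def unexplained(records, deviation_ids, delegates):
    """Follow-up check: deviations not approved by a designated delegate."""
    by_id = {r["id"]: r for r in records}
    return [i for i in deviation_ids
            if by_id[i]["approver"] not in delegates.get(by_id[i]["manager"], set())]

# Constructed sample data (hypothetical ids, users and dates).
ACCESS = [
    {"id": "AR-1", "requester": "u1", "approver": "m1", "approved": "2024-03-01", "granted": "2024-03-02"},
    {"id": "AR-2", "requester": "u2", "approver": "m1", "approved": "2024-03-09", "granted": "2024-03-05"},
    {"id": "AR-3", "requester": "u3", "approver": "u3", "approved": "2024-03-04", "granted": "2024-03-04"},
]
EXPENSES = [{"id": f"EX-{n}", "manager": "mgr_lee", "approver": "mgr_lee"} for n in range(1, 7)]
EXPENSES += [{"id": "EX-7", "manager": "mgr_lee", "approver": "dir_ortiz"},
             {"id": "EX-8", "manager": "mgr_lee", "approver": "peer_kim"}]
DELEGATES = {"mgr_lee": {"dir_ortiz"}}   # delegates designated by each manager

access = evaluate_control("access approval", ACCESS, access_approved, 0.0)
expense = evaluate_control("expense approval", EXPENSES,
                           lambda r: r["approver"] == r["manager"], 0.25)
escalate = unexplained(EXPENSES, expense.deviations, DELEGATES)

if __name__ == "__main__":
    for res in (access, expense):
        print(res)
    print("escalate to finance:", escalate)
```

The expense control stays within its acceptable rate, yet the approval by a non-delegate is still surfaced for investigation, while the access control fails outright on a late approval and a self-approval.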
Great care needs to be taken in developing and implementing CTA programs; the considerations become more complicated as the controls and automated testing become more complex. Nonetheless, precision in the development and implementation phase often is worthwhile because of the additional, timely insights that CTA can provide later with a reduction of manual labor that can offset the costs associated with automation.
An effective CTA program — whether it’s used as a monitoring activity, supervisory control, or both — can lead to better risk management by enabling detailed analysis, pattern and deviation identification and more timely decisions. These are benefits that can provide an important edge in an environment where effective controls are essential.
Contacts:
Maria Manasses
Partner, Deputy Chief Auditor
Grant Thornton LLP
Principal, Grant Thornton Advisors LLC
Maria is a partner with Grant Thornton with over 25 years of experience in accounting and auditing. She acts as a steward to the accounting and auditing
Downers Grove, Illinois
Ethan Rojhani
Principal, Risk Advisory Services
Grant Thornton Advisors LLC
Mr. Rojhani is a principal in Grant Thornton’s Risk practice with experience leading the full lifecycle of risk management and consulting engagements.
Denver, Colorado
Content disclaimer
This content provides information and comments on current issues and developments from Grant Thornton Advisors LLC and Grant Thornton LLP. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC and Grant Thornton LLP. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.
For additional information on topics covered in this content, contact a Grant Thornton professional.
Grant Thornton LLP and Grant Thornton Advisors LLC (and their respective subsidiary entities) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Grant Thornton LLP is a licensed independent CPA firm that provides attest services to its clients, and Grant Thornton Advisors LLC and its subsidiary entities provide tax and business consulting services to their clients. Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.