Internal controls have traditionally been viewed as a requirement to avoid regulatory, legal and external audit/examination consequences. Rarely are they seen as a strategy for building business value and consumer confidence.
Yet, in virtually every industry, internal controls are becoming an important competitive differentiator. They are being elevated from a necessary evil to a valuable tool, due to increasingly engaged management teams, emerging risks and rapidly evolving technology – together with the growing expectations of customers, business partners and regulators. Internal controls are especially important in the investment management industry.
“There are a lot of moving parts in the registered fund world,” said Judd Wright, Grant Thornton Audit Services Partner and Mutual Fund Sector Leader. “The risk environment and control expectations for advisors, third party administrators and others are increasing and rapidly evolving. All of this is underscored by pervasive cybersecurity risks and the importance of protecting client data.”
The traditional role of internal controls
Internal controls have always served an important defensive function, and successful companies have embraced them enthusiastically. Their core objectives of protecting the effectiveness and efficacy of business operations, supporting the reliability of internal and external reporting, and complying with applicable laws and regulations can’t be underestimated.
Grant Thornton Advisory Partner Dennis Bell noted that “When I deal with leaders in regulated industries, such as investment management services, they’re very focused on controls. As a result, they all have very strong control environments.”
No organization, regardless of industry, welcomes the pain and costs associated with a financial statement restatement. Checking the compliance box is certainly critical – but it is the floor, not the ceiling, when it comes to the value controls can provide.
“A company that can demonstrate a strong control environment can gain increased consumer confidence, which is key to growing the business.”
Bell continued, “I think we can all agree that certain control failures can be very impactful on a company’s reputation. They can lead to a drop in customer confidence, profitability and shareholder value. But I think the opposite is true as well: a company that can demonstrate a strong control environment can gain increased consumer confidence, which is key to growing the business.”
Are there other ways that controls add value, beyond traditional risk management and compliance?
Yes – in fact, there are many ways controls can actually improve your business performance and give you a competitive advantage with current and potential customers.
Management engagement is the key to controls which proactively add value. If leadership views internal controls as core to company strategy and operations, the rest of the organization will follow.
In recent years, leadership expectations of internal controls have grown. Bell observed that “We find our clients are much less patient when it comes to internal control failures. They expect that controls are going to be strong, well-designed and operate effectively on a consistent basis.”
An Internal Audit Director at a Grant Thornton client emphasized the importance of “focusing on how controls relate back to business objectives,” adding that “a concern for compliance and regulatory conformance is a business objective, in and of itself.”
In recent years, it’s been proven that companies which embrace governance, risk management and internal control have stronger business performance than those that do not.
Emerging risks and opportunities
The relentless and rapid advancement of technology, increasingly complex business operations, and sophistication and speed of business transactions continue to create more instances where internal controls matter. As more aspects of the business and customer engagement are digitized, controls become more important, especially as suppliers and business partners are integrated into the value chain.
With the advent of pervasive digitization, technology and operations are moving beyond “your four walls” and now touch every financial, administrative, operational and customer-facing process. For outsourced processes and systems, it’s increasingly true that you can delegate the task, but not the responsibility of protecting your customer’s data and ensuring its integrity. Sure, you can transfer some of the risk with insurance and strong contracts, but that won’t address the negative impact on your reputation and future growth.
Many companies are embarking on transformational efforts – establishing shared service centers, redesigning business processes and operations, implementing new business applications (often in the cloud) and more. These companies are establishing intentional internal controls workstreams with dedicated and knowledgeable resources. This approach ensures controls are adequately considered and incorporated in future state design. Effective and intentional planning will result in a more successful outcome. In this context, controls that are incorporated into the fabric of systems and process design will undoubtedly result in controls that are more efficient and cost effective to operate, as well as to test and demonstrate operating effectiveness in the future.
“Controls done right should make it easier to do business, and for your customers to do business with you – they should not make it harder.”
Historically, controls have been used to look in the rear-view mirror and detect issues, with some being preventative and virtually none being predictive. The modern company leverages controls to not only proactively manage risk, but also to improve agility and speed, as well as identify revenue enhancement and cost management opportunities. This enables them to capitalize on opportunities in a timely manner. Grant Thornton Advisory Principal Adam Ross said, “Controls should not be a ‘tax’ on your process. They should help achieve business objectives and enable more timely risk-informed decisions. Controls done right should make it easier to do business, and for your customers to do business with you – they should not make it harder.”
A key component to this strategy is embracing risk and control analytics that integrate both internal and external data. Grant Thornton Advisory Services Senior Manager Charmone Adams described an assessment around controls and the valuation process for current investments and assets which uncovered “multiple process inefficiencies and reporting errors. By enhancing controls, we were able to dramatically improve the operational efficiency within the valuation process, in addition to better managing risk and improving the reliability of data.”
“By enhancing controls, we were able to dramatically improve the operational efficiency within the valuation process, in addition to better managing risk and improving the reliability of data.”
Bell added “As an external auditor that signs multiple System and Organization Control (SOC) report opinions annually, a client that takes controls seriously gives me confidence. I also see it in the eyes of client senior management. They are confident that their controls, and the teams who embrace those controls, will prevent or detect errors in a timely manner. This gives them more peace of mind.”
Controls equal confidence: Consumer confidence, stakeholder confidence, management confidence, auditor confidence and regulator confidence.
The COVID-19 global pandemic and remote work have dramatically increased the risk of error because of the reduced ability to coach and confer with colleagues in real time, sitting in the office together. Remote work also increases risk around tax liability and human resources compliance. Workers have become geographically dispersed, working from anywhere in the country and around the world.
Evolving best practices
Cyber and information protection risks have also risen sharply. When the world went to a full remote workforce model at the start of the pandemic, many companies were not adequately prepared. Employees were forced to email files to their personal accounts on their home computers to print materials, and many were not connecting their devices through secure communication channels. Not only did this expose data in transit to unauthorized access, but laptops and computers were not regularly receiving security updates, increasing their risk of compromise.
To add the most possible value, it’s important to consider some best practices. This starts with a spirit of collaboration and innovation for relationships, processes and controls. Educating stakeholders, involving first, second and third lines of defense, and aligning your risk management and assurance functions are also very important.
“The focus on internal controls even impacts the sales cycle, as customers not only care about the eventual output or performance, but the processes in place to achieve them.”
Wright added “The focus on internal controls even impacts the sales cycle, as customers not only care about the eventual output or performance, but the processes in place to achieve them.” To ensure these customers understand what you are accomplishing, Marketing and Sales should actively promote the company’s commitment to internal controls, and even involve members of their risk management and assurance functions in the sales process. This allows you to proactively and productively talk with potential business partners and customers, discussing relevant internal controls and how you take a systematic approach to effectively and efficiently managing risk.
Adding value also means working smarter:
- Know the risks you’re trying to mitigate before you even talk about controls.
- Find those “killer” controls that address multiple risks.
- Develop enterprise control standards to establish expectations and drive consistency across decentralized operations.
- Challenge the control mix – such as automated vs. manual, preventative vs. detective, and transactional vs. process vs. entity-level.
- Reduce control duplication, being careful not to be “over-controlled.”
- Maximize the use of technology in control operation and in your risk management and assurance functions.
Without discipline and intentionality, controls will inevitability grow in number and complexity over time. Staying focused on continuous improvement and challenging the status quo will ensure you are operating a lean and mean control environment. It’s important to strike the right balance of risk, cost and value.
There is also tremendous opportunity to dramatically improve efficiency and reduce cost associated with control monitoring and testing. Done right, control testing is a repeatable, recurring and predictable process. As a result, it is ripe for automation
using low code solutions, analytics and robotic process automation (RPA) platforms. Once established, control test automation (CTA)
dramatically reduces the time to test controls, allows you to test controls more frequently, reduces the cost of compliance and offers the added benefit of covering the entire transaction population.
Internal controls have always played an important role by protecting companies from negative consequences. But, employed intelligently, they are virtually guaranteed to help improve business performance and accelerate competitive advantages.
Principal, Advisory Services
+1 215 558 6530
Dennis M. Bell
Partner, Advisory Services
+1 215 376 6030
Partner, Audit Services
+1 215 656 8340
Senior Manager, Advisory Services
+1 212 624 5247