Case study: pharma company achieves automation and globalization
A global pharmaceutical company decided to align and redefine the risk and controls in connection with a global SAP implementation. The company asked Ernst & Young to help them optimize controls to achieve enhanced automation and globalization.
To build the business case, we used a single business process — Requisition to Payment (RTP) — for a pilot review. This process covered the capital expenditures, goods receipt/invoice receipt, inventory and receiving sub-processes.
We compared the RTP risk and control framework against leading practices, combining knowledge of the company's environment with third-party resources that have extensive knowledge of and experience with SAP control functionality.
Through this process, the company identified several opportunities, including:
- Potential reduction in the number of risk points associated with the business process
- Potential replacement of manual controls by application controls
- Reduction of the overall testing effort by management and internal and external auditors, freeing up resources for other activities and potentially reducing the external cost of compliance
The pilot demonstrated how the company could be more efficient while improving risk coverage.
Benefits the company realized included:
- A reduction in controls from 25 to 19
- A 24% reduction in the number of tests
- Better use of SoD, user access and user change management controls around SAP
The company is now expanding its optimization project to include other processes supported by SAP.
Address today's internal control issues to better position your company for tomorrow.
Summary: The economic landscape is settling, slowly, and economic uncertainties are less severe. Now is the time to take a fresh look at your internal controls and ensure their effectiveness.
The last five years, a one-two punch
The past five years delivered a one-two punch that has left internal controls departments reeling. After Sarbanes-Oxley and the recession, many are finally regaining their footing.
The increased reporting requirements have forced internal controls functions to do more, and the global recession mandates doing more with less.
The global economic landscape is settling, slowly, and economic uncertainties are less acute.
The time is ripe to refocus on internal controls
If you're responsible for internal controls, you should take advantage of this recovery period to make your control frameworks as efficient and effective as possible.
By refocusing your efforts on controls optimization, rationalization and control redesign, you can more efficiently leverage technology to meet the expectations of your demanding stakeholders.
Benefits of an optimized control environment
- Lower costs due to a reduction in the number of controls, enhanced standardization, reduction of effort related to (internal) compliance and enhanced coordination and alignment between functions
- More appropriate risk coverage with a keen focus on the risks that really matter
- Improvement of the risk assessment process through a risk-based approach
- Better return on IT investments due to use of application controls rather than manual controls
The struggle: balancing cost with risk
If you knew that the cost savings of a more effective control environment would eclipse the cost of the risks, you would not question the investment. Yet companies are still struggling to create optimal control environments that balance cost with risk.
Here are three major explanations of why companies have remained stuck in inefficient control environments:
- Duplication of risk and control activity
Reporting and compliance are a core part of doing business. As such, significant effort and cost are expended to build controls that address potential risk.
But often, the correlation, intersection and duplication of controls across different groups are not clearly visible or easily understood because of multiple, overlapping and sometimes conflicting lines of reporting and responsibility.
- Too much of some, not enough of others
Most organizations have too many controls to address some areas, and not enough controls to address others. Control activities tend to be added over time, but not taken away or reduced when the need has been extinguished.
Also, to comply with regulators' requirements, a lot of effort goes into controls around the daily transaction processing without properly addressing the higher-risk areas.
- Failure to sufficiently leverage technology
A company may invest significantly in enterprise resource planning (ERP) systems. But there still may be a systematic lack of controls automation. This leaves a significant portion of the ERP investment unrealized — a missed opportunity to increase efficiencies.
A better way to efficiency
Recently, companies have pushed for control efficiency by improving their approach and their corresponding frameworks. The objective has been to:
- Remove redundant controls
- Identify and deploy controls that address multiple risks
- Replace multiple manual controls with more efficient application controls
By leveraging a robust five-step framework, you can be confident of the value you'll achieve from control environment improvement activities. The steps will identify, diagnose, design, deploy and sustain a company's control environment improvements.
Framework for control environment improvement
Assess current state
To find efficiencies:
- Have a clear view of the current number of processes, risks and controls.
- Understand the composition of controls (manual vs. automated) and the nature of the IT applications supporting those controls.
- Gather information related to the level of effort around performing, documenting and testing current controls. This will help identify high-impact areas (effort, cost and potential benefits) for prospective pilots.
Establish the scope
Scoping before the project begins reduces unnecessary and wasted effort. For example, it's wasted effort to optimize locations and processes not relevant to the organization's overall risk management requirements.
Take a top-down, risk-based approach
A risk-based approach involves identifying and assessing material financial reporting risks and allocating resources and efforts based on the severity and likelihood of those risks.
Typical results before and after a top-down, risk-based approach
Management will need to:
- Determine what is material to the consolidated financial statements
- Conduct a thorough risk assessment that considers the likely sources of potential misstatement with significant enterprise-wide processes
- Associate the nature, timing and extent of testing of the corresponding control that can most efficiently monitor it
The benefit of a top-down, risk-based approach is illustrated in the graphic below. Allocating control attention and effort where risks are highest is a more efficient and effective use of available control environment resources.