Operational Excellence through Internal Controls
Thursday, November 1 2007
Not since the 1930s--when the "alphabet soup" agencies of the New Deal were formed--have government mandates caused as much confusion and controversy, or been as sweeping, as the new international laws that dictate higher levels of corporate governance, risk management and compliance (GRC).
From the Sarbanes-Oxley Act of 2002 (SOX) in the U.S., to Bill 198 in Canada, to Japan's Financial Instruments and Exchange Law (so-called J-SOX), the current global regulatory environment is one that demands that enterprises take every step to ensure the integrity of their finances, their data, their processes and their employees.
Coming on the heels of major corporate scandals, Sarbanes-Oxley, for example, created a huge increase in internal costs and external audit fees, a call for additional staff and expertise and a need for new and more sophisticated process automation. For the entire business world, a whole new frontier lay uncharted, with many company fortunes tied to meeting the new challenges.
Effective Controls: No Simple Task
Since then, CFOs have been faced with the difficult compliance challenge of finding a way to reduce the cost of compliance while simultaneously ensuring that the access to data and business process controls that their companies had in place are operating as designed and working effectively to minimize financial reporting risk. However, many companies have deployed disconnected, tactical approaches to internal controls, usually requiring manual control design and testing efforts that result in duplicated activities, high costs, wasted time and resources and limited GRC effectiveness.
This reactive approach makes it impossible to implement a cohesive GRC strategy for monitoring, identifying and managing risk across the enterprise. This fragmentation--when replicated many times across different business applications and functional groups--creates a complex situation that actually introduces new risks and prevents transparency into the efficacy of controls in the organization.
But putting an effective control environment in place is no simple task. Companies need the ability to document and monitor business processes that cross multiple enterprise divisions and regions, span entire business processes and monitor multiple, often disconnected information technology (IT) applications. A company's business processes and the various regulations impacting them often also vary by country and business unit.