Control automation: Reduce risk and cost with innovationHow to conquer the costs and demands of compliance

Control automation: Reduce risk and cost with innovation 2

ContentsTraditional approach versus the automated approach 4

The technology behind the approach 6

Control automation in 2025 7

Adoption: Transforming a good idea into a standard practice 8

How Grant Thornton can help 9

Control automation: Reduce risk and cost with innovation 3

The costs of traditional compliance are increasing. At the same time, new technologies accessible to companies of all sizes make it possible to transform the compliance function to become a more efficient and cost-effective machine. This results in a more comprehensive view of an organization’s risk profile. Framed another way, compliance is now the byproduct of good risk management practices enabled by grouped data management technologies that were previously cost prohibitive to the risk function.

When we say the costs of compliance are increasing, we mean three distinct types of costs. The first is the investment you make in ensuring compliance — the cost of identification, documentation, analysis, remediation and monitoring. The sheer increase in the amount of available data is exponentially increasing the demands on the compliance function. More and more transactions are digitized and recorded; cloud storage allows vast data repositories that were barely imaginable 10 years ago.

The second cost is the financial consequences of failing to achieve compliance. These take the form of financial losses, damage to reputation, regulatory interventions and potential legal actions. They can result in profound financial and personal consequences that are virtually impossible to quantify.

The third cost of non-compliance is the opportunity cost created by inefficient and outmoded processes. Grant Thornton estimates the opportunity cost of traditional Sarbanes-Oxley Act compliance among its clients across a range of sizes to be about $1.9 million. In traditional compliance, we needlessly divert human resources to rote, tedious and manual processes and remove those people from more creative and valuable work. Once finance professionals are freed to devote their time to root cause analysis as opposed to redundant process execution, they can add significant value and move into the role of providing sophisticated insights aligned with the vision of the modern finance organization.

So what were the barriers to entry that no longer exist, and what is now enabling this shift to automation? With the advent of modern cloud platforms, it is no longer necessary to have the infrastructure and staff to manage data repositories and hardware. Many of the cloud software solutions also minimize the cost for licensing expensive new tools. Additionally, the level of training necessary to use the tools is minimal when compared to past requirements. For example, an experienced SQL developer and a database administrator are no longer required when you have data management tools, such as Data Factory, that enable drag-and-drop data processing.

Control automation: Reduce risk and cost with innovation 4

Traditional approach versus the automated approach The traditional model is ill-suited to the current compliance function. That model relies on episodic data sampling and manual data review. In addition to being time consuming and costly, this approach demands high levels of attention while delivering low levels of assurance by using non-statistical sampling. With a traditional approach, continuous monitoring is impossible and turnaround can take days, weeks or even months.

By contrast, approaches using a cloud platform and data analysis and management software promise enhanced efficiency, greater assurance, richer insights, continuous monitoring and faster turnaround at a lower cost. Grant Thornton and a Fortune 50 technology client have demonstrated that it is possible to reduce risk by continuously monitoring the full population.

Control automation: Reduce risk and cost with innovation 5

You can increase efficiency by up to 80% by automating the process and eliminating human error, which is a greater risk in rote processes. You enable time-trend analysis and capture the surprising trends and emerging insights that the mining of deep data enables. You allow near real-time response and simplify the remediation process.

The benefits that automation can deliver in this approach are powerful, and they are compounded by the benefits that trained people can deliver. By freeing your people to concentrate on root cause analysis and gathering insights, you put them in a position to creatively solve problems and proactively add value. This could mean faster or more profound insights that can lead to quick action. It could also lead to evolving the control environment itself — adjusting controls to increase their precision, relevance, responsiveness, efficiency and reliability.

With the additional focus on audit and assurance coverage using the technology, resources are being allocated toward value-added activities and away from verification activities. In other words, rather than testing several dozen samples manually at a cost of $250 per sample, we are able to assess the full population at a cost of pennies per sample — enabling significant cost savings or reallocation.

10/01/2019to

12/31/2019

FY19 Q4Period

41Population

82.9%Pass rate

Pass rate — trailing 12 months

100%

90%

80%FY19 Q2 FY19 Q3 FY19 Q4

79.5% 80.5%82.9%

Target: 95%

Automated control dashboard

Control definition

Control

Control risk

Control objective

Application

Classification

Type

IT-001

Invalid access

Ensure the security andintegrity of core systems

System ABC

Revenue

Preventative

Control automation: Reduce risk and cost with innovation 6

The technology behind the approach Technological advances enable all of these benefits. The increased storage capacity and processing capability of cloud computing allow massive amounts of data to be manipulated. Software solutions can automate manual processes, simplify data acquisition, enhance analytic capabilities and help compliance teams deliver integrated reporting.

Each compliance challenge requires its own array of software. Fortunately, there’s plenty available. Consider this case study:

• A Fortune 50 technology client working with Grant Thornton wanted to add value to their internal controls while achieving greater efficiency through automation. To demonstrate value, the project focused on control testing automation.

• By using cloud-based services, the team automated data import, formatting, testing and reporting to:

– Ensure high-volume, cloud-based data storage with built-in intelligence

– Automate repetitive, time-consuming tasks

– Simplify and integrate large-scale extract, transform and load operations

– Introduce artificial intelligence (AI) solutions in an interactive workspace (e.g., Apache Spark)

– Build, test and deploy predictive analytics solutions

– Visualize the resulting data

The resulting solution enabled the relevant data to be continuously monitored. That monitoring yielded time-series analysis for each of four controls — user access, account reconciliation, data entry and approval authority. For example, continuous monitoring allowed the team to immediately identify issues and quickly address their root causes. With traditional approaches, this could take weeks or months; with continuous monitoring, issues can be surfaced and addressed within days.

The solution expanded control coverage from small samples to the entire population, increased test frequency, enabled real-time response to risk gaps and improved real-time reporting. Ultimately, the automated approach increased the efficiency of the testing by more than 50%.

Control automation: Reduce risk and cost with innovation 7

Control automation in 2025 In the near future, control automation will continue to deliver increased efficiencies and greater insight throughout the risk cycle. In fact, one of the ways in which the technology promises to evolve is in its ability to address processes in their entirety. While we are currently able to test 100% of the population, we may soon be testing 100% of the process.

Access to large amounts of data will enable more robust analysis and yield more immediately actionable insights. By analyzing large amounts of data, solutions can uncover new value and root causes of issues. High-level analytical work will define the roles of the future.

The control automation process

Riskidentification

Riskdocumentation

Reporting andremediation

Risktesting

Cognitiveanalysis

Processautomation anddata modeling

Onlinetools

Root causeanalytics and

data visualization

Control automation: Reduce risk and cost with innovation 8

Adoption: Transforming a good idea into a standard practice While good ideas will eventually find a home, the speed of acceptance depends on a receptive culture, a clear business case and energetic communications.

Cultural acceptance begins with leadership. Executives often support automation, but they need to communicate their support in two ways. First, they need to help the people who are implementing the initiative to think of themselves as driving cultural change rather than just auditing processes. These implementation teams will increasingly welcome automation as they accept its results and see that it is improving efficiency. Secondly, the team needs to change its perception of automation. Ethan Rojhani, Grant Thornton partner, Risk Advisory, noted that an analogy has proven useful: “We use the metaphor of Excel and spreadsheets for our industry and what happened in the mid-1980s when people started using PCs and spreadsheets. That fundamentally transformed our industry.

“And in order to get to that point, you had to learn how to use a spreadsheet. Now you have to learn how to use these modern tools like Power Automate and Data Factory. We’re seeing that coming online really quickly now. We are training our people in order to meet the demands of our clients.”

In addition to the work of changing perceptions, automation requires formal training on specific skills. As an example, Rojhani referenced Grant Thornton's system. “It starts with online training and then moves to a three-to-four-day in-person boot camp and an internship rotation, where you’re working with someone who has done this before so that you can continue to expand your skill set.”

The final obstacle to adoption is not cultural but operational. Automation is a digital process that works best when the underlying process is also digital. Without a digitized process, it is hard for the team to automate testing activities consistently.

Control automation: Reduce risk and cost with innovation 9

Get the help you need Control automation can help you achieve measurable efficiencies and generate actionable insights. While its implementation requires a commitment in rethinking your approach as well as training and technology, the costs of control automation decisively outweigh the costs of compliance as usual.

While each compliance challenge requires its own array of software, there is fortunately plenty available. Regardless of the size of your company’s footprint, the right professionals can help you assess and automate your compliance controls, working with you to drive significant efficiencies and greater transparency across the compliance function.

Contacts

Ethan Rojhani Partner, Controls Advisory T +1 303 813 3478

Greg Haberer Senior Manager, Controls Advisory T +1 703 373 8735

GT.COM

“Grant Thornton” refers to the brand under which the Grant Thornton member firms provide assurance, tax and advisory services to their clients and/or refers to one or more member firms, as the context requires. Grant Thornton LLP is a member firm of Grant Thornton International Ltd (GTIL). GTIL and the member firms are not a worldwide partnership. GTIL and each member firm is a separate legal entity. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions.

© 2020 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd