Five key ways to help rethink your enterprise controls approach

March 7, 2022

When used strategically and responsibly, technology can power growth, innovation, more efficient operations and better experiences—all while building capabilities that will likely  increase trust in your business.

In fact, the right technology can make nearly every part of your operations more trusted, including your approach to internal controls. The use of automation can reduce time and increase precision and scale by streamlining processes and minimizing errors. When was the last time you reviewed the hours and cost associated with operating your business’s internal controls?

Simply put, tech-enabled solutions can make radically better outcomes attainable, while simultaneously building and reinforcing stakeholder trust. With executives under pressure to drive down both cost and compliance risk, internal controls may be just the place where a new approach is needed.

Regulator focus on controls has intensified, especially as it relates to Internal Controls for Financial Reporting (ICFR). Meanwhile, the velocity of regulatory change continues to accelerate. Operating a control environment is extremely time consuming when done manually, adding to both the cost and complexity of compliance. Conducting business as usual with internal controls may not be sustainable much longer.

It’s time to rethink your approach. Here are five key considerations to help guide you in gaining the most benefit when you introduce a human-led, tech-powered approach.

1. Use cloud transformation as the catalyst for change

Many companies are in some stage of moving to cloud-based enterprise applications. While movement to cloud-based systems can create uncertainty, it also provides an excellent opportunity to assess and consider digitizing your compliance activities. An ERP cloud transformation can be a great catalyst to review compliance requirements and consider how the company can better manage and automate its internal control environment—particularly as the system design is still underway. Designing controls within your new Cloud ERP versus around the ERP will help deliver the most beneficial outcomes.

Very few companies operate in a single ERP environment. If multiple ERP systems are in place, consider how your enterprise controls solution can be built to be automated across a multi-system environment. The goal is to automate the ability to look into multiple ERP platforms, extract data and test system-based security and transaction controls consistently across your entire organization. Doing all of this at the click of a button isn’t just convenient—it can help eliminate duplicative activities and unnecessary costs.

2. Automate repetitive tasks to help reduce the cost of compliance

The return on investment from automating testing can be significant. PwC has helped clients automate the testing and documentation of workpapers for both systematic and manual controls that otherwise would have taken people hundreds or thousands of hours, year after year.

We’ve found that it’s feasible to automate the testing of more than 80% of an organization’s control environment. When thinking through a digitized approach, consider how to address the entire control framework (not just systematic controls). And leverage technology to help build the capability to automate the testing and documentation of workpapers for all controls; in other words, testing data sources that may be both structured and unstructured in nature.

Structured data sources

Structured data resides within a system. Controls related data generally represents how the system is configured, how security roles are provisioned, how master data is maintained or how transactions are executed day to day.

Many organizations often struggle to fully benefit from interpreting data directly from a system because extracting enterprise system data can be complicated—especially when it relates to the completeness and accuracy for audit purposes. Testing a control effectively usually requires wrangling data from multiple discrete locations in an ERP, with the help of an administrator or system expert. The sheer volume of data, data modification and how efficiently system data can be extracted can also pose challenges.

When done correctly you can test system-based controls quickly and accurately by directly connecting to an ERP system and leveraging technology to interpret the system’s data. Automated testing means risk mitigation can happen faster while simultaneously driving down the cost of manually operating or testing system controls.

Unstructured data 

Not all controls can be tested with structured data, however. Unstructured data are artifacts that support the control that may come in the shape of PDFs or other formats that can make control testing even more time consuming.

The good news is that testing of controls that relies on unstructured data sources can still be partially automated—saving up to thousands of hours annually—by introducing optical character recognition (OCR) technology capabilities. This technology can help streamline information gathering by scanning for key and required fields on the document or artifact and documenting them automatically. This kind of automation can give you more time for the critical thinking needed to interpret the results and act accordingly.

3. Test full populations, increase trust and stay ahead of auditors

Staying ahead of your auditor is another motivation to automate monitoring and testing. External auditors are embracing automation and analytics at an escalating pace. Instead of depending on sampling methodologies, they are now starting to rely more heavily on technology to assess full populations to target testing. Automation makes it quite feasible to test full populations and helps identify outliers or erroneous transactions.

Testing full populations inherently increases the level of trust around your internal controls environment while reducing the risk of the identification of control exceptions an auditor might locate at a later point. Adopting a data-driven, tech-enabled testing approach can reduce the amount of time spent on audits and, subsequently, the associated cost.

4. Minimize the need for hard-to-find skills by relying on technology 

In a recent PwC Pulse Survey, nearly a third of Chief Risk Officers indicated that they were concerned about being able to find the right risk talent. This was particularly the case as it pertained to qualified ERP resources. A tech-powered, automated approach to enterprise controls can help business leaders respond to today’s competitive talent landscape by reducing the need for specialized ERP skills provided by outside organizations. Technology precludes the cost of hiring third-party resources—and lowers the overall cost of compliance as a result. 

In addition, having a continuously operating, automated control testing solution in place helps solve the challenges companies have likely experienced in trying to operate controls remotely in  hybrid or remote work environments similar to that posed by the recent global pandemic.

5. Find ways to more easily maintain compliance with changing regulatory requirements

The SEC continues to increase its efforts on transparency of Financial Reporting for public companies. This has put a substantial amount of pressure on companies to be aware of how their processes and IT are supporting their business. How can digitizing compliance activities help your company stay in compliance with changing regulations?

Shifts in the focus of regulators continue to emerge and in many cases resulted in organizations having to develop a more microscopic lens into events occurring inside of their enterprise systems. A good example of this was the release of the ASC 606 guidelines—and how the regulators subsequently required companies to provide more transparency and trust around their revenue recognition (e.g., P*Q) calculations. When this guidance was released and a new focus emerged, organizations needed to manage how their enterprise systems would align with the new steps, across people, process and technology. New and updated internal controls had to be implemented.

The types of controls required were complex and voluminous in nature. System-based configurations and setups were often difficult to control and manage. Demonstrating the continued operational effectiveness of these controls without technology was challenging for many of our clients.

A technology platform infused with PwC experience

With these five considerations in mind, PwC has worked with clients across industries to reinvent the monitoring and testing of both manual and systematic controls. Our expertise-driven, technology-enabled approach has delivered significant client outcomes. We’ve helped PwC clients save thousands of hours (annually) by digitizing and automating the testing of both Manual and Systematic Controls.

By combining our team’s experience and innovation with our proprietary Enterprise Control platform, PwC offers companies proven automation and analytics capabilities to help drive greater value from enterprise controls monitoring and testing, including bolstering stakeholder trust. Isn’t it time to take a fresh look at your company’s approach to internal controls?

Connect with our team

Contact us to discuss how your company could reduce your cost of compliance and redirect resources to focus on more value-added activities through automation of enterprise controls.

Download this eBook


Check out other related risk management insights

How technology can enable proactive risk management

Learn more

Addressing the cyber skills shortage

Learn more

Meet modern compliance: Using AI and data to manage business risk better

Learn more

Explore our products

Stay ready for new risks and remain compliant with products and technologies designed by industry experts — and built for your needs. Our consultants are here to help you keep your business protected and prepared so you can focus on what’s next.

Learn more