Strong internal controls are essential given the sensitive regulatory environment and high cost of fraud. Compliance managers and risk officers are turning to technology to streamline and automate their internal controls for long-term, sustainable compliance as paper based manual process, electronic document management and generic desktop tools have proved to be inadequate.
MetricStream solutions for Governance, Risk and Compliance (GRC) support Automated Testing for Internal Controls and provide dependable automation and protection from a regulatory standpoint. Automated testing of internal controls ensures effective compliance, creates opportunities for cost savings, increases profitability, improves fraud detection and operational efficiencies and above all, gives the true status of a company’s compliance health through a transparent view of its internal controls.
Steps in Automated Testing of Internal Controls
Identifies controls which need automatic testing
Sends alerts for controls which need manual testing
Automates testing with push of button
Assimilates results of manual and automatic tests and sends reports
Sends report of records
Creates repository of tests and results for future reference
Challenges Posed by Prevalent Systems
A strong internal control system has become a prerequisite as organizations strive to become fraud free and compliant with regulations such as Sarbanes-Oxley (SOx). However, applying proper internal controls is an ongoing and complex process. Controls have both implicit and explicit rules. Tracking and applying these rules requires a rigorous approach to ensure full compliance. Also, evaluations and tests need to be conducted at frequent intervals for every control making the process highly resource intensive.
- Resource Intensive: Manual processes consume significant resources including manpower and time, thereby decreasing the overall productivity and affecting the bottom-line
- Unreliable: Based completely on human expertise, manual testing can be unreliable
- Expensive: Huge costs incurred to recruit people for testing controls and the time and resources spent on the process
- Risk Prone: Manual interference and negligence pose risk of discrepancies, undetected fraud and noncompliance
- Non-repeatable: Owing to lengthy and complex procedure, the repeated verification of tests at standard intervals becomes difficult
Consider a control that ensures that the orders should only be processed within a customer’s credit limit. This control is typically implemented within an organization’s ERP system, but can be overridden for exceptions with proper authorization. In general, most companies would print a report that lists out all orders that were processed within the last quarter, their credit limit at that time and if the override was applied, who applied the override and their role/title at the time the override was applied. To evaluate this entire data is not just difficult but demands flawless accuracy-a feat difficult to achieve manually.
Once, this record has been assimilated the internal audit team would have to manually review each and every entry in the report and ensure that the control worked for every situation to score the control test as ‘passed’ or ‘failed’. The team would have to manually record every instance where the test failed, so that proper disclosures and remediation processes could be triggered. Being lengthy, cumbersome and unreliable the benefit of such a system is generally questionable.
Benefits of MetricStream Solution
40%-60% Reduction in initial test run
70%-90% Reduction on subsequent test runs
Increased test runs with higher confidence and larger sampling
Automated Testing of Internal Controls
From unreliable to optimized
MetricStream enables automated testing of internal controls significantly lowering costs and improving the effectiveness of internal controls. Tests related to completeness, accuracy, validity, authorization, and segregation of duties can be configured and scheduled with the ability to define process-level manual and application controls within a single test. This configuration is wizard driven and does not need custom coding.
By integrating the management of IT application controls, IT general controls, and manual controls, the solution eliminates the key challenges of existing paper and spreadsheet based systems.
Areas under Inventory where Testing is Automated
- Access Control
- Inventory Approval / Processing
- Costing Approval / Processing
- Authorization / GL Recording
- Backorder / Overexposure
- Perpetual Records
- Waste / Returns / Reserves
- AR Adjustments
- Standards Testing
- Variance Analysis
- Cost Rollups, Carry Forward
- Variance Absorption / COGS
- Reliable: Captures detailed scoring of each test, generates automatic reports and integrates data to give comprehensive, accurate results
- Cost Effective: Saves key resources like manpower and time by enhancing productivity
- Alleviates Risk: Reduces risks through automated tests that are conducted on basis of previously created checklists, leaving no scope for fraud thus ensuring regulatory compliance
- Sustains Compliance: Significant portions of the testing process can be completed seamlessly without manual intervention
- Optimizes Operations: Strong internal controls help streamline operations by allocating responsibility and verification of the same at regular intervals
- Exhaustive: Built-in library of over 1500+ tests for automating the testing of key financial controls
- Real Time Monitoring: Reports can be assessed in real time while simultaneously a repository of previous results is maintained, giving the auditors a complete track of events, at click of a button
Key Features of SOX Solution
Environment & Process Design
Assessing Internal Controls
Training and Audits
Architecture of Automated Testing of Internal Controls
The solution provides an out-of-the-box library containing hundreds of tests for automating the testing of controls within general ledger, procure-to-pay, order-to-cash, inventory, cost accounting, asset management and payroll processes within the popular ERP systems such as SAP, Oracle and PeopleSoft.