With governmental regulations for compliance becoming all the more rigorous, chief audit officers (CAOs) are finding themselves between a rock and a hard place regarding controlling costs and satisfying these more rigorous compliance demands. At the same time, external auditors are getting more sophisticated in their investigations of compliance — delving deeper into organizations’ controls.
The situation can be likened to Edgar Allan Poe’s short story, “The Pit and the Pendulum.” Every year, the audits get more onerous. The “blade” of the auditors cuts deeper.
The ongoing economic crisis presents a whole other challenge. Companies are strapped and trying to do more with fewer resources. Increasing scrutiny, coupled with less budget — and, in general, less liquidity for devoting dollars to compliance — presents a dire picture.
Yet, difficult times such as these offer organizations of all sizes the opportunity to reflect on ways for driving process improvements, innovation and ultimately competitive advantage. What if CAOs and their organizations could automate repetitive tasks and free up their people to do more strategic activities?
Powerful second-generation governance, risk, and compliance (GRC) technology enables just that. It brings focus to compliance automation, which reduces the cost and hassle of demonstrating compliance, and converts active auditing into value-added initiatives for business.
Honing Compliance and Business Processes
When the Sarbanes-Oxley Act was first passed, the main focus was segregation of duties to a very granular level. The time, energy, and resources devoted to internal audit and supporting the external audit saw no limits.
Today, organizations are being asked to provide results they didn’t have to in the past, with fewer resources. Companies are thinking hard about how they can provide the same level of compliance reporting within a finite budget.
Concurrently, auditors and companies alike are realizing well-managed and well-controlled systems extend beyond SOD to a number of IT processes. Companies have a genuine interest in soundly-managed IT and financial systems — not only for compliance, but also for safeguarding investors and mitigating risks, such as fraud, theft of data, system failures due to lack of controls, and catastrophic outages.
Therefore, a new focus is emerging — embedding compliance into business processes. A few years ago, the phrase “quality is free” was the rage in the manufacturing sector. The idea was that if an organization embedded quality in its manufacturing processes, then it didn’t have to bolt it on afterward.
The same can be said for compliance today. Compliance is not a once-a-year root canal or a great effort trying to produce compliance reports. It is embedding compliance into day-to-day operations and into business processes — getting compliance for free, if you will — while accelerating the business processes from which compliance originates.
Asserting Value, Leveraging New Technologies
While the role of compliance executives has always been challenging and daunting, embedded compliance and automated workflows can make their lives easier, and offer an opportunity for them to assert their value to their enterprises.
What are some of the ways to accomplish this task?
Look for tools that support business processes with automated workflows, but also capture audit reporting information. In an SAP application, for example, the process for configuring changes — from the request, development, testing, approval, and movement-into-production stages — is tedious and time consuming.
By utilizing a GRC tool, the automated workflows not only manage the migration of those changes through the development cycle, but also document who made the request, who developed it, who tested it, the test results, and when it was moved into production. Such data satisfies the auditor’s need for controls and tracking information. Automated workflows dramatically reduce the labor and the time lag of moving changes efficiently into production.
User provisioning also is tedious. If organizations want to bring on new users or change the roles of existing users, they have to follow a very rigorous process for permissions and documentation, including who received which roles, why they received them, who approved them, etc.
GRC tools significantly reduce the time it would take to prepare for an audit. And they reduce the time spent by control owners, process owners, IT security, and administrative folks doing tedious tasks, freeing people to bring more to the business through value-added initiatives.
Such tools also can reduce the level of scrutiny by auditors. Automated processes tend to be deemed more trustworthy than manual processes. If they know that a company has embedded compliance and automated reporting, auditors are more quickly satisfied. The reporting becomes a byproduct of the compliance process, too, one that satisfies the audit need — not only internally, but externally as well.
Growing the Strategic Mindset
Freed of onerous, repetitive tasks, CAOs and their organizations can perform strategic activities. For example, they can roll out a plant in China sooner, address the backlog of enhancement requests more quickly, and evaluate new technologies to benefit the enterprise. Instead of preparing for an audit, they can focus on the question, “How can we leverage our expertise into new markets?” Or, “How can we utilize our core competencies for more competitive advantage?” Their answers can add value to the business and improve the income statement.
From a business perspective, it can take months to manually prepare for an annual audit. That means that people in these organizations aren’t doing their regular jobs. They could be assigned to perform activities that the C-level wants done to impact the top-line or bottom-line.
For some IT organizations, meanwhile, productivity is measured by the time they spend administering systems compared to the time they spend implementing new initiatives. Automated workflows and embedded compliance allow companies to change the equation so that they can spend a greater amount of time improving the business and not just operating the business. Innovation becomes a core value across the board.
Often, business units come forward with requests for IT to implement new technologies. IT finds itself in the difficult predicament of having to resist the never-ending queue of requests partly because of the fear of having new compliance concerns.
This mindset becomes a speed bump to productivity. If organizations can innovate more with IT processes, then their opportunities grow exponentially. GRC helps removes the backlog in IT.
From an audit perspective, GRC technology gives CAOs an opportunity to become part of the solution. They can become real players in process innovation. In fact, progressive companies have kicked around the title of chief process innovation officer. Their mission: reduce costs, increase efficiency, and increase the organization’s nimbleness to rapidly respond to market opportunities — all attainable by being able to model and fine-tune the business processes, not just focusing on proving that they have controls for them.
These same companies are looking at what may be viewed as overhead operations and trying to convert them into sources of competitive advantage. The opportunities for process improvements, innovation, and business growth do exist. Companies don’t have to fall into the pit, even in a down economy. CAOs and organizations that seize opportunities will best be positioned when the recession ends.
Dan Wilhelms is President and CEO of SymSoft Corporation, the makers of ControlPanelGRC, professional solutions for compliance automation. He can be reached at [email protected].
