When costs are not measured and accounted for, they tend to rise, so companies may be experiencing an increase in the hidden costs of ICOFR. Companies that merely look at compliance costs are therefore likely missing their greatest opportunities to reduce ICOFR costs and add further value. If companies do not sufficiently understand the level of effort incurred to perform controls, they will miss opportunities to operate controls more cost-effectively.
This article’s focus is on cutting costs, but an analysis of a company’s controls can also uncover the potential for additional value. Details on how controls are functioning across the company can indicate ways to increase external auditor reliance and provide new insights into how different processes are functioning.
Costs related to ICOFR may be higher than you realize, in part because they often take a different form than you might expect. When most companies measure ICOFR costs, they typically only look at compliance costs, focusing on testing and external audit expenses. But the larger cost components related to ICOFR draw on other resources throughout the company for tasks such as:
Typically, companies try to get a handle on their ICOFR spending by rationalizing their controls. It is a well-intentioned idea, and KPMG's 2016 Internal SOX survey found that 59 percent of companies that have engaged in rationalization efforts have succeeded in reducing the number of key controls. But the survey also showed that only 37 percent of those companies achieved a corresponding reduction in the amount of time they spent on testing, and only 15 percent managed to also reduce time and costs associated with control performance.
Having a smaller number of key controls does not correlate to a reduced burden on a company's resources if it is still mostly doing the same work in the same way. The key to a cost-effective ICOFR program that accomplishes its mission of managing risk and adding value is not just reducing the number of controls - though that is one element - but also choosing the right controls, focusing efforts on the most critical among them, and creating the right control environment.
Creating a cost-effective control environment requires an effective use of automation. Most companies perform the majority of controls manually - an approach that can lead to higher costs as well as higher inherent risks from human error. Only 18 percent of total key controls are automated in an average company, according to KPMG's 2016 Internal SOX survey. This low figure illustrates a significant opportunity to generate cost savings, often for both control performance and testing, by automating control activities.
The benefits go beyond lower costs and increased reliability. For example, using automated key reports - instead of spreadsheets and queries - makes it easier for companies to meet regulators' increased demands to validate the completeness and accuracy of information used in controls.
Many companies have already invested heavily in implementing ERP and other key systems, as well as designing IT general controls over those systems. Despite these investments, companies often are not fully harnessing these systems' capabilities. One reason is that, since costs to perform controls manually are often hidden within the business, ROI calculations for automating certain activities or reports may not take these costs into account. But, when their capabilities are leveraged effectively, these systems can help create a highly automated and cost-efficient control environment.
To get a handle on the total cost of ICOFR, the place to start is a five-step analysis that looks at how controls operate across finance, IT, and operations:
Where are risks, redundancies, and opportunities? Where might risk mitigation not be cost-effective?
Bring these costs, usually hidden within business processes, into the light to find possible efficiencies. This information will help find opportunities for automation.
Determine if you have inefficiencies in your testing approach.
The results, including costs normally buried elsewhere in the company, may surprise you. Perform internal comparisons of business processes to identify variations, based on control differences, that may be impeding effectiveness and raising costs in certain areas of the company.
Estimate savings possible from controls rationalization, process improvements, increased automation, and other control enhancements. Develop a prioritized list of opportunities for improvement.
Common drivers of control costs include not just the level of automation, but also the frequency and duration of control performance, the time spent and salaries of staff who perform and review the control, and the number of locations in which the control is performed. Assessing such costs offers opportunities to review process effectiveness with an eye to the controls' costs and benefits - for both the ICOFR program and the business.
Understanding the control portfolio and associated costs helps establish an enhanced, consistent, and more automated control environment that can improve performance, bolster transparency, and reinforce investor and market confidence.