When costs are not measured and accounted for, they tend to rise, so companies may be experiencing an increase in the hidden costs of ICOFR. Companies that merely look at compliance costs are therefore likely missing their greatest opportunities to reduce ICOFR costs and add further value. If companies do not sufficiently understand the level of effort incurred to perfom controls, they will miss opportunities to operate controls more cost-effectively.
This article’s focus is on cutting costs, but an analysis of a company’s controls can also uncover the potential for additional value. Details on how controls are functioning across the company can indicate ways to increase external auditor reliance and provide new insights into how different processes are functioning.
Luisa v. Esterházy
Partner, Risk & Compliance Services
KPMG AG Wirtschaftsprüfungsgesellschaft
1. Understanding the hidden costs of ICOFR
Costs related to ICOFR may be higher than you realize, in part because they often take a different form than you might expect. When most companies measure ICOFR costs, they typically only look at compliance costs, focusing on testing and external audit expenses. But the larger cost components related to ICOFR draw on other resources throughout the company for tasks such as:
- Performance: Your company has to design, execute, and administer its controls. These tasks often add up to more than half of the total ICOFR cost. Yet, since other departments often absorb performance costs, companies usually fail to include these costs as part of ICOFR. The Public Company Accounting Oversight Board (PCAOB) has continued to focus on management review controls and levels of precision, as well as on management's validation of completeness and accuracy for key reports. As these focus areas flow down to the company, they require additional time and expense for control owners to perform and document control activities.
- Errors/Corrections/Turnovers: How often does your company spend time and resources reperforming or redesigning controls? How often do you train new employees on the control activities when experienced ones leave? These costs add up quickly and generally are not considered when evaluating ICOFR costs.
- Management review: In addition to the time spent performing control activities, management also spends time reviewing and administering these activities, with more manual control activities requiring an especially time-intensive review process.
2. Moving beyond control rationalization
Typically, companies try to get a handle on their ICOFR spending by rationalizing their controls. It is a well-intentioned idea, and KPMG's 2016 Internal SOX survey found that 59 percent of companies that have engaged in rationalization efforts have succeeded in reducing the number of key controls. But the survey also showed that only 37 percent of those companies achieved a corresponding reduction in the amount of time they spent on testing, and only 15 percent managed to also reduce time and costs associated with control performance.
Having a smaller number of key controls does not correlate to a reduced burden on a company's resources if it is still mostly doing the same work in the same way. The key to a cost-effective ICOFR program that accomplishes its mission of managing risk and adding value is not just reducing the number of controls - though that is one element - but also choosing the right controls, focusing efforts on the most critical among them, and creating the right control environment.
3. Focusing on automation
Creating a cost-effective control environment requires an effective use of automation. Most companies perform the majority of controls manually - an approach that can lead to higher costs as well as higher inherent risks from human error. Only 18 percent of total key controls are automated in an average company, according to KPMG's 2016 Internal SOX survey. This low figure illustrates a significant opportunity to generate cost savings, often for both control performance and testing, by automating control activities.
The benefits go beyond lower costs and increased reliability. For example, using automated key reports - instead of spreadsheets and queries - makes it easier for companies to meet regulators' increased demands to validate the completeness and accuracy of information used in controls.
Many companies have already invested heavily in implementing ERP and other key systems, as well as designing IT general controls over those systems. Despite these investments, companies often are not fully harnessing these systems' capabilities. One reason is that, since costs to perform controls manually are often hidden within the business, ROI calculations for automating certain activities or reports may not take these costs into account. But, when their capabilities are leveraged effectively, these systems can help create a highly automated and cost-efficient control environment.
4. The big picture: analyzing the control portfolio
To get a handle on the total cost of ICOFR, the place to start is a five-step analysis that looks at how controls operate across finance, IT, and operations:
Understand the controls.
Where are risks, redundancies, and opportunities? Where might risk mitigation not be cost-effective?
Understand operating costs.
Bring these costs, usually hidden within business processes, into the light to find possible efficiencies. This information will help find opportunities for automation.
Understand testing and other compliance cost factors.
Determine if you have inefficiencies in your testing approach.
Calculate the total cost of control and analyze the results.
The results, including costs normally buried elsewhere in the company, may surprise you. Perform internal comparisons of business processes to identify variations, based on control differences, that may be impending effectiveness and raising costs in certain areas of the company.
Evaluate opportunities and determine next steps.
Estimate savings possible from controls rationalization, process improvements, increased automation, and other control enhancements. Develop a prioritized list of opportunities for improvement.
Common drivers of control costs include not just the level of automation, but also the frequency and duration of control performance, the time spent and salaries of staff who perform and review the control, and the number of locations in which the control is performed. Assessing such costs offers opportunities to review process effectiveness with an eye to the controls' costs and benefits - for both the ICOFR program and the business.
5. Value beyond cost-effectiveness
Understanding the control portfolio and associated costs helps establish an enhanced, consistent, and more automated control environment that can improve performance, bolster transparency, and reinforce investor and market confidence.