Smart Control: Transforming controls to reduce cost, enable growth and keep the business safe

Insights on governance, risk and compliance | January 2013

Smart Controls and RiCAPS



Contents

• Introduction
• Value of Smart Control
• Discovering pain points in your control environment
• Our approach to achieving Smart Control
• Risk and Controls Analysis Platform (RiCAP™)
• Want to learn more about Smart Control?

Companies that align risk management with strategy protect and enhance shareholder value. Companies in the top 20% of risk maturity generated three times the level of EBITDA as those in the bottom 20%. Financial performance is highly correlated with the level of integration and coordination across risk, control and compliance functions.

Source: Turning risk into results, Ernst & Young, 2012.


Introduction

There is a common failure to recognize controls as foundational to all business processes and a key contributor to process costs. Our experience indicates that up to 30% of process cost relates to controlling activities including reviewing, approving and reconciling process activities as well as securing access and data. In addition, there are significant testing and assurance costs associated with control-related activities.

Despite this significant spend, today’s control environment is not fit for purpose. A company’s control environment should support the execution of a profitable growth strategy. However, many organizations view their control environment as expensive, of limited value and, in some cases, a hindrance to the agility needed to respond to a dynamic economic environment. The following are common trends in controls for large multinational companies:

• Companies spend increasing amounts on control without any real ability to quantify the outflow or gain certainty that they are achieving the expected return on investment. Despite these expenditures, companies still experience significant control deficiencies and, as a result, are still exposed to risks.

• As companies have allocated material resources in response to years of growing regulatory pressures, they have accumulated layers of redundant, ineffective and misaligned controls. Moreover, attempts to optimize these controls have primarily focused on reducing the level of testing and monitoring, forfeiting any real opportunities to drive efficiencies in the operation of controls.

• Companies have developed control systems that are complex, duplicative, manual and disconnected from business operations. Instead of addressing the root cause of deficiencies, many organizations respond by installing controls in duplicate or even triplicate. We frequently find that up to 40% of controls are duplicative or can be removed because they are misaligned with the risks deemed most important to the business.

• ERP systems are generally underutilized. While companies have invested heavily in ERP systems, which often have built-in features to monitor financial or business controls, most only harness a fraction of their value. A 2011 Ernst & Young survey on risk management (Turning risk into results, 2012) revealed that only 3% of the executives surveyed have fully automated more than half of the key controls available through the system, while only 22% had automated more than a quarter of the key controls.

• Organizations also have to contend with a lack of transparency and confidence. Despite the significant investment we’ve mentioned, many stakeholders still report that they are not confident that controls will mitigate unforeseen risks from internal influences (e.g., operational deficiencies, employee turnover) or external influences (regulations, economy, customers and suppliers).

In addition, strategic initiatives such as process transformation, shared service and outsourcing, offshoring, enterprise cost reduction, and mergers and acquisitions often change the risk profile of an organization, including risk tolerance, likelihood and impact. Organizations often fail to consider the impact of these initiatives on controls and often do not realign controls with the new strategic focus of the organization. This can and does strain performance and drive up execution costs.

Value of Smart Control

Organizations have been reluctant to consider opportunities to remove excessive costs from controls. There is a common fear that streamlining controls would reduce quality and expose the enterprise to risk. Even where organizations recognize there is an opportunity to improve their approach to controls, we believe they often adopt a suboptimal response that does not realize the full potential benefit. For example:

• Deploying a monitoring tool on top of the existing controls rather than addressing the root cause of control deficiencies

• Retrofitting instead of integrating controls to an existing transformation program such as an ERP implementation or shared services program

• Not considering the changes needed in organizational design, technical proficiencies and behavior to reduce risk

• Using compliance or assurance requirements as a lever to enforce change instead of motivating change as a business imperative

Companies are not fully leveraging automated controls

• More than one out of five companies (22%) do not leverage automated tools to manage governance, risk and compliance (GRC) and rely solely on manual efforts.

• Four out of 10 companies indicate that too much staff time is consumed in managing IT risk issues, but only 14% of respondents indicated that 51% or more of their GRC-related controls are automated.

Source: Joseph McKendrick, Moving to New ERP Environments: 2011 OAUG Governance, Risk and Compliance Best Practices Survey, Unisphere Research, February 2011.


We have challenged these paradigms by helping our clients simplify their process and controls to be efficient (optimal costs and timely) and effective (preventive and detective) and focused on the risks that matter most. Ernst & Young has developed a Smart Control approach that helps companies realize reductions in the cost of controls, enable growth and keep the business safe by creating an integrated, streamlined and dynamic control environment.

Our Smart Control solution can deliver the following:

• Reduced controls spend considers the key drivers for controlling spending, calculating the costs, and comparing financial outlay to risks and acceptable levels of risk exposure. This approach identifies any spend on controls that is not aligned with the company’s risk profile and initiates an effort to transform or overhaul the process.

• Improved accountability for risk supports the assignment of key risk assessment and mitigation activities to key people throughout the organization, empowering employees to manage risk through ongoing communication, training and reporting.

• Accelerated process execution eliminates or automates labor intensive, duplicative or unnecessary process and control activities.

• Alignment with strategy to confirm how well strategic objectives are supported by clearly defined and prioritized risks, as well as risk management effort/resources. When strategies, risks and controls are misaligned, the organization needs to look for ways to transform processes and realign workflows as necessary.

An integrated, streamlined and dynamic control environment provides the agility to anticipate and respond to changes.

[Figure: Smart Control at the center of four outcomes: align with strategy, reduce controls spend, improve accountability for risk, accelerate process execution.]

Balancing value, cost and risk in their processes and controls helps companies create a competitive advantage.

We help companies realize 20% to 40% reductions in the cost of controls by creating an integrated, streamlined and dynamic control environment.


Discovering pain points in your control environment

Complete the following questionnaire to evaluate key indicators of maturity for your control environment — controls spend, accountability for risk, process execution and strategic alignment.

Attributes of your control environment

Rating: 1 – Strongly disagree to 5 – Strongly agree

Controls spend

• Amount spent on control design, execution and monitoring is visible
• Controls are aligned with risk tolerances
• Automated controls are fully leveraged
• Preventive and detective controls are properly balanced
• Ownership (responsibility) for each control is defined
• Controls are standardized across business units
• Entity-level and monitoring controls exist and are reliable
• Control redundancies are minimal

Accountability for risk

• Board and management are structured to provide effective oversight and management of risk
• Communication to stakeholders is consistent and effective
• The assignment of responsibilities for risk and control activities is timely and consistent
• The organization is effective in leveraging technology

Elements assessed below 3 (agree) may be indicative of an opportunity for improvement to confirm your control environment is well designed, understood and operating effectively. Leading control environments affirm agreement to strong agreement with each of the elements presented in this questionnaire.


Process execution

• Internal controls make process execution more effective
• Metrics and reporting are used to monitor process effectiveness
• Processes and initiatives directly support strategic objectives
• Processes are standardized throughout business
• Policies and operating procedures are periodically reviewed and updated
• Resources and competencies are sufficient to support process objectives
• Information technology is used to make processes more efficient

Alignment with strategy

• Risks taken are aligned to your business strategies and objectives
• Risk management activities are integrated with planning and execution
• Your acceptable level of risk is defined and communicated
• Change management is employed and tracked to support new strategies
• Your enterprise risk management plan is robust and well communicated
• Metrics and reporting are used to monitor strategic initiatives
• Strategic plans and initiatives are documented and communicated

Our approach to achieving Smart Control

Ernst & Young’s Smart Control approach is a well-defined work plan that leverages normative process and control models and data analysis to help clients build a business case, design and implementation plan for controls transformation. In the same way that shared services have driven the efficiency of finance functions, the ultimate goal of this approach is to provide “controls as a service” to realize efficiencies, embed new working practices and create a sustainable operating model for controls.

Optimizing a control environment

Ernst & Young helped the company create a single streamlined set of controls and embed the controls into its ERP system (SAP) to provide real-time assurance that the control environment was working effectively. The company anticipates that the new control environment will help it reduce control costs by 50% and absorb future growth in the business without incurring higher costs.

Controls are not well aligned with the risks that matter

• A study by the Economist Intelligence Unit found that half of those responding had gaps in their coverage of risks — even though a majority had seven or more risk and control functions across the business.

• Only 55% of respondents plan to use a formal risk management methodology when they upgrade their ERP system.

Source: The future of risk, Ernst & Young, 2009.


[Figure: the Smart Control approach across three phases (develop strategy, design and build, run and operate) and four steps: 1. Understand the opportunity; 2. Create “zero-based” controls framework; 3. Leverage existing or invest in new technology enablers; 4. Embed low-cost, effective, sustainable operating model.]

Zero-based controls framework: a single, global, streamlined set of controls aligned to risks that matter, leveraging technology and implementing continuous monitoring capabilities.

Activities shown in the figure:

• Create clarity, alignment and commitment in the business
• Understand the current state of the control environment including the proficiency of risk management functions
• Understand control cost drivers and compare to benchmarks
• Align business case to overall enterprise strategy
• Create a business case and execution plan
• Design a zero-based controls framework aligned to process objectives
• Evaluate technology enablers and integrate into existing technology infrastructure
• Create a functional operating model
• Execute new control capabilities applying a cost-effective operating model
• Document revised control model
• Execute, monitor and remediate new controls
• Measure return on investment


Smart Control — a four-step approach

1. Understand the opportunity

Key steps:

• Align stakeholders across the organization — create a shared understanding of the opportunity
• Benchmark performance against Ernst & Young’s reference models
• Evaluate the alignment of process and control activities to business and strategic objectives
• Identify high control cost areas as well as over- and under-controlled areas, and prioritize improvement opportunities
• Deploy proven reference models for Smart Control covering process, risks, controls, and system design and build for financial and operational processes

Ernst & Young’s input:

• Acceleration event to stimulate and engage
• Cost and alignment analysis through Ernst & Young’s proprietary RiCAP™ tool
• Risk tolerance maturity framework for business processes
• Benchmarking and peer comparison to challenge perception and illustrate potential
• Process- and industry-specific normative models and ERP controls models
• Business case preparation

2. Create a zero-based controls framework

Key steps:

• Design and build zero-based control set that is aligned to and supportive of business and strategic objectives
• Challenge and justify every control in alignment with risk tolerance levels
• Eliminate unnecessary manual activities

Ernst & Young’s input:

• Risk management and governance organizational design that defines accountability for risks and controls
• Control environment maturity assessment
• Process, risk and controls mapping and automated process control playbook
• Control automation and optimization advice

3. Leverage existing or invest in new technology enablers

Key steps:

• Implement automated “prevent” controls within existing IT systems and processes
• Make better use of out-of-the-box systems’ capability to turn on prevent controls
• Review master data standards and processes
• Embed control operation into the fabric of the business process and governance structure
• Target the most labor-intensive areas first to drive efficiency
• Select and implement relevant GRC tools to automate control execution and monitoring activities
• Promote transparency through dynamic dashboards and reporting
• Accelerate benefits delivery through insightful analytics

Ernst & Young’s input:

• ERP design/architecture
• Automated control implementation
• Controls design
• Process, risk and controls analytics
• ERP GRC module implementation
• Controls testing
• Continuous controls/process monitoring design
• Control self-assessment
• Program risk management

4. Embed low-cost, effective, sustainable operating model

Key steps:

• Design the operating approach, consolidating control monitoring and reporting activity to a single controls shared services function
• Implement new ways of working
• Continuously improve and automate controls life cycle (design, operate, monitor, remediate and report)

Ernst & Young’s input:

• Organizational design
• Change management
• Service implementation guidance
• Benefits realization advice

Top-performing organizations use analytics five times more than lower performers. Leading companies were twice as likely to use analytics to guide future strategies as well as to guide their day-to-day operations as lower performers.

Source: Turning risk into results, Ernst & Young, 2012

Risk and Controls Analysis Platform (RiCAP™)

Ernst & Young has developed a technology platform called RiCAP™ to evaluate an organization’s control environment and identify opportunities for Smart Control. This platform evaluates key inputs, such as enterprise objectives, risks, controls, cost drivers and acceptable risk levels. The results provide insight on areas that are over- and under-controlled.

[Figure: RiCAP™ (Risk and Controls Analysis Platform). Current state inputs: strategic objectives, business objectives, entity-level risks, processes, transactional-level risks, controls, degree of risk (risk tolerance), control cost drivers, IT impact. Flow: collect process, risk and control data (including cost of controls); understand the control environment and alignment with strategic objectives; analyze risk and control data; identify gaps and improvement opportunities (over/under controlled, needs improvement); prioritized improvement opportunities; future state design. Continuous monitoring: output reanalyzed by RiCAP™.]


RiCAP™ and our overall Smart Control approach are designed to accommodate the unique needs of more than 16 principal sectors. We combine our industry-specific perspectives and deep risk and controls experiences to create tailored solutions for our clients.

RiCAP™ provides actionable data and reports that can be shared with multiple stakeholders and used to support a business case for transformation. The output helps organizations to:

• Align control expenditures to meet organizational objectives

• Compare spend to the risk profile and degree of risk

• Identify potential process inefficiencies and risk exposure

• Identify controls that are unmapped to any risk resulting in immediate cost savings

Tools and enablers

• Standardized data collection templates
• RiCAP data analysis platform
• Dynamic reporting tools for analysis results
• Assessment report design

[Sample assessment report page: “Client Name – Controls Transformation Detailed Assessment Summary”, Detailed Assessment Results, “Alignment with strategy – Risks that do not correlate to strategic objectives”. Columns: Description of Risk, Process Name, Estimated cost of controls, Other impacts, Improvement Opportunity.]

The following risks are included in the current risk listing but do not directly correlate to the <Organization’s Name>’s strategic/business (select one) objectives:

This slide should be used to list out risks that are currently being tracked and mitigated by the process but do not directly correlate or impact the defined strategic or business objectives of the process and organization. The objective of this analysis is to determine the cost that is being spent on managing risks that do not matter and identify improvement opportunities to address this issue.

Example:

Description of Risk: Manual depreciation entries for fixed assets are not accurately calculated and recorded.

Process Name: Record to Report

Estimated cost of controls: $200K

Other impacts: Current ERP system is not being fully leveraged

Improvement Opportunity:

• Evaluate current risk management function at a process level

• Consider automating manual controls


Want to learn more about Smart Control?

After an initial exploratory discussion to understand the challenges you are seeking to address or that have been revealed through your completion of the questionnaire in this brochure, Ernst & Young will conduct a free interactive workshop for your executive team to help your organization in exploring the potential benefits of the Smart Control approach.


Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

About Ernst & Young’s Advisory Services

The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 25,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specific issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how Ernst & Young makes a difference.

© 2013 EYGM Limited. All Rights Reserved.

EYG no. AU1355

In line with Ernst & Young’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.


How Ernst & Young makes a difference

At Ernst & Young, our services focus on our clients’ specific business needs and issues because we recognize that these are unique to that business.

Effective risk management is critical to helping modern organizations achieve their goals and it offers the opportunity to accelerate performance while protecting against the uncertainties, barriers and pitfalls inherent in any business. Integrating sound risk management principles and practices throughout operational, financial and even cultural aspects of the organization can provide a competitive advantage in the market and drive cost-effective risk processes internally.

Our 6,000 Risk professionals draw on extensive personal experience to give you fresh perspectives and open, objective support — wherever you are in the world. We work with you to develop an integrated, holistic approach to managing risk and can provide resources to address specific risk issues. We understand that to achieve your potential, you need tailored services as much as consistent methodologies. We work to give you the benefit of our broad sector experience, our deep subject-matter knowledge and the latest insights from our work worldwide. It’s how Ernst & Young makes a difference.

For more information on how we can make a difference in your organization, contact your local Ernst & Young professional or a member of our team listed below.

Contact details of our Risk leaders

Global RISK Leader

• Paul van Kessel, +31 88 40 71271

Area RISK Leaders

• Americas: Jay Layman, +1 312 879 5071
• EMEIA: Jonathan Blackmore, +44 20 795 11616
• Asia-Pacific: Iain Burnet, +61 8 9429 2486
• Japan: Shohei Harada, +81 3 3503 1100