Metric analysis

The best performers automate 40% of primary controls: indicator of the month

If you’re not already automating your internal controls, you should.

The cost of controls technology has dropped dramatically as its capabilities have increased. Automation of advanced controls is now accessible even to small organizations, and the return on investment is high. Not only does automation effectively identify risk, but it can also allow your team to focus on high-value work while providing detailed insights and analytics to help you better understand many aspects of your business.

Perry D. Wiggins

Automating at least some of your internal controls is quickly becoming the bare minimum for effective corporate governance these days. But automated controls need to send the right alerts to the right people to be fully effective. After reviewing cross-industry benchmarking data on the prevalence of primary control automation, we highlight the benefits of automated controls and discuss the importance of having the right reporting and communication structures in place for them.

Based on responses to its internal controls survey, APQC finds that the lowest performers (organizations in the 25th percentile) automate only 15% of their primary controls. The top performers automate more than double that share of their core controls, at 40%. (See table below.)

Why you should automate primary controls

Organizations with a higher percentage of automated internal controls have better safeguards to reduce the risk of fraud, protect their business assets, prevent costly human error, and ensure accurate financial records.

There will always be a need for qualified finance professionals to assess the risk of any misstatement identified by internal controls. However, when internal control processes rely heavily on manual intervention, the opportunity for fraud and abuse to occur and go undetected increases greatly. Organizations that have automated a high percentage of primary controls have a more comprehensive approach that provides greater confidence in protecting organizational assets.

Automating internal controls allows organizations to quickly analyze huge volumes of data from multiple systems, flagging potential fraud patterns as they occur. Instead of a laborious and hands-on process of performing spot checks on random samples of data, automated bots work continuously in the background, doing the tedious work of analyzing everything from emails to purchase orders, looking for patterns and anomalies, and flagging outliers for further investigation.

Automating this process frees auditors from manually digging through records and gives them more time to dig deeper into red flags and determine if there is a logical explanation for irregularities. Automated checks also detect common errors that can be corrected before they become vulnerabilities for the organization.

Inform the right people

Imagine a vehicle with modern diagnostic systems capable of detecting low oil, faulty sensors, failing brakes or other mechanical issues. These extensive detective checks will make no difference if the computer never communicates the information to the appropriate personnel – in this case, the driver.

Likewise, as we increase our reliance on technology to perform internal control activities, the flow of information and communication to the right people becomes increasingly critical. Top performers ensure their organization can answer questions such as:

  • How do I know if the control is working?

  • How do I know if the check has worked?

  • Who in the organization is responsible for receiving reports and logs of control activities?

  • Based on the information you receive, can you diagnose when the automated controls are not working as expected and make the necessary corrections?

When creating your communication flows, you need to think about the reporting structures that will work best for your organization. If reports are delivered via a dashboard on the home page of your ERP system, are you sure executives and staff will see these screens when they log in? If reports are delivered via system-generated emails, are you sure employees will read them?

I have to admit that, as CFO, I often pick out the emails that are most important to me while ignoring the others – your colleagues and employees will probably do the same. Large organizations set up reporting structures and communication flows in a way that makes sense for their culture and, where possible, gives people choice in how they can view and consume the information.

When automated controls are implemented effectively, the data they produce is useful for many types of decision support beyond auditing. An automated system that detects unusual extremes in employee expense reports can also be used to study average expense costs for various cities where the organization operates. When this data is combined with sales plans, it’s easy to accurately plan next year’s business travel.

If your organization has a lower percentage of automated primary controls or none at all, it’s time to take a look at the tools that can help you process a lot more data, more thoroughly, and in less time. When implemented well with the right reporting structures in place, you’ll wonder how your finance team ever got along without them.

Perry D. Wiggins, CPA, is Chief Financial Officer, Secretary and Treasurer of APQC, a nonprofit benchmarking and best practices research organization based in Houston, Texas.