For years I have been thinking about Risk, Controls, Black Swans and Entropy; and more recently about Analytics and RPA. Only recently did I understand how these are all connected and how they affect large and small organizations – particularly in activities that are high-risk and strictly controlled. Sadly, these tightly controlled areas are often overlooked until it is too late. Which brings us to Risk and Controls.
Risk and Controls: Business processes rely on automated systems for controls and to support efficient and effective processes; and IT risks and controls are a part of, not separate from, business risks. In the current market conditions, marked by rapidly changing risks and tough economic conditions, testing of IT controls to address risks and opportunities is critical. The Chief Risk Officer (CRO) and Chief Audit Executive (CAE) have processes in place to identify and assess current and emerging risks and to report to senior management and the Board. Typically, these processes examine the inherent risk – risk before the application of controls – and then the residual risk – risk after the application of controls. So far, so good.
Today’s business environment changes rapidly to adjust to market conditions, evolving legislation and economic forces; and the risk process must keep pace with this rapid change if it is to properly identify and assess emerging risks and controls that can impact the achievement of business objectives. For many organizations, the existing procedures – manual and automated – used to mitigate the risks were developed prior to organizational change, growth and the current IT systems. As technology continues to evolve, new opportunities and risks emerge. Wikipedia, social media, e-mobility, cloud computing, and blockchain are but a few examples of how IT is changing the way organizations interact with their employees, suppliers, and even competitors. Technology offers opportunities but also increases risks around data leakage, security and privacy. Changing compliance requirements can further complicate matters. The result is that the original automated and manual controls are either not working or are no longer adequate. The CRO and CAE need to ensure that the IT systems supporting business processes are not obstructing the very risk mitigation and operational improvements they were supposed to achieve.
Audit and Risk professionals need to keep up with technology and its potential impact on business. In addition, they must understand that even tightly controlled processes and systems are at risk. Which brings us to entropy.
Entropy: A simple notion of entropy is a measure of uncertainty, disorder or randomness in a system. The Law of Entropy states that entropy is always increasing (this is really a probability statement). It means that systems will tend to move towards a more random, disordered state. Which brings us back to risk and controls.
A high-risk process or activity is likely to be subject to more controls (tightly controlled). As a result, when viewed from a typical risk perspective, the inherent risk is high, but the residual risk is low. This often means that the mitigating controls are not reviewed. However, entropy is working against the system of controls. Which brings us to ‘Black Swans’.
Black Swan – an unpredictable or unforeseen event, typically one with extreme consequences. Alternatively, an event that comes as a surprise and has a major effect. For example, a tightly controlled system failing, resulting in a high-risk event happening.
So, we have entropy which states that tightly controlled systems have a higher probability of moving to more disordered, uncontrolled states; and Black Swan theory that says unexpected events can and do occur. And yet, the CRO, CAE and most of senior management will ignore these activities because the residual risk is low. To be fair, it is also likely because the cost of constantly reviewing the adequacy and effectiveness of controls is high. However, the cost of analytical testing of critical controls is a tiny fraction of the cost of a manual review of the same controls. Which brings us to analytics and RPA.
Analytics and RPA: Data analysis and technology-enabled audit techniques are less obtrusive in today’s highly automated business environment. Business processes run on data, and this data allows for the full testing of controls – while having a minimal impact on operations and personnel. In addition, data analytic procedures are a much more cost-effective way to collect and analyze audit evidence. A study by the Audit Director’s Roundtable found that, for the same standard of evidence, analytic procedures cost $0.01 compared to $4.00 when performed manually. Despite this, Protiviti[i] reported that the use of automated control testing and Robotic Process Automation (RPA) is low, even though these technologies are a significant opportunity for organizations to build efficiencies and reduce the cost of testing controls. This is particularly true when the automated testing is performed on a continuous basis, as the initial setup costs will be spread over multiple testing activities. So why are more risk and audit professionals not embracing analytics?
The use of analytics and RPA to test the adequacy and effectiveness of a control in mitigating a risk requires an understanding of the cause and source of the risk, the operation of the control, and the business process relying on the control. Is the control still required? Does the current control address the root cause? Are there better ways to mitigate the risk? By answering these questions, you can identify unnecessary controls, ineffective controls, or better controls to address current and emerging risks. All of this may reduce the cost of controls while improving risk mitigation and operational performance. But it requires a combination of risk, IT, business process, and analytics expertise. Not all organizations can support and maintain this type of expertise when functions are often siloed and expertise localized. The quick solution is to hire the expertise.
River Automation and Analytics (RiverAA) can assist you. RiverAA has a proven track record of developing traditional analytical tests of controls and of applying AI and machine learning. Combining these approaches gives you the best of both worlds: the use of analytics to test for known risk and control weaknesses; and the use of AI and machine learning to identify unknown risks and control weaknesses. We have developed hundreds of SAP-based tests that identify and assess risks, and highlight control weaknesses, inefficiencies and fraud. The analytics can be run on a continual basis – to identify problems when they occur. The tests can be run out-of-the-box with minimal configuration or totally customized to your unique requirements. The results can be exported to Excel and displayed using Power BI graphics and dashboards, or even sent as real-time alerts to the appropriate management.
Conclusion: you cannot ignore high-risk areas simply because they are tightly controlled. Systems will naturally move toward uncontrolled states; and unlikely events can and do occur, often with devastating impacts. By performing continuous monitoring and testing of controls you can protect the organization from known and emerging risks while keeping costs at a minimum.
RPA and analytics can monitor segregation of duties controls, configurable application controls and business process controls; identify anomalies and outliers; perform regression and trend analysis; assess fraud risk; and produce real-time alerts and dashboards at a fraction of the cost of traditional control tests. It is not a question of whether you should be doing this, but when you are going to start.
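Two of the control tests named above (segregation of duties and outlier detection), written out as an added example that is not RiverAA's code or any SAP-delivered test. The role names, activity labels and the payment log are all constructed for illustration; the same two functions would run unchanged whether scheduled once or continuously, which is the point the article makes about spreading setup cost over repeated runs.

```python
"""Added example: two analytic control tests over constructed, SAP-style data.

1. Segregation-of-duties (SoD) test: flag users whose combined roles let them
   perform both halves of a conflicting pair (e.g. create a vendor and
   approve a payment to it).
2. Outlier test: flag payments whose amount is far outside the approver's
   usual range, using median + k * MAD (robust to the outlier itself, unlike
   a mean/standard-deviation z-score).

All identifiers and data here are hypothetical, not real SAP objects.
"""
from collections import defaultdict
from statistics import median

# Pairs of activities that one person should not be able to do alone (hypothetical labels).
SOD_CONFLICTS = [
    ("CREATE_VENDOR", "APPROVE_PAYMENT"),
    ("CREATE_PO", "RECEIVE_GOODS"),
]

# Constructed role -> activities mapping (what each role grants).
ROLE_ACTIVITIES = {
    "AP_CLERK": {"CREATE_VENDOR", "ENTER_INVOICE"},
    "AP_MANAGER": {"APPROVE_PAYMENT"},
    "BUYER": {"CREATE_PO"},
    "WAREHOUSE": {"RECEIVE_GOODS"},
}

# Constructed user -> roles assignments, as an access-control extract would show them.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},  # conflict: can create vendors and approve payments
    "carol": {"BUYER", "WAREHOUSE"},    # conflict: can order goods and confirm receipt
    "dave": {"AP_MANAGER"},
}


def sod_violations(user_roles, role_activities, conflicts):
    """Return sorted (user, activity_a, activity_b) tuples, one per conflict a user can perform."""
    violations = []
    for user, roles in user_roles.items():
        activities = set()
        for role in roles:
            activities |= role_activities.get(role, set())  # union of all granted activities
        for a, b in conflicts:
            if a in activities and b in activities:
                violations.append((user, a, b))
    return sorted(violations)


# Constructed payment log: (payment_id, approver, amount). P6 is the planted anomaly.
PAYMENTS = [
    ("P1", "dave", 1200.0), ("P2", "dave", 1350.0), ("P3", "dave", 980.0),
    ("P4", "dave", 1100.0), ("P5", "dave", 1275.0), ("P6", "dave", 48000.0),
    ("P7", "bob", 500.0), ("P8", "bob", 520.0), ("P9", "bob", 495.0),
    ("P10", "bob", 510.0), ("P11", "bob", 505.0),
]


def amount_outliers(payments, k=5.0, min_history=5):
    """Flag payments whose amount deviates from the approver's median by more than k * MAD.

    Approvers with fewer than min_history payments are skipped: too little baseline
    to call anything an outlier, which avoids noisy alerts for new approvers.
    """
    by_approver = defaultdict(list)
    for _pid, approver, amount in payments:
        by_approver[approver].append(amount)
    flagged = []
    for pid, approver, amount in payments:
        amounts = by_approver[approver]
        if len(amounts) < min_history:
            continue
        med = median(amounts)
        mad = median(abs(x - med) for x in amounts)  # median absolute deviation
        if mad == 0:
            continue  # all amounts identical; no spread to measure against
        if abs(amount - med) > k * mad:
            flagged.append((pid, approver, amount))
    return flagged


def run_control_tests():
    """Run both tests and return alert records in the shape a dashboard or alert feed would consume."""
    alerts = []
    for user, a, b in sod_violations(USER_ROLES, ROLE_ACTIVITIES, SOD_CONFLICTS):
        alerts.append({"test": "SOD", "subject": user, "detail": f"{a} + {b}"})
    for pid, approver, amount in amount_outliers(PAYMENTS):
        alerts.append({"test": "OUTLIER", "subject": pid, "detail": f"{approver} approved {amount:.2f}"})
    return alerts


if __name__ == "__main__":
    for alert in run_control_tests():
        print(alert)
```

On this constructed data the SoD test reports bob and carol, and the outlier test reports P6 (48,000 against dave's median of about 1,237), while bob's tightly clustered payments produce no false alarm. In practice the role and payment extracts would be pulled from the system of record on a schedule, and the alert records fed to a dashboard or ticketing queue rather than printed.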
[i] Protiviti: Benchmarking SOX Costs, Hours and Controls. https://www.protiviti.com/sites/default/files/united_states/insights/sarbanes-oxley_survey_2018_protiviti.pdf