
Insights on governance, risk and compliance

January 2013

Smart Control
Transforming controls to reduce cost, enable growth and keep the business safe

Contents
Introduction
Value of Smart Control
Discovering pain points in your control environment
Our approach to achieving Smart Control
Risk and Controls Analysis Platform (RiCAP™)
Want to learn more about Smart Control?

Companies that align risk management with strategy protect and enhance shareholder value. Companies in the top 20% of risk maturity generated three times the level of EBITDA as those in the bottom 20%. Financial performance is highly correlated with the level of integration and coordination across risk, control and compliance functions.
Source: Turning risk into results, Ernst & Young, 2012.


Introduction
There is a common failure to recognize controls as foundational to all business processes and a key contributor to process costs. Our experience indicates that up to 30% of process cost relates to controlling activities including reviewing, approving and reconciling process activities as well as securing access and data. In addition, there are significant testing and assurance costs associated with control-related activities. Despite this significant spend, today's control environment is not fit for purpose.

A company's control environment should support the execution of a profitable growth strategy. However, many organizations view their control environment as expensive, of limited value and, in some cases, a hindrance to the agility needed to respond to a dynamic economic environment.

The following are common trends in controls for large multinational companies:
• Companies spend increasing amounts on control without any real ability to quantify the outflow or gain certainty that they are achieving the expected return on investment. Despite these expenditures, companies still experience significant control deficiencies and, as a result, are still exposed to risks. As companies have allocated material resources in response to years of growing regulatory pressures, they have accumulated layers of redundant, ineffective and misaligned controls. Moreover, attempts to optimize these controls have primarily focused on reducing the level of testing and monitoring, forfeiting any real opportunities to drive efficiencies in the operation of controls.
• Companies have developed control systems that are complex, duplicative, manual and disconnected from business operations. Instead of addressing the root cause of deficiencies, many organizations respond by installing controls in duplicate or even triplicate. We frequently find that up to 40% of controls are duplicative or can be removed because they are misaligned with the risks deemed most important to the business.
• ERP systems are generally underutilized. While companies have invested heavily in ERP systems, which often have built-in features to monitor financial or business controls, most only harness a fraction of their value. A 2011 Ernst & Young survey on risk management (Turning risk into results, 2012) revealed that only 3% of the executives surveyed have fully automated more than half of the key controls available through the system, while only 22% had automated more than a quarter of the key controls.

Organizations also have to contend with a lack of transparency and confidence. Despite the significant investment we've mentioned, many stakeholders still report that they are not confident that controls will mitigate unforeseen risks from internal influences (e.g., operational deficiencies, employee turnover) or external influences (regulations, economy, customers and suppliers).

In addition, strategic initiatives such as process transformation, shared service and outsourcing, offshoring, enterprise cost reduction, and mergers and acquisitions often change the risk profile of an organization, including risk tolerance, likelihood and impact. Organizations often fail to consider the impact of these initiatives on controls and often do not realign controls with the new strategic focus of the organization. This can and does strain performance and drive up execution costs.


Value of Smart Control

Organizations have been reluctant to consider opportunities to remove excessive costs from controls. There is a common fear that streamlining controls would reduce quality and expose the enterprise to risk. Even where organizations recognize there is an opportunity to improve their approach to controls, we believe they often adopt a suboptimal response that does not realize the full potential benefit. For example:
• Deploying a monitoring tool on top of the existing controls rather than addressing the root cause of control deficiencies
• Retrofitting instead of integrating controls to an existing transformation program such as an ERP implementation or shared services program
• Not considering the changes needed in organizational design, technical proficiencies and behavior to reduce risk
• Using compliance or assurance requirements as a lever to enforce change instead of motivating change as a business imperative

Companies are not fully leveraging automated controls


More than one out of five companies (22%) do not leverage automated tools to manage governance, risk and compliance (GRC) and rely solely on manual efforts. Four out of 10 companies indicate that too much staff time is consumed in managing IT risk issues, but only 14% of respondents indicated that 51% or more of their GRC-related controls are automated.
Source: Joseph McKendrick, Moving to New ERP Environments: 2011 OAUG Governance, Risk and Compliance Best Practices Survey, Unisphere Research, February 2011.


We have challenged these paradigms by helping our clients simplify their process and controls to be efficient (optimal costs and timely) and effective (preventive and detective) and focused on the risks that matter most. Ernst & Young has developed a Smart Control approach that helps companies realize reductions in the cost of controls, enable growth and keep the business safe by creating an integrated, streamlined and dynamic control environment. Our Smart Control solution can deliver the following:
• Reduced controls spend: considers the key drivers for controlling spending, calculating the costs, and comparing financial outlay to risks and acceptable levels of risk exposure. This approach identifies any spend on controls that is not aligned with the company's risk profile and initiates an effort to transform or overhaul the process.
• Improved accountability for risk: supports the assignment of key risk assessment and mitigation activities to key people throughout the organization, empowering employees to manage risk through ongoing communication, training and reporting.
• Accelerated process execution: eliminates or automates labor-intensive, duplicative or unnecessary process and control activities.
• Alignment with strategy: to confirm how well strategic objectives are supported by clearly defined and prioritized risks, as well as risk management effort/resources. When strategies, risks and controls are misaligned, the organization needs to look for ways to transform processes and realign workflows as necessary.

Balancing value, cost and risk in their processes and controls helps companies create a competitive advantage.

[Figure: Smart Control at the center of four outcomes: align with strategy, reduce controls spend, accelerate process execution, improve accountability for risk]

An integrated, streamlined and dynamic control environment provides the agility to anticipate and respond to changes.

We help companies realize 20% to 40% reductions in the cost of controls by creating an integrated, streamlined and dynamic control environment.


Discovering pain points in your control environment

Complete the following questionnaire to evaluate key indicators of maturity for your control environment: controls spend, accountability for risk, process execution and strategic alignment.

Rating: 1 = Strongly disagree, 5 = Strongly agree

Attributes of your control environment


Controls spend
• Amount spent on control design, execution and monitoring is visible
• Controls are aligned with risk tolerances
• Automated controls are fully leveraged
• Preventive and detective controls are properly balanced
• Ownership (responsibility) for each control is defined
• Controls are standardized across business units
• Entity-level and monitoring controls exist and are reliable
• Control redundancies are minimal

Accountability for risk
• Board and management are structured to provide effective oversight and management of risk
• Communication to stakeholders is consistent and effective
• The assignment of responsibilities for risk and control activities is timely and consistent
• The organization is effective in leveraging technology

Elements assessed below 3 (agree) may be indicative of an opportunity for improvement to confirm your control environment is well designed, understood and operating effectively. Leading control environments affirm agreement to strong agreement with each of the elements presented in this questionnaire.



Process execution
• Internal controls make process execution more effective
• Metrics and reporting are used to monitor process effectiveness
• Processes and initiatives directly support strategic objectives
• Processes are standardized throughout business
• Policies and operating procedures are periodically reviewed and updated
• Resources and competencies are sufficient to support process objectives
• Information technology is used to make processes more efficient

Alignment with strategy
• Risks taken are aligned to your business strategies and objectives
• Risk management activities are integrated with planning and execution
• Your acceptable level of risk is defined and communicated
• Change management is employed and tracked to support new strategies
• Your enterprise risk management plan is robust and well communicated
• Metrics and reporting are used to monitor strategic initiatives
• Strategic plans and initiatives are documented and communicated


Our approach to achieving Smart Control

Ernst & Young's Smart Control approach is a well-defined work plan that leverages normative process and control models and data analysis to help clients build a business case, design and implementation plan for controls transformation. In the same way that shared services have driven the efficiency of finance functions, the ultimate goal of this approach is to provide controls as a service to realize efficiencies, embed new working practices and create a sustainable operating model for controls.

Optimizing a control environment


Ernst & Young helped the company create a single streamlined set of controls and embed the controls into its ERP system (SAP) to provide real-time assurance that the control environment was working effectively. The company anticipates that the new control environment will help it reduce control costs by 50% and absorb future growth in the business without incurring higher costs.

Controls are not well aligned with the risks that matter
A study by the Economist Intelligence Unit found that half of those responding had gaps in their coverage of risks even though a majority had seven or more risk and control functions across the business. Only 55% of respondents plan to use a formal risk management methodology when they upgrade their ERP system.
Source: The future of risk, Ernst & Young, 2009.


[Figure: Smart Control approach. Phases: develop strategy; design and build; run and operate. Steps: understand the opportunity; create zero-based controls framework; leverage existing or invest in new technology enablers; embed low-cost, effective, sustainable operating model.]

• Create clarity, alignment and commitment in the business
• Understand the current state of the control environment including the proficiency of risk management functions
• Understand control cost drivers and compare to benchmarks
• Align business case to overall enterprise strategy

• Create a business case and execution plan
• Design a zero-based controls framework aligned to process objectives
• Evaluate technology enablers and integrate into existing technology infrastructure

• Create a functional operating model
• Execute new control capabilities applying a cost-effective operating model
• Document revised control model
• Execute, monitor and remediate new controls
• Measure return on investment

Zero-based controls framework: a single, global, streamlined set of controls aligned to risks that matter, leveraging technology and implementing continuous monitoring capabilities


Smart Control: a four-step approach


Key steps

1. Understand the opportunity
• Align stakeholders across the organization: create a shared understanding of the opportunity
• Benchmark performance against Ernst & Young's reference models
• Evaluate the alignment of process and control activities to business and strategic objectives
• Identify high control cost areas as well as over- and under-controlled areas, and prioritize improvement opportunities
• Deploy proven reference models for Smart Control covering process, risks, controls, and system design and build for financial and operational processes

Ernst & Young's input:
• Acceleration event to stimulate and engage
• Cost and alignment analysis through Ernst & Young's proprietary RiCAP tool
• Risk tolerance maturity framework for business processes
• Benchmarking and peer comparison to challenge perception and illustrate potential
• Process- and industry-specific normative models and ERP controls models
• Business case preparation

2. Create a zero-based controls framework
• Design and build zero-based control set that is aligned to and supportive of business and strategic objectives
• Challenge and justify every control in alignment with risk tolerance levels
• Eliminate unnecessary manual activities

Ernst & Young's input:
• Risk management and governance organizational design that defines accountability for risks and controls
• Control environment maturity assessment
• Process, risk and controls mapping and automated process control playbook
• Control automation and optimization advice


3. Leverage existing or invest in new technology enablers
• Implement automated prevent controls within existing IT systems and processes
• Make better use of out-of-the-box systems capability to turn on prevent controls
• Review master data standards and processes
• Embed control operation into the fabric of the business process and governance structure
• Target the most labor-intensive areas first to drive efficiency
• Select and implement relevant GRC tools to automate control execution and monitoring activities
• Promote transparency through dynamic dashboards and reporting
• Accelerate benefits delivery through insightful analytics

Ernst & Young's input:
• ERP design/architecture
• Automated control implementation
• Controls design
• Process, risk and controls analytics
• ERP GRC module implementation
• Controls testing
• Continuous controls/process monitoring design
• Control self-assessment
• Program risk management

4. Embed low-cost, effective, sustainable operating model
• Design the operating approach, consolidating control monitoring and reporting activity to a single controls shared services function
• Implement new ways of working
• Continuously improve and automate controls life cycle (design, operate, monitor, remediate and report)

Ernst & Young's input:
• Organizational design
• Change management
• Service implementation guidance
• Benefits realization advice

Top-performing organizations use analytics five times more than lower performers. Leading companies were twice as likely to use analytics to guide future strategies as well as to guide their day-to-day operations as lower performers.
Source: Turning risk into results, Ernst & Young, 2012


Risk and Controls Analysis Platform (RiCAP™)

Ernst & Young has developed a technology platform called RiCAP™ to evaluate an organization's control environment and identify opportunities for Smart Control. This platform evaluates key inputs, such as enterprise objectives, risks, controls, cost drivers and acceptable risk levels. The results provide insight on areas that are over- and under-controlled.

Understand the control environment and alignment with strategic objectives

[Figure: RiCAP™ (Risk and Controls Analysis Platform) workflow. Current state inputs: strategic objectives, business objectives, entity-level risks, processes, transactional level risks, controls, IT impact, degree of risk (risk tolerance) and control cost drivers. Steps: collect process, risk and control data (including cost of controls); analyze risk and control data; identify gaps and improvement opportunities. Other labels in the figure: output reanalyzed by RiCAP™, needs improvement, over/under controlled, prioritized improvement opportunities, future state design, continuous monitoring.]

RiCAP™ provides actionable data and reports that can be shared with multiple stakeholders and used to support a business case for transformation. The output helps organizations to:
• Align control expenditures to meet organizational objectives
• Compare spend to the risk profile and degree of risk
• Identify potential process inefficiencies and risk exposure
• Identify controls that are unmapped to any risk, resulting in immediate cost savings

Tools and enablers


[Sample assessment report slide: Client Name Controls Transformation, Detailed Assessment Summary]

Detailed Assessment Results
Alignment with strategy: Risks that do not correlate to strategic objectives

This slide should be used to list out risks that are currently being tracked and mitigated by the process but do not directly correlate or impact the defined strategic or business objectives of the process and organization. The objective of this analysis is to determine the cost that is being spent on managing risks that do not matter and identify improvement opportunities to address this issue.

The following risks are included in the current risk listing but do not directly correlate to the <Organization's Name>'s strategic/business (select one) objectives:

Example:
Description of Risk: Manual depreciation entries for fixed assets are not accurately calculated and recorded.
Process Name: Record to Report
Estimated cost of controls: $200K
Other impacts: Current ERP system is not being fully leveraged
Improvement Opportunity: Evaluate current risk management function at a process level; consider automating manual controls

Standardized data collection templates

RiCAP data analysis platform

Dynamic reporting tools for analysis results

Assessment report design

RiCAP™ and our overall Smart Control approach are designed to accommodate the unique needs of more than 16 principal sectors. We combine our industry-specific perspectives and deep risk and controls experiences to create tailored solutions for our clients.


Want to learn more about Smart Control?


After an initial exploratory discussion to understand the challenges you are seeking to address or that have been revealed through your completion of the questionnaire in this brochure, Ernst & Young will conduct a free interactive workshop for your executive team to help your organization in exploring the potential benefits of the Smart Control approach.


Ernst & Young Assurance | Tax | Transactions | Advisory


About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

About Ernst & Young's Advisory Services
The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 25,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specific issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It's how Ernst & Young makes a difference.

© 2013 EYGM Limited. All Rights Reserved. EYG no. AU1355

In line with Ernst & Young's commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content. This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

How Ernst & Young makes a difference


At Ernst & Young, our services focus on our clients' specific business needs and issues because we recognize that these are unique to that business. Effective risk management is critical to helping modern organizations achieve their goals and it offers the opportunity to accelerate performance while protecting against the uncertainties, barriers and pitfalls inherent in any business. Integrating sound risk management principles and practices throughout operational, financial and even cultural aspects of the organization can provide a competitive advantage in the market and drive cost-effective risk processes internally. Our 6,000 Risk professionals draw on extensive personal experience to give you fresh perspectives and open, objective support wherever you are in the world. We work with you to develop an integrated, holistic approach to managing risk and can provide resources to address specific risk issues. We understand that to achieve your potential, you need tailored services as much as consistent methodologies. We work to give you the benefit of our broad sector experience, our deep subject-matter knowledge and the latest insights from our work worldwide. It's how Ernst & Young makes a difference. For more information on how we can make a difference in your organization, contact your local Ernst & Young professional or a member of our team listed below.

Contact details of our leaders


Global
Paul van Kessel, +31 88 40 71271, paul.van.kessel@nl.ey.com
Randall J Miller, +1 312 879 3536, randall.miller@ey.com

Areas

Americas
Michael L. Herrinton, +1 703 747 0935, michael.herrinton@ey.com
Bernard R. Wedge, +1 404 817 5120, bernard.wedge@ey.com

EMEIA
Jonathan Blackmore, +44 20 795 11616, jblackmore@uk.ey.com
Manuel Giralt Herrero, +34 91 572 7479, manuel.giraltherrero@es.ey.com

Asia-Pacific
Jenny S. Chan, +86 21 2228 2602, jenny.s.chan@cn.ey.com
Rob Perry, +61 3 9288 8639, rob.perry@au.ey.com

Japan
Yoshihiro Azuma, +81 3 3503 1100, azuma-yshhr@shinnihon.or.jp
Haruyoshi Yokokawa, +81 3 3503 2846, yokokawa-hrysh@shinnihon.or.jp

ED 0114
