How to Build and Integrate Internal Controls, Governance and Technology

Jason Juliano:And I'm Jason Juliano. I'm the Director and Practice Leader for Digital Transformation within EisnerAmper Digital.

JR:
So with the topic today, we talk about this a lot and I'm super excited that we're actually talking about it again, given that everything is going on in the world. The looming recession, digital transformation, you name it, we've been talking about this for 10 years.
So the first thing I want to bring up is just overall definition of the convergence of internal controls, governance, and technology. Why is it so important? And I think it's good to level set, right, build the foundation.

And I'll start with internal controls. The most important thing in internal controls is really recognizing that there are activities that mitigate risk, right? I talk about peace of mind quite a bit, and we talk about it as a group, peace of mind around risk and opportunities. So internal controls are all the things that we do, an organization, personally and professionally, that we do to make sure that we're mitigating risk, but also seizing the opportunity. So I like to define it that way.

When it comes to governance, it's really about oversight, right? Monitoring things that are happening within those activities, the things that we receive, whether it be data, information, reports. So what the boards do, what executives do, what we even do within the firm and within EisnerAmper Digital, I think that's important.

And then obviously technology. How much more technology have we implemented over the years, even with the pandemic? How many things are we doing with tech today? And I use an analogy a lot about our homes, right? When you think about your house, your internal controls are really about the alarm, maybe the dog that's in the house, the roof over your head. What is the roof doing? It's really preventing the rain to come in. So you have these preventative and detective controls, right?

How do you govern? As a family, you have certain governance and oversight over the home, right? You may be looking at your expenses. You may be looking at certain things in the home that you need to do. And then with technology, think about all the things that we have in our house, the Alexa. I can open my garage from my phone. I could turn on my washing machine, right? All the internet of things, how am I making sure I'm watching over those things? So I want everybody to think about that as they look at internal controls, governance, and tech. And that definition, I think, resonates with a lot of our clients as well.

So can you guys briefly explain the relationship between the three, internal controls, governance, and tech, and how they come together? So Nina, can we start with you?
NK:Sure. So I truly think it all starts with governance and what we like to think of as tone at the top and really leading by example.

So what that means is if you're the leader of your household, your kids are going to emulate what they see their parents do. It's similar with companies, in that if executives are living and breathing controls and technology and oversight, that's what the rest of the company will do. And so really, when you take a look at internal controls, they only work when they're integrated into business process.

And then technology really can enhance the speed at which controls can be executed, the amount of effort that it takes for controls to be executed. And really then it rolls back to governance and oversight, because you're able to get better data with technology as to what's going on in your control environment. And then that feeds back into governance.
JJ:That's great. So in my past life, I actually headed up information risks, operation risks, cybersecurity. And from my perspective, it's all about the business processes. It's all about the controls that you have to mitigate those risks within your processes. So you need to fix that first before looking at technology. Technology's a tool to help you monitor those specific risks that could happen, help you monitor which controls are deficient, help you monitor what's working, what's not working, aligned to your business processes.
JR:So in essence, they have to come together.
JJ:Right.
JR:For sure, they have to integrate.
JJ:And leveraging technology to integrate that, right?
JR:Yeah. So why is it so important to do this now, given what's going on? Obviously, people hear in the news, the FTX crash. Many years ago, when Sarbanes-Oxley came out, we had the Enron fraud and everything that went on there. And with public companies having the report on their risk and controls, just a lot going on, right, especially with digital transformation. So tell me why it's so important to bring it together.
JJ:So like I mentioned before, technology is the glue that ties everything together, right? So you're leveraging technology to basically bring in your risk and controls library, looking at external risk factors, right, looking at the what's happening in the market today, and then leveraging risk management tools to help you monitor and stay in control of those new underlying business processes and risks associated to the condition of the marketplace today.

So one of those use cases could be preventing fraud, right? Today, we are leveraging AI to look at specific risks, look at transactions, and identify more from a preventative perspective what possible frauds that you have, and then bringing down, communicating that to either the board or the line of business managers.
JR:Right. And it sounds like it's really difficult in this day and age to not have it integrated, right, to do it effectively-
JJ:Right.
JR:... to mitigate risks effectively, even given the recession that everybody is thinking is going to happen. That's at the top of everybody's mind, especially at the board level. And certainly, cybersecurity is still a big issue, right? So these are probably the top two that I would say they're thinking about. And then how do we actually keep our talent going? So it sounds as though these three elements, it's really more important now than ever to bring them together, especially the technology piece that you're talking about.
JJ:Yeah. And the regulators are increasing their processes and guidance and rules. And the SEC right now is telling companies that they have to disclose their cybersecurity activities within their financial reports.
JR:Right. Right.
NK:That's other thing. Management has to say how their internal control environment's effective, and you have to disclose that to the public. Oftentimes, they have a conversation with our clients, and it's really centered around... Management's like, "Well, I think everything's great." And okay, that's great that you think everything's great, but the harder, more scrutiny that the PCOB puts on your external accountant, your external order is going to look for more from management.

So that's great that you think it's great, but now you have to show us how it's great. And that becomes a very manual exercise and laborious, which, if you can incorporate technology into doing it, will not only help with governance, but it'll also help you show that everything's great by either providing an audit trail or a change log and things of that nature.
JR:Yeah. We have to do more with less, right?
JJ:Yeah. Yeah.
JR:At this point in time. So-
JJ:Especially this year, right?
JR:Exactly. Exactly.
JJ:So Jerry, let me know what your insight is on how companies could integrate and create our approach around internal controls, governance, and technology.
JR:Yeah. It's interesting because this has been at the forefront ever since I've been here at the firm for almost 19 years, and even several years prior to that, with a passion for technology and trying to bring that in. But the real steps that they need to take starts at the top, right? Someone needs to be a champion.

And you also need to look at risk appetite and risk tolerance. There are many companies that don't necessarily have to check every box. But what's important to you and how does that relate to strategy? So to effectively integrate the three, we really have to think about where you can actually mitigate the right risks. And you have to talk about that. These are discussions, even in a change management exercise with executives and boards, that need to happen. And when they do, usually you get to the right place in terms of focusing your attention on the right areas.

And then you can start to integrate the technology into an area that's important. And one big problem that I've seen and I've seen a lesson learned, so there's good and bad in this. The good, I would say, starting there, is when you do that, again you're focusing your attention. You're able to implement the right technology. The bad is the reverse of that. So in essence, if you don't have a good risk assessment, you don't know where your risks are, and you don't even know what your appetite is, you potentially may bring the technology in, and you could spend a lot of resources and dollars doing that without actually focusing that technology on the right areas. And again, that's ineffective.

So when it starts at the top and the culture's built, and you bring that risk management exercise into play, and that's part of the culture, usually it works out very well and you get the return on investment.
JJ:Yeah. It's like creating a culture of compliance, right-
JR:Right.
JJ:... from the top and bottom up.
JR:Yeah.
JJ:Nina, you got anything to share?
NK:No. Just, well, I guess really that risk assessment. Many companies start easy with just going down their financial statement risks. But that's not the full picture of the risks of a company. So we're really talking about taking a step back, looking at your risks across the enterprise. What are your operational risks? Where are your fraud risks? Even as we integrate technology, that also means then there's a little bit more technology risk and how the culture of compliance then applies to new and emerging risks and really how the company deals with them.
JR:Yeah. And one other area just on that, when you talk about monitoring, so let's say we do this risk assessment, and we've had this happen across many clients, they do a risk assessment, sometimes robust, sometimes not enough. But when it's robust, you have to actually monitor these risks. And again, that's where the technology comes into play.

Many times, we see clients think about that at the end. And you really need to plan for that right at the beginning. You need to understand how you're actually going to look at the reporting, the managing, the measuring, and the monitoring of that risk assessment, because down the line, you actually want to monitor it. And what you find out is you probably have too many risks. Maybe you can't monitor all of them. So then you can truncate them. But that's a big consideration that you have to think about.
NK:Right. And that-
JJ:And... Yeah, sorry.
NK:Sorry. Go ahead.
JJ:Go ahead.
NK:I was going to say, and that exercise is ongoing. In the past, companies would maybe do that once every three years. That's just not enough these days, right? As you maybe undergo an internal audit of an area, you constantly are updating your risk assessment. When you hear things in the news such as FTX, it causes people to take a step back and say, "Oh, do we have that risk here or not? And how are we preventing it?" So it's a living, breathing document.
JR:Yeah. Absolutely.
JJ:Yeah. I was going to say part of that risk assessment is also understanding and doing a business impact assessment, understanding the line of business, understanding the applications within those business, and then if there's outages or potential risks, making sure that you have controls and availability plans to cover on those specific impacts.
JR:Jason, what opportunities do you foresee integrating? And can you talk a little bit about the technology that's being used in this space?
JJ:Sure. Absolutely. So with new ERP systems, they're looking at access management specific processes around segregation of duties within those access management. There's tools also on the identity access management side, where you're provisioning across the firm, you're looking at what controls you have within those provisionings, re-certifying access per user, per access rights.

Some additional tools are monitoring. There's a big hack with SolarWinds many years ago, but the hack actually affected thousands of companies, because SolarWinds, their managed service model was tied into data, tied into that specific company. So there was potential risks all over.

So having tools, really looking at access management, audit logs, monitoring, these are the type of tools that you have to leverage to create a better risk program for your business.
JR:Yeah. And with technology or with the data, right, we have so much more data today, it's more important than to have that analytical mind or that mindset that we can bring the monitoring tools into play so we can actually analyze what's going on with that data.
JJ:Yeah. Yeah. And we see leveraging data analytics programs to pull in audit data, for instance, and looking at what are the outliers, right? If you have potential access issues or you have issues around multi-factor authentication breaking for specific applications as we create these open platforms, right, there's risk potentially on each of those applications. So have you done a proper risk assessment on all those applications?
JR:Yeah. And on the technology side, I want to add one thing. So what if I'm using the Microsoft stack or my existing ERP has some of this capability, but I'm actually not using, it's not enabled? We talk about technology enablement a lot, right? So can you talk a little bit about how that gets integrated? Because I know Microsoft and Power BI and Power Automate and a number of different tools are really coming into the organization. Maybe they're not using it, but I know we've helped a number of clients actually do that. Can you talk a little bit about that?
JJ:Yeah, yeah. Absolutely. So depending on the company, the industry, there's many companies that have more enterprise resource planning tools, where it's a single pane of glass. There's other companies that have several point solutions.

So we're coming into these engagements really looking at how these separate disparate systems are connecting to each other, and then figuring out how we leverage data analytics, AI automation. Even with ERPs now, they're incorporating automation and AI. But there's still disparate solutions out there. There's not processes that are covered with one solution.

So we come into play to make sure that we're connecting all those solutions together. We're creating good business processes for our clients.
NK:What would you say then for companies that are mid to smaller size, that they say, "Maybe I don't need a full ERP solution?" Is there ways they can incorporate technology perhaps to help with their budget constraints by not having a higher additional head count? What would you say on that?
JJ:Yeah, absolutely. So from my perspective, ERPs are going through a maturity cycle where it's not the best solution or it may not be the worst solution for you. So depending on the business, if it's a small manufacturing company, they may have a legacy manufacturing resource planning tool that's 25 years old. So it may not make sense to go into an ERP. But they'll have disparate systems.

So we just have to go in there, making sure the systems talk to each other, to give leadership better decision making and even take that data and do more predictive analytics where they see patterns within their business and react quickly and make smarter business decisions.
NK:So there are things that can be done without a huge-
JJ:Absolutely. Yeah.
NK:... investment of capital.
JJ:Yeah.
NK:So we've talked a lot about the benefits of integrating governance, internal controls, and technology. But Jerry, can you talk a little bit about some of the challenges you foresee?
JR:There are so many right now, actually more than ever. Just again, we talked about the environment that we're in. I could tell you that boards are certainly concerned about oversight today, especially going into 2023, providing more oversight, right, changing the way they have a cadence with management.

So one challenge may be having that expectation set with the board. So if you're management, what is the board really looking for? Where do they see the risk assessment going? What do they want to focus on? Because they will pay more attention going into 2023, especially as we still have this looming issue with getting the right talent, et cetera. So that's one challenge.

And then with management, I think it's still having that champion, being able to make sure that the tone at the top is set the right way, and setting that expectation throughout, so management and then into operations. That's going to be really key as we go through 2023 and setting the stage for internal controls and governance and technology.

We talked a little bit about the regulators and even the external auditors. Nina, you brought that up. I think there's going to be a lot more scrutiny. So the challenge is being ready for that as well. So taking all of this in and setting the stage right in that planning process, just like you would do in a budget process, you want to make sure that it's still nimble, that you can pivot and change, but ultimately be ready to set the stage right from the beginning.
JJ:Yeah. So, yeah, I think spending more time with risk management, too, planning, as you mentioned, looking for champions from a change management perspective, creating that culture of compliance is important.

I said this many times, but technology's a tool. It's not a solution to solve your business needs, right? You have to fix your business processes first. You have to make sure you have the right people, you have those enablers, you have those innovators, you have those people that incorporate that culture of compliance, right? You fix that, and then you use technology as a tool to enable those solutions, whether it's monitoring, leveraging, pulling a lot of these controls into place, looking at external regulatory situations, pulling that, making sure that you have proper controls to adhere to some of those regulatory requirements.
JR:Yeah. In a lot of ways, we talk about team and culture, continuous improvement, and technology enablement. And in some ways, we can change roles, too, to make sure that we align to that, bringing the right people to the table, and in essence, maybe even assessing our people differently. So going to people, process, and technology is really important. That's a challenge. You really do have to think about that. This requires a lot of thought.

And what I would suggest to all of our clients... And I know we have, and we met with them in sessions around change management. And when you think about change management, you don't think of controls. But in essence, if he sets a stage with change management first, you're going to go down the path of creating the right culture. So that's really important.
NK:Yeah. I think maybe listening to the naysayers and getting them to see the importance of integrating the three will add to the culture and moving it forward.
JJ:Yeah. And making those naysayers into your cheerleaders, right?
NK:Mm-hmm.
JJ:What's waking them up in the morning? And how can we create a culture of compliance that they'll basically jump onto?
JR:And so Jason, who do you think in the organization needs to take the lead in implementing proper internal controls, governance, and tech?
JJ:So I would say it's a group environment where everyone takes the lead, right? So it's your chief risk officer, your chief compliance officer, your head of information risks, your CEO, your CEO of the line of business leaders. So everyone has to collaborate and identify the potential risks that they have within their line of businesses, but also as an organization. So I think it's everyone's responsibility and everyone should be accountable for it.
NK:And I would say that was specifically addressed around the lead, but all stakeholders in the company, which are all of the employees, really need to, as you said, be cheerleaders or champions.

So controls aren't so that someone's looking to get you or see if you're doing something wrong, right? The technology's not to put people out of a job. It's to look at the positives of controls and oversight and technology. It's to free up your time so that now you can start analyzing more. You can invest your time in other areas of the business and grow.
JR:Yeah.
JJ:Yeah. I would also want to add leverage your partners, too, right? Your partners should be your trusted advisors. And if you're not getting any value of your partners, then get new partners. But you should incorporate that in the overall decision making too. Get them involved in what your business plan is for the next five years.
JR:Yeah, I totally agree. We talked about team and culture so much today in this session. I think it's, again, the most important piece of integrating this and dealing with the challenges. But ultimately, if I'm a leader and I'm not excited about it, no one else is going to get excited about it, right?
JJ:Yeah.
JR:And how do you really get excited about risk management and risk assessment? And I will tell you, the way I get excited about it and the way my clients get excited about it, or our clients, they think about the process efficiencies. They see individuals working until 2:00, 3:00 AM because they have all this information that they have to deal with, controls that they have to make sure they manage.

What happens when you bring tech in to actually make that process more efficient? They will get really excited about that. They're going to get excited to wake up in the morning, like you said, Jason, right?
JJ:Yeah.
JR:So we have to think about those things to make sure we incorporate that, because those are meaningful across the board. And then each individual group, like you said, Nina, they may have different needs. They may be naysayers, but how do you turn those naysayers? And how you do it is where do they see the benefit? What's going to get them excited about putting the proper controls in place and integrating the technology?
JJ:Yeah. And as I mentioned before, your partners should be that trusted advisor, right? So we actually do SOX audits, right? And we're not just checking the boxes. We're looking at how can we provide value once we give our clients this report. What are recommendations we can make and help them transform their business?
JR:Yeah.
JJ:Right? So it's not just checking the boxes, paying them a report, and then walking away. It's saying, "What can I do for my client to provide them as much value and opportunity to grow their business as possible?"
JR:Yeah. And 80% of the value will be in making sure that we can be analysts and analyze the information, not in the role of production, right? So-
JJ:Understand their business. Yeah.
JR:Yeah. Understand the business and making sure that reporting that's happening doesn't require a ton of time to actually produce that report, but that report actually can be automated with data behind it. So you could become an analyst.
JJ:So Nina, as a business leader, I come to you and I ask you, "So what do governance and controls look like?" What's a good approach?
NK:Right. So I think we've talked quite a bit about tone at the top and a culture of compliance. But I want to talk where does that start? How do you move the needle there?

And the first way to incorporate controls really is through SOX. I know people like to think of it sometimes as a necessary evil, but I want to shift that mindset. Really, it's a starting point. It's a slice of your enterprise risk assessment. And it's really about ensuring that the information that you are giving to the public about your financials is correct.

And I think we can all agree that that's what we want to do. So once you have controls set up and you have the starting point, it starts to get people more acclimated and closer to that culture of compliance mindset. When you have the controls down, then you can start integrating technology, and then you can move into other areas and apply more controls. Jerry?
JR:Yeah. And I think ultimately the flip side of that is when you're not doing that, you usually do have a check the box exercise, you're getting less value. The people that are implementing and managing their controls are usually unhappy, because they're doing things and they don't understand why they're doing it. So it starts at the beginning.

And our clients that are really good at it do exactly what you said, right, Nina? I think it's something that we coach our clients into many times, and it's been happening for years. So I feel like there's a lot of times we talked about change management. We have to come in the beginning and help bring that to fruition with the entire environment, starting with management.

But you could have bad controls. But in essence, how do you look at changing that, right? So we tend to go into an optimization exercise every year, right, with our clients, especially around Sarbanes-Oxley and SOX. So optimize your controls. Make sure you have the right controls. Ask for feedback to change that. When you're not doing that, then you literally are in a check the box exercise.
NK:Our most successful clients are the ones that start the process early, management's behind the process, and really look at it with a way to improve.
JJ:Yeah. What I've seen in past engagements is that the clients will give us their standard controls and say, "Okay, this is what we want you to monitor." It's like, "Well, let us give you some recommendations on other controls that you should have based on your industry, your market size, and provide as much value back to you, making sure that you're mitigating all those risks that's tied into your specific marketplace."
JR:Yeah. Yeah. Totally agree with that. And unfortunately, we have seen issues with clients that do the check the box exercise, don't do what you're talking about, Jason and Nina. And ultimately, what happens, they end up with a material weakness or they have a lot of issues. And they just continue, and it doesn't get any better until you actually look at it a different way. So ultimately, that's a scenario where they can have a lot of improvement. And again, it's a change the mindset exercise.
JJ:And that's another way how we leverage technology, right? We tie into our risk controls library. We basically put in the market size of the company and get suggestions from our risk controls library and ways to create an overall plan to help them mitigate a lot of their risk.
JR:Right. Right. Getting back to risk appetite too, right?
JJ:Yeah.
JR:You don't have to do all these things for an area that may potentially be low risk.
JJ:Right.
JR:But you know what? For the higher risk areas, it's important to you, it's important to the stakeholders, the public. You will do more, but make it efficient-
JJ:Yeah.
JR:... at the same time.
JJ:And what's that business impact, right?
JR:Right. Yeah.
Well, I really want to thank you guys for participating in this with me. This is super exciting. So any closing remarks before we leave?
JJ:Go ahead, Nina. You can take it first.
NK:Oh, sure. No. I was thinking maybe we should just give them some quick tips or takeaways, which really would be to create a culture of compliance.
JJ:Yep.
NK:Really look at your risk assessment.
JJ:Mature it, right?
NK:Uh-huh.
JJ:Constantly looking at that, monitoring that overall risk management program that you have. And that cultural compliance is huge. That's a huge takeaway. And then leveraging your partners. And if you don't have the right partners, make sure that you bring in trusted advisors that can help you navigate through the marketplace, making sure that you have controls for specific risks, mitigate those risks, and have best practice business processes to grow your business.
JR:Excellent. Spot on. Well, thank you guys again.
JJ:Thank you.
JR:I really do want to thank-
NK:Thanks.
JR:... the audience for joining us today. This has been super exciting. And I would say if you're looking at providing some peace of mind over your risk and opportunities, this is a great place to start. So thank you again. Really appreciate your time.

^{Transcribed by Rev.com}