how to choose the right internal control tools · governance, risk, and compliance (grc) platforms...
TRANSCRIPT
How to choose the rightinternal control toolsto optimize your process
The information contained herein is proprietary to Workiva and cannot be copied,published, or distributed without the express prior written consent of Workiva © 2016.
Is this guide for you?
This e-book is an introduction to how and why companies
are leveraging new internal control tools and technology to
optimize collaboration and increase focus on the productivity
of those involved in the internal control process.
The information contained herein is proprietary to Workiva and cannot be copied,published, or distributed without the express prior written consent of Workiva © 2016.
Overview
Pros and cons:
Desktop-based spreadsheets
GRC systems
The move to the cloud
Next steps
Contents
The information contained herein is proprietary to Workiva and cannot be copied,published, or distributed without the express prior written consent of Workiva © 2016.
Internal controls management has been in the spotlight for two decades,
but companies have yet to master their processes.
Due to increased requirements from the PCAOB, the adoption of the 2013 COSO
Framework, and board focus on risk and compliance processes, many programs continue to
undergo major modifications.
In order for companies to come out on top, they need to implement internal control tools that:
• Optimize collaboration
• Enhance productivity of all involved in the process
Most companies have undergone several attempts to master their processes utilizing several
types of tools. Keep reading to find out how—and why—companies have made the move to
different platforms.
The information contained herein is proprietary to Workiva and cannot be copied,
published, or distributed without the express prior written consent of Workiva © 2016.
The Case for Desktop-BasedSpreadsheets
When the internal control requirement was initially
implemented, Sarbanes-Oxley (SOX), internal
control, audit, and finance teams were already
major users of desktop-based spreadsheets. It
was an obvious choice to use spreadsheets for
the new requirements, too.
The information contained herein is proprietary to Workiva and cannot be copied,published, or distributed without the express prior written consent of Workiva © 2016.
Why Desktop-Based
Spreadsheets Haven't Held Up
There's a catch with the traditional methods. Additional complexities in finance and internal
control regulations have proven spreadsheets to be lacking in several key areas, including data
quality, time-savings, and mobility.
Version control
Only one user may edit a document at a time, causing tight deadlines
and increased pressure for all involved. There's no way to determine if
every single change has been captured or if the information is accurate
and current.
Lack of transparency
With spreadsheets, it's difficult to show the vital relationships between
risks, controls, testing, and risk-acceptance decisions. Transparency is
critical to internal control processes.
Security and reliability risks
Desktop spreadsheets exist on hard drives, on file servers, and in email
attachments—without user permissions and comprehensive audit trails.
Additional costs
Even though most companies and their auditors have enterprise-level
licenses, companies need to factor in time consumed by internal staff,
costs of any consultants, and the time charged by external audit.
The information contained herein is proprietary to Workiva and cannot be copied,
published, or distributed without the express prior written consent of Workiva © 2016.
The Rise of GRC Platforms
Governance, risk, and compliance (GRC) platforms offered an
alternate approach to internal control tools, like desktop-based
spreadsheets, by unifying information in a single environment.
For the internal control management process,
GRC platforms promised:
• Streamlined risk, compliance, and control activities
• A singular, connected environment to house control information
• Simplification of complex processes
The information contained herein is proprietary to Workiva and cannot be copied,
published, or distributed without the express prior written consent of Workiva © 2016.
Where GRC Platforms Went Wrong
The promise was not all it was cracked up to be, and many
organizations learned the hard way.
The productivity and simplification that was advertised gave way to the following shortcomings:
Lack of optimization for internal controls
Structured by design, legacy GRC platforms end up defining
the process. Companies pay for features they may not even use.
Costly implementation and maintenance investments
Built for on-premise deployment, many systems come with high
internal IT costs and maintenance investments.
Regular, painful upgrades
Legacy software models focus on major releases every 12–18 months,
typically resulting in business disruptions, downtime, costs, and
difficult roll forwards of previous customizations.
Lost productivity
GRC platforms were built for structure, not productivity. They often
leave much to be desired: automation, broad standardization, and
ease of engaging all contributors to the risk and control process.
The information contained herein is proprietary to Workiva and cannot be copied,
published, or distributed without the express prior written consent of Workiva © 2016.
What's the next stage in the software saga? The answer is in the cloud.
Cloud-based, productivity-driven solutions have changed the game by allowing companies to
simplify collaboration while keeping data in sync. Freeing companies from costs, complexity, and
on-going maintenance and upgrades, cloud-based internal control tools offer:
Moving to the Cloud
Streamlined evidence
collection and testing
Send digital requests to control
owners, and attach samples
directly to testing documents.
Review and annotate evidence,
and store marked-up samples in
a single location that's easily
accessible and protected.
Complete collaboration
Bring all users—including process
owners, control owners, and
auditors—together into a single
environment to create and edit
documents. Use the cloud-based
solution as a repository of all controls
and testing documentation.
Automated certifications
Eliminate babysitting and
automate the sign-off process
to meet deadlines, improve
compliance, and gain consensus
of large groups with ease.
Single source of the truth
Hyperlink text, control identifications,
and other information across all SOX
documentation. This ensures updates
are made seamlessly across risk
assessments, risk control matrices,
flowcharts, process narratives, testing
documents, dashboards, and audit
committee presentations.
The information contained herein is proprietary to Workiva and cannot be copied,
published, or distributed without the express prior written consent of Workiva © 2016.
What Now?
Regardless of your internal control process's maturity, resist the temptation
of a quick-fix using desktop-based spreadsheets or legacy GRC platforms.
Instead, look for a long-term answer: a cloud-based productivity solution.
As your business and processes mature and requirements become more
complex, companies need to invest in internal control tools that focus on and
drive efficiencies.
The information contained herein is proprietary to Workiva and cannot be copied,
published, or distributed without the express prior written consent of Workiva © 2016.
Find out how and why companies are leveraging technology,like Wdesk, to optimize collaboration, improve the quality of documentation, and create an efficient process.
Wdesk is designed to help organizations transform the internal controls planning and scoping, design, testing, certification, and reporting process.
workiva.com | [email protected] | +1.888.275.3125The information contained herein is proprietary to Workiva and cannot be copied,published, or distributed without the express prior written consent of Workiva © 2016.