Automated Internal Controls Examples

RPA in finance: How to automate 90% of your company’s internal controls?

Blog: RPA in finance: How to automate 90% of your company’s internal controls?

This article discusses modern ways to set up and document internal controls and how you can automate 90% of internal controls to increase efficiency and effectiveness.

What is internal control?

The COSO framework defines an internal control as a process carried out by an organization’s board of directors, management, or other personnel that is designed to provide a reasonable assurance of the achievement of objectives in:

  • Operational effectiveness and efficiency
  • Financial reporting reliability
  • Applicable laws and regulatory compliance

Different types of internal controls

Internal controls can be divided into four categories based on their implementation methods:

  1. Manual controls
  2. IT-dependent manual controls
  3. Automated controls
  4. IT system controls

Manual controls are based entirely on actions performed manually by a person outside of any information system. These might include recalculating inventory or the approval of a timesheet.

IT-dependent manual controls are performed manually but based on system reports or data. This might include reviewing and auditing income statement deviation reports, reviewing the purchase payables on sub-ledger reconciliation reports, or reviewing a sales margin deviation report.

Automated controls are control operations performed automatically by an information system or, for example, a software robot. An example of automatic control includes ERP system three-way matching where the ERP system automatically reconciles the purchase invoice to the underlying purchase order and goods receipt.

Automated control could also be performed by external software such as Robotic Process Automation (RPA) that can, for example, review the validity of customer credit information.

IT system controls ensure the reliability, security, and integrity of the company’s key information systems. For example, access rights and changes to key financial applications are managed in a systematic and controlled way.

Building a control catalog and producing adequate documentation

How to build a control catalog?

A key part of documenting internal controls is building a control catalog that describes the activities that the company plans to control along with control objectives and risks.

In practice, control catalogs are usually the preserve of large organizations, but they can be equally important for smaller companies. Plus, less effort is required: smaller companies are able to compile their control catalogs much faster since they have a narrower scope of operations and, often, simpler processes.

A good starting point when building a control catalog in a smaller company is to describe, in general terms, the measures the company plans to take to ensure the reliable operation of its processes and preservation of its critical assets, such as cash, machinery, and equipment, inventory, intellectual property rights, etc.

Next, the control catalog’s design phase determines how much time and resources will be allocated to implement the desired internal controls. In this phase, we recommend using “automation first” principle – to design controls in a way that enables the control goal to be achieved via automated actions.

Manual controls should be planned only if automation is not cost-effective or feasible.

How to prepare control documentation efficiently?

Once the planned control activities are described in the catalog, detailed documentation of performed control activities are described in the control documentation. The control documentation should contain information about who, when, and what has been done to achieve the objective.

Performed activities must be well documented to strengthen the process and people’s commitment to it, and to allow actions to be tested retrospectively. Usually, descriptive evidence of control activities, such as system logs, are directly attached to the control documentation. Alternatively, the documentation can be prepared with a direct audit trail evidenced from the company’s IT systems. Note that this requires the evidence to remain available for the course of the archiving period (as defined in any applicable legislation or company standards).

Control documentation is typically prepared manually using an Excel template. Governance risk and compliance applications that are used in planning, managing, and documenting internal controls are still relatively rare and most commonly used in large multinational corporations.

According to the Journal of Accountancy, inadequate documentation of internal controls is the most common reason for fraudulent activities being detected too late. Such negligence often occurs because the documentation process is perceived as too time-consuming. To avoid these issues, time-efficient options for documenting internal controls can be implemented with the help of RPA.

RPA in finance: The benefits of automating internal control processes

1// Efficiency

Retrieving evidence and preparing control documentation is often the most time-consuming part of any control process. Often, this means that there may be little time left for the phases that require professional judgment.

The retrieval of control evidence and the preparation of control documentation can be fully automated with the help of RPA. Implementing RPA for this purpose has been shown to regularly result in 90% savings of time spent.

2// Effectiveness

Automation should be specifically targeted to those control measures that are repetitive in nature and/or require a large number of transactions or extensive rule-based documentation.

Automation significantly improves the quality of control procedures by eliminating human error!

Examples of RPA use cases in internal control

In our experience, more than 95% of internal controls are still performed manually or include manual extraction of data from different systems.

Click here to see 8 examples of implementations where automation has been used to eliminate manual work, radically improve the efficiency and effectiveness of internal controls.

In each example, more than 90% of the documentation and execution of the internal control has been automated.

The last two examples on the list describe control measures in which Artificial Intelligence (AI) has been used to extend the capabilities of RPA and the degree of automation through machine-aided reading of non-structured data such as images, e-mails, and PDFs.



Author: Teemu Vieruaho, Head of Intelligent Automation, Digital Workforce

More about RPA in finance:

To discuss your particular needs for automation book a meeting here.