Many Australian companies’ internal controls are patchy, undocumented, not automated and lacking clear ownership, a survey by KPMG has found.
The poll of nearly 300 respondents from 100 organisations in the listed, private and public sectors found that while many businesses are undergoing major change or structural transformation, their internal controls – the policies, procedures, systems and processes designed to support effective business outcomes, and ensure operational efficiency and compliance with laws and regulations – have not kept up.
Automation of controls, a key driver of improvement, has not yet started in nearly half of organisations surveyed. The poll was of financial risk managers, accountants, internal auditors and compliance managers across a range of industries and sectors, who participated in a recent KPMG controls transformation webinar.
The poll found:
- More than a third described their internal controls as either ‘basic’ or ‘rudimentary’.
- More than two-thirds said it was not clear, or only partly clear, who was responsible for overall controls standards.
- 85 percent said controls were not, or only partly, documented.
- In terms of controls automation, 47% said the process had not yet started, and 53% said controls were semi-automated but more needed to be done.
Rowena Craze, KPMG Partner in charge of Governance, Risk & Controls Advisory services, said: “Over the last two to three years, there has been a lot of discussion about controls transformation, standardisation, and digitisation, but in many cases this has not yet led to practical action.
“This needs to change because if organisations are, for example, embarking on major ERP implementations or undergoing structural transformation then internal controls need to develop in line with that business change. The Covid era has also put more pressure on operating models and controls – some processes are harder to carry out virtually.
“While some companies have already advanced to a system of Artificial Intelligence-enabled controls, many others urgently need to start the automation process. We would advise these organisations to start by identifying where the current pain points are experienced by the business, especially those that are manually labour intensive – such as collating data from multiple sources, and manual reconciliations – or known control points of failure. These are potential target areas where businesses can start to assess the feasibility of automating controls.”
KPMG found that while cost is often behind organisations’ reluctance to transform their internal controls systems, the risk is one of false economy. When assessing the costs of control, traditionally the focus has been on direct costs such as costs of execution or annual testing. But recent benchmarking by KPMG estimates those costs to be between $2,000 and $3,000 per control each time it is performed.
There are also ‘hidden costs’ such as management review costs, correction of errors or remediation of control failures, and fraud risk. With some organisations operating hundreds of controls, costs can quickly add up to millions of dollars. KPMG believes this creates a clear case for control standardisation, digitisation and automation, as long-term efficiency benefits by far outweigh transformation costs.
Rowena Craze added: “One of the recommendations from the recent report by the Parliamentary Joint Committee on Corporations and Financial Services inquiry into auditing was that companies should be required to establish and maintain an internal controls framework for financial reporting. Under this proposal – which some have described as a ‘Sarbanes-Oxley-lite’ system for corporate Australia – management would have to evaluate and report annually on the effectiveness of that framework, and external auditors would report on management’s assessment.
“Whether or not this is taken forward, it seems clear there will be more focus on controls and our survey suggests there is much to be done in this area.”