Companies are Choosing to Invest More in Internal Control

Survey shows improved operational performance not just regulatory compliance driving investments
30 April 2007 — Three-quarters (75%) of respondents — comprising some of the world's largest organizations — plan to invest more in internal control after seeing significant business benefits, according to a new survey by Ernst & Young.
However, despite investments already made, the Ernst & Young "Internal Control Survey 2007" — conducted among non-SEC company registrants with a turnover in excess of €1bn in 17 countries — shows that many CFOs and Heads of Internal Audit still believe some internal controls are ineffective, with the biggest 'blind spots' being controls over expansion into international markets, post-acquisition integration, and real estate and construction projects.
Controls over IT program change management and user access and security were also singled out as areas of concern.
The survey investigates whether those organizations not subject to Sarbanes-Oxley are investing in internal control; the effectiveness of controls in financial, operational, and IT areas; and whether business benefits are being derived from these investments.
Adrian Godfrey, of Ernst & Young's Risk Advisory Services, explains: "There is now widespread recognition that effective internal control directly impacts business performance in a number of areas. What arises from the survey is that this is a highly dynamic area, with management exploring the ways that taking a more professional approach to internal control can contribute to driving competitive advantage."
Survey Findings With international investors increasingly demanding more transparency and "no surprises", an interesting point to note from the survey is that 50% of respondents cite "positive influence over investor confidence" as a key business driver for future investments in internal control. Other drivers for future investments were also business benefit related, focusing mainly in enhancements to processes and the underlying control structure (89%) and better understanding of major risk areas (86%).
However, many respondents were also aware of control weaknesses or "blind spots" to potential areas of significant risk.
For financial controls, areas of potential concern were in contract accounting (48%), deferrals (37%) and tax (37%). In all cases, the proportion of respondents claiming that financial controls were "very effective" was relatively small.
In non-financial control areas there is significant scope for improvement in almost every category (between 20-40% saying "room for improvement"), and a worrying level of "don't knows/did not replies" (between 10-30%), suggesting blind spots in the organization's controls profile. The main business and operational areas with opportunities for improvement are:
Expansion into new international markets (59%)
Post-acquisition integration (58%)
Real estate/construction projects (55%)
Business continuity planning (54%) and
IT implementation/upgrades (51%)
Adrian Godfrey comments, "If the 'control professionals' are saying they don't know what is going on, that's a major concern for the board and other stakeholders in the business. Fortunately, many acknowledge the dangers and half are saying they will invest in these areas in the next 12 months."
While most respondents to the survey (57%) take a balanced approach to controls monitoring, covering strategic, compliance, operational, and financial reporting controls, 21% monitor financial reporting controls only. Adrian Godfrey continues, "This imbalance could mean that controls over some major operational risks may not be receiving any real scrutiny."
One notable absence for companies in the survey is the existence of a formal fraud prevention program — 68% do not have one in place, despite over one-third of respondents rating this as important or very important to have in place.
Analysis also suggests that the perception of the status of internal control differs according to an individual's role. While 36% of CFOs responding to the survey say that their risk assessment covers operational and business areas, only 19% of Heads of Internal Audit believe that these risk areas are assessed in their companies.
Inge Boets, Global Business Risk Services Leader for Ernst & Young, adds, "CFOs are beginning to ask questions about where to take the controls agenda wider than compliance — the answer is to shift the balance between financial controls and wider business and operational controls."
She concludes, "Establishing an internal control infrastructure that effectively covers all parts of the organization will mitigate the risks in areas that are currently overlooked or underestimated, and this will deliver major business benefits. Businesses need to ask whether they have an agenda for internal control within their organization, as the ultimate prize from effective controls is not simply a compliant business, it is a better business."
Other key findings of the survey are:
75% plan additional investments to strengthen internal controls in next 12-24 months, including key business/operational risk areas (51%); IT (49%); better alignment of internal controls to company strategy and key risks (44%); strengthening company-level controls (42%)
Over one-third (35%) do not conduct an annual risk assessment
Despite 72% assessing risks in strategic, compliance, operational, and financial areas, only 57% have a monitoring program focused on financial and operational controls, with 21% focusing monitoring on financial controls only
40% of Audit Committees are active in making sure effective internal controls exist and are operating effectively, with 16% having a limited involvement.
End
Ernst & Young Internal Control Survey 2007"From Compliance to Competitive Edge: New Thinking on Internal Control"Ernst & Young spoke to 140 large companies in 17 countries, spread across 20 industry sectors, which are not SEC-registered and therefore are not bound to comply with the requirements of Sarbanes-Oxley, although many are subject to local regulatory requirements. Respondents included CFOs, CROs, Controllers and Internal Audit Directors. Half the sample (52%) were businesses with annual revenues between €1bn and €5bn, with over 20% having revenues greater than €10bn.
About Ernst & YoungErnst & Young, a global leader in professional services, is committed to restoring the public's trust in professional services firms and in the quality of financial reporting. Its 114,000 people in 140 countries pursue the highest levels of integrity, quality, and professionalism in providing a range of sophisticated services centered on our core competencies of auditing, accounting, tax, and transactions. Further information about Ernst & Young and its approach to a variety of business issues can be found at www.ey.com/perspectives. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, a UK company limited by guarantee, each of which is a separate legal entity. Ernst & Young Global Limited does not provide services to clients.