Internal Controls: The Journey from Compliance to Risk Management

  • by Gary Dickhart, Vice President, SAP GRC Customer Advisory Office, SAP
  • March 15, 2008
See how to make compliance more operational with a more preventative, integrated approach that emphasizes risk management over compliance. By embedding more controls into this approach, your organization achieves greater efficiency and lower compliance testing costs than in the more manual report and review model that many companies use.
Key Concept

The Sarbanes-Oxley Act prompted management to report the controls enforced in its company’s systems. Initial responses to the act were strictly compliance-based, as organizations focused on providing enough information to pass external audits without worrying about the efficiency and effectiveness of their systems. Over time, many companies have decided that it is more cost effective to be proactive, using automatic processes and risk management strategies in conjunction with manual processes associated with compliance strategies.

Some organizations view the assessment and management of their internal controls solely as a compliance activity. On the other hand, other organizations view controls as an integral governance aid to help manage risk and reach operational goals. It is very important for managers leading implementation efforts for GRC initiatives to recognize their organization’s approach so they can succeed not only in achieving compliance but in enabling their organizations to embrace a risk management approach to sustain and reduce compliance costs.

Both approaches enable you to be compliant, but solely looking for compliance ultimately results in a short-term accomplishment that becomes more costly to sustain over time. In many companies, the person implementing cannot exert enough influence to change the view of compliance as something other than a one-time project. In addition, many large organizations take many years to take on the more strategic approach. Implementers need to be aware of two factors: management’s willingness to adopt a more strategic approach, and the capabilities to drive and manage changes in the organization during or outside the project. If management is unwilling, other “natural” change agents might help the implementation team, such as the drive for lower costs in sustaining the program, the desire to reach levels of their competitors, or weaknesses pointed out by auditors that need to be addressed over time.

I’ll compare and contrast the two approaches and explain why more organizations will be entertaining a more strategic part of their governance model over the next few years. I’ll start with an overview of the approaches, and then look at each approach individually.

Gary Dickhart

Gary Dickhart has 30 years of service with two Fortune 100 firms in senior positions in information security and internal audit implementing and improving governance programs. He has helped more than 50 organizations implement GRC products from 2004 and 2005. As the VP of the SAP GRC Customer Advisory Office he has interacted with more than 80 customers in the last 24 months on implementation approaches for SAP GRC solutions. He has held the Certified Information System Auditor designation since its inception in 1979.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.