Properly Manage Your GRC Initiatives with Standardization, Optimization, and Automation

  • by Keerthana Mainkar, Senior Consultant, Enterprise Risk Management Service, Infosys Technologies Limited
  • Raghupathi Cavale, Associate Vice President, Infosys Technologies Limited
  • February 15, 2008
Effective controls ensure that a company complies with regulatory requirements, but they should also be cost effective. Standardization, optimization, and automation can improve the efficiency and cost-effectiveness of compliance.
Key Concept

CFOs frown on the idea of reducing the number of controls in a process. However, having many controls does not necessarily yield all the needed results and can reduce efficiency. To optimize controls, you should categorize control activities in a process as either key or non-key controls. Key controls are those controls for which failure would result in a failure of the process. For example, GR/IR three-way matching in the procure-to-pay process is a key control. Non-key controls are those for which failure would not affect the process execution. Key controls detect fraud or a mistake that non-key controls could not prevent or detect.

Compliance is not a one-time activity but instead is repetitive. As a result, it can be very expensive in terms of cost and resources. If not handled efficiently compliance results in a huge burden on IT, finance, and audit departments. Mid-size companies can’t afford top consultants or to keep a large number of consultants in-house for regular compliance reviews. It is not a revenue-generating core activity for companies in most verticals, such as manufacturing or banking, and is commonly treated as a support activity without the proper focus.

So what is the best way to achieve efficient compliance? A company should follow a precise compliance methodology rather than approaching it haphazardly. We believe that using an interrelation of standardization, optimization, automation, and optionally offshoring, is the best way to approach compliance (Figure 1). We’ll go through an approach to achieve this next, and then look at the individual processes.

Keerthana Mainkar

Keerthana Mainkar has more than 11 years of operations and systems management and information systems audit experience. She is the anchor of Infosys Technologies Sarbanes-Oxley compliance and enterprise risk management team. She is a Chartered Accountant and a Certified Information Systems Auditor (CISA). Prior to joining Infosys, she was with PricewaterhouseCoopers’s information systems audit division. She is currently developing the ERMS practice within Infosys. She has managed and led several Sarbanes-Oxley projects for Infosys. She has specialized in SAP security and controls and has used PwC ACE, ACL, Approva, and SAP GRC tools. She has developed many work programs for Sarbanes-Oxley compliance which have been successfully deployed in various Sarbanes-Oxley projects done by Infosys.

See more by this author

Raghupathi Cavale

Raghupathi Cavale is associate vice president with Infosys Technologies and has worked in engineering, consulting, and IT. He set up and heads the enterprise risk management practice at Infosys. He has worked extensively in India and the US in various operational functions during the last 22 years.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.