Measuring the ROI of internal control automation
Calculating a return on investment (ROI) for internal control automation isn't easy. Most executives know that the potential damage from a cybersecurity threat or material misstatement can be severe: disruption of operations, reputational damage, loss of customers, and regulatory penalties.
But control failure costs are potential costs, and internal control automation programs are actual costs, making automation initiatives a hard sell. So, how can you identify and quantify the ROI of internal control automation in an environment where buyers are inundated with buzzwords and new technologies that sometimes succeed but often fail?
What are internal controls, and what is control automation?
Internal controls are policies, procedures, and IT mechanisms designed to create safeguards against damage or loss. More specifically, internal controls are activities that:
Increase operational efficiency
Protect the accuracy of your data
Ensure appropriate access and use of your IT systems
Maintain compliance with regulations, and
Defend against fraud and data theft
Manual controls rely on human intervention. Automated controls, on the other hand, are control activities that are performed automatically through a system or software. Strong internal controls are essential to governance and critical enablers for growth and operational efficiency. Reliance on manual controls has limitations because of its dependence on error-prone human intervention.
How to calculate ROI
Buyers and executives are looking for assurances that their investment in new technology will produce a return. And that return on investment is typically defined as "a financial ratio used to calculate the benefit an investor will receive in relation to their investment cost. It is most commonly measured as net income divided by the original capital cost of the investment. The higher the ratio, the greater the benefit earned."
Automated access governacne solutions can produce ROI in the following ways:
Time saved in application access provisioning
Efficiencies gained through SOD automation
Improved access certifications
Privileged access management
Operational efficiency gained through faster employee onboarding
Reducing inherent risk in roles assigned to users in ERP systems
"According to Gartner, a company with 10,000 employees can realize an
ROI of approximately 300 percent and save $3.5 million over three years simply
by switching to automated provisioning."
Before using SafePaaS, a multinational corporation with thousands of employees manually performed identity and access governance responsibilities utilizing a combination of on-premises and homegrown tools that required significant upkeep and time because their solutions were not integrated. The customer's lack of integration and manual efforts exposed them to a high risk of security breaches, non-compliance penalties, audit fines, and potential reputational damage. After their investment in SafePaaS, the customer gained efficiencies by streamlining several internal identity and access governance processes, such as application and employee access provisioning, access certification, and segregation of duties (SOD) tasks. This eliminated 20 hours of work annually for 10,000 managers and compliance staff, resulting in a cost savings of $10,000,000.
10,000 managers worldwide to certify the access of their staff
$50 per hour at 20 hours per year for 10,000 managers = $10,000,000
The problem with ROI
While this ratio can help you lay the groundwork for calculating ROI where you have no previous investment, it lacks the context to explain how you can achieve ROI in an environment where you have already invested in technology with minimal return.
Most internal control automation solutions tend to focus on specific aspects of internal controls, like ITGCs or ICFRs. These solutions may relieve your pain points, but their ability to deliver ROI is limited. The ability to truly deliver ROI is only as good as a solution's integration with your existing technology.
In the case of identity and access management and ITSM solutions, the ROI gained is minimal due to their lack of integration capabilities. Because most of these solutions cannot integrate with your existing technology, they create new pain points diminishing their ROI.
The highest ROI is generated in three ways:
Alignment between strategy and risk across the enterprise: Organizations must govern resources by executing strategy. What gets in the way of execution is a risk. Risk can happen anywhere, and leadership needs a governance platform that looks at the complete enterprise and everything in it to manage the business effectively.
Integration of execution activities: SafePaaS bring it all together in a unique platform which ensures that these activities are creative, collaborative, and integrated as opposed to operations occurring in silos. This drives your processes to align with governance objectives.
Controls embedded in processes: By embedding controls into your operations, you are the first to know if there is a control failure. This allows you to PREVENT control failure before you lose business to competitors or incur a hefty penalty in the market. Therefore the ROI is higher.
Where you’re losing ROI
The following are the top challenges internal control automation solutions create when they cannot integrate with your existing technology.
Inadequate user provisioning
A significant challenge with IAM is the lack of visibility into fine-grained privileges. IAM solutions only allow you to request access at a role level and don't provide visibility into what that underlying access entails. Without understanding the underlying access, you may be unknowingly creating segregation of duties conflicts.
Time to provision and deprovision access, consistency of provisioning, a central source of truth, and management of a single identity are all benefits that provide security with the added benefits of knowing who has access to what and when and, more importantly, why.
ROI of user provisioning - Through policy-based user access provisioning, SafePaaS automatically provisions proper access and de-provisions inappropriate access. In addition, SafePaaS simplifies granting added access safely through access and approval workflows.
Lack of privileged access management (PAM)
Most IAM solutions allow you to request privileged access and create workflows for approval. However, that is where the support for PAM ends. These tools do not monitor what users do in your system, track when privileged access was taken away, or record what the user did in the system while they had privileged access.
ROI of PAM - SafePaaS FireFighter provides on-demand privileged access management with built-in monitoring and reporting capabilities. FireFighter privileged access enables organizations to temporarily elevate emergency access permissions while simultaneously controlling the risk that elevated permissions can introduce.
No user activity monitoring in your ERP
Many organizations struggle with lookback analysis during their external audits when former employees retain access after departure. During your audit, you will be required to provide evidence that the departed employee didn't log in to your system and tamper with data or perform other malicious actions. IAM solutions don't offer insight into user actions once in your application.
ROI of user activity monitoring - Save time and stress during your audit digging through archived data. SafePaaS allows you to take snapshots of your enterprise system to reconstruct a past year's audit and investigate a past event. This is a unique feature of SafePaaS. SafePaaS allows you to set the snapshot intervals to create a separate audit history. With SafePaaS, your data is kept in a separate vault, enabling you to go back to any historical point. If you discover a problem, you can see what the data looked like each year and see who had access.
Insufficient user access certification
IAM solutions that are not integrated with your other applications cannot support access certification because they cannot provide the entire picture of user access across the IT landscape. Integrated identity governance is required to prevent security threats and streamline operations to mitigate inherent application risks.
ROI of automatic access certification - The manual process of reviewing user access privileges requires weeks per application to complete. SafePaaS enables you to complete an access certification automatically, eliminating hundreds of hours needed to perform access certification.
Outdated ITSM catalog
Managing user access requests from ITSM systems also creates a headwind on ROI because ITSM systems rely primarily on a catalog of abstract roles that need to be manually mapped to the ERP system and then determined whether that user should have access. While ITSMs enrich your basic roles with privileges and attributes, without a governance solution, your ITSM is not governed by company policies and is vulnerable to error and risk.
ROI of customized role design - Many organizations face challenges when granting roles and access to applications. To ensure that the user's access fits their role and your information security policies, you need a policy-based governance solution that only permits a safe combination of privileges and attributes.
Managing controls manually is impossible due to the cost and risk associated with human error. When done correctly, control automation can enhance compliance, lower costs, reduce cyber vulnerability, and allow staff to work on value-generating projects.
Organizations should consider what is lacking in their existing control automation solutions and integrate their existing solutions to create a system that spans across on-premise and cloud applications. At that point, the organization will reap the full benefits and generate ROI by boosting user experience, reducing cyber risk, streamlining processes, and placing processes around policies from the top down so that you're always strategically aligned and generating the highest potential for ROI.
If you want to learn more about how your company can benefit from an enterprise-level governance platform that connects, automates, and integrates your business talk to us. We can drive the ROI specifically for you and your business.
Still not convinced? Here are a few more examples of how we helped our customers maximize their ROI:
20% reduction in internal controls testing from 136,000 hrs to 108,800 @ $50/hr = $1.36M per year
20% reduction in external controls testing (SOD) expense from 12,000 to 9,600 @ $165/hr = 0.4M per year (*immediate value)
Reduction in cost of retesting failed controls = $0.4M per year (*may occur in yr 2-3)
Reduction in external audit fees = $0.4M per year (*may occur in yr 2-3)
Ready to maximize your ROI?