If it's not broken, don't fix it. It sounds like a wise adage from the past. But what if you don't know something is broken? That is why we do preventive maintenance. In the case of internal control, billions of dollars have been spent on ERP systems, not only to improve the efficiency and effectiveness of the business but, as an added bonus, to improve controls.
All was well and good until the cybercriminals arrived, exposing not only weaknesses in systems but also process and people failures. Finance officers have turned their attention to enterprise risk management and "SoX testing" to gain more comfort that they are taking the prescribed actions to reduce risk. More attention is being placed on automating key finance operating functions (enter the bots) to reduce the risk of human failure.
The reality is that risk mitigation is not about reducing human capital costs; it's about nailing control deficiencies. Finance leads in risk management: investing in internal audit is a start, implementing improved technology to detect and mitigate risks is a best practice, and old-school management by walking around and checking risk awareness with the team is best.