GRC teams have a number of challenges meeting regulatory demands

Senior risk and compliance professionals within financial services company’s lack confidence in the security data they are providing to regulators, according to Panaseer.

GRC regulatory demands

Results from a global external survey of over 200+ GRC leaders reveal concerns on data accuracy, request overload, resource-heavy processes and lack of end-to-end automation.

The results indicate a wider issue with cyber risk management. If GRC leaders don’t have confidence in the accuracy and timeliness of security data provided to regulators, then the same holds true for the confidence in their own ability to understand and combat cyber risks.

41% of risk leaders feel ‘very confident’ that they can fulfill the security-related requests of a regulator in a timely manner. 27.5% are ‘very satisfied’ that their organization’s security reports align to regulatory compliance needs.

GRC leaders cited their top challenges in fulfilling regulator requests, as:

  • Getting access to accurate data (35%)
  • The number of report requests (29%)
  • The length of time it takes to get information from security team (26%)

The limitations of traditional GRC tools

The issue has been perpetuated by the limitations of traditional GRC tools, which rely on qualitative questionnaires to provide evidence of compliance. This does not reflect the current challenges from cyber.

92% of senior risk and compliance professionals believe it would be valuable to have quantitative security controls assurance reporting (vs qualitative) and 93.5% believe it’s important to automate security risk and compliance reporting. However, only 11% state that their risk and compliance reporting is currently automated end to end.

96% said it is important to prioritize security risk remediation based on its impact to the business, but most can’t isolate risk to critical business processes composed of people, applications, devices. Only 33.5% of respondents are ‘very confident’ in their ability to understand all the asset inventories.

GRC regulatory demands

Charaka Goonatilake, CTO, Panaseer: “Faced with increasing requests from regulators, GRC leaders have resorted to throwing a lot of people at time-sensitive requests. These manual processes combined with lack of GRC tool scalability necessitates data sampling, which means they cannot have complete visibility or full confidence in the data they are providing.

“The challenge is being exacerbated by new risks introduced by IoT sensors and endpoints, which rarely consider security a core requirement and therefore introduce greater risk and increase the importance of controls and mitigations to address them.”

Andreas Wuchner, Panaseer Advisory Board member: “To face the new reality of cyberthreats and regulatory pressures requires many organizations need to fundamentally rethink traditional tools and defences.

“GRC leaders can enhance their confidence to accurately and quickly meet stakeholder needs by implementing Continuous Controls Monitoring, an emerging category of security and risk, which has just been recognised in the 2020 Gartner Risk Management Hype Cycle.”

Tasks associated with SOX compliance continue to be significant

Only 46 percent of audit teams have been utilizing advanced technologies to optimize SOX compliance activities, a decrease from the previous year’s Protiviti survey findings.

SOX compliance activities

SOX compliance challenges

The longstanding challenges associated with compliance with the Sarbanes-Oxley Act, such as the cost of compliance and reliance on time-consuming manual tasks, are being exacerbated by the COVID-19 pandemic, as finance and audit teams are required to perform audit tasks remotely.

“The tasks associated with SOX compliance continue to be significant and time-consuming,” said Brian Christensen, executive vice president and global leader of Protiviti’s internal audit and financial advisory practice.

“The pandemic brings added burdens to the SOX compliance process, and it will be important for companies to reassess any temporary changes in control design and operation to ensure they continue to be aligned with their risk appetite as the business environment begins to normalize.”

SOX compliance hours increase

The survey revealed that the number of hours devoted to SOX compliance activities continues to rise, despite regulatory requirements remaining the same year-on-year.

Among companies that saw an increase in their SOX compliance hours, 67 percent reported the number of hours went up by more than 10 percent over the prior year, highlighting their lack of automation for simple functions. This finding can also be attributed to the increasingly more complex operations of modern companies.

Yet SOX teams that rely solely on spreadsheet and word processing applications, or legacy GRC (governance, risk and compliance) systems to manage their control environments, spend extensive time dealing with version control issues, manually making individual control changes across a dozen or so documents and preparing status reports.

While RPA (robotic process automation), GRC, data analytics and advanced technology tools would better enable SOX work to be performed more efficiently and effectively, many companies surveyed expressed reluctance about embracing centralized control testing and increasing their use of automation.

Leveraging technology

However, companies are starting to take notice, with a quarter of those who do not currently utilize technology tools in their organization’s SOX compliance process responding that they plan to do so in the next fiscal year and 48 percent responding that they plan to do so within two years.

Among the survey respondents already leveraging technology in their organization’s SOX compliance process, it is most frequently applied in testing the accounts payable process (48 percent), financial reporting process (43 percent) and account reconciliations process (43 percent).

“The current pandemic is a vivid reminder of how important it is for audit leaders to be resilient, adapt to unexpected and disruptive events and ensure they can complete SOX compliance activities even when they are dispersed and working offsite,” said Chris Wright, a Protiviti managing director and leader of the firm’s Business Performance Improvement practice.

“Now is the time to address longstanding industry resistance to using technology and automation that has been holding back the evolution of compliance teams for years.”