Maximising ROI: The business case for improving internal controls
The Financial Reporting Council’s (FRC) recent update to the UK Corporate Governance Code introduces a requirement for companies to make an annual declaration confirming the effectiveness of their internal controls. The premium-listed companies in the scope of the Code, and other organisations that choose to comply with it as a matter of best practice, must now prepare to deliver the new declaration for financial years commencing on or after 1st January 2026.
The revised Code requires companies to report on the effectiveness of all controls, not just financial controls. As a result, the new reporting obligation is also an opportunity for companies to examine how they approach internal controls across the full range of material factors including ESG, health and safety, modern slavery, and more. Capitalising on this opportunity will require investment, however, so GRC professionals need to build a strong business case underlining the ROI that improving internal controls will deliver.
Recently Francis Yeates, Director of Digital & Risk Advisory at BDO, and Michael Lucas, Co-Founder of governance consultancy Brave Within, shared their insight on how companies can maximise ROI and build competitive advantage through improving internal controls.
Building the business case for investment in internal controls
The first step is identifying the key stakeholders and aligning their concerns and priorities with the benefits that improved controls deliver. Relevant stakeholder groups include:
- Executive committees: Strong risk management and confidence in reporting is a primary driver for this group. Improved internal controls will deliver greater confidence in the company’s numbers, while also broadening out to cover nonfinancial statements in the front half of the annual report.
- Investors: Effective controls help build investor confidence in management’s assertions, creating a more positive investment environment and potentially unlocking future finance.
- Customers: The widening of the controls declaration to include ESG and other material factors should underpin customer trust that a company is following through on its commitments in areas that are important to them. These increasingly include environmental factors and ethical practices.
- Employees: Better controls allow an organisation to differentiate itself in terms of transparency over financial, ESG, safety, and other measures that are important to employees. It’s a chance for the business to promote itself – with evidence – as somewhere people should really want to work.
Once key stakeholders are identified, messages must be tailored to respond to what matters to them, says Lucas. “Identify hotspots around organisational issues,” he advises, while also recalling that he “worked with one group that had a real issue with low-level fraud that was costing a lot of money. There was a clear business case for reducing this, and the organisation welcomed investment in controls to address it.” He underlines that investing in internal controls is a major opportunity to improve operational procedures with the potential to make significant savings.
Yeates adds: “It’s crucial to capture the value and set a business case that articulates why this initiative is a springboard for competitive advantage.”
Validating the business case for internal controls automation
The case for internal controls automation is “clear and present”, according to Yeates. “Fewer manual controls, fewer human interactions mean you have less risk of error and will do things right the first time more often… there’s less risk of things going wrong for a cheaper price. Automation is the nirvana that should be sought.”
However, internal controls automation is not a greenfield investment. Legacy manual systems and existing technology must be taken into consideration, and starting small with a pilot project is preferable to a "big bang" approach to change.
Pilot projects enable project leaders to validate that automation is the right thing to do and gain trust from key stakeholders. Both Lucas and Yeates recommend focusing on the first line of defence and thinking about whom you are building the automated controls for. Lucas advises, “You want to be building [controls] for the operational managers who’ll be using [them], so ask ‘what information do they need to do their work better?’ rather than focusing solely on what information you need to be reporting externally.”
It's also important to check that the process you have selected for automation are effective: “Don’t automate bad processes,” says Lucas. “Get processes right during the pilot phase and then move to automate them.”
Designing a delivery roadmap and engaging with key stakeholders
Successful internal controls automation requires board-level sponsorship and a clear delivery roadmap, as Yeates explains: “Automation often crosses many function lines in the organisation and if you have siloed functional management – and I’ve never met an organisation that doesn’t – you will quickly come up against those siloes, so you need board-level sponsorship to get success.”
A comprehensive but agile delivery roadmap is also essential, with clear accountabilities. It should include consideration of issues such as data migration, sunsetting systems, process design, and dependencies across other parts of the business – all elements that can trip up a programme if they aren’t considered in advance.
Third parties are another important consideration. Where organisations have extended operating models with third parties intrinsic to key processes, those third parties need to be brought along on the journey to controls improvements.
Engaging with existing process owners is vital, too, says Lucas: “We’re now looking at controls over a much wider area, which is going to involve more stakeholders who have built their own way of looking at controls over, for example, health and safety or environment data. I suggest building a working group to coalesce around the project and advise you on how to do it. Everyone works on different scales, with different preferences, so you need to get them behind the idea of standardisation.”
Key takeaways: Start early, be clear on value, and meet stakeholder needs
Investing in internal controls improvements, including automation, can deliver considerable benefits to the business beyond basic compliance with the new Code. However, the time to act is now, believes Yeates: “The extra year granted by the FRC is not a signal to do nothing for a year. Start now and make the transition better, with more chance of success.”
Lucas also notes that stakeholders go through change at differing paces: “Time is the most important asset you have, so start early. Some people need more time to engage with change and need to hear it six or seven times before they are ready to start.”
Messaging needs to be empathetic, too. “You’ve got to put yourself in the shoes of a busy business manager and think ‘what is this going to give them?’ and communicate in those terms,” urges Lucas. “Start off by being really clear with the stakeholders and business process owners. Start small and build something that really meets the needs of your first line business managers.”
For Yeates, the key is about communicating both benefits and risks: “Be clear about the value focus on the upside, and be realistic about what the risks are. There is huge amount of potential and this [meeting the code requirements] is something that organisations have to do, so embracing it and doing it in a way that adds value has got to be the most compelling way to approach this.”
Watch the full on-demand webinar to learn more about maximising ROI from investment in internal controls.
Discover the Diligent One Platform’s advanced internal controls automation tools.