IFAC & cloudThing's PAO Digital Assessment Tool Part 9: The Role Governance Plays in a Digital Transformation

IFAC recently teamed up with cloudThing to offer our members a free Digital Readiness Assessment Tool to assess an organization's digital readiness ahead of a digital transformation project. The Digital Readiness Assessment Tool has been designed to measure how digitally 'mature' an organization is, or where they already are on their individual digital transformation journey.

IFAC strongly believes in the power of digitalization for PAOs, and digitalization will continue to be a long-term endeavour. IFAC’s main objective presently is to help PAOs complete the Tool and understand, interpret, and prioritize their results. The results, (after being thoroughly anonymized) will allow IFAC, working in conjunction with cloudThing, to assess the digital readiness of the accountancy profession as a whole and strategize future support.

The Digital Readiness Assessment Tool is broken down into 11 different pillars. So far, we have blogs covering the following sections:

We recommend reading the previous articles before proceeding to Part 9 on Governance & Digital Transformation.

Good Governance in A Digital Transformation

Good governance is at the heart of any successful organization. A PAO needs to achieve its objectives and drive improvement while maintaining good legal and ethical standing in the eyes of its members, partners, employees, and the wider community.

That is why the ninth pillar of the digital assessment tool seeks to evaluate to what extent an organization has implemented a governance framework and its approach to updating and improving it over time. It also seeks to understand how widely this has been adopted across the organization and what measures are in place to ensure compliance.

Some of the benefits of good governance include:

Streamlined processes due to repeatability and consistency of tasks.
Increased visibility of errors, meaning they can be resolved much sooner.
Positive behaviour encouraged amongst employees.
Reduced cost of capital.
Improved top-level decision-making.
Assured internal controls.
Enhanced strategic planning.
Talented leaders attracted to the organization; and ultimately
An organization known for culture of excellence and a well-respected reputation.

Building a Strong Foundation with Your Policies & Frameworks

Policies and Frameworks establish solid processes and good practices within an organization. They provide operating principles and a foundation that define a PAO’s practices, accountability, and processes to ensure a standard approach in delivering goods and services to its members.

They also define the organization’s approach, rules, responsibilities, expectations, and standards governing a specific area of business. The right policies and frameworks reduce the risk of fraud and reputational damage while also ensuring compliance with applicable laws and regulations to prevent consequences non-compliance, such as regulatory fines and penalties.

Other benefits include providing control over the organization’s operational activities and ensuring consistency in the delivery of products and services; providing clarity on expectations, structure, accountability, and responsibilities of individuals in the organization; and improvements to high-level decision making in the business all while promoting a positive and honest culture within.

How Does Your PAO Run Its Internal Audits?

Internal Audits assess the adequacy and effectiveness of internal controls, policies, procedures, and processes within an organization. They also act as a monitoring tool to ensure that all areas of the organization and its internal control processes are operating effectively. Internal audits provide the senior management team with an understanding of the organization’s culture and risk profile and highlight the areas that need attention.

They improve risk management processes by assessing current risks and treatments; identifying new or potential risks; and evaluating the appropriateness, adequacy, and effectiveness of internal controls, processes, and procedures in place by identifying gaps and discrepancies.

Involving your internal audit function in your digital transformation will help all areas of a PAO by providing recommendations that address identified risks, discrepancies, and gaps, and opportunities for improvement.

What Is Your Employment Screening Process?

Employment screening is a process to verify a current or potential employee’s identity, background, suitability, previous experience, criminal records, and references from previous employers or academic institutions.

This is undertaken as part of the recruitment process and ensures that prospective employees are suitable and that all current employees can continue to work well within a safe and secure environment.

Rolling this into your governance as part of a digital transformation:

Demonstrates that the organization acknowledges employer due diligence and ensures high-quality hiring.
Reduces the risk of fraud and reputational damage.
Reduces the risk of hiring illegal candidates.
Increases the security and safety of current employees and provides assurance to relevant stakeholders, e.g., customers, partners, etc.
Ensures that all new hires joining the organization have the required skills, qualifications, experience as stated by the candidate, and as expected of the role.

Evaluating Your Supplier Management Processes

Supplier Management refers to the process of evaluating a supplier’s ability and reliability to provide the products and services they are engaged in. This includes assessing the quality of goods and services offered, cost, associated risks, and identifying areas of improvement while engaging with a supplier throughout their lifecycle.

Good supplier management processes help PAOs to expand delivery channels, realize cost efficiencies, and leverage skills and expertise. PAOs can be assured of a supplier’s ability to provide the necessary goods and services to effectively meet business needs.

Of particular importance to PAOs during their supplier management process is evaluating suppliers’ compliance with all applicable regulatory and legal requirements so that everyone remains compliant with relevant legislation. It is also helpful for defining contractual obligations, including service standards and expectations, and maintaining a positive relationship with supply chains, often resulting in cost-saving opportunities.

Effective Risk Management Tooling

Risks are inherent in any business, and therefore, a PAO needs to assess, control, mitigate, and monitor possible and relevant risks to support their business planning and strategy. The process of managing those risks throughout their lifecycle is known as risk management. It helps organizations determine appropriate actions using a selection of risk management tools.

Risk management tools allow the risk to be addressed by identifying and generating metrics then prioritizing, developing responses, and tracking them.

Depending upon the type of risk assessment approach used by an organization (qualitative or quantitative), appropriate tools can be selected to calculate and manage risks, such as probability and Impact Matrix, risk register, etc. These will ensure risks are assessed and managed consistently.

Good risk management tooling dramatically improves fact-based decision-making by creating adequate controls and mitigations to manage said risk. It also helps strengthen the monitoring and tracking of risks and maintains historical records of risk assessment and treatment.

Ensuring Membership Satisfaction with Quality Management

Presently, many PAOs might be thinking of ‘quality management’ from an audit standard-setting approach. In digital transformation, quality management provides a structured approach for a PAO to ensure member satisfaction and continually improve its own operational processes, products, and services by understanding its position in the market and its risk profile.

Establishing and assessing review processes, defining and measuring quality, and improving objectives and standard operating processes ensures quality and consistency across the business.

They also ensure that organizations and their stakeholders work together to improve processes, products, services, and culture to achieve success and members’ satisfaction.

Other benefits of quality management processes include:

Maintaining and retaining all required documentation effectively.
Establishing a PAO’s reputation and reducing the risk of ongoing and future revenue losses.
Ensuring continuous improvement in processes, products, and services.
Using defined monitoring and measuring methods to reduce deficiencies.
Most importantly, ensuring organizations plan for change and have processes to manage unexpected changes or non-conformances.

Managing Privacy & Information Security

Information Security Management provides a structured approach for organizations to build a secure IT infrastructure. This requires identifying risks to information systems and applying adequate controls to mitigate said risks.

This will enable organizations to ensure protection, confidentiality, availability, and integrity of IT assets. It also assesses security risk impacts and potential mitigations that can either prevent or minimize the effect of the identified/potential risk. Information Security Management also increases organizational resiliency and permits an effective response to evolving security threats by ensuring data and information is only accessed by and available to authorized individuals, preserved, consistent, accurate, and up to date.

Privacy Management ensures the protection of personal data, including protecting the rights of those whose data is being processed.

Together, these functions ensure that organizations operate securely, protect their information assets, including personal data, and demonstrate their commitment to privacy and information security to stakeholders. Information Security and Privacy Management also ensure compliance with applicable laws and regulations, which reduces the risk of regulatory fines and penalties.

Good Governance Through Case Management

Governance Case Management is a system that will allow PAOs to establish a method to pinpoint the cause, facilitate implementation of remedial actions and, identify actions to prevent a recurrence of any undesirable results.

It ensures quality management and continuous improvement. Firstly, by validating and verifying the remedial action activities of the undesirable results to the individuals responsible for implementation and secondly, by providing information to management on possible risks during the implementation of a corrective action while tracking progress.

This reduces defects and discrepancies in processes, products, and services by directing organizations to conduct a root cause analysis. Identifying the source of the problem can then be followed by a systematic investigation of identified gaps, discrepancies, and unwanted results.

Governance Case Management will require a PAO to identify potential discrepancies before they occur and implement controls to prevent them from happening. It will also act as an audit and monitoring tool to ensure the actions against a defect or undesirable result are tracked to completion, which can then be used for future reference.

Assessing Solutions with Independent Technical Assurance

Technical Assurance is the prevention of errors and mistakes in delivering information technology (IT) services. This is an ongoing process of monitoring the quality of IT services, managing issues, and improving matters to assesses and assure that industry-standard security best practices are followed in any solution.

Independent Technical Assurance allows PAOs to assess their solutions and the technology used against industry-standard patterns and practices by providing the necessary tooling, processes, and procedures to manage technology choices and their vetting. That means any technology chosen by an implementation partner is assessed by an independent third-party service for a well-rounded outlook on various aspects of the solution. The assurance aims to benchmark the resilience of the solution and its security measures against a wide variety of criteria and ensure that the solution is secure, robust, and can withstand the challenges of today’s web.

By employing a range of tests and tools to conduct penetration testing, vulnerability scanning, performance benchmarking, and technology review, this activity assures that the solution and the underlying technology will be safe against known and unknown attacks and will continue to serve the PAO at the required and acceptable service levels in the event of attempted attacks.

It safeguards members’ data via threat detection, prevention, and aversion technology while assuring stakeholders that their data is being protected from various types of attacks with industry-leading security. It also ensures that a PAO remains compliant with the required data protection and safeguarding legislation applicable in their jurisdiction.

Member Organization Audit Orchestration

An organization’s audit is a multi-tiered process and requires careful planning to support the agreed upon auditable areas and objectives. An audit assesses the sufficiency, effectiveness and impact of internal policies, controls, operating procedures, and governance mechanisms in place at the organization through an independent, evidence-based demonstration of said compliance. The scope of the audit covers the established quality and continuous improvement objectives of the organization.

Tools to support the formal audit allow easy storage and retrieval of the required evidence for the aspects being audited. This allows the designated auditing authority as appointed to conduct a structured audit of the organizational aspects.

Audits provide an actionable measure of compliance, allowing organizations to plan corrective actions if found inadequate or continuity if found sufficient. It also facilitates querying and listing the required evidence to respond to the audit queries: standard processes can be documented and followed for similar internal audits in preparation of external audits, saving time and money in the future.

Engage with More People Through Practice Regulation Management

Practice Regulation Management allows PAOs to support practices or organizations intending to engage with them. Practices and organizations may interact with a PAO to manage corporate-level or organization-led memberships for their employees or register the practice itself as an organizational (often firm) member.

This aspect of the pillar covers the required tooling to enable registering practice members and serving them as registered members. It further enables the practice member organizations to effectively manage their employees' membership with the PAO directly, allowing them to make bulk registrations, consolidated renewal payments, and unified invoices.

The benefits of including this in a digital transformation include:

Establishing a clear membership type for practices/firms.
Supporting end-to-end process related to practice registrations and service.
Allowing consolidated payments for practice-affiliated members, paid for by their practices.
Providing clear reporting and book of accounts to the practice-affiliated members.

Complete Your Assessment!

Locate the email sent on behalf of IFAC Membership, with the subject line, "IFAC PAO Digital Readiness Assessment Tool Launch." Your organization's unique access link will be located within.

If you have any issues with registration, please contact support@baselined.app for assistance.
If you cannot locate the email, please contact membership@ifac.org.

Check out IFAC’s PAO Digital Transformation Series webpage which houses helpful resources, articles and videos on Digital Transformation and is regularly updated!

cloudThing, based in the UK, is a technology company that help organizations such as the British Red Cross, The South African Institute of Accountants, and the Institute of Chartered Accountants (England & Wales) to name but a few, digitally transform by taking advantage of the automation technology available to them on the cloud.