Building control efficiency: Rationalization, optimization and redesign

Insights on IT riskApril 2011

Building control effi ciencyRationalization, optimization and redesign

1Insights on IT risk | April 2011

The past fi ve years have been challenging for those responsible for internal controls.

It took many corporate executives years to fi nally regain their footing after increased government reporting and compliance requirements, such as the Sarbanes-Oxley Act in the US. Then, in 2008, a global economic recession suddenly challenged them all over again.The increased reporting requirements forced internal controls functions to do more. The all-encompassing global recession then required them to do it with less. While regulators pressed for enhanced accountability, investors and stakeholders pressed for enhanced performance.

The regulators haven’t gone away, and neither has shareholder scrutiny or the market’s pressure for improved returns. However, the global economic landscape is slowly settling, and economic uncertainties have become less acute.

Those responsible for internal controls must now seize this opportunity to make their control frameworks as effi cient and effective as possible. By focusing on controls optimization, rationalization and control redesign, corporate executives can more effi ciently leverage technology to meet the expectations of their demanding stakeholders.

Among the benefi ts of an optimized controls environment:

• Lower costs due to a reduction in the number of controls, enhanced standardization, reduction of effort related to (internal) compliance and enhanced coordination and alignment between functions

• More appropriate risk coverage with a keen focus on the risks that really matter

• Improvement of the risk assessment process through a risk-based approach

• Better return on IT investments due to use of application controls rather than manual controls

By reviewing controls — and rationalizing, optimizing and potentially redesigning them to deliver an improved environment — companies will meet present challenges and prepare their organization to effectively address future control demands.

2

Chasing the elusive optimal control environment

Early efforts to respond to increased reporting requirements were mostly focused on compliance, with a secondary focus on risk. Those efforts weren’t designed to establish an effi cient foundational framework as much as they were implemented to simply meet obligatory compliance needs. Since then, companies have begun to understand the value of building control and reporting systems focused on addressing compliance and risk rather than complying just to comply. The mindset is shifting to a more proactive rather than reactive approach.

But companies still struggle to create optimal control environments that balance cost with risk. This suboptimal performance hampers effi ciency and jeopardizes clarity, transparency and confi dence.


Missed opportunities aboundMost companies fail to take advantage of the potential to create an effective and cost-effi cient risk and control environment, even when the potential cost savings would clearly eclipse the cost of control. There are many reasons companies fail to suffi ciently optimize their control environments, including lack of focus, human nature, lack of time, lack of knowledge and a failure to understand how to make things better. Here are three major explanations of why companies have endured ineffi cient control environments:

1. Duplication of risk and control activity. Because reporting and compliance are a core part of doing business, signifi cant effort and cost are expended to build controls that address potential risk. But often, the correlation, intersection and duplication of controls across different groups are not clearly visibly or easily understood because of multiple, overlapping and sometimes confl icting lines of reporting and responsibility. (See graphic below.)

2. Too much of some, not enough of others. Most organizations have too many controls to address some areas while not having enough controls to address others. One of the reasons for this disparity is that control activities tend to be added over time and not taken away or reduced when the need has been extinguished. Furthermore, in order to comply with regulators’ requirements, a lot of effort goes into controls around the daily transaction processing without properly addressing the higher-risk areas.

3. Failure to suffi ciently leverage technology. Although a company may have invested signifi cantly in enterprise resource planning (ERP) systems, there still may be a systematic lack of automation in controls implemented, leaving a signifi cant portion of the ERP investment unrealized and missing an opportunity to increase effi ciencies.

Finding a better way toward effi ciencyRecently, companies have pushed for control effi ciency by improving their approach and their corresponding frameworks. The objective of this improvement effort has been to remove redundant controls, identify and deploy controls that address multiple risks and replace multiple manual controls with more effi cient application controls. In particular, the increased focus on application-based controls — those that are largely computer-driven and automated — has been propelled forward not only by internal control and risk executives, but also by regulators who encourage those companies to leverage a more risk-based approach in their control frameworks.

The previously outlined ineffi ciencies waste organizational resources and create opportunity costs. But through the rationalization, optimization and redesign of the company’s control environment, companies are better able to increase effi ciency and effectiveness of their controls and potentially reduce overall compliance costs. It is a forward-leaning method of doing more to address today’s concerns to be better positioned to conquer tomorrow’s.

Board/Senior management oversight

Audit Risk Other committee committee committees

Internal audit Riskmanagement Compliance Internal

controlInformationtechnology

Legal andregulatory External audit

Audit committee

Risk committee

Other committees

Other committees

Duplication of risk and control activity

4 Insights on IT risk | April 2011

In attempting to deliver competitive advantage, those responsible for the control environment historically have been hampered by entrenched perceptions that the time and costs associated with control improvement program implementation are prohibitive and ultimately not justifi able. But such erroneous perceptions can mask the potential benefi ts generated when control improvement efforts are focused on three key elements:

1. The risks that really matter to the business, particularly those that align with key business and overall corporate strategies

2. Improvements that provide both risk coverage and improved business processes

3. A cost-effective approach that provides the business with tangible benefi ts from the investment in control and optimal use of automation

It is not necessary for control environment improvements to require major investments in time and resources — and therefore, higher risk and potentially lower ROI — in order to generate positive impact. It is important to understand that, like most things, there is a high correlation between complexity and diffi culty in control environment improvements and their resulting rewards (cost savings, improved effi ciencies, etc.). Even at the lower end of the cost/investment scale, companies can still generate signifi cant improvements in operational and compliance process effi ciencies, as well as a variety of cost savings. Control environment improvements are practical for today and designed to add ongoing benefi t.

Benefi ts of enhanced control effi ciencyThe rewards of making investments into improving the control environment can be substantial. The potential benefi ts arising from a control rationalization, optimization and improvement program include:

• Fewer controls; lower costs

• Better aligned risk coverage, including the identifi cation of stronger, more pervasive controls

• The identifi cation and standardization of effi cient and effective controls

• More effective and effi cient risk-based assessment process

• Better use of technology through the use of applications controls rather than manual controls

• A reduction in the internal compliance effort

• A more sustainable compliance process

• Improved alignment between the IT, business and internal audit functions

• Coordinated IT risk management activities

Value and competitive advantage through internal controls

Leading companies are now expected to improve their internal control systems and have those improvements drive competitive advantage. Like all other signifi cant corporate functions, internal control must do its part to build its value proposition by delivering competitive value through greater effi ciency and/or by generating large cost savings.


Different roads, same destinationWhether companies decide to massively overhaul their control environments or recalibrate or modify what they already have will largely depend on:

• The company’s current state

• The company’s desired state

• Resources available to implement effective change

• Institutional capacity to see all of it to fruition

The three main approaches toward increased control effi ciency are rationalization, optimization and redesign:

1. Rationalization involves the removal of unnecessary, insignifi cant or redundant controls or processes. This option requires the least amount of resources and overall effort.

2. Optimization involves the potential replacement of certain controls in exchange for others that are more effi cient. Replacing a manual control with automation is an ideal optimization. Another example would be standardizing controls across business units and geographies.

3. Redesign involves modifying, redesigning or re-engineering a process and its underlying control structure to drive operational effi ciency. This is the option that requires the most resources and effort because it usually requires redefi ning organizational design such as tasks, roles and responsibilities. While this option requires the greatest investment, it also provides the greatest potential for impact and return.

Understanding the differences: rationalization, optimization and redesignRationalization:

• Create formal criteria for assessing whether controls should be considered critical

• Challenge existing key controls for design effectiveness (i.e., whether an IT platform should be leveraged to improve the effi ciency and reliability of a control)

• Benchmark key controls with peer companies or standard control templates to identify potential effi ciencies

• Identify and leverage “power controls,” which are key controls that may mitigate multiple risks

Optimization:

• Review process documentation with process owners and IT staff to understand control structure within applications supporting specifi c processes and other potential controls that may be available

• Standardize business and IT processes

• Challenge existing manual key controls to determine if alternative application or automated controls exist

• Challenge the number of controls identifi ed that address the same risk

Redesign:

• Review of industry-leading practices and available options including new, proven approaches such as continuous monitoring

• Process design sessions with process owners and other stakeholders

• Cost/benefi t analysis and assessment of residual risks

• Implementation and change management


Controls rationalizationCorrectly identifying controls that are central to enterprise business processes is critical in creating increased benefi t. For the right testing impact, companies need to target the right controls. Many companies rationalize all of their controls using a “bottom-up” approach and may fi nd signifi cant opportunity to reduce their total population. Companies that were diligent in their focus on internal control over fi nancial reporting and used a “top-down” approach to compliance may fi nd fewer opportunities to reduce their control population.

The following steps should be considered during the rationalization process:

1. Identify and potentially reduce risks that are not relevant to internal control over fi nancial reporting

2. Review fi nancial assertions for each signifi cant account to determine relevance

3. Review key application end-user information security controls, particularly as they relate to user authentication, access and auditing

4. Review signifi cant accounts and related components to determine if insignifi cant components are included in scope

5. Review population to identify redundant or insignifi cant controls

6. Identify opportunities to centralize activities that are currently done at multiple locations

7. Review adjusted control population with external auditors

Controls optimizationControls optimization is the process of standardizing and centralizing controls and selecting controls that are more effi cient to test than others that potentially reduce the same risk. To do so, it is important to have an understanding of the different classes of controls:

Manual controls — These controls depend on a person to perform without reliance on IT tools or the company’s overall IT environment.

IT-dependent manual controls — These controls have both manual and automated aspects (e.g., a review of a computer-produced open orders report to determine that all sales have been invoiced).

Application controls — These automated controls are processed by the entity’s IT applications without input from a person and are focused on procedures used in the critical path of transactions or other fi nancial data. Application controls help ensure that transactions are authorized and accurately recorded and processed. When operating properly, IT application controls typically provide more effective risk reduction and are more effi cient to test (sample size and leverage). The ability to leverage such controls can signifi cantly reduce costs but depends on effective security controls around the application and the infrastructure on which it operates.

All controls documented at a single entity

Controls over inconsequential

general ledger codes

Controls overinsignificant business

processes/transactions

Scoping and sub-process ti li ti

Controls addressingt f bj ti

general ledger codes processes/transactions rationalization

Risk

Complimentary controls

out-of-scope objectives Risk rationalization

Redundant controls

Compensatory controls

controls

Selection of key controls

Rationalized t l

controls

controls

Rationalization approach


Application controls can typically be classifi ed as:

• Edit checks — These controls are used to limit the risk of inappropriate input, processing or output of data due to fi eld format (e.g., dollar amounts must be in the numeric format).

• Validations — These controls are used to limit the risk of inappropriate input, processing or output of data due to the confi rmation of a test. Examples include tolerances, duplicate checks and matching (e.g., an automated three-way match, where a check to a supplier will not be generated without a matched purchase order, receipt of goods and invoice).

• Calculations — These controls are used to ensure that a computation is occurring accurately (e.g., the system automatically extends and foots an invoice).

• Interfaces — These controls are used to limit the risk of inappropriate input, processing or output of data being exchanged from one application to another (e.g., the system confi rms through a record count that all records were uploaded from the sales sub-ledger to the general ledger or confi rms that totals from a header record reconcile to the detail that was posted).

• Authorizations — These controls are used to limit the risk of inappropriate input, processing or output of key fi nancial data due to unauthorized access to key fi nancial functions or data and include segregation of incompatible duties, authorization checks, limits and hierarchies (e.g., roles are defi ned within the system, so only the purchasing manager has the ability to add vendors to the vendor master).

The use of application controls rather than manual controls allows for more sensitivity and reliability in the processing of transactions and activities. Also, greater leveraging of application controls better aligns an organization with the signifi cant investments that it is making in IT systems to support and transform its businesses.

Are there entity-level controls thatRationalized

Are there entity-level controls that

Are there entity level controls thatoperate at the transaction level?

NoYes

Rationalized controls

Optimized controls

Are there entity-level controls thatoperate at the transaction level?

operate at the transaction level?No

Yes

Y controls


operate at the transaction level?No

Yes

Yes


NoYes

YesNo

Rationalized controls

Controls redesignOnce key controls have been optimized, management should consider re-evaluating the overall control structure by looking at how those controls operate, where they are performed and who owns and performs them. Leading companies are redesigning their control structure to create a compliance process that is more sustainable and cost-effi cient. Examples of what some companies have done in the name of controls redesign include:

• Implementation or expansion of shared services organization

• Migration to standard general ledger or ERP platforms

• Standardized policies and procedures across all business units or subsidiaries

• Integration of acquisitions or business units that are similar in form or function

• Process simplifi cation around fi nancial reporting and disclosure processes

• Implementation of continuous process monitoring

• Implementation of global standard access control and user identify management processes and supporting technology

Optimization approach


Controls improvement and information security

A fundamental part of a company’s business control framework is the controls that support major IT systems and application security. The increased use of application and embedded controls increases the need for effective information security controls. However, information security controls usually make up a large percentage of the controls contained within a company’s overall control framework. Information security in general — and user access management in particular — are increasingly seen as critical areas and are good candidates for potential controls rationalization, optimization and possibly redesign.

As with all controls enhancement efforts, the foundation for such decisions must be based upon management’s overall approach toward risk. Controls improvement must consider security across the people, process and technology landscapes, as well as across the key IT areas of infrastructure, operating system and applications. Many companies are now looking to fully review their information security policies, procedures and standards through a revised controls lens that ensures risk is managed appropriately and in a timely manner while allowing overall security controls to be optimized.

Companies that effectively manage the security aspects of their control framework have:

• Undertaken the implementation of standardized security procedures

• Adopted procedures that support the creation of a balanced set of security controls, including measures that prevent and detect

• Eased the burden caused by required testing

Key security areas where organizations must ensure they apply the rationalization, optimization and redesign tenets include:

• User access provision (including leavers, joiners and movers)

• Emergency access management

• Privileged user access, especially at the infrastructure, database and application levels

• Annual reauthorization of access

• Segregation of duties (SoD) defi nition and implementation

• Authentication and access self service

• User access monitoring

• Application usage monitoring

• Incident management and escalation

Seizing opportunitiesThe ideal circumstances and situations to review and improve control effi ciency and effectiveness are when the company is:

• Undergoing a new ERP implementation or upgrade, or undergoing some business transformation (merger and aquisition, divestitures, restructuring, cost reduction initiative, etc.)

• Moving to a smaller set of standard business or IT management processes

• Addressing concerns the management team has with the success of system integration or the ability of the development team to properly assess risk or implement appropriate controls

• Facing new regulatory factors that may drive new risk or force improvements in the control environment

• Discovering material weaknesses and misstatements related to fi nancial reporting, which may have resulted from an inadequate ERP control environment

• Implementing a major information security improvement program

• Led by a risk function individual who is dynamic, thought-provoking and not afraid to make bold moves


Case study: harmonization and standardizationOperating different controls monitoring business processes in 10 different countries, this global technology company decided to standardize the processes in each country, but without modifying the process itself. The business processes were supported by one single instance of SAP that was centrally hosted at one of the operating companies. Working with Ernst & Young, the company’s objectives included:

• Achieving greater effi ciency across the compliance and reporting program

• Focusing on fewer key controls with less proportion of manual controls

• Using IT application controls more consistently and improving quality of testing strategies

• Standardizing information controls and reducing “surplus” controls

• Potentially reducing defi ciencies

The starting point of this business process harmonization effort was the risk and control framework at each operating company. Although the risks were harmonized, the controls were not, leading to different control sets in each company. Frameworks could contain controls that were purely manual at one end or could contain a substantial amount of IT application controls. That IT application controls varied so widely was also a complication.

Management reviewed and approved multiple aspects of the standardization process, including risk and control mapping, control design, preliminary reliance strategy by control and test steps. Management also developed and shared standardized testing templates to encourage greater consistency and documentation quality.

After testing and reviewing, the use of controls frameworks within two of the operating companies — each with the highest extent of IT application controls — served as a leading practice for the team and was replicated in other operating companies. A small number of exceptions to this approach were allowed by management, but only in cases where local business process fl ow deviations could not be changed. Eventually, through harmonization, the IT application control framework consisted of a standard set of 23 SAP IT application controls across key fi nancial processes. Overall, the project successfully generated greater effi ciency while improving risk coverage, prompting the client to expand its optimization project to include other areas and functions.


The road map between current and future states

After understanding the potential benefi ts of an improved control environment and outlining the differences between each approach, companies interested in control enhancement need to:

• Focus on risks that align with key corporate strategies

• Examine improvements that provide risk coverage and improve processes

• Commit to ensuring that any improvement generates measureable return on investment

By leveraging a robust fi ve-step framework, companies are able to move forward, confi dent of the value they will achieve from control environment improvement activities. The process focuses on steps that will identify, diagnose, design, deploy and sustain a company’s control environment improvements.

Fundamental to the success of this fi ve-step improvement process is a current-state assessment, risk-based scoping and a top-down, risk-based approach.

Assessing current state

Having a clear view of the current number of processes, risks and controls will enable effi ciencies. Additionally, it is important to understand the composition of controls (manual vs. automated) and the nature of the IT applications supporting those controls. Finally, it is important to gather information related to the level of effort around performing, documenting and testing current controls. This will help identify high-impact areas (effort, cost and potential benefi ts) for prospective pilots.

Scoping

Scoping determines and defi nes the focus of the improvements. Scoping prior to the project begins reduces unnecessary and wasted effort. An example of such wasted effort is the attempt to optimize locations and processes not relevant to the organization’s overall risk management requirements.

A top-down, risk-based approach

A risk-based approach involves identifying and assessing material fi nancial reporting risks and allocating resources and efforts based on the severity and likelihood of those risks. This approach begins with management’s judgment of what is material to the consolidated fi nancial statements, followed by a thorough risk assessment. That assessment would consider the likely sources of potential misstatement within signifi cant enterprisewide processes.

Identify Diagnose

s

• Identify efficiency and effectiveness opportunities from process performance

• Measure and assess the process to determine current performance issues

• Deveoptioand iproce

Obj

ecti

ves process performance

and/or internal control reviews

performance issues and inefficiencies

• Analyze data and determine root causes for performance issues

proceenvir

s

• List and confirm value opportunities

performance issues and inefficiencies

• Detailed process map

• Collect leading

• Validwith

ies

and

resu

lts value opportunities

• Develop high-level business case with goals and benefits

• Collect leading practices and benchmark data

• Gap analysis

• Confirmation of root

with

Act

ivit

i

cause with stakeholders

• Define improvement objectives

Design Deploy Sustain

elop and validate ons to enhance improve the ess and control

• Implement action plans at selected process levels

• Monitor and support

• Implementation of adequate and sustainable monitoringess and control

ronment• Monitor and support

implementation at affected management levels

monitoring environment

• Transfer responsibility to process owners

dated options stakeholders

• Plot high-impact options

• Design, validate androll out monitoringstakeholders options

• Roll out after validation of pilot results

• Create policies and d

roll out monitoring and control system

• Develop transfer plan and hand off toprocess owner

procedures

• Prepare and execute training plan

Framework for control environment improvement


Case study: automation and globalizationA global pharmaceutical company decided to align and redefi ne the risk and controls in connection with a global SAP implementation and enlisted Ernst & Young to assist. This effort included the optimization of controls, with the desired future state of enhanced automation and globalization. In building the business case, a single business process — Requisition to Payment (RTP) — was selected for a pilot review. This process covered the capital expenditures, goods receipt/invoice receipt, inventory and receiving sub-processes. The RTP risk and control framework was compared against leading practices, combining the knowledge of the company’s environment with third-party resources with extensive knowledge and experience with SAP control functionality. Through this process, the company identifi ed several opportunities, including:

• Potential reduction in the number of risk points associated with the business process

• Potential replacement of manual controls by application controls

• Reduction of the overall testing effort by management and internal and external auditors, freeing up resources for other activities and potentially reducing the external cost of compliance

The pilot review successfully demonstrated that the company could be more effi cient while improving risk coverage. Benefi ts the company realized included the reduction of controls from 25 to 19, a 24% reduction in the number of tests, and the increased leveraging of SoD, user access and user change management controls around SAP. The company is now expanding its optimization project to include other processes supported by SAP.

Once the risks have been prioritized, management needs to associate the nature, timing and extent of testing of the corresponding control that can most effi ciently monitor it. The benefi t of a top-down, risk based approach is illustrated in the graphic below. Allocating control attention and effort where risks are highest is a more effi cient and effective use of available control environment resources.

Before After

Entry5% of effort E t

Division-levelit i

level 5% of effort

10% of effort Division-level

Entrylevel 15% of effort

20% of effort

Ris

ks

Non-routine,

monitoringcontrols

10% of effort

20% of effort

Ris

ks

Non-routine,

monitoringcontrols

20% of effort

complex transactionsBusiness unit monitoring

20% of effort complex transactionsBusiness unit monitoring

40% of effort

Routine transaction, process and application-level controls

65% of effort Routine transaction, process and application-level controls

25% of effort

Typical results before and after a top-down, risk-based approach


Questions to consider:• Have you prioritized risks identifi ed from internal audit, internal control and risk assessment fi ndings?

• Have you identifi ed process and control performance gaps or defi ciencies?

• Do you have documented current-state processes including key tasks, performance metrics, handoffs and controls?

• Do you have a full and detailed understanding of the cost associated with your current processes?

• Have you engaged your security personnel to understand the potential benefi t of improvements and the hazards of standing still?

• Have you benchmarked your current processes against leading practices to assess performance and identify improvement opportunities?

• Have you determined whether supporting technology meets business requirements?

• Have you involved those integral to the controls process in helping to identify and design improvements?

• What role can your internal audit function have in business improvement?

• Are process improvement efforts built into your audit plan?

• Does your internal audit department have strong skills in data analytics, problem solving, benchmarking, etc.?

• Does internal audit have appropriate business process skills?

• Do you have a program to monitor process and control changes for the sustainability of recent improvements?

• Is your organization prepared to make the necessary investment in building these competencies and changing the culture?

Building value through control effi ciency

The roads to increased effi ciency, better returns, heightened transparency and more confi dent stakeholders can all intersect at control environment improvement.Whether a company seeks to rationalize, optimize or redesign will depend upon available time, resources and resolve. However, it is clear that by properly examining the entire control environment and better understanding what paths are available — and the potential benefi ts of each route — companies can generate a competitive advantage. Companies continue to try to fi nd ways to move ahead of their competitors. The harder those companies look, the more clear it becomes that meaningful benefi ts can be found in enhanced and more effi cient controls. Now is the time to optimize the controls environment and help companies meet present challenges and future demands.


Contacts

Global Norman Lonergan (Advisory Services Leader, London)

+44 20 7980 0596 [email protected]

Paul van Kessel (IT Risk and Assurance Services Leader, Amsterdam)


Advisory ServicesRobert Patton (Americas Leader, Atlanta)


Andrew Embury(Europe, Middle East, India and Africa Leader, London)


Doug Simpson (Asia-Pacifi c Leader, Sydney)


Naoki Matsumura(Japan Leader, Tokyo)


IT Risk and Assurance ServicesBernie Wedge (Americas Leader, Atlanta)


Paul van Kessel (Europe, Middle East, India and Africa Leader, Amsterdam)


Troy Kelly (Asia-Pacifi c Leader, Hong Kong)


Giovanni Stagno (Japan Leader, Chiyoda-ku)


Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & YoungErnst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com

About Ernst & Young’s Advisory ServicesThe relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 20,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specifi c issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how Ernst & Young makes a difference.

© 2011 EYGM Limited. All Rights Reserved.

EYG no. AU0824

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

www.ey.com

Technology

Building control efficiency: Rationalization, optimization and redesign