Manage risk in hospitality with CTA


Automating controls increases efficiency and accuracy, decreases risk


Running the internal controls of businesses in the lodging, restaurant and gaming sectors is a formidable task that, if automated, can help manage risk exposure. Companies in these sectors must manage large and varied datasets across their business processes and financial reporting, including inventory, payroll, employee data, operating supplies and equipment, services and property information. Multiplying these tasks by the number of locations creates a daunting task of data analysis and synthesis. Potential negative consequences include regulatory non-compliance, financial statement inaccuracies, unnecessary or excessive costs, poor guest experiences and even legal trouble.


Advances in technology have introduced new capabilities for control test automation (CTA) that are creating added value for internal and external auditors as well as for management, wherever controls are embedded in an organization’s business processes or its financial reporting.

Take a deeper dive into CTA

Get a detailed analysis of the use of CTA related to internal control over financial reporting — and an illustrative example of CTA over a user-access provisioning control. This publication, co-produced and published by Grant Thornton and the AICPA, sheds light on CTA relevant to organizations and their internal and external auditors.


When technology is used to test the operating effectiveness of controls:

  • The full population of data can be tested, rather than just a sample.
  • Automated testing that once was manual can relieve personnel from labor-intensive, often repetitive work.
  • Controls can be performed and tested in a more time-sensitive manner.
  • Potential issues can be identified and addressed before they become real problems.

Many of today’s advanced automation technologies were in their infancy in 2013, when the revised Internal Control — Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), described how technology can support ongoing evaluations of controls.


The COSO framework described how continuous monitoring techniques can provide a high standard of objectivity and enable efficient review of large volumes of data at a low cost. The framework indicated that, combined with robust review and analysis of results by knowledgeable personnel, automated monitoring can provide for efficient, effective ongoing testing.


While modern control technologies enable us to identify issues and deviations, the question is: How do you identify what represents an exception, deficiency, or failure and needs human intervention? This issue is discussed in more detail later in this article.




CTA in action for gaming


In one such example, Grant Thornton recently reviewed data for a gaming client with a significant presence in Nevada to determine how that business’s internal client database was performing at the control task of monitoring and barring from gaming activities self-identified high-risk individuals. We discovered the organization’s database was not being regularly auto-updated to match the state’s Responsible Gaming Database (RGD) list of individuals, with some discrepancies that were more than a year old.


Further, the casino databases weren’t being properly replicated and shared among the company’s various gaming properties and offerings. A guest who was banned from sportsbooks, for instance, could still play roulette or slots at the same venue. Also, common names were a problem because, without proper identification, it is difficult to discern whether a “John Smith” in the casino is the same “John Smith” in the Nevada database.


The client’s data systems were there and operating, but the internal audit control capabilities were not efficient or effective.  Our Grant Thornton team, utilizing a CTA routine to test the replication and sharing of the RGD, identified the initial issues. CTA was then implemented to enhance customer identification routines across company databases and to provide continuous monitoring of the RGD and company databases across all properties and gaming products, rapidly alerting management of any discrepancies for immediate resolution. Similar CTA continuous monitoring routines were also implemented within the company to monitor other sensitive functions, allowing testing of full populations of large datasets in a rapid and cost-effective manner that allowed management to address potential issues before they became real problems.


CTA in practice


Today’s most tech-savvy companies and internal and external auditors are delivering on COSO’s vision. CTA activities are being designed and implemented in organizations’ continuous monitoring activities, providing management with valuable feedback and even customized alerts when deviations exceed acceptable thresholds.


CTAs also are being designed and implemented as supervisory control activities, such as authorizations and approvals or reconciliations. When implemented skillfully and reviewed and monitored by competent personnel, CTAs can provide benefits that include:

  • More frequent or continuous testing of controls.
  • More timely information for decision-making.
  • Identification of errors or issues that may be missed due to human error or the limitations of a sample-based approach.

Regardless of the industry, CTA can be a powerful tool for internal and external auditors who are testing operating effectiveness of controls to support or gather evidence about the effectiveness of internal control over financial reporting (ICFR). Manual tests of these controls often are labor-intensive and rely upon sampling, while automated tools and techniques have the potential to reduce the need for repetitive human labor while extending testing to the entire population.


Within ICFR, uses of CTA may vary widely based upon industry. Take revenue recognition, for example. A company in an industry or sector with a subscription-based business model that recognizes revenue over time may have different CTA opportunities than a company with a point-in-time revenue model based on discrete individual sales.


Outside of ICFR, CTA can be implemented for controls over operations, reporting or compliance objectives. These CTA opportunities also may vary widely based on the industry.




CTA comparison routine reveals discrepancies


Being a very location-driven industry, hospitality companies often delegate a considerable number of decisions to on-site managers. Choices about supplies and services made at the location level, rather than at the corporate level, can be more responsive because on-site employees likely will have a much better grasp of what’s needed when.


But this situation also means that there can be significant discrepancies in individual costs of the same types of items — food, cleaning services, room supplies, tableware, furniture, towels — that are the results of suboptimal individual choices. The variability, for instance, of rates of food spoilage or costs of cleaning service use is often surprising when discovered, especially when the circumstances should generate similar results.



Alex Rhodes, Grant Thornton National Managing Partner, Hospitality & Restaurants, said these sorts of discrepancies commonly turn up after a year or years have passed since the decisions leading to them were made. Early awareness of these discrepancies in internal audits would help, but hospitality businesses have such high volumes of transactions that it’s often a difficult undertaking.


“Hospitality companies, whether in lodging, restaurants or gaming, deal in high volumes — from guest revenue transactions, procurement with purchasing, receiving and storage, or with large workforces often characterized by high turnover with constant team member onboarding and exits,” Rhodes said. “High transaction volumes are an ideal target for automation, both to increase effectiveness and drive efficiencies.”   


Shawn Stewart, Grant Thornton Business Advisory Partner, said a hospitality company typically would use an internal reconciliation process to locate cost and purchase discrepancies with documentation when discrepancies are over a certain amount, say $20,000.


“With control test automation, you could re-perform that same reconciliation and you could compare that to the control that's being performed,” Stewart said. “You can determine whether you are finding the same reconciling items, or if there’s a problem in the feed. Subsequently, you could use that information to determine whether the reconciliation action was followed correctly on the reconciling items.”




The best candidates for CTA


All controls are not created equal with respect to CTA, as automated testing can be easier to implement for some controls than for others, such as those that are objective rather than subjective. It would be more straightforward to set up an automation that compares all vendor billings and reimbursements and sends an alert if the amount of a check sent to a vendor does not equal the amount billed on the invoice. It’s more difficult to create an automated test to tell you whether the amount on the invoice is reasonable considering the services the vendor provided. The best candidates for CTA often are controls with attributes that can be clearly defined, such as tolerances, distinct values or pass-fail conditions. These may include:

  • Authorizations, approvals, verifications and controls over standing data.
  • Segregation of duties.
  • Certain general IT controls, such as authorization, provisioning, deprovisioning, privileged access and security configuration controls.

“As compared to robotic process automation (RPA), where it may be economically feasible to automate approximately 10 to 15% of an organization's internal controls, CTA typically relies upon more cost-efficient technologies that can automate between 60% and 80% of an organization’s internal controls in a cost-effective manner,” Stewart said.


In the hospitality sector, one constant factor is the size of the workforce and its high turnover, which creates an opportunity to use CTA in the payroll function. Accounting for who is working and who isn’t working at a company would seem to be a simple matter, but Rhodes said the volume of employees coming and going is such that keeping an accurate track of current employees is critical.



But it’s not just money that’s a concern. Rhodes said he has seen a hospitality business where terminated employees did not have their logins removed in a timely manner, potentially putting sensitive company data at risk. Companies also can have an overabundance of people who have access to payroll master files, where bank routing numbers and even Social Security numbers can be changed. Because payroll matters are governed by distinct numeric values and “on/off” conditions, they are attractive places to begin use of CTA processes.


“There are plenty of things hospitality organizations can do with control test automation’s data comparison routines, such as look for fictitious employees or terminated employees that are still being paid,” Stewart said. CTA can compare terminated employee lists from human resources to payroll lists to detect discrepancies.
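A sketch of such a data comparison routine, added here as an illustration and not taken from Grant Thornton or any client system: it tests the full population for terminated employees still being paid, paid IDs with no HR record, and logins left open after termination. The record layouts, the one-day grace period and the zero tolerance for access deviations are assumptions, and all sample data is constructed.

```python
from datetime import date, timedelta

# Constructed sample records; IDs, dates and field layout are assumptions for illustration.
HR_ROSTER = {"E100", "E101", "E102", "E200"}            # every employee ID HR has issued
TERMINATED = {"E100": date(2024, 3, 1),                 # employee ID -> termination date
              "E101": date(2024, 3, 15),
              "E102": date(2024, 4, 2)}
PAYROLL = [("E100", date(2024, 2, 16)),                 # (employee ID, pay period start)
           ("E101", date(2024, 4, 1)),
           ("E200", date(2024, 4, 1)),
           ("E999", date(2024, 4, 1))]
ACCOUNTS = [("E100", date(2024, 3, 1)),                 # (employee ID, date login disabled)
            ("E101", date(2024, 3, 25)),
            ("E102", None),                             # None = login still enabled
            ("E200", None)]

def paid_after_termination(terminated, payroll):
    """Payroll lines for a pay period that starts after the termination date."""
    return sorted((emp, start) for emp, start in payroll
                  if emp in terminated and start > terminated[emp])

def unknown_payees(roster, payroll):
    """Paid IDs with no HR record: candidates for fictitious employees."""
    return sorted({emp for emp, _ in payroll} - set(roster))

def late_deprovisioning(terminated, accounts, as_of, grace_days=1):
    """Terminated employees whose login outlived the grace period, with days open."""
    late = []
    for emp, disabled_on in accounts:
        if emp not in terminated:
            continue
        closed = disabled_on or as_of        # still enabled: measure up to the test date
        if closed > terminated[emp] + timedelta(days=grace_days):
            late.append((emp, (closed - terminated[emp]).days))
    return sorted(late)

def evaluate(deviations, population, tolerance):
    """Compare the deviation rate over the full population with the accepted rate."""
    rate = len(deviations) / population if population else 0.0
    return {"deviations": len(deviations), "rate": rate, "passed": rate <= tolerance}

if __name__ == "__main__":
    as_of = date(2024, 4, 10)
    late = late_deprovisioning(TERMINATED, ACCOUNTS, as_of)
    print(paid_after_termination(TERMINATED, PAYROLL))
    print(unknown_payees(HR_ROSTER, PAYROLL))
    print(late, evaluate(late, population=len(TERMINATED), tolerance=0.0))
```

Each flagged item is a deviation for a person to investigate, not a conclusion; a final paycheck or a rehire can explain a match.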


Data quality, governance and human involvement


As with most automation efforts, a CTA is only as good as the information it relies on. Whole population testing is ineffective if the population is not complete or the input data is not accurate. When the information used is complete and accurate, a CTA can be run on large volumes of transactions or activities, quickly and with more precision.


Whole data population testing is one of the biggest benefits of CTA programs. If an organization sends tens of thousands of checks to vendors every year, CTA may be used to test that all of the checks match the amounts on the respective invoices and were approved based on the organization’s policies or procedures in a tiny fraction of the time it would take a human to test only a sample of such transactions. CTA is generally designed to extract information directly from existing systems or applications, further reducing human effort.


Nonetheless, human involvement in the form of strong governance is essential for developing and maintaining a CTA program and related IT environment that accomplishes the desired objectives. Responsibilities and accountabilities need to be established for designing, implementing and maintaining effective governance over the IT environment — including general IT controls — that will support a CTA program.


When CTA is being implemented, validation often requires test runs, with manual testing compared to CTA results to verify accuracy and consistency. Controls may need to be modified and CTAs recalibrated several times before the automation is ready to be implemented.


Another critical role for humans in CTA implementation resides in the appropriate treatment of deviations and control failure rates. Leaders need to carefully determine an acceptable failure rate for a control or control objective to appropriately evaluate the results and to conclude on operating effectiveness. In some cases — for example, a security access approval — that acceptable failure rate may be zero.


Many times, though, an acceptable failure rate may be greater than zero. Consider, for example, a control that requires a manager to approve an employee’s expense reimbursement forms. If the acceptable failure rate is zero for this control attribute, what happens when a manager takes a two-week vacation? The acceptable failure rate for such a control could be set at something higher than zero, with the provision that a separate control or control attribute is implemented, such as deviations being investigated by finance to identify whether an appropriate delegate designated by the manager approved expense reimbursements when the manager was unable to do so.


Great care needs to be taken in developing and implementing CTA programs; the considerations become more complicated as the controls and automated testing become more complex. Nonetheless, precision in the development and implementation phase often is worthwhile because of the additional, timely insights that CTA can provide later with a reduction of manual labor that can offset the costs associated with automation.


An effective CTA program — whether it’s used as a monitoring activity, supervisory control, or both — can lead to better risk management by enabling detailed analysis; pattern and deviation identification; and more timely decisions. These are benefits for lodging, restaurant and gaming organizations that can provide an important edge in an environment where effective controls are essential.




