The Audit Podcast – Episode 276

The Controls Integration Problem: When IT, Finance, and Risk Don't Talk

Guest: Marc Walrod (Controls Integration Leader, Clearsulting)
Host: Trent Russell
Date: March 3, 2026

Episode Overview

This episode explores the persistent challenges organizations face when integrating controls across IT, finance, and risk functions—especially during major technology transformations like ERP implementations and AI rollouts. Trent Russell and guest Marc Walrod dig into where controls integration breaks down, common myths, the crucial "phase zero" in transformation projects, and actionable strategies for getting controls right from the start. The discussion is candid, practical, and driven by real-world examples, with a focus on preventing costly surprises down the road.

Key Discussion Points & Insights

1. Why Controls Integration Fails in Transformations

• Misplaced Assumptions about Controls in Software

  • Many believe modern ERPs “come with controls baked in.”
  • Marc debunks this: “These large ERPs come with so much optionality...you can configure very well, tightly controlled processes or fairly wide open processes.” (09:17)
  • The true risk comes in how the system is configured, not just installed.

• System Integrator Limitations

  • Controls are often excluded from system integrator proposals unless requested.
  • When included, it’s typically minimalist to keep costs down:

    “Almost all the time…there’s a section in the engagement letter that says...‘we have no responsibility [for internal controls]. That’s a management responsibility.’” (12:17)

2. The Vital Importance of “Phase Zero”

• What is Phase Zero?

  • The period before a transformation project kicks off—often focused on data cleanup, selecting integrators, and prepping processes.
  • Controls mindset needs to be present even if controls aren't the primary focus yet:

    “Just having the controls team having a seat at the table...not the loudest voice in the room, but just having that consciousness so that as decisions are made...you can ask, ‘what are the control implications?’” (21:43)

• Early Integration of Controls Prevents Headaches

  • If controls are considered from the start, they’re simply “built in” as requirements:

    “If you talk about controls early, if you start to set expectations... controls doesn’t have to be a massive drain on resources.” (18:15)

  • Late involvement leads to manual workarounds and missed automation ROI.

3. Communication Breakdown Among IT, Finance, and Risk

• Poor communication is often the root cause of control failures:

  “It’s so frustrating that lack of communication is still one of the major control failures in a lot of scenarios.” (17:05)

• Success requires active coordination and expectation setting between business, IT, risk, and audit.

4. Scoping Controls Integration

• Controls impact assessment is critical:
  • Start by mapping current and future processes and systems to spot what truly changes.
  • Assess which controls need to evolve, what can be automated, and where more rigid configuration is needed.
  • Don’t underestimate data quality, lineage, and migration issues, especially with multiple legacy systems (34:09).
• On custom and key reports:

  “At the beginning...my clients will tell me, ‘we’re doing no custom reports.’ Then you get to go live, and we’re at a 50–70% custom report. There’s a controls impact there!” (27:48)

5. The Role of External Audit in Transformations

• External audit should be involved before go-live, not as an afterthought:

  “Bring external audit in early…If there are key decisions, let them understand what those are...and maybe fix pain points as part of the new deployment.” (21:43)

• Late involvement leads to surprise findings, missed controls, and pain during year-end testing.

6. AI and Controls: Current State and Future Outlook

• AI is primarily helping with research, efficiency, exception identification, and automating parts of controls testing—but always with “human in the loop”:

  “I haven’t seen AI completely eliminate humans from the picture...it’s more about enabling the control performer to be more efficient.” (35:54)

• Next steps: Organizations are taking “baby steps,” and external auditors’ willingness is the bottleneck for broader automation.

Noteworthy Quotes & Memorable Moments

• ERP Controls Myth:

  “I assumed...if you bought some huge ERP, at least some SoD controls were already baked in. And they’re not.”
  —Trent Russell (06:39)

• Marc’s Paint Analogy:

  “We want the paint on the wall, but we don’t really want that paint having dried yet because we still want to be able to influence some of those design decisions.”
  —Marc Walrod (13:56)

• Data Pitfalls:

  “Data is an area where we spend a lot of time...the effort around data is often underestimated, and the controls and compliance around data is often underestimated.”
  —Marc Walrod (27:48)

• Phase Zero Red Flag:

  “The phase zero talk...it’s just like a—not a red flag, but a flag that goes up as a ‘Hey, now’s a good time to consider this.’”
  —Trent Russell (39:11)

Important Timestamps

• 05:19 — Marc's professional use cases for AI
• 09:17 — Why “best in class” ERP does not guarantee good controls
• 12:17 — System integrators rarely own responsibility for internal controls
• 13:56 — The “paint on the wall” analogy for iterative controls design
• 15:39 — The myth of “simple lift and shift” and why it never works (Lift-and-Shift fallacy)
• 18:15 — Why controls must be integrated early and how requirements should be gathered
• 21:43 — What phase zero looks like and getting all parties in the room
• 27:48 — How to scope controls integration, including data and reporting challenges
• 34:09 — Why data issues are the silent killer of transformation, and why phase zero is often data-focused
• 35:54 — AI’s current and near-term future role in controls and audit
• 39:11 — Recap on the phase zero flag and why proactive controls integration matters

Takeaways for Practitioners

• Never assume software comes with the right controls pre-configured; controls decisions must be made actively.
• Bring controls professionals and external auditors into the conversation as early as possible, ideally in phase zero.
• Mapping out the process and technology changes up front helps you avoid being blindsided by downstream impacts—especially with data and reporting.
• “Lift and shift” is a dangerous myth—every transformation introduces control risks.
• AI is incrementally helping controls processes, but “human in the loop” will remain necessary for now.
• Practically, successful controls integration is about expectation setting, cross-functional communication, and iterative involvement—not just checklists or templates.

Want more?
Catch Marc Walrod and the Clearsulting team at Booth 111 at GAM, or connect via LinkedIn/newsletter (see show notes).