Businesses, especially those that are publicly traded, have spent a lot of time and money on systems for internal control over financial reporting. And, in response to the 2004 update of the U.S. Federal Sentencing Guidelines, many companies of all types and sizes have invested to modernize their compliance and ethics programs. A good question for all of us, then, is: Can this time and money be leveraged to realize benefits beyond mere compliance?

Think about it another way: As we drive toward objectives, we must stay within boundaries. One boundary is the mandated boundary that includes laws, rules, and regulations. Much of our work has been focused here. Another boundary is the voluntary boundary that includes our brand, internal policies, procedures, and contractual obligations — things that we choose to do and aspire to be. Can we use one set of processes and technology to guide conduct so that we operate between both the mandated and voluntary boundaries?

Leading companies are finding that the answer to these questions is an emphatic, “Yes.”

Breaking Down Silos

Much ink (including my ink) has been spilled on the topic of breaking down compliance silos. Most practitioners understand that we can gain efficiencies and effectiveness by addressing compliance silos with a common approach. Whether it is financial compliance, employment compliance, data protection, government dealings, fraud and corruption, international dealings, and so forth, we can use a similar process model and technology infrastructure to support them all.

Less ink has been devoted to how we can use the principles of governance, risk, and compliance to improve all business processes; how we can use the investment in people, processes, and technology to do more than just control compliance processes; and how we can use the investment to do more than just stay within mandated boundaries.

Take a Step Back

If you take a step back from the progress made in ICFR and compliance and ethics, much of it is really just the application of process improvement and quality management techniques to areas that were either de-emphasized or, in some cases, ignored by the quality revolution. What is interesting is that, because of the stakes involved in getting ICFR and compliance and ethics “right,” many organizations now have invested a great deal of resources to apply quality management techniques to these previously ignored areas.

But there still remains an opportunity to bring all of this work together (quality management, ICFR, and compliance and ethics) to deliver breakthrough performance.

Operational Controls

As we talk about controlling risk in operations, I'll use the term “operational controls.” Effective operational controls add value by ensuring that the people, processes, and technology that drive the organization's core functions remain aligned. As with other controls, operational controls can be either automated or manual. In addition to flagging potential risks as they occur, operational controls can identify misalignments that arise from inefficient business processes, poor training, improperly configured IT systems, and fraud.

You can think about operational controls in three categories: transactional, configurable, and master data controls. To illustrate these concepts, consider how these ideas can be applied to the procure-to-pay process.

Master Data Controls

Master data is the core information about an organization's customers, vendors, employees, raw materials, and chart of accounts; this data is fundamental to the execution of mission-critical business processes. Master data controls ensure the integrity of this data so that mistakes are not compounded as transactions reference the data while business processes are executed. Master data controls enforce rules on the core data regardless of which transactions are modifying it. Some examples:

Ensure that vendor and employee addresses do not match;

Ensure that vendor and employee bank information does not match;

Ensure that duplicate vendors are identified and merged.

The key is that these rules are enforced consistently, regardless of which transactions affect the data.

Transaction-Level Controls

As individuals perform day-to-day business processes, key steps and milestones are recorded as transactions and can take the form of entries in systems, e-mails, or even conversations. Transaction-level controls serve to prevent, identify, or detect inappropriate, inaccurate, or unauthorized transactions in these systems wherever they are. Some examples:

Ensure purchase orders are created before goods are received;

Ensure purchase orders are created before an invoice is received;

Ensure goods are purchased from preferred vendors.

Transaction-level controls are typically embedded in enterprise resource planning software or other core systems and are performed as transactions occur.

Configurable Controls

Business processes and corporate policies consist of a prescribed sequence of tasks, events, and transactions. Configurable controls ensure that processes are executed as intended. Some examples:

Ensure that minimum and maximum inventory levels are defined and that inventory levels stay within these boundaries;

Ensure that tolerance rules for invoices and purchase orders are configured and that neither invoices nor purchase orders stay open beyond these tolerances.

Configurable controls are typically embedded in system parameters and settings.
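The master data and transaction-level rules listed above can be run as detective checks over exported ERP records. The following is an added example, not code from the original article; the vendor, employee, purchase order, receipt and invoice records are constructed sample data, and the field names are assumptions.

```python
# Added example (not from the original article): detective checks for the
# master data and transaction-level controls described above, run over
# constructed sample records. Dates are ISO strings, so they compare as text.
from collections import defaultdict

def norm(text):
    """Normalize names/addresses so trivial formatting differences still match."""
    return " ".join(text.lower().replace(",", " ").replace(".", " ").split())

# Constructed sample master data and transactions (hypothetical values).
VENDORS = [
    {"id": "V1", "name": "Acme Supply", "address": "12 Main St, Springfield", "bank": "021000021-111"},
    {"id": "V2", "name": "ACME Supply Inc.", "address": "12 Main St. Springfield", "bank": "021000021-111"},
    {"id": "V3", "name": "Widget Co", "address": "9 Elm Ave, Shelbyville", "bank": "026009593-555"},
]
EMPLOYEES = [
    {"id": "E7", "name": "J. Doe", "address": "9 Elm Ave., Shelbyville", "bank": "026009593-555"},
]
PURCHASE_ORDERS = [{"id": "PO1", "vendor": "V1", "created": "2024-03-01"}]
RECEIPTS = [{"id": "R1", "po": "PO1", "date": "2024-03-05"},
            {"id": "R2", "po": "PO9", "date": "2024-03-06"}]   # references no known PO
INVOICES = [{"id": "I1", "po": "PO1", "date": "2024-02-28"}]  # dated before its PO

def master_data_findings(vendors, employees):
    """Vendor/employee address and bank matches, plus duplicate vendor records."""
    findings = []
    emp_addr = {norm(e["address"]): e["id"] for e in employees}
    emp_bank = {e["bank"]: e["id"] for e in employees}
    by_name = defaultdict(list)
    for v in vendors:
        if norm(v["address"]) in emp_addr:
            findings.append(("ADDRESS_MATCH", v["id"], emp_addr[norm(v["address"])]))
        if v["bank"] in emp_bank:
            findings.append(("BANK_MATCH", v["id"], emp_bank[v["bank"]]))
        by_name[norm(v["name"]).removesuffix(" inc")].append(v["id"])
    for ids in by_name.values():
        if len(ids) > 1:   # same normalized name under several vendor ids
            findings.append(("DUPLICATE_VENDOR",) + tuple(ids))
    return findings

def transaction_findings(purchase_orders, receipts, invoices):
    """Goods receipts and invoices must reference a PO created before them."""
    po_created = {p["id"]: p["created"] for p in purchase_orders}
    findings = []
    for kind, docs in (("RECEIPT", receipts), ("INVOICE", invoices)):
        for d in docs:
            created = po_created.get(d["po"])
            if created is None:
                findings.append((kind + "_WITHOUT_PO", d["id"]))
            elif d["date"] < created:
                findings.append((kind + "_BEFORE_PO", d["id"]))
    return findings
```

Each finding names the control that fired and the record ids involved, so it can be written to the audit trail or central data store the Action Plan below describes.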

Common Ground

What's interesting about these examples is how similar these business rules and controls are to the controls we put in place to support ICFR and other compliance areas. What is common?

Define existing processes and risks where the process can go awry;

Design rules and controls to prevent mistakes and misconduct;

Design controls to reduce the negative consequences of mistakes and misconduct;

Design rules and controls to detect mistakes and misconduct;

Design procedures to respond to mistakes and misconduct;

Evaluate the process to ensure that it continues to be designed appropriately and operates as designed;

Improve the process as necessary.

Sound familiar?

Benefits for All

Once again, as we consider the procure-to-pay process, think about the benefits beyond ICFR and compliance and ethics. For finance, there is a reduction in duplicate payments to vendors and a reduction in the time to track down mistakes that are not typically visible until the books are closed. For line management, there is a reduction of fraud and a reduction in time to respond to over- or under-delivery of inventory. For human resources, repeated control violations at the same points in the process or by the same individual(s) indicate opportunities for process improvements and increased training.

Action Plan

All organizations can realize additional benefits from the investment in systems for ICFR and compliance and ethics. Here are some simple steps to take:

Don't boil the ocean. Identify a single process, for example the procure-to-pay process, and look at extending the existing controls approach to encompass more than ICFR and compliance issues.

Work with the business. Work with process owners and line managers to identify areas in the process where mistakes are commonly made. Again, focus on those mistakes that result in the most duplication of effort or the most significant investment to fix.

Shift your thinking. Take off your legal and accounting hat and put on your process improvement hat. While a mistake may not be material to overall financial statements, a mistake can be quite costly to a department and your brand if it results in angry customers.

Design preventive controls. Reduce the likelihood of mistakes occurring in the first place.

Design detective controls. Ensure that operational controls either trigger real-time alerts or create an audit trail or transaction log that can be periodically assessed and audited for issues. Also, think about consolidating this information into a central data store so that ongoing process monitoring takes less effort.

Monitor the process. Putting all of these structures in place will be for naught if the triggers and audit trails are not monitored. Start this only if you can actually follow up on the information that it will generate.

Evaluate and improve the process. Periodically evaluate whether the process is adequately designed to deliver the level of performance that you desire and make appropriate improvements.

Again, sound familiar? It should.