Why the Internal Audit team at UQ describe Continuous Control Monitoring (CCM) as a key driver of organisational change
“Organisations will have their own burning platform and that’s where you start your business case.” Tracy Laurence- Internal Audit Manager
The University of Queensland has had SatoriCCM implemented for going on 5 years and across a growing number of the organisation’s departments. For a prestigious educational institution, reputational risk must be closely managed.
In our latest webinar with Tracy Laurence Internal Audit Manager and Georgina Larkings Principal Investigator we spent time to discuss their journey and success in implementing SatoriCCM.
More specifically, they shone a light on their experience implementing and adopting Conflict of Interest monitoring and how it has successfully driven a program of work around organisational change across the University as well as removing the #1 risk facing the business.
UQ is a prestigious University, ranking consistently in the Top 50 Universities globally with $2.2Bn AUD in revenue, over 55,000 students, and close to 7,000 staff spread across 3 campuses.
UQ has an extensive Research department, with funding coming from both private and public funding and grants. Any respectable University’ Research program needs to operate with the utmost integrity, transparency and be free from conflicts of interest, prejudice, or interference. So, in the early 2010s when the UQ Boards Audit & Risk Committee (ARC) flagged Research Conflict of Interest as a key risk to the University, the UQ Integrity & Investigations department took the lead in implementing a Conflict-of-Interest Policy to begin addressing the identified risk.
Given the diverse and disparate nature of the UQ business, the adoption and effectiveness of the manual self-reporting forms was slow. In the words of Tracy, “it was a slow burn until a significant conflict in the Research was the burning platform for change”. With this risk identified, the #1 risk for the ARC was the reputational risk associated with conflict of interest in the Research Department, and a new approach was needed.
Working across various stakeholders across the business, the Integrity & Investigations Unit, together with the Internal Audit and HR teams collaborated on implementing sweeping changes – including the implementation of Continuous Control Monitoring (CCM) solution, SatoriCCM, for continually monitoring Vendor and Employee master files, as well as cross-referencing external data sources such as the Australian Business Registry (ABR) Database. One of the immediate benefits was that CCM highlighted the extensiveness and awareness of Conflict-of-Interest across the business.
Beyond the internal ARC and senior stakeholders identifying Conflict-of-Interest as an area of concern, there were expectations from the external anti-corruption watchdog that UQ continually monitor their Conflict-of-Interest risk as well.
Holistically, UQ implemented a number of sweeping changes with the insights garnered from CCM, including tightening of the Conflict-of-Interest Policies, as well as broad-reaching education programs on the topic as well as a now annual self-declaration of Conflict of Interest. Through this awareness-raising, they have now ensured that everyone across the University is responsible for the risk stemming from Conflicts-of-Interest – particularly around disclosure and self-declaration.
As Georgina highlighted in the webinar, “every organisation and person at one time or another will be exposed to Conflict-of-Interest in their professional careers. It is not about preventing business activities from occurring, but it’s about being transparent and, if necessary, ensuring additional controls and monitoring but put in place to reduce the conflict-of-interest from being misused or abused”.
Lessons learned from implementing CCM for Conflict-of-Interest include ensuring the following is in place;
- A C-Level Executive to champion CCM – initially for UQ it was the CFO but has since shifted to the COO to ensure operational excellence
- Increased staff turnover through COVID has led to “reselling” the benefits of CCM to new hires
- Ensure CCM is part of the Assurance & Governance framework within the business a lot earlier
- It’s really about the people – put thought into the exceptions to run through a CCM process to drive behavioral change in the business
- Continuously engage with C-Level stakeholders to build out the CCM program to ensure continued relevancy
- The cost of CCM is not in the implementation, it is in the resourcing of the business units for the exception follow-ups. Middle management needs to be engaged to ensure they allocate resources to address alerts
- No point in having CCM unless you will do something with it
Feedback from the ARC has been extremely positive “having CCM in place we are seen as a leader in the Higher-Education space”. Further, the CFO stated, “I love this stuff and I want more of it”. Additionally, best-practice sharing with external oversight bodies have been impressed with the tools put in place to continually monitor the Conflict-of-Interest risk within the University.
UQ’s CCM journey started in 2015 with Accounts Payable (AP), where to date, $3.5m AUD worth of duplicate payments have been identified proactively. Whilst some of these would have been potentially identified through other processes and checks, CCM was able to identify them early and recovery/mitigation processes means that the majority of these payments were intercepted early leading to a significant reduction in losses to the University. In the words of Tracey, “The CFO was the initial sponsor, and the money talks”.
In addition to AP, UQ has since rolled out Vendor Master file CCM modules as well as Travel & Expense and Corporate Credit Cards. Following the current HR system implementation, CCM will also be adopted to cover Employee Master Files and Student Master File analysis is also in the roadmap as well.
Tracey and Georgina’s advice to getting started with CCM is to “break down the elephant” – take one bite at a time and build out the program to the point where now the business comes to the audit team seeking CCM to be applied to various business applications. As Tracey highlighted, “it has been a good level for change, if we get a lot of alerts then it leads to questions being asked as to why”.
Lastly, Georgina concluded that “as you are going into a CCM program, really take the time to understand the highest risks to the business that you are trying to address – and start there”.
There were many questions in the Q&A from our audience, who consisted of public and private finance, shared services, internal audit and compliance, and risk professionals, we welcome you to watch the webinar for this section and new insights.