Directors and management depend on strong controls to guide their businesses and provide them with assurance. These controls range from statements of high-level guidance (policies, attestations) to procedures embedded in and across processes. Controls may be manual, semi-automated or, ideally, fully automated. Importantly, the impact and value of controls can vary enormously depending on company culture.
Some companies enforce a zero tolerance approach towards control breaches, while others vary their responses depending on culture or circumstance (e.g. whether a breach involves a key employee or customer, or the value of the breach). Controls can break down for a range of reasons, including poor design, inefficiency, staff turnover or the pressure of getting work done. Often the purpose of a control is not understood, so it is deemed a waste of time or “control for the sake of control” that serves no value. Gaining comfort that controls are operating consistently and effectively and achieving their objectives (particularly in high transaction volume businesses) can be very challenging.
Control breakdowns often occur around the discretionary use of company assets. Simple control examples might be prohibiting employees from using company credit cards for personal purchases, using fuel cards to fill personal vehicles, or using company cards while on leave. Manually monitoring transactions for breaches is largely impractical in high-volume environments, yet this checking is often still manual rather than automated. These challenges become greater when detection depends on cross-matching data from different systems.
Breaches of purchasing controls can lead to significant losses. Controls may require that purchase orders be raised and approved before any purchase is made. Other controls may specifically prohibit splitting invoices to avoid authorisation limits. Again, breaches of these controls (and their effects) are difficult to monitor and detect in high-volume environments.
Many frauds and abuses are triggered by control lapses. As an example, a branch employee makes a sale and overlooks depositing the money. The unbanked sale amount sits in a general ledger clearing account, waiting for the entry arising from the deposit to clear it. Nothing happens. The accounting team doesn’t action it. The failure of the control encourages the employee to try something more adventurous. Again, nothing happens, and the behaviour is repeated and escalates. Most large frauds commence with employees testing control boundaries and learning where the gaps can be found.
Another example is the monitoring of small amounts processed through credit cards. It is clearly not acceptable for staff to pay for iTunes or Amazon Kindle downloads on company credit cards, even if the downloads may cost as little as $0.99. A failure to detect and punish such behaviour – apart from any losses – can be highly detrimental to a company’s overall compliance culture. A culture of disregarding controls can be pervasive and spread across the organisation. Clear and public enforcement of controls – setting the tone – can have a significant cultural impact: actions always speak louder than words. Shining a spotlight on transactions in these high-risk areas can prevent a culture of “anything goes” from developing.
Management often relies on the fact that controls are automated. Sometimes this confidence is misplaced. The control may have been effective when it was first rolled out, but it may no longer be doing the job expected of it. Most controls are configurable, and they are often changed as upgrades occur or business processes are altered. Breakdowns in IT’s own program change controls can cascade down to unauthorised or incorrect changes to application controls. As an example, many warehouse and accounts payable systems rely on system-mandated “three-way matching”: order, receipt and invoice. One effect of three-way matching is to eliminate the possibility of duplicate invoice processing. If the control lapses due to incorrect configuration changes, then undetected duplicate invoice processing may occur.
A key question is how we get comfort that a control (a policy or a procedure) is doing the job that it was put in place to do. The reality is that the truth is in the transaction and not the control. Transaction volumes often limit review to sample testing and that, in our view, is not sufficient. With automation and the right technology it is possible, and cost effective, to fully test very large volumes of transaction data on a daily and continuous basis.
Academics have written about the potential of continuous monitoring (CM) of transactions for a very long time. It is only relatively recently that advances in computing technology have made it a practical option. A typical example is the regular testing of invoice transactional files for potential duplicate processing. As mentioned above, breakdowns in controls such as three-way matching may lead to large double payments. The prevention of duplicate payments has an obvious monetary value, but exceptions may also point to upstream control breakdowns that are not apparent to management.
Another powerful example is the flagging of changes in vendor master files and the cross-matching of those changes against employee records. Any matches on key fields – such as addresses or telephone numbers – may be a “red flag” that requires review. As with the previous example, a red flag may also indicate an upstream control breakdown. In this case, the segregation between vendor file maintenance and invoice processing may have broken down.
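The two tests described above (duplicate invoice detection and vendor-master-to-employee cross-matching), as an added example in Python that is not part of the original article or any product it describes. All invoice, vendor and employee records are constructed for the example, and the matching rules (punctuation-insensitive invoice numbers, a 30-day same-amount window, the street abbreviation table and the Australian phone prefix rewrite) are assumptions a real implementation would tune to its own data:

```python
"""Two continuous-monitoring tests, run over constructed sample data:
1. candidate duplicate invoices in an invoice transaction file
2. vendor master changes cross-matched against employee records
All records below are made up for the example; the matching rules
(normalisation, 30-day window, AU phone handling) are assumptions."""
import re
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed invoice file: V100 re-submitted INV-2041 twice, once re-keyed
INVOICES = [
    {"vendor_id": "V100", "invoice_no": "INV-2041", "amount": 1250.00, "date": date(2023, 3, 1)},
    {"vendor_id": "V100", "invoice_no": "inv2041", "amount": 1250.00, "date": date(2023, 3, 9)},
    {"vendor_id": "V100", "invoice_no": "INV-2041", "amount": 1250.00, "date": date(2023, 3, 1)},
    {"vendor_id": "V200", "invoice_no": "A-77", "amount": 310.50, "date": date(2023, 3, 2)},
    {"vendor_id": "V200", "invoice_no": "A-78", "amount": 310.50, "date": date(2023, 6, 2)},
    {"vendor_id": "V300", "invoice_no": "B-1", "amount": 500.00, "date": date(2023, 4, 1)},
    {"vendor_id": "V300", "invoice_no": "B-2", "amount": 500.00, "date": date(2023, 4, 6)},
]

# Constructed vendor master changes (today's delta) and HR employee extract
VENDOR_CHANGES = [
    {"vendor_id": "V400", "address": "12 Smith St, Unit 4, Sydney NSW 2000", "phone": "(02) 9555 0101"},
    {"vendor_id": "V500", "address": "88 Harbour Rd, Melbourne VIC 3000", "phone": "03 9555 0202"},
]
EMPLOYEES = [
    {"emp_id": "E1", "address": "12 Smith Street, Unit 4, Sydney NSW 2000", "phone": "+61 2 9555 0101"},
    {"emp_id": "E2", "address": "5 Other Avenue, Brisbane QLD 4000", "phone": "0400 000 000"},
]

ABBREVIATIONS = {"street": "st", "road": "rd", "avenue": "ave"}  # assumed normalisation table


def normalise_invoice_no(s):
    """Drop punctuation and case so 'INV-2041' and 'inv2041' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def normalise_address(s):
    """Lower-case, strip punctuation, collapse spaces and abbreviate street types."""
    tokens = re.sub(r"[^a-z0-9]+", " ", s.lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)


def normalise_phone(s):
    """Digits only; an assumed AU rule rewrites a +61 country prefix to a leading 0."""
    digits = re.sub(r"\D", "", s)
    if digits.startswith("61") and len(digits) == 11:
        digits = "0" + digits[2:]
    return digits


def find_duplicate_invoices(invoices, window_days=30):
    """Return pairs of invoice indices that look like duplicate processing."""
    flagged = []
    # Strict test: same vendor, same (normalised) invoice number, same amount
    by_key = defaultdict(list)
    for idx, inv in enumerate(invoices):
        by_key[(inv["vendor_id"], normalise_invoice_no(inv["invoice_no"]), round(inv["amount"], 2))].append(idx)
    for idxs in by_key.values():
        for a, b in combinations(idxs, 2):
            flagged.append({"pair": (a, b), "reason": "same vendor, invoice number and amount"})
    # Weaker test: same vendor and amount under a different number, close in time
    by_vendor_amount = defaultdict(list)
    for idx, inv in enumerate(invoices):
        by_vendor_amount[(inv["vendor_id"], round(inv["amount"], 2))].append(idx)
    for idxs in by_vendor_amount.values():
        for a, b in combinations(idxs, 2):
            ia, ib = invoices[a], invoices[b]
            if normalise_invoice_no(ia["invoice_no"]) == normalise_invoice_no(ib["invoice_no"]):
                continue  # already reported by the strict test
            if abs((ia["date"] - ib["date"]).days) <= window_days:
                flagged.append({"pair": (a, b), "reason": f"same vendor and amount within {window_days} days"})
    return flagged


def match_vendors_to_employees(vendor_changes, employees):
    """Red-flag any changed vendor whose address or phone equals an employee's."""
    matches = []
    for v in vendor_changes:
        for e in employees:
            fields = []
            if normalise_address(v["address"]) == normalise_address(e["address"]):
                fields.append("address")
            if normalise_phone(v["phone"]) == normalise_phone(e["phone"]):
                fields.append("phone")
            if fields:
                matches.append({"vendor_id": v["vendor_id"], "emp_id": e["emp_id"], "matched_on": fields})
    return matches


if __name__ == "__main__":
    for f in find_duplicate_invoices(INVOICES):
        print("DUPLICATE", f)
    for m in match_vendors_to_employees(VENDOR_CHANGES, EMPLOYEES):
        print("VENDOR/EMPLOYEE", m)
```

On the constructed data the strict test reports the three V100 pairings, the weaker test reports the two V300 invoices five days apart, and the V200 pair 92 days apart is left alone; the vendor test flags V400 against employee E1 on both address and phone once the abbreviation and country-prefix differences are normalised away. The point of the weaker test is that a re-keyed invoice number defeats the strict key, so a second, noisier rule with a time window is worth running beside it.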
A key issue is that effective CM of transactions can only be achieved through “automation”. These CM applications should collect and test data without intervention and report the exceptions to management on a daily, weekly or monthly basis. A litmus test for effective CM is the strength of the exception management processes. CM exceptions should be captured in a secure workflow environment that ensures that they are reviewed and resolved on a timely basis. Loading the exceptions into (say) Excel spreadsheets will often lead to their potential value being lost. Importantly, management should capture data around the causes and resolution of exceptions to identify patterns and look for “upstream” control or process weaknesses or breakdowns.
Management’s visible follow-up of exceptions helps set the cultural tone. A call from (say) Security or Finance querying a $0.99 spend on iTunes on a company credit card sends a very powerful message that controls and transactions are being monitored and enforced. Actions speak louder than words.
The New York police department implemented a Zero Tolerance policy in the 1990s. They found that an obvious police focus on low-level (misdemeanour) crime – such as graffiti or breaking windows – led to large falls in the serious (felony) crime rate. The downside of this strategy was cost: zero tolerance requires more police on the beat. In contrast, CM once implemented has a zero marginal cost. It operates automatically and unseen apart from the generation of exceptions. The lesson out of New York was that an obvious determination to enforce the rules at all levels had a powerful cultural effect. It deterred potential criminals from graduating from small (unpunished) crimes to serious law breaking.
Undetected corporate misbehaviour will also escalate if employees perceive that management is not serious about enforcing controls. The challenge for management is to turn the occasional identification of bad behaviour into a continuously operating spotlight. A CM solution must be flexible so that it can respond to changing business conditions, and adapt as some staff creatively search for means to circumvent controls and processes.
A real world example may be useful. A large Australian company operates over 2000 corporate credit cards. Expenses were increasing in some areas, and there was strong anecdotal evidence of abuse. The board was concerned both with the potential for fraud and increasing costs, as well as potential reputational damage. The board considered cancelling all credit cards. However, the point of issuing credit cards was to alleviate the pressure on Accounts Payable and to streamline purchases under $2000. The cancellation of the cards, or a reduction in the spend limits, would potentially impact the sales and business teams in meeting their targets.
A better solution was to implement CM of card usage and to challenge any detected deviations from card use policy. Security challenged unusual transactions regardless of their value. A typical intervention was to require employees to justify purchases made while on leave – again regardless of value. If improper card use was detected, disciplinary procedures were brought into play.
The outcome was a 45% drop in spend on corporate cards. Some of the drop in spend was redirected through Accounts Payable, where the controls were stronger; however, card abuse and overspending reduced dramatically. Savings in excess of $2 million per month were achieved. Continuous Monitoring of the data and cross-matching data from different sources – in this case card data and annual leave records – was a major factor in this success story. The combination of data and technology gave the Board and the Executive the tools to reset the cultural tone. Once established with an appropriate toolset, CM is a spotlight that management can focus on many areas.
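The card-usage monitoring described in this example (purchases while on leave challenged regardless of value, and low-value digital-media purchases treated as breaches), as an added example in Python that is not the article's or the company's own code. The leave extract, card feed and the prohibited-merchant pattern are all constructed for the example; the rule names and the per-rule summary are an assumed shape for the exception feed that a workflow queue would receive:

```python
"""Card-usage tests over constructed sample data, with an exception
summary of the kind a workflow queue would receive. Transactions,
leave records and the prohibited-merchant pattern are all made up
for this example."""
import re
from collections import Counter
from datetime import date

# Constructed HR leave extract: (employee, first day, last day inclusive)
LEAVE = [
    ("E1", date(2023, 5, 1), date(2023, 5, 12)),
    ("E2", date(2023, 6, 19), date(2023, 6, 23)),
]

# Constructed card feed for the same period
TRANSACTIONS = [
    {"id": "T1", "emp_id": "E1", "date": date(2023, 5, 3), "merchant": "Hardware Store", "amount": 143.20},
    {"id": "T2", "emp_id": "E1", "date": date(2023, 5, 20), "merchant": "Office Supplies", "amount": 58.00},
    {"id": "T3", "emp_id": "E2", "date": date(2023, 5, 4), "merchant": "APPLE ITUNES", "amount": 0.99},
    {"id": "T4", "emp_id": "E2", "date": date(2023, 5, 5), "merchant": "Airline", "amount": 612.00},
    {"id": "T5", "emp_id": "E1", "date": date(2023, 5, 12), "merchant": "Amazon Kindle", "amount": 12.99},
]

# Assumed policy: personal digital-media purchases are never allowed, whatever the value
PROHIBITED_MERCHANT = re.compile(r"itunes|kindle|app store|google play", re.IGNORECASE)


def on_leave(emp_id, day, leave):
    """True if the employee had approved leave covering that day (inclusive range)."""
    return any(e == emp_id and start <= day <= end for e, start, end in leave)


def run_card_tests(transactions, leave):
    """Apply every rule to every transaction; no amount threshold is applied,
    so a transaction can raise more than one exception."""
    exceptions = []
    for t in transactions:
        if on_leave(t["emp_id"], t["date"], leave):
            exceptions.append({"txn": t["id"], "emp_id": t["emp_id"],
                               "amount": t["amount"], "rule": "purchase while on leave"})
        if PROHIBITED_MERCHANT.search(t["merchant"]):
            exceptions.append({"txn": t["id"], "emp_id": t["emp_id"],
                               "amount": t["amount"], "rule": "prohibited merchant"})
    return exceptions


def summarise(exceptions):
    """Counts per rule: a rule that keeps firing points to an upstream weakness."""
    return dict(Counter(x["rule"] for x in exceptions))


if __name__ == "__main__":
    found = run_card_tests(TRANSACTIONS, LEAVE)
    for x in found:
        print(f"{x['txn']} {x['emp_id']} ${x['amount']:.2f} -> {x['rule']}")
    print(summarise(found))
```

Run against the constructed feed this raises four exceptions: T1 and T5 fall inside E1's leave, and T3 and T5 hit the prohibited-merchant pattern, with T5 appearing under both rules. The $0.99 iTunes line is reported exactly like the $612 airline purchase would be if it broke a rule, which is the "regardless of value" stance the article describes; the summary counts are the per-rule pattern data the exception-management process should retain.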
Illuminating a problem is often the first step to solving it. What is very important, once a behavioural problem is “solved”, is not to “switch off” the spotlight, as this will inevitably see the misbehaviour resurface. Misbehaviour flourishes best in the shadows. Automated monitoring of controls and transactions must be an ongoing exercise.
A final and key point is that a CM initiative can have political overtones. Not all managers welcome the continuous review of processes under their control. A successful CM development requires strong support at the board and executive level. Middle-management-led initiatives will not be consistently successful and, even if successful, they will take much longer to develop and realise the benefits.
Gavin Steinberg is the Managing Director of Satori Group and industry expert in Data Analytics, Budgeting, Forecasting and Financial Consolidation, and Continuous Control Monitoring. Gavin’s passion is helping companies to see the value that can be achieved through automation, understanding their data and bringing this to life through visual communication and assurance.