Business Controls: Sustainable Compliance AND Operating Efficiency? Dan French, CEO, Consider Solutions. Session 314 - Business Controls, Wednesday, 18 March 2009, 9.00 - 10.30, Frankfurt

Upload: dan-french

Posted on 29-Jun-2015

DESCRIPTION

Presentation given at ISACA EuroCACS conference in Frankfurt in May 2009, discussing the approach and experiences in implementing GRC and CCM tools to drive sustainable compliance as well as business operating efficiency through eliminating waste, inefficiency and fraud

TRANSCRIPT

Page 1: Isaca   Sustainable Compliance And Operating Efficiency   Dan French

Business Controls: Sustainable Compliance AND Operating Efficiency?

Dan French, CEO, Consider Solutions

Session 314 - Business Controls

Wednesday, 18 March 2009 9.00 - 10.30

Frankfurt

Page 2

Structure

• The Business Controls Context
• Controls Monitoring for Compliance, Risk Management and Process Efficiency
• ERP & the CFO
• Releasing the value of ERP
• Real World Experiences
• Lessons Learned and Best Practices

Page 3

Business Controls Context: Controls Transformation Agenda

• Reduce Risk & Fraud
• Automate Compliance
• Optimize Operational Controls

Page 4

But the key agenda item for the CFO with Controls Transformation must be to . .

Drive business process efficiencies that save money and optimise cash flow . .

The critical business value is not just ‘compliance’, in my opinion!

Page 5

GRC programmes must address ‘controls’ AND business efficiency

Page 6

GRC CCM Projects must address 3 types of control

• Automate SOX or other required Compliance Controls
  – All exceptions are risks, e.g.
    • SoD conflicts, Invoice tolerance limits not set in configuration
• Support SOX or other required Compliance Controls
  – Provides filtered results for business review, e.g.
    • Changes to sensitive fields on Vendor Master
    • Exceptions for compensating controls
• Drive Business Efficiencies
  – Identify wastage, error, fraud in the business process, e.g.
    • Multiple POs to avoid signoff limits, Duplicate payments
  – Drive business process improvement and standardisation, e.g.
    • Inappropriate use of POs, PO ‘avoidance’
    • Improve cash flow in Order to Cash
    • Reduce time, effort & risk in Financial Close

Page 7

ERP & the CFO

• You have invested tens of millions in ERP implementation to drive:
  – Process standardisation
  – Business efficiency
  – Economies of scale
• However, only some of the value has been released . . .
  – Most businesses have implemented ERP and achieved:
    • A standard data input process
    NOT
    • A standard business process

Page 8

Example: Standard ‘Efficient’ Business Process

1. Truck drops off shipment, but no PO exists
2. Warehouse worker calls up purchasing to create a PO
3. Purchasing creates PO for Shipment
4. GR is created against PO

ERP is configured to only allow GR if PO exists, however…

Page 9

Business Efficiency - Releasing the Value

• Value Creation Cycle with Effective GRC

Control Rules → test for → Exceptions → highlight → Symptoms → indicate → Root Causes → represent → Operating Impact → valued at → Money at Risk → recovered by → Action Plans → sustained by → Continuous Monitoring

Page 10

Business Efficiency - Releasing the Value

• Example . . .

Control Rules → test for → POs created on or after GR → highlight → PO process not working → indicate → Procurement not involved → represents → Timing and Pricing risk → valued at → Average lost discount → recovered by → Procurement focus → sustained by → Continuous Monitoring

Page 11

Business Efficiency - POs created same day as GR

• 1 - Potential Root Causes
  – Goods are being informally ordered by consumers within the business, possibly due to unplanned demand
  – Business Consumers have no time or desire to follow formal procurement procedures
  – Business Consumers are avoiding required approval cycles
  – Business Consumers have a desire to use a vendor of their choice
  – Business Process breakdown

Page 12

Business Efficiency - POs created same day as GR

• 2 - Potential Business Impact
  – Non-approved orders are placed
  – Vendors can define their own terms / no procurement negotiation to obtain best price / reduced ability to aggregate orders
  – Non-approved vendors are used
    • Vendors who do not meet quality criteria
    • Vendors with undesirable pricing
    • Vendors with inappropriate relationships with business consumers

Page 13

Business Efficiency - POs created same day as GR

• 3 - Potential Value of Addressing
  – Monthly value of POs created same day as GR = 300m Euros
  – 50% of this is excluded on further refinement, giving a reduced number of 150m
  – 33% is non-negotiable, 33% is already a good deal, and the balance where further negotiation is possible - 50m
  – Procurement KPI is to negotiate 10% discount on all orders and can achieve a minimum 7% discount on 50% of orders
  – Resultant value & cash leakage of 1.75m per month
  – Annual saving 21m Euros
  – One automated control test, 100% transaction coverage

Page 14

Business Efficiency - Further Examples

• Changes to sensitive Vendor Master Data – Bank Details, Credit
• Discrepancies between IR and PO for amount and quantity
• GR quantity / value is less than IR quantity / value
• Purchase Requisitions with nominal or nil prices
• Excessive deviations in exchange rates
• Payment tolerances for customers and vendors
• Duplicate Payments
• Changes to standard payment terms
• Late payments
• Excessive discounting
• Free of charge orders
• Inventory ageing alerts
• Duplicate or concurrently active POs
• Missing or incomplete data in customer master records
• Sales orders where pricing has been changed manually
• Customers exceeded their credit limits
• Suppliers with credit balances

Page 15

Business Efficiency – Other Key Areas

• Expense Cycle - Purchase to Pay
  – Vendors, POs, Materials, Goods Receipts, Invoices, Payments
• Revenue Cycle - Order to Cash
  – Customers, Orders, Deliveries, Billing, Receivables, Cash
• Financial Close & Reporting Cycle
  – Transactions - accounting entries and changes, Accruals, Period end close, Reconciliation, Reporting, Depreciation, Fixed Assets, General Ledger
• Shared Service Operations
  – Finance ‘factory’ processes
• Working Capital Optimisation
  – Cash in, Cash out, Inventory, Treasury

Page 16

Expense Cycle Optimisation in Telco

• Purchase Orders ‘Avoidance’
  – Identify Purchase Orders that were created on or after the date the Invoice was received
• Vendor Master Data
  – Detect duplicate vendors
• GR IR mismatches
  – Identify cases where the Goods Receipt quantity does not match the Invoice Receipt quantity
• GR IR Timings
  – GR awaiting an Invoice for longer than a given period (e.g., 18 months or more) or vice versa
• Duplicate invoices and payments
  – Cashflow and process issues
• POs with high gross value line items
  – Requested as an additional control
• Duplicate POs for same vendor and materials
  – Identified purchasing inefficiency and ‘signoff limit’ avoidance
• PRs open greater than 3 months
  – Identify spend efficiencies

Page 17

The Benefits - Telco

• Attained compliance – ‘clean sheet’
  – Clean bill of health in SOX
  – Eliminated need for 1.2 million Euro one-off manual SoD cleanup
  – Drove deeper business ownership of ERP
  – Enabled business functions to better understand the business process
• Sustained and Automated for continuous effectiveness
  – Eliminated risk of new SoD violations with preventive controls
  – Reduced IT Security effort for user access provisioning
• Optimise business processes
  – Identified real savings and process improvement opportunities
  – 36 million Euro annual savings in just one area of expense cycle

Page 18

Lessons Learned - Telco

• Top management debate and buy-in
• GRC automation becomes a catalyst to transfer ownership and control to the right people
• Have a clear plan that is visible to all stakeholders
• Business ownership of SoD exposes organisational and process issues, sometimes for the first time
• Visibility of business process efficiency opportunities encourages buy-in
• Automation of SOX controls creates time for more value-added control ‘insights’
• Management become enthusiastic about actionable operational ‘intelligence’ gained from efficiency controls

Page 19

GRC - Continuous Controls Monitoring: Lessons Learned

• Effective GRC automation can target up to 60-70% of key controls and KPIs
• But, these are more complex controls than SoD/user access
  – Many Moving Parts, including . . .
    • Complex Technology
    • Potentially broad controls and data scope
    • Multiple target systems
    • Geography, Lines of Business, Organisations & Plants
    • Diverse Stakeholders & Expectations
    • Large Data Volumes
    • Reporting and actioning exceptions
    • IT integration & operability
    • Impact of formalising/automating Controls
  – Invariably involves some business change

Page 20

Best Practices (1)

• Start simple, narrow risk-focussed scope with quantifiable value for cost of compliance and process improvement
• Prioritise based on business relevance and suitability for automation ... HIGH / HIGHs are the sweet spot
• Develop a plan for iterative refinement of the entire process. Deploy ... use ... learn ... review ... refine ... extend. Increase breadth in controlled stages.
• Review current beliefs and practices in light of each iteration. Is there a better way to test this control/KPI or manage this risk?
• Deeply engage the business / control owners as part of the assessment / development / testing processes

Page 21

Best Practices (2)

• Implement a robust rule development methodology involving required communities ... tool specialist, business content owner, ERP analyst. A structured, iterative approach works best.
• Define a robust rule testing strategy which closely involves the business / control owners.
• Define and agree business deployment strategy before rolling out, e.g. a practical report distribution mechanism and alerting strategy that works for stakeholders. Establish how stakeholders will use the information, confirm priorities and agree remedial actions needed.
• Reporting: Ensure all information is filtered appropriately for the target community for maximum relevance. Ensure exception information is appropriate for the stakeholders.

Page 22

Methodology - Project Workstreams

• Controls Definition & Optimization
• IT Planning & Operability
• Information Dissemination & Exception Action Planning
• Pilot “Business As Usual” on Narrow Path Scope
• Planning & Management

Page 23

First Time Through for a Given Process / Business Type / Org Unit – Configuration

(Timeline chart: Week 1, Week 2, Week 3, Week 4. Assumes 5 – 10 Controls.)

Activities:
• Identify Controls Required
• Assess Controls & Map to System Specifics
• Design / Build / Fine Tune Controls Schema
• Build Rules
• Assess Org Landscape. Define Org Filters & Parameters
• Test (Internal Audit, Business)
• Define Extraction & Analysis Filters & Schedules
• Define & Configure Report Subs & Schedules
• Finalise & Deploy - Extract & Analysis Schedules - Report Subs - Management Dashboards

-- Resources --
ERP Analyst, Controls Analyst, Controls Engineer, IT, Internal Audit, Business

Page 24

First Time Through for a Given Process / Business Type / Org Unit – Business Enablement

(Timeline chart: Week 1, Week 2, Week 3, Week 4.)

Activities:
• Introduction for Business Management - Establish Buy-In
• Confirm Roles & Responsibilities
• Introduction to Nominated Business Coordinators
• Confirm Processes
  • Exception Review / Risk Assessment Cycle
  • Risk Management Strategies
  • Action Tracking & Review Mechanisms
  • Controls Feedback Loop
  • Inter Org Unit knowledge sharing
• Launch Business As Usual
• Feedback & Review

-- Resources --
Internal Audit, Business Owners, Business Coordinators

Page 25

Rollout Strategy - Grouping By “Business Type”

• From a Controls perspective, “Business Types” are used to group different Organisational Units together in terms of the controls that can be applied to the Org Unit.
• An Org Unit is of the same Type when the same set of controls can be applied
  • i.e., the same processes are used in the Org Unit, the same systems are used and the systems are configured in the same way

Page 26

Getting Started 1 - “Low Hanging Fruit”, P2P Examples

– Duplicate payments and things that cause duplicate payments
  • BUSINESS VALUE: recovered cash and cashflow improvement
  • Duplicate payments / Duplicate Supplier Invoices / Duplicate POs / Duplicate Vendors
– Multiple POs for same vendor and materials in same period
  • BUSINESS VALUE: improved purchasing efficiency, better discounts
– Supplier discounts not applied to POs/Invoices
  • BUSINESS VALUE: improved purchasing efficiency, cost saving, cashflow improvement
– PO same day as (or after) IR, or PO same day as GR
  • BUSINESS VALUE: improved purchasing efficiency, eliminating non-PO purchases, better discounts
– GR/IR mismatches – Goods receipt is less than IR
  • BUSINESS VALUE: improved vendor quality management, reduced cost, cashflow improvement
– POs Open for greater than 90 days
  • BUSINESS VALUE: improved vendor monitoring – ‘do we still need the goods?’, reduced cost

Page 27

Getting Started 2 - “Low Hanging Fruit”, P2P Examples

– Payment terms on Vendors less than 60 (or policy) days
  • BUSINESS VALUE: cashflow improvement
– Payment terms on POs less than 60 (or policy) days
  • BUSINESS VALUE: cashflow improvement
– Purchase Orders with Value Changed
  • BUSINESS VALUE: fraud/error risk
– PO and GR raised by the same person
  • BUSINESS VALUE: fraud/SoD risk
– Detect Price Differences between PO and Invoice
  • BUSINESS VALUE: cost saving, cashflow improvement
– Vendor Tolerances
  • BUSINESS VALUE: cost saving, cashflow improvement
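As an added illustration (not the presenter's code and not any GRC/CCM product's rule syntax), three of the P2P control rules from the deck expressed as detection logic over a constructed set of ERP-style records: PO created on or after its goods receipt (pages 10, 16 and 26), PO and GR raised by the same person (page 27), and duplicate payments (page 26). Field names, user names and document numbers are assumptions.

```python
"""Continuous-controls tests over constructed P2P records (dates as ISO strings)."""
from collections import defaultdict
from datetime import date

# Constructed sample data, not taken from the presentation. A PO, its goods
# receipt and its payments are linked by the PO number.
PURCHASE_ORDERS = [
    {"po": "4500001", "vendor": "V100", "created": "2009-02-02", "created_by": "alice"},
    {"po": "4500002", "vendor": "V200", "created": "2009-02-10", "created_by": "bob"},
    {"po": "4500003", "vendor": "V300", "created": "2009-02-11", "created_by": "carol"},
]
GOODS_RECEIPTS = [
    {"gr": "5000001", "po": "4500001", "posted": "2009-02-09", "posted_by": "dave"},
    {"gr": "5000002", "po": "4500002", "posted": "2009-02-10", "posted_by": "bob"},   # same day, same user
    {"gr": "5000003", "po": "4500003", "posted": "2009-02-04", "posted_by": "erin"},  # GR a week before the PO
]
PAYMENTS = [
    {"doc": "1900001", "vendor": "V100", "invoice_ref": "INV-77", "amount": 1200.00},
    {"doc": "1900002", "vendor": "V100", "invoice_ref": "INV-77", "amount": 1200.00},  # paid twice
    {"doc": "1900003", "vendor": "V200", "invoice_ref": "INV-78", "amount": 950.50},
]

def po_on_or_after_gr(pos, grs):
    """'PO avoidance': the PO was created on or after the day its GR was posted."""
    created = {p["po"]: date.fromisoformat(p["created"]) for p in pos}
    return sorted(g["po"] for g in grs
                  if date.fromisoformat(g["posted"]) <= created[g["po"]])

def po_and_gr_same_user(pos, grs):
    """SoD exception: one person both raised the PO and posted its GR."""
    creator = {p["po"]: p["created_by"] for p in pos}
    return sorted(g["po"] for g in grs if g["posted_by"] == creator[g["po"]])

def duplicate_payments(payments):
    """Same vendor, invoice reference and amount settled more than once."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["invoice_ref"], round(p["amount"], 2))].append(p["doc"])
    return sorted(docs for docs in groups.values() if len(docs) > 1)

def run_all():
    """Exception report: rule name -> offending document numbers for business review."""
    return {
        "PO on/after GR": po_on_or_after_gr(PURCHASE_ORDERS, GOODS_RECEIPTS),
        "PO and GR same user": po_and_gr_same_user(PURCHASE_ORDERS, GOODS_RECEIPTS),
        "Duplicate payments": duplicate_payments(PAYMENTS),
    }

if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

Each rule returns document numbers rather than a count, which is what the deck's "filtered results for business review" step needs before a root cause can be assigned.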

Page 28

Example Control Exception Summaries

Page 29

Example Control Exception Alerts

Customers Exceeding Credit Limit and Still Placing Orders

Vendor Chargeback - Third party returns for customers credited to the customer account should have a matching credit memo for the vendor.

Page 30

Example Controls Dashboard for Management

Value of Returned Goods by Location

Page 31

Example Controls Dashboard for Management

Open Sales Orders Not Shipped

Page 32

The Business Case

• The vision and rationale
  – Enable a comprehensive controls environment for optimised risk coverage and process improvement for key processes and systems
• Hard savings in scope of controls transformation program
  – Cost savings OR Cost avoidance
    • SOX / Controls Testing Effort
    • Audit Effort
    • Finance Effort
    • IT Effort
    • External effort
• Improved risk profile – 100% control testing
• Targeted cost savings in business processes in focus
• Drive process standardisation and economies of scale

Page 33

Lessons Learned: Narrow Path Pilot delivers Business Case Inputs

• Vision & objectives setting and stakeholder buy-in
• Narrow Path Pilot to develop and test full cycle controls monitoring from control identification to business action and remediation
  • Planning and Management
  • Controls Definition & Optimisation
  • IT Planning & Operability
  • Information Dissemination & Exception Actioning
  • Assess and confirm business value achieved
  • Implementation Planning & Costing
• Business Case
• Extend to next LOB, geography, control set
• Iterate

Page 34

In Conclusion, when you drive sustainable compliance AND Business Efficiency . . .

Everything will be peace and calm . . . .

Page 35

For More Information:

Dan French, CEO

Consider Solutions

[email protected]

www.consider.biz

Page 36

Thank you!