isaca sustainable compliance and operating efficiency dan french
DESCRIPTION
Presentation given at ISACA EuroCACS conference in Frankfurt in May 2009, discussing the approach and experiences in implementing GRC and CCM tools to drive sustainable compliance as well as business operating efficiency through eliminating waste, inefficiency and fraud.
TRANSCRIPT
Business Controls: Sustainable Compliance AND Operating Efficiency?
Dan French, CEO, Consider Solutions
Session 314 - Business Controls, Wednesday, 18 March 2009, 9.00 - 10.30
Frankfurt
Structure
• The Business Controls Context
• Controls Monitoring for Compliance, Risk Management and Process Efficiency
• ERP & the CFO
• Releasing the value of ERP
• Real World Experiences
• Lessons Learned and Best Practices
Business Controls Context: Controls Transformation Agenda
• Reduce Risk & Fraud
• Automate Compliance
• Optimize Operational Controls
But the key agenda item for the CFO with Controls Transformation must be to . . . drive business process efficiencies that save money and optimise cash flow.
The critical business value is not just ‘compliance’, in my opinion!
GRC programmes must address ‘controls’ AND business efficiency
GRC CCM Projects must address 3 types of control
• Automate SOX or other required Compliance Controls
  – All exceptions are risks, e.g.
    • SoD conflicts, Invoice tolerance limits not set in configuration
• Support SOX or other required Compliance Controls
  – Provides filtered results for business review, e.g.
    • Changes to sensitive fields on Vendor Master
    • Exceptions for compensating controls
• Drive Business Efficiencies
  – Identify wastage, error, fraud in the business process, e.g.
    • Multiple POs to avoid signoff limits, Duplicate payments
  – Drive business process improvement and standardisation, e.g.
    • Inappropriate use of POs, PO ‘avoidance’
  – Improve cash flow in Order to Cash
  – Reduce time, effort & risk in Financial Close
ERP & the CFO
• You have invested tens of millions in ERP implementation to drive:
  – Process standardisation
  – Business efficiency
  – Economies of scale
• However, only some of the value has been released . . .
  – Most businesses have implemented ERP and achieved:
    • A standard data input process
    NOT
    • A standard business process
Example: Standard ‘Efficient’ Business Process
ERP is configured to only allow GR if PO exists, however…
1. Truck drops off shipment, but no PO exists
2. Warehouse worker calls up purchasing to create a PO
3. Purchasing creates PO for Shipment
4. GR is created against PO
Business Efficiency - Releasing the Value
• Value Creation Cycle with Effective GRC
Control Rules test for Exceptions; Exceptions highlight Symptoms; Symptoms indicate Root Causes; Root Causes represent Operating Impact; Operating Impact is valued at Money at Risk; Money at Risk is recovered by Action Plans; Action Plans are sustained by Continuous Monitoring.
Business Efficiency - Releasing the Value
• Example . . .
Control Rules test for POs created on or after GR; these exceptions highlight that the PO process is not working; this symptom indicates Procurement is not involved; this root cause represents Timing and Pricing risk; the impact is valued at the Average lost discount; the money at risk is recovered by Procurement focus; the action plan is sustained by Continuous Monitoring.
Business Efficiency - POs created same day as GR
• 1 - Potential Root Causes
  – Goods are being informally ordered by consumers within the business, possibly due to unplanned demand
  – Business Consumers have no time or desire to follow formal procurement procedures
  – Business Consumers are avoiding required approval cycles
  – Business Consumers have a desire to use a vendor of their choice
  – Business Process breakdown
Business Efficiency - POs created same day as GR
• 2 - Potential Business Impact
  – Non-approved orders are placed
  – Vendors can define their own terms / no procurement negotiation to obtain best price / reduced ability to aggregate orders
  – Non-approved vendors are used
    • Vendors who do not meet quality criteria
    • Vendors with undesirable pricing
    • Vendors with inappropriate relationships with business consumers
Business Efficiency - POs created same day as GR
• 3 - Potential Value of Addressing
  – Monthly value of POs created same day as GR = 300m Euros
  – 50% of this is excluded on further refinement, giving a reduced number of 150m
  – 33% is non-negotiable, 33% is already a good deal, and the balance where further negotiation is possible is 50m
  – Procurement KPI is to negotiate 10% discount on all orders and can achieve a minimum 7% discount on 50% of orders
  – Resultant value & cash leakage of 1.75m per month
  – Annual saving 21m Euros
  – One automated control test, 100% transaction coverage
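The ‘POs created on or after GR’ control rule and the value-at-risk arithmetic from the slide above, as an added worked example that is not code from the presentation or from any CCM product; the PO/GR records, field names and function names are constructed for illustration:

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample records (not from the presentation): a handful of
# purchase orders and goods receipts with only the fields this rule needs.
@dataclass
class PurchaseOrder:
    po_id: str
    vendor: str
    created: date
    value_eur: float

@dataclass
class GoodsReceipt:
    gr_id: str
    po_id: str
    received: date

POS = [
    PurchaseOrder("4500001", "V100", date(2009, 3, 2), 120_000.0),  # PO before GR: normal
    PurchaseOrder("4500002", "V200", date(2009, 3, 5), 40_000.0),   # PO same day as GR
    PurchaseOrder("4500003", "V300", date(2009, 3, 9), 75_000.0),   # PO three days after GR
]
GRS = [
    GoodsReceipt("5000001", "4500001", date(2009, 3, 4)),
    GoodsReceipt("5000002", "4500002", date(2009, 3, 5)),
    GoodsReceipt("5000003", "4500003", date(2009, 3, 6)),
]

def po_avoidance_exceptions(pos, grs):
    """Control rule: a PO created on or after its goods receipt date is an exception.
    Returns (po_id, gr_id, days the PO lagged the GR, PO value in EUR)."""
    by_id = {p.po_id: p for p in pos}
    hits = []
    for gr in grs:
        po = by_id.get(gr.po_id)
        if po is not None and po.created >= gr.received:
            hits.append((po.po_id, gr.gr_id, (po.created - gr.received).days, po.value_eur))
    return hits

def annual_value_at_risk(monthly_exception_value, keep_after_refinement=0.5,
                         negotiable_share=1 / 3, orders_reachable=0.5, min_discount=0.07):
    """Walks the slide's estimate: refine the raw exception value, keep only the
    negotiable third, then apply the minimum discount procurement can win on
    half of those orders. Returns (monthly leakage, annual leakage) in EUR."""
    negotiable = monthly_exception_value * keep_after_refinement * negotiable_share
    monthly = negotiable * orders_reachable * min_discount
    return monthly, monthly * 12
```

With the slide's 300m Euros of monthly exceptions the function reproduces the 1.75m per month and 21m per year figures; the default parameters are the slide's assumptions and should be replaced with the organisation's own refinement and discount data.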
Business Efficiency - Further Examples
• Changes to sensitive Vendor Master Data – Bank Details, Credit
• Discrepancies between IR and PO for amount and quantity
• GR quantity / value is less than IR quantity / value
• Purchase Requisitions with nominal or nil prices
• Excessive deviations in exchange rates
• Payment tolerances for customers and vendors
• Duplicate Payments
• Changes to standard payment terms
• Late payments
• Excessive discounting
• Free of charge orders
• Inventory ageing alerts
• Duplicate or concurrently active POs
• Missing or incomplete data in customer master records
• Sales orders where pricing has been changed manually
• Customers exceeded their credit limits
• Suppliers with credit balances
Business Efficiency – Other Key Areas
• Expense Cycle - Purchase to Pay
  – Vendors, POs, Materials, Goods Receipts, Invoices, Payments
• Revenue Cycle - Order to Cash
  – Customers, Orders, Deliveries, Billing, Receivables, Cash
• Financial Close & Reporting Cycle
  – Transactions - accounting entries and changes, Accruals, Period end close, Reconciliation, Reporting, Depreciation, Fixed Assets, General Ledger
• Shared Service Operations
  – Finance ‘factory’ processes
• Working Capital Optimisation
  – Cash in, Cash out, Inventory, Treasury
Expense Cycle Optimisation in Telco
• Purchase Orders ‘Avoidance’
  – Identify Purchase Orders that were created on or after the date the Invoice was received
• Vendor Master Data
  – Detect duplicate vendors
• GR IR mismatches
  – Identify cases where the Goods Receipt quantity does not match the Invoice Receipt quantity
• GR IR Timings
  – GR awaiting an Invoice for longer than a given period (e.g., 18 months or more) or vice versa
• Duplicate invoices and payments
  – Cashflow and process issues
• POs with high gross value line items
  – Requested as an additional control
• Duplicate POs for same vendor and materials
  – Identified purchasing inefficiency and ‘signoff limit’ avoidance
• PRs open greater than 3 months
  – Identify spend efficiencies
The Benefits - Telco
• Attained compliance – ‘clean sheet’
  – Clean bill of health in SOX
  – Eliminated need for 1.2 million Euro one-off manual SoD cleanup
  – Drove deeper business ownership of ERP
  – Enabled business functions to better understand the business process
• Sustained and Automated for continuous effectiveness
  – Eliminated risk of new SoD violations with preventive controls
  – Reduced IT Security effort for user access provisioning
• Optimise business processes
  – Identified real savings and process improvement opportunities
  – 36 million Euro annual savings in just one area of expense cycle
Lessons Learned - Telco
• Top management debate and buy-in
• GRC automation becomes a catalyst to transfer ownership and control to the right people
• Have a clear plan that is visible to all stakeholders
• Business ownership of SoD exposes organisational and process issues, sometimes for the first time
• Visibility of business process efficiency opportunities encourages buy-in
• Automation of SOX controls creates time for more value-added control ‘insights’
• Management become enthusiastic about actionable operational ‘intelligence’ gained from efficiency controls
GRC - Continuous Controls Monitoring: Lessons Learned
• Effective GRC automation can target up to 60-70% of key controls and KPIs
• But, these are more complex controls than SoD/user access
  – Many Moving Parts, including . . .
    • Complex Technology
    • Potentially broad controls and data scope
    • Multiple target systems
    • Geography, Lines of Business, Organisations & Plants
    • Diverse Stakeholders & Expectations
    • Large Data Volumes
    • Reporting and actioning exceptions
    • IT integration & operability
    • Impact of formalising/automating Controls
  – Invariably involves some business change
Best Practices (1)
• Start simple, narrow risk focussed scope with quantifiable value for cost of compliance and process improvement
• Prioritise based on business relevance and suitability for automation ... HIGH / HIGHs are the sweet spot
• Develop a plan for iterative refinement of entire process. Deploy ... use ... learn ... review ... refine ... extend. Increase breadth in controlled stages.
• Review current beliefs and practices in light of each iteration. Is there a better way to test this control/KPI or manage this risk?
• Deeply engage the business / control owners as part of the assessment / development / testing processes
Best Practices (2)
• Implement a robust rule development methodology involving required communities ... tool specialist, business content owner, ERP analyst. Structured, iterative approach works best.
• Define a robust rule testing strategy which closely involves the business / control owners.
• Define and agree business deployment strategy before rolling out, e.g. practical report distribution mechanism and alerting strategy that works for stakeholders. Establish how stakeholders will use the information, confirm priorities and agree remedial actions needed.
• Reporting: Ensure all information is filtered appropriately for the target community for maximum relevance. Ensure exception information is appropriate for the stakeholders.
Methodology - Project Workstreams
• Controls Definition & Optimization
• IT Planning & Operability
• Information Dissemination & Exception Action Planning
• Pilot “Business As Usual” on Narrow Path Scope
• Planning & Management
First Time Through for a Given Process / Business Type / Org Unit – Configuration (4-week plan, Week 1 to Week 4; assumes 5 – 10 Controls)
• Identify Controls Required
• Assess Controls & Map to System Specifics
• Design / Build / Fine Tune Controls Schema
• Build Rules
• Assess Org Landscape. Define Org Filters & Parameters
• Test (Internal Audit, Business)
• Define Extraction & Analysis Filters & Schedules (IT)
• Define & Configure Report Subs & Schedules (IT)
• Finalise & Deploy - Extract & Analysis Schedules - Report Subs - Management Dashboards
Resources: ERP Analyst, Controls Analyst, Controls Engineer, Internal Audit, Business, IT
First Time Through for a Given Process / Business Type / Org Unit – Business Enablement (4-week plan, Week 1 to Week 4)
• Introduction for Business Management - Establish Buy-In
• Introduction to Nominated Business Coordinators
• Confirm Roles & Responsibilities
• Confirm Processes
  – Exception Review / Risk Assessment Cycle
  – Risk Management Strategies
  – Action Tracking & Review Mechanisms
  – Controls Feedback Loop
  – Inter Org Unit knowledge sharing
• Feedback & Review
• Launch Business As Usual
Resources: Internal Audit, Business Owners, Business Coordinators
Rollout Strategy - Grouping By “Business Type”
• From a Controls perspective “Business Types” are used to group different Organisational Units together in terms of the controls that can be applied to the Org Unit.
• An Org Unit is of the same Type when the same set of controls can be applied
  • i.e., the same processes are used in the Org Unit, the same systems are used and the systems are configured in the same way
Getting Started 1 - “Low Hanging Fruit”, P2P Examples
– Duplicate payments and things that cause duplicate payments
  • BUSINESS VALUE: recovered cash and cashflow improvement
  • Duplicate payments / Duplicate Supplier Invoices / Duplicate POs / Duplicate Vendors
– Multiple POs for same vendor and materials in same period
  • BUSINESS VALUE: improved purchasing efficiency, better discounts
– Supplier discounts not applied to POs/Invoices
  • BUSINESS VALUE: improved purchasing efficiency, cost saving, cashflow improvement
– PO same day as (or after) IR, or PO same day as GR
  • BUSINESS VALUE: improved purchasing efficiency, eliminating non-PO purchases, better discounts
– GR/IR mismatches – Goods receipt is less than IR
  • BUSINESS VALUE: improved vendor quality management, reduced cost, cashflow improvement
– POs Open for greater than 90 days
  • BUSINESS VALUE: improved vendor monitoring – ‘do we still need the goods?’, reduced cost
Getting Started 2 - “Low Hanging Fruit”, P2P Examples
– Payment terms on Vendors less than 60 (or policy) days
  • BUSINESS VALUE: cashflow improvement
– Payment terms on POs less than 60 (or policy) days
  • BUSINESS VALUE: cashflow improvement
– Purchase Orders with Value Changed
  • BUSINESS VALUE: fraud/error risk
– PO and GR raised by the same person
  • BUSINESS VALUE: fraud/SoD risk
– Detect Price Differences between PO and Invoice
  • BUSINESS VALUE: cost saving, cashflow improvement
– Vendor Tolerances
  • BUSINESS VALUE: cost saving, cashflow improvement
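Two of the ‘low hanging fruit’ P2P rules listed above, duplicate payments and ‘PO and GR raised by the same person’, as an added example that is not code from the presentation; the record layouts, document numbers, user ids and function names are assumptions made for illustration:

```python
from collections import defaultdict

# Constructed sample records (not from the presentation), trimmed to the
# fields the two rules need: payment documents, and who raised each PO / GR.
PAYMENTS = [
    {"doc": "2000001", "vendor": "V100", "invoice_ref": "INV-7781", "amount": 12500.00},
    {"doc": "2000002", "vendor": "V100", "invoice_ref": "INV-7781", "amount": 12500.00},  # straight duplicate
    {"doc": "2000003", "vendor": "V100", "invoice_ref": "inv 7781", "amount": 12500.00},  # same invoice, keyed differently
    {"doc": "2000004", "vendor": "V200", "invoice_ref": "A-1", "amount": 800.00},
    {"doc": "2000005", "vendor": "V300", "invoice_ref": "A-1", "amount": 800.00},        # different vendor: not a duplicate
]
POS = [{"po": "4500001", "created_by": "jsmith"}, {"po": "4500002", "created_by": "ajones"}]
GRS = [
    {"gr": "5000001", "po": "4500001", "posted_by": "jsmith"},  # same user raised PO and GR
    {"gr": "5000002", "po": "4500002", "posted_by": "mlee"},
]

def normalise_ref(ref):
    """Collapse case and punctuation so 'INV-7781' and 'inv 7781' compare equal;
    a re-keyed invoice reference is what slips past an exact-match duplicate check."""
    return "".join(ch for ch in ref.upper() if ch.isalnum())

def duplicate_payments(payments):
    """Rule: same vendor, same (normalised) invoice reference, same amount.
    Returns {key: [payment docs]} for every group with more than one document."""
    groups = defaultdict(list)
    for p in payments:
        key = (p["vendor"], normalise_ref(p["invoice_ref"]), round(p["amount"], 2))
        groups[key].append(p["doc"])
    return {k: docs for k, docs in groups.items() if len(docs) > 1}

def po_gr_same_user(pos, grs):
    """SoD rule: flag a goods receipt posted by the user who created its PO."""
    creator = {p["po"]: p["created_by"] for p in pos}
    return [(g["po"], g["gr"], g["posted_by"]) for g in grs
            if creator.get(g["po"]) == g["posted_by"]]
```

Each hit is an exception for business review, not a conclusion; the slide's point is that the rule gives 100% coverage of the transactions so the reviewer only looks at the filtered set.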
Example Control Exception Summaries
Example Control Exception Alerts: Customers Exceeding Credit Limit and Still Placing Orders
Vendor Chargeback - Third party returns for customers credited to the customer account should have a matching credit memo for vendor.
Example Controls Dashboard for Management: Value of Returned Goods by Location
Example Controls Dashboard for Management: Open Sales Orders Not Shipped
The Business Case
• The vision and rationale
  – Enable a comprehensive controls environment for optimised risk coverage and process improvement for key processes and systems
• Hard savings in scope of controls transformation program
  – Cost savings OR Cost avoidance
    • SOX / Controls Testing Effort
    • Audit Effort
    • Finance Effort
    • IT Effort
    • External effort
• Improved risk profile – 100% control testing
• Targeted cost savings in business processes in focus
• Drive process standardisation and economies of scale
Lessons Learned: Narrow Path Pilot delivers Business Case Inputs
• Vision & objectives setting and stakeholder buy-in
• Narrow Path Pilot to develop and test full cycle controls monitoring from control identification to business action and remediation
  • Planning and Management
  • Controls Definition & Optimisation
  • IT Planning & Operability
  • Information Dissemination & Exception Actioning
  • Assess and confirm business value achieved
  • Implementation Planning & Costing
• Business Case
• Extend to next LOB, geography, control set
• Iterate
In Conclusion, when you drive sustainable compliance AND Business Efficiency . . .
Everything will be peace and calm . . . .
Thank you!