Presented at the 2013 ISACA North American CACS, in Dallas, this talk shares many powerful stories from the experience of the two facilitators, Dan French and Gonzalo Cuatrecasas. These include ERP implementations, audit findings, compliance and process variations across regions.
3. A New Era. A New Edge.
Today’s topics
• Landscape of Risk Assurance
• Managing risk and managing control
• The role of exception analytics
• Approach to exception analytics
• Case study examples
• Risk & business performance
• Pitfalls and critical success factors
• Discussion
4. Question for YOU!
What is your primary role related to risk & control?
1. Internal Audit
2. IS/IT
3. Finance
4. Risk/Compliance
5. External Audit
6. Other
5. Risk Assurance Landscape
• IIA 2013 Pulse of the Profession - Outlook
Source: The Institute of Internal Auditors
6. Risk Assurance Landscape
Source: The Institute of Internal Auditors
10. The Standardisation Myth
• We invest heavily in ERP implementation to drive:
– Process standardisation
– Business efficiency
– Economies of scale
• However, only some of the value gets released . . .
– Businesses implement standard systems and achieve
• A standard data input process
NOT
• A standard business process
11. ERP standardisation example
ERP is configured to only allow GR if PO exists, however…
1. Truck drops off shipment, but no PO exists
2. Warehouse calls up Purchasing to create a PO
3. Purchasing creates PO for shipment
4. GR is created against PO
‘First time match’ KPI looks good despite process breakdown!
12. What are Exceptions?
• An exception is
– A mismatch between expected vs. actual performance
– Something that generally should not happen but does
– Something that should happen but doesn’t
– Happening on purpose or by accident
– Occurring in single-digit percentages but with an asymmetric impact on effort and efficiency
– Often influenced by Performance Measures!
13. Standardisation & Exceptions
14. The Business Case
• Depends
– Organization
– Situation
– Bolting the Stable Door
• The objective is typically
– Assuring reputation
– Reducing cost of audit
– Cost avoidance & Cash recovery
• Identify
– Direct benefits: Cost/Effort - Savings/Avoidance
– Soft benefits: Attitude/Image - Change/Improvement
– Benchmarks: Continuous Improvement
• A scoped pilot can quickly validate value
15. The Approach & Examples from the Field
16. Methodology
RISK ANALYTICS - TASKS
Scope Definition
• Agree objectives
• Educate & inform
• Gain commitment
Risk & Analytics Definition
• Define Risks & Analytics Criteria
• Assess org landscape
• Assess and Map Data Sources
• Define Exclusion scenarios
Process Definition
• CM Operational process (data gathering / analyses / results distribution)
• Technology management
• Review & Action Enablement
Technology Support Set-Up
• CM technology set up, integration and management
• SAAS / CLOUD / IN-HOUSE
Execution
• Business As Usual
• Gather data
• Identify exceptions
• Disseminate
• Enable review & action
Operational Management
• Review and refine analytics criteria
• Oversee and facilitate review and action progress
• Manage and maintain CM operating environment
17. Complexity
Org Units
• Regions
• Accounting Units / Co Codes
• Sales & Purchasing Groups
• Plants
• Shared Service Centres
Process Variables
• Document Types
• Vendor Types
• Payment Terms & Methods
Data Sources
• Transactions / Master Data / Process Configuration
Data Gathering
• Daily / Weekly / Monthly
• Cumulative vs. Overwrite
Analytics Criteria
• Conditions
• Exclusions
Analytics Results
• Detail & Overview
• Reviewing Communities
• Enable Review & Action
• Explain / Fix / Refine Criteria
18. Examples ...
P2P/Accounts Payable
- Duplicate Payments
- Retrospective POs
- Changing payment terms
- Duplicate Invoices
O2C
- Price Changes
- Undelivered orders
- Exceptional customer credits
- Payment terms
Fixed Assets
- Inappropriate asset depreciation periods
- Misclassified capital equipment
Travel & Entertainment
- Duplicate claims
- Suspicious claims
- Ineligible items claims
General Ledger
- JE postings into prior periods already closed
- Manual payments
19. What information do we need?
INVOICE
• Invoice Number
• Vendor ID
• Created By
• Created Date
• Invoice Amount
INVOICE LINE
• Material ID
• Quantity
• Unit Price
VENDOR
• Vendor ID
• Vendor Name
VENDOR ORG UNIT
• Org Unit
ORG UNIT
• Org Unit ID
• Org Unit Name
20. Examples from the Field
Procurement: Duplicate Invoices
• Rationale:
– Ensure that an Invoice is processed and paid only once
– To avoid inflated purchases
– Reduce/eliminate duplicate payments before they happen
• Criteria:
– Identify based on ... Same supplier, Same material, Same invoice value, Same period, (same invoice id)
• What we found:
– 10’s of millions in some cases
– Invoices manually entered leading to input errors
– Supplier impatient for payment and resends same invoice
– Some suppliers repeatedly submitting multiple invoices
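The duplicate-invoice criteria above, written as a query over the INVOICE / INVOICE LINE entities from the "What information do we need?" slide and run against constructed rows. This is an added example, not the presenters' tooling; the table names, the internal doc_id posting key and the sample data are assumptions, and "same period" is taken as the calendar month of the created date.

```python
import sqlite3

# Constructed sample data (not from the deck), shaped like the slide's INVOICE and
# INVOICE LINE entities. doc_id is an internal posting key: a resent invoice re-uses
# the vendor's own invoice number, so that number alone cannot identify a posting.
INVOICES = [
    # (doc_id, invoice_number, vendor_id, created_by, created_date, invoice_amount)
    (1, "INV-1001", "V100", "clerk1", "2013-03-02", 1200.00),
    (2, "INV-1001", "V100", "clerk2", "2013-03-20", 1200.00),  # vendor resent it
    (3, "INV-1OO1", "V100", "clerk1", "2013-03-25", 1200.00),  # re-keyed, letter O for 0
    (4, "INV-2001", "V200", "clerk1", "2013-03-05", 450.00),
    (5, "INV-2001", "V200", "clerk1", "2013-04-05", 450.00),  # next period: not flagged
    (6, "INV-3001", "V300", "clerk3", "2013-03-07", 450.00),  # other vendor: not flagged
]
INVOICE_LINES = [  # (doc_id, material_id, quantity, unit_price)
    (1, "M-7", 10, 120.0), (2, "M-7", 10, 120.0), (3, "M-7", 10, 120.0),
    (4, "M-9", 3, 150.0), (5, "M-9", 3, 150.0), (6, "M-9", 3, 150.0),
]
SCHEMA = """
CREATE TABLE invoice (doc_id INTEGER PRIMARY KEY, invoice_number TEXT, vendor_id TEXT,
                      created_by TEXT, created_date TEXT, invoice_amount REAL);
CREATE TABLE invoice_line (doc_id INTEGER, material_id TEXT, quantity INTEGER, unit_price REAL);
"""
# Pair each invoice with every later one from the same vendor, for the same value,
# in the same calendar month (the "period"), sharing at least one material line.
# same_invoice_id separates exact resends from re-keyed copies with a new number.
DUPLICATE_QUERY = """
SELECT a.doc_id, b.doc_id, a.vendor_id, a.invoice_amount,
       a.invoice_number = b.invoice_number AS same_invoice_id
FROM invoice a
JOIN invoice b ON b.vendor_id = a.vendor_id
              AND b.invoice_amount = a.invoice_amount
              AND substr(b.created_date, 1, 7) = substr(a.created_date, 1, 7)
              AND b.doc_id > a.doc_id
WHERE EXISTS (SELECT 1 FROM invoice_line la JOIN invoice_line lb USING (material_id)
              WHERE la.doc_id = a.doc_id AND lb.doc_id = b.doc_id)
ORDER BY a.doc_id, b.doc_id
"""

def find_duplicate_invoices(invoices, lines):
    """Return (earlier_doc, later_doc, vendor_id, amount, same_invoice_id) per suspect pair."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO invoice VALUES (?,?,?,?,?,?)", invoices)
    conn.executemany("INSERT INTO invoice_line VALUES (?,?,?,?)", lines)
    rows = conn.execute(DUPLICATE_QUERY).fetchall()
    conn.close()
    return [(a, b, vendor, amount, bool(same)) for a, b, vendor, amount, same in rows]
```

Pairs with same_invoice_id false are the re-keyed copies that an exact-match check on invoice number alone would miss.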
21. Examples from the Field
Fixed Assets: Incorrect Depreciation Periods
• Rationale:
– Assets depreciated to zero in a shorter period than required can be disposed of to third parties at a preferential rate
• Criteria:
– Fixed Asset Records where depreciation periods are not in line with statutory guidelines for asset class, especially with shorter periods
– Example:
• Company cars with lower than advised depreciation of 4-5 years
• Other examples ... Buildings (40 years), New Machinery & Equipment (15 years), Office Technology (3 years)
• What we found:
– Company cars depreciating in 1 year and then being disposed of ... value in excess of $1m
– Buildings depreciating in 1 year
22. Examples from the Field
Travel & Expense: Fraud Issues
• Rationale:
– Identify & prevent fraudulent and “creative” use of expenses.
• Criteria:
– Identify expense records with suspicious characteristics, like
• Duplicate expense items (same item, same amount)
• Multiple claims just under threshold of proof of purchase needed
• Claims for full price air tickets when discounts available
• What we found:
– Same meals & hotels claimed again a month later
– Personal expenses claimed for – taxis / trains / travel agent fees
– “Gifts” a common expense item
23. Examples from the Field
Sales: Price Changes
• Rationale:
– Changes to prices may lead to fraudulent / inappropriate pricing of Sales Orders.
– Price changes after creation can be a tactic to by-pass controls / approvals / workflows in place for order creation
– “Local agreements” / “Unapproved discounting”
– Prices being increased to finance intermediary
– Impacts cash flow forecasting & margin
• Criteria:
– Identify Sales Orders with prices changed after initial creation
• What we found:
– 16% of orders within 1 month period had price changed
– Plus 1000s more changed from placeholder values (e.g., 0.01) – circumventing system control & distorting financial numbers
– Many changes – post order creation / discounting / avoiding approvals
24. Examples from the Field
Procurement: Non Standard Payment Terms
• Rationale:
– Unnecessary effect on cash outflow and working capital.
– Excessively short payment terms: potentially inappropriate relationships
– Excessively long terms may indicate future period commitments
– Multi-touch POs increases cost of processing
• Criteria:
– Identify any Purchase Orders where the Payment Terms used are not the standard payment terms agreed with the vendor
• What we found:
– >8% of POs with Payment Terms Non Standard
– Many terms changed after PO creation from standard to non-standard
– Many with reduced payment periods for the same discount model, for example 30 days / 2% (standard terms) changed to 10 days / 2%
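The non-standard payment terms analytic above, as an added example that is not the presenters' code: each PO's current terms are compared with the standard terms held for the vendor, and the exception is tagged with the patterns the slide describes (changed after creation, shorter period for the same discount, longer period). The term codes, the vendor master, the embedded terms-at-creation column and the sample POs are constructed assumptions; in a real run the creation-time terms would come from the change log.

```python
# Constructed payment-term codes: code -> (days until due, early-payment discount %).
# "NT30-2" stands for the deck's 30 days / 2% standard terms.
TERMS = {"NT30-2": (30, 2.0), "NT10-2": (10, 2.0), "NT60-0": (60, 0.0),
         "NT90-0": (90, 0.0), "NT30-0": (30, 0.0)}

# Constructed vendor master: the standard terms agreed with each vendor.
VENDOR_STANDARD_TERMS = {"V100": "NT30-2", "V200": "NT60-0", "V300": "NT30-0"}

# Constructed purchase orders: (po_number, vendor_id, terms_at_creation, terms_now).
PURCHASE_ORDERS = [
    ("PO-1", "V100", "NT30-2", "NT30-2"),  # standard
    ("PO-2", "V100", "NT30-2", "NT10-2"),  # 30 days / 2% cut to 10 days / 2% after creation
    ("PO-3", "V100", "NT10-2", "NT10-2"),  # created non-standard from the start
    ("PO-4", "V200", "NT60-0", "NT60-0"),  # standard
    ("PO-5", "V200", "NT60-0", "NT90-0"),  # pushed out: a future-period commitment
    ("PO-6", "V300", "NT30-0", "NT30-0"),  # standard
    ("PO-7", "V999", "NT30-0", "NT30-0"),  # vendor missing from master data
]

def classify_po(po, standards, terms):
    """Return None for a PO on standard terms, else a dict describing the exception."""
    po_number, vendor_id, created_terms, current_terms = po
    standard = standards.get(vendor_id)
    if standard is None:  # no agreed terms to compare against is itself an exception
        return {"po": po_number, "vendor": vendor_id, "flags": ["vendor_not_in_master"]}
    if current_terms == standard:
        return None
    std_days, std_disc = terms[standard]
    cur_days, cur_disc = terms[current_terms]
    flags = ["non_standard"]
    if created_terms == standard:
        flags.append("changed_after_creation")  # by-passed the approval at order creation
    if cur_days < std_days and cur_disc == std_disc:
        flags.append("shorter_period_same_discount")  # faster cash outflow, no extra discount
    if cur_days > std_days:
        flags.append("longer_period")
    return {"po": po_number, "vendor": vendor_id, "standard": standard,
            "current": current_terms, "flags": flags}

def non_standard_terms_report(pos, standards=VENDOR_STANDARD_TERMS, terms=TERMS):
    """Run the analytic over every PO; returns (exception list, exception rate)."""
    exceptions = [e for e in (classify_po(po, standards, terms) for po in pos) if e]
    rate = len(exceptions) / len(pos) if pos else 0.0
    return exceptions, rate
```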
25. So What?
• 100%
– Of transaction data continuously monitored
– Not sampling
• Facts
– Not opinions
• Exceptions
– Sharp focus; minimal noise
• Technology
– Used effectively to take care of the leg-work
– Freeing high value resources for high value work
• Business Value Driven
– Enabling better business partnering
26. Question for YOU!
What is the status of Exception Analytics to monitor risk in your organisation?
1. Well embedded mature model
2. Emerging scope / programmed roll-out
3. Limited scope / first attempts
4. Planning stage
5. Not under consideration
27. The Gearbox of Risk & Performance
28. Business Process Performance
29. Example 1: Invoice Processing
• Desired process
– Purchase Order to initiate and approve purchase
– Touch-less Invoice/Payment approval on match
• KPIs
– First time match rate
– Invoice processing cost/effort
• What can go wrong (Key Exception Indicator)
– Duplicate Invoices, duplicate vendors, duplicate POs
• Discovery
– 3% duplicate invoices causing re-work and cash loss
• Root Cause
– Duplicate vendor data, Imprecise PO data
30. Risk & Performance
• Lagging & Leading Indicators
• Exceptions are Leading Indicators of Performance & Risk
– Performance KPI (Measure)
• DSO
– A/R Risks & Exceptions (Barriers)
• Credit check
• Payment terms
• Delivery quantity & quality
• Unintended Consequences
– Managing by KPI can drive suboptimal business results
32. World Class Continuous Improvement
33. Question for YOU!
In which financial process area do you see the biggest benefit of monitoring business exceptions?
1. Purchase to pay/accounts payable
2. Record to Report/general ledger
3. Order to Cash/accounts receivable
4. Treasury
5. Other
34. Pitfalls & Critical Success Factors
36. Balanced Skill-set
• Analytical/critical thinking
• Process/risk understanding
• Data structure knowledge
• Data filtering & data analysis skills
• Risk analytic design
• Diagnosis & root cause analysis
• Communication skills
37. Critical Success Factors
• Continuous Monitoring, Audit and Risk Analytics are receiving more and more attention - take time to be clear what the objective is
• Focus on genuine business risk
• Use Risk Analytics to enhance the business partnership
• Identifying and managing exceptions should already be a key focus for management
• Rapid results & quick wins are critical
• Keep track of value delivered
39. Question for YOU!
Where is the value in Exception Analytics to monitor risk in your organisation?
1. Cash recovery / cash saving
2. Effort reduction/Effort avoidance
3. Improved testing depth, scope & quality
4. Improved business relationship
5. Other
40. Developing the Case for Action
• Prove Concept – Build Business Case
• Scoped process & risk theme
• One-time extraction and analysis of relevant system data and transactions for the period
• Analysis performed on 100% of transactions against agreed risk thresholds
• Aggregate & detail exception reporting
• Joint review of exceptions found and exploration of underlying issues
41. Topic Review
• Landscape of Risk Assurance
• Managing risk and managing control
• The principles of exception analytics
• Risk & business performance
• Approach to exception analytics
• Case study examples
• Challenges and critical success factors
• Discussion
42. Exception Analytics - Balancing Risk & Control & Performance!
Key Takeaways
1. False sense of security: ’barrier’ controls alone are not enough
2. Continuous Improvement required: both risk & performance need exceptions in focus
3. Facts must rule: exceptions have a monetary as well as risk value
43. Dan French & Gonzalo Cuatrecasas
dfrench@consider.biz gcuatrecasas@consider.biz
Experiences & Observations . . .
http://consider-ations.blogspot.com/
solutions for world class finance
45. Session 124
Exception Analytics - Balancing Risk & Control
Monday 15th April 2013
1300-1400