Driving financial process improvement: continuous monitoring can catch common transaction errors and control violations that a manual review might miss.

Patrick Taylor

Today’s business environment challenges many finance organizations to simultaneously strengthen their internal controls and sustain compliance with the Sarbanes-Oxley Act of 2002 (SOX). But financial executives must not lose sight of their true goal: Operate efficient financial processes that deliver accurate results.

This drive for “operational excellence” requires financial executives to routinely reevaluate their financial processes to see if there are areas where improvement is needed, such as error-prone subprocesses, manually intensive tasks, and weak controls. Software for real-time monitoring and continuous auditing can provide controllers and financial process managers with an automated way to strengthen their company’s control environment to go beyond complying with SOX and improve the efficiency and effectiveness of financial operations.

Real-time monitoring and continuous auditing can take many forms, such as continuously monitoring the configuration of IT systems and user access and privileges within those systems. But because financial executives are more frequently concerned about the activities and outputs of financial systems, I’m going to focus on their roles and the benefits of analyzing the transactions within financial systems.

While real-time monitoring and continuous auditing software can serve as both detective and preventive controls, it’s easiest to see the benefits of these solutions as automated quality-assurance testing across every transaction in the financial processes. Imagine the benefit of having a “virtual auditor” test every step of each transaction throughout your financial systems. Unlike enterprise resource planning (ERP) deployments or SOX compliance, real-time transaction monitoring doesn’t require a disruptive shift in your existing operations. It runs alongside your daily processes to identify transaction errors as they happen.

ERP SYSTEMS AND PREVENTIVE CONTROLS

Financial executives who want to drive improvements within their operations should recognize that ERP systems never prevented everyday transaction errors, and newly implemented controls for SOX compliance erode many of the efficiency gains of the last decade.

Before SOX, the last major transformation in financial processes occurred a decade ago when companies reengineered their financial processes to work with major software packages such as SAP, PeopleSoft, JD Edwards, and Oracle Financials. The implementation and rollout of these ERP systems led many companies toward adopting “best practices.”

Although implementation was time-consuming and costly for many, ERP systems streamlined several processes, such as the three-way matching of purchase orders, invoices, and receipts in the procure-to-pay process, to allow finance operations to process twice as much revenue without increasing the size of their staffs. Yet these sophisticated, complex financial systems couldn’t eliminate manual data entry, manual review and approvals, or transaction-level errors. Even with advanced ERP systems in place, errors in day-to-day financial transactions consistently resulted in adjustments, reversals, and rework.

For example, a major Midwest energy company followed best practices within its procure-to-pay process, but it still needed a staff of three full-time employees for quality assurance testing. This quality-assurance team ran reports from the company’s PeopleSoft system and manually sorted through transactions greater than $10,000 to identify payment errors. Each payment error required about an hour to investigate and resolve, but the manual identification and prevention saved the company hard dollars.

Sarbanes-Oxley compliance demanded another revision of financial processes to strengthen controls. In most cases, the focus of stronger controls centered on segregation of duties to ensure that a single person couldn’t carry out two ends of a transaction to commit fraud, such as improperly booking sales or approving a payment to a fictitious vendor. To strengthen controls over segregation of duties, companies tightened the user rights and privileges within their financial systems and introduced manual checks where needed.

For example, a remote office of a $3 billion manufacturer didn’t have a big enough staff to stringently enforce segregation of duties within its procure-to-pay process. The staff was too small to designate one person to approve purchase orders, another person to sign off on receipt of goods, and another person to approve payment. Although the dynamic nature of the business often required these employees and managers to perform varying roles in the process, no one person should ever perform more than one step for a single transaction.

To meet the SOX requirements for effective controls for these processes, the company implemented a manual mitigating control. After each step, the person responsible for that step manually signed off on the transaction. To ensure compliance with this manual control, internal auditors would fly to each remote office on a monthly or quarterly basis to review the manual documentation of segregation of duties. Manually documenting and then reviewing each transaction introduced inefficiencies back into the financial process. Many of the ERP system’s benefits had been reversed.
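The segregation-of-duties rule described above can be tested automatically against every transaction instead of through periodic review of manual sign-offs. The following Python sketch is an added example, not code from the article or from any vendor's product; the step names, user names, and event records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of procure-to-pay sign-off events (not real data):
# (transaction id, process step, user who performed the step)
EVENTS = [
    ("PO-1001", "approve_po", "alice"),
    ("PO-1001", "receive_goods", "bob"),
    ("PO-1001", "approve_payment", "carol"),
    ("PO-1002", "approve_po", "bob"),
    ("PO-1002", "receive_goods", "alice"),   # alice changes role between transactions: allowed
    ("PO-1002", "approve_payment", "bob"),   # bob also approved this PO
    ("PO-1003", "approve_po", "carol"),
    ("PO-1003", "receive_goods", "carol"),   # carol also approved this PO
    ("PO-1003", "approve_payment", "alice"),
    ("PO-1004", "approve_po", "alice"),
    ("PO-1004", "approve_po", "alice"),      # same step logged twice: not a violation
    ("PO-1004", "receive_goods", "carol"),   # payment still pending: not a violation
]

def sod_violations(events):
    """Return (transaction, user, steps) wherever one user performed
    more than one distinct step of the same transaction."""
    steps_by_user = defaultdict(lambda: defaultdict(set))
    for txn, step, user in events:
        steps_by_user[txn][user].add(step)
    violations = []
    for txn in sorted(steps_by_user):
        for user in sorted(steps_by_user[txn]):
            steps = steps_by_user[txn][user]
            if len(steps) > 1:
                violations.append((txn, user, tuple(sorted(steps))))
    return violations

if __name__ == "__main__":
    for txn, user, steps in sod_violations(EVENTS):
        print(f"{txn}: {user} performed {', '.join(steps)}")
```

The check is scoped per transaction rather than per user, so staff in a small office can still rotate between roles as long as nobody handles two steps of the same purchase.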

RISE OF CONTINUOUS MONITORING

To meet the demands for accuracy and efficiency, continuous monitoring solutions now offer the potential to automate manual quality-assurance tests across every transaction. This software works by passively collecting information from the financial system’s database, maintaining a history of any changes to each record, and then testing each transaction for errors and control violations. Error alerts are sent to each business process owner, such as the accounts payable manager, and control violations can be sent to internal auditors for review.

The value of any software for real-time transaction inspection comes from the individual transaction tests and a defined process to resolve all identified exceptions. Transaction tests should map directly to each step in the business process, draw upon all known information about the transaction and its related records, and identify the errors regarding nonjudgmental transactions, such as duplicates and unmatched transactions that don’t require an audit partner’s interpretation.

Within the order-to-cash process, transaction tests should inspect for common errors and control violations, such as:

* The granting of credit to invalid customers,

* Unauthorized or unearned discounts given on sales orders,

* Shipments that don’t match customer or order records,

* Return credits that don’t match the original invoice, and

* Cash receipts without the actual application of cash.

These are just a few of the typical tests that a junior auditor would apply to a sample of transactions. Real-time transaction inspection automates these tests across every transaction so that financial managers can act at the first sign of an error or control violation. For example, a sales manager at a $7 billion consumer goods company tried to book a sale for a customer who had maxed out its credit. Because the ERP system wouldn’t allow the order to be booked to the existing customer record, the sales manager created a new customer account with a new line of credit. But real-time monitoring identified this creation of a duplicate customer before the order could be processed.

Within the procure-to-pay process, transaction tests should inspect for common errors and control violations, such as:

* Invalid vendors,

* Duplicate purchase orders,

* Vouchers that don’t match receipts or purchase orders,

* Duplicate payments, and

* Payments that don’t match vouchers.
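Three of the procure-to-pay tests listed above (invalid vendors, duplicate payments, and payments that don't match vouchers) are sketched below in Python as an added example that is not taken from the article or from any monitoring product. The record layouts, identifiers, and amounts are constructed assumptions; the $10,000 figure is the manual review cutoff the article mentions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample records (not real data).
VENDORS = {"V100", "V200", "V300"}            # vendor master file
VOUCHERS = {                                  # voucher id -> (vendor, amount)
    "VCH-1": ("V100", Decimal("25000.00")),
    "VCH-2": ("V200", Decimal("812.40")),
    "VCH-3": ("V300", Decimal("4300.00")),
    "VCH-4": ("V999", Decimal("650.00")),
}
PAYMENTS = [                                  # (payment id, voucher id, vendor, amount)
    ("PAY-1", "VCH-1", "V100", Decimal("25000.00")),
    ("PAY-2", "VCH-1", "V100", Decimal("25000.00")),  # voucher already paid
    ("PAY-3", "VCH-2", "V200", Decimal("821.40")),    # transposed digits
    ("PAY-4", "VCH-3", "V300", Decimal("4300.00")),
    ("PAY-5", "VCH-4", "V999", Decimal("650.00")),    # vendor not in master file
    ("PAY-6", "VCH-7", "V200", Decimal("95.00")),     # no such voucher
]

def inspect_payments(payments, vouchers, vendors):
    """Test every payment, whatever its size; return (payment id, exception)."""
    exceptions = []
    paid = defaultdict(list)                  # voucher id -> payments already seen
    for pay_id, vch_id, vendor, amount in payments:
        if vendor not in vendors:
            exceptions.append((pay_id, "invalid_vendor"))
        voucher = vouchers.get(vch_id)
        if voucher is None:
            exceptions.append((pay_id, "no_voucher"))
            continue
        if (vendor, amount) != voucher:
            exceptions.append((pay_id, "voucher_mismatch"))
        if paid[vch_id]:
            exceptions.append((pay_id, "duplicate_payment"))
        paid[vch_id].append(pay_id)
    return exceptions

def outside_manual_review(payments, exceptions, threshold=Decimal("10000")):
    """Exceptions a manual review limited to payments above `threshold` would not see."""
    amounts = {p[0]: p[3] for p in payments}
    return sorted({pid for pid, _ in exceptions if amounts[pid] <= threshold})

if __name__ == "__main__":
    found = inspect_payments(PAYMENTS, VOUCHERS, VENDORS)
    print(found)
    print(outside_manual_review(PAYMENTS, found))
```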

To test the effectiveness of real-time monitoring, the Midwest energy company ran the monitoring software alongside its three-person quality assurance team in a trial test to monitor only its final payments. Over the course of a month, the company’s procure-to-pay system processed more than 40,000 transactions worth more than $150 million. The real-time monitoring software determined that 99.83% of the payments were compliant with all policies and were defect free. But it also identified a $1 million wire transfer that was a payment error, a $367,000 duplicate payment, and 67 smaller payment errors that totaled $42,000.

The company’s quality-assurance team did identify the $1 million payment error and devoted an entire afternoon to correcting the problem and reversing the transaction. The team also spotted the $367,000 duplicate payment and then contacted the vendor to apply appropriate credit. The controller admitted, however, that the company would never have identified the 67 smaller transactions because it doesn’t have the resources to manually review transactions under $10,000.

While the company realized $42,000 in direct savings from the 67 smaller transactions, the real business process improvement came in the following month when it used real-time monitoring over all subprocesses and stopped all payment errors at their root cause: invalid vouchers.

Other, more complex tests should be run on purchase-to-pay transactions in holding accounts, such as unvouchered receipts or “goods received but not yet invoiced.” In these accounts for unvouchered receipts, the company records a liability for goods that it has received but for which no invoice has been processed. When the invoice is processed, the liability should be moved to accounts payable from the unvouchered receipts account. But day-to-day transaction errors often lead to double booking of liabilities in both accounts payable and unvouchered receipts accounts.

These improper balances within the unvouchered receipts account are typically handled in the closing process with adjustments and write-offs to the account. Advanced transaction tests within continuous monitoring software can monitor the transactions in the unvouchered receipts account in relation to their related vouchers, invoices, and purchase orders to alert finance managers to specific errors. Therefore, errors in this account can be managed as they happen, eliminating the account adjustments during the closing process.

AUTOMATIC CONTROLS

From invalid customer records to duplicate payments and errors in unvouchered receipts, corporate financial operations are challenged by day-to-day financial transactions that lead to adjustments, reversals, and rework. Software for real-time monitoring and continuous audit can play a role in a finance manager’s drive toward operational excellence. To borrow a concept from the manufacturing quality movement, defect-free financial processes can be a reality.

Patrick Taylor, CEO of Oversight Systems, is a recognized leader in the convergence of controls monitoring, information security, and the implementation of technology to boost corporate governance. He launched Oversight Systems to pioneer the concepts and technology for transaction integrity monitoring. You can reach him at patrick.taylor@oversightsystems.com.

COPYRIGHT 2006 Institute of Management Accountants

COPYRIGHT 2008 Gale, Cengage Learning