Leveraging Business Value from your Compliance Structure
In the current climate, every organization wants to get more bang for their buck and leverage value from existing business structures and technology already implemented in their shared service centers or BPOs. With that in mind, this session explores how organizations can get more ROI from the compliance structures that have already been set up.
Michael P Cangemi CPA, CISA
President & CEO
Cangemi Company LLC
Director Unisys Global Shared Services Europe, India and Asia Pacific
Christopher T. McKittrick
Founder of Perspective Business Advisors LLC
SSON: The topic of this roundtable session which is part of the SSON series on Fraud Prevention in association with Oversight Systems is leveraging business value out of your compliance structure. If I could start with you Michael Cangemi - I would like to ask you what advice you would give to any organization looking to gain a returned investment on new ventures and capital investments in compliance structures.
Michael Cangemi: Well thank you, I have had quite a few experiences in this space of gaining a return on investments, especially in the area of IT, because my background has taken me from IT audit, to IT management. And what I found was that in a lot of cases because IT seems to be mysterious to many management and boards, the typical return on investment process that is used for building a building or plant, or buying equipment, is not always applied to IT investments. One of the principles that I have followed during my career was to always subject that to the same vigorous ROI kinds of formula. And as we have discussed there are other dimensions to IT investments, especially in the area of IT compliance and auditing.
There are ways to tap into other areas of processing, or other elements of the business practice rather, that can produce returns beyond just the compliance aspect. The example that I use often is taking the vision of a Chief Financial Officer in a retail wholesale distribution company, a consumer products company. We had the very onerous problem of having a physical inventory, we basically had to shut down shipping to your customers, we also were very inventory bound since we were a consumer goods company, and we wanted to control our inventories. So we created an inventory controlled system - we greatly improved the locator system, and we added calendars to the warehouse teams to rectify any kinds of discrepancies that a particular product might find, to improve the accuracy that the inventory...ultimately that enabled us to eliminate the inventory which gave us an elimination of down time, we could continue to ship. But the productivity gains in the supply chain, by having an accurate inventory was really where we got the huge return. The systems that we implemented used IT to facilitate the entire process, and looking back here, people always came to our operation, and put that our primary objectives in the inventory control investments was to eliminate the physical inventory or to give us greater inventory accuracy. However the real primary objective was to improve productivity through shipping times in all the related issues. Usually it's multidimensional advantages to investments if you think them through...
Patrick Taylor: Michael, would you say that one of the things that happened there was that the compliance effort that got embedded inside of operations, in that in the compliance, and the quality of the processes - the quality as a process meaning the expectations of compliances, of processes meeting your expectations. You’re embedding that into your operations, so you get that two-sided value that you talked about. And in fact that is one of the pearls of wisdom out of COSO’s recent guidance on looking at monitoring; it came out in February I believe. They talked about the most effective monitoring, and they are purely thinking about the compliance point of view, but then the most effective monitoring is part of operations.
Michael: Absolutely, and that is the point I agree with 100%. I think the message for people who are addressing compliances, is that they need to look beyond it - it is almost as simple as that. It is not just about compliance, there are a lot of other elements of the business process that they should be looking at and attempting to enhance.
SSON: Chris Gunning, Chris McKittrick would you like to come in on any of those?
Chris Gunning: Yeah, I think that Michael’s comments in relation to the inventory system, it is very interesting - you know I am coming more from a financial audit background in KPMG than specifically an IT audit background. I guess that once we implemented the ERP, we are probably going back eight or ten years now, very much from an Oracle ERP position, where we have many modules coming in from a prefixed asset, order management and project accounting. I think that one of the benefits that we were able to get from that is the fact that these new ERP systems certainly have a lot of embedded controls, actually within the software and the functionality itself. So, I think there were a lot of hidden benefits that might not have initially been obvious when we were doing the return on investment. You know initially we were looking at an operation and specification perspective, but I think there are a lot of hidden benefits in terms of compliance and real added value. And that is something that over the years has helped us attain the Sarbanes-Oxley accreditation and helped us to really take the ERP in the way that we structure operations globally within a controlled environment. I can almost run all of my transactional operations now out of a very low cost centre in Bangalore, India, giving me high productivity, high operational efficiency. But safe in the fact that I and the CFO and the CIO can rest well at night, knowing that it is in the bounds of control, in an internal controlled environment.
Chris McKittrick: To kind of tag along with everything else that has been said so far, recently I was chatting with a national partner for shared services, a major CPA firm here in the US, and one of the challenges for many organizations is to fully implement all the ERP controls that are available to them. There are so many things that organizations have to turn on the switch so to speak, and configurations to utilize some of these controls. Sounds like Chris has done, and what Michael and Patrick are talking about, even implementing this continuous monitoring, he was amazed and in my experience I have been amazed at how many investments have been made in these information systems and then they are not used fully - they are only halfway implemented. Then they don’t really find the ways to leverage the power that is there for the operational benefits that they could really achieve.
Michael: I just want to pick up on a couple of things that were said, I agree with all of the comments, and in terms of Chris’s comment about hidden benefits, that is another reason for doing the typical assessment of an investment. A post-implementation assessment if you will; where you can come back around and find other benefits, especially if you are looking for them, which is the first point we kicked off with for this discussion. Think beyond the compliance issues to the business issues, and then to what Chris McKittrick just said, you not only have hidden benefits, but if you start thinking about what else do you need to do and don’t just stop after you have met the compliance objective, then you are starting to drive the business process. You know I think the segmentation of the audit world; you know IT auditors and financial auditors and we used to have a term called operational auditors. They all need to come together and not just look at the one end of the group objectives, but to look at the business objectives of the whole process.
SSON: Does anyone want to explore any other innovative measures that your particular organization or an organization that you have worked with in the past has added other multiple levels of benefits for compliance initiatives?
Chris Gunning: Well the one I think that we are going through, you know we have just closed off the second quarter and currently we are trying to give comfort to our external auditors that the numbers are correct, that the balance sheets are reconciled. You know globally across all our companies and across all our countries - we reconcile 13,000 balance sheet accounts. But by being smart and having a database where there is a record of each of those accounts at any point in time during the close-cycle, you know again, our external auditors, our internal auditors, our CFO, the vice president of shared services can quickly go into the database and look to see where we are with the reconciliations. And I think this is a process that because we have a global shared services platform on a global vanilla ERP system, we have really been able to get ahead and essentially have a world-class accounting function. It doesn’t matter if the reconciliations are being done tens of thousands of miles offshore - there is full visibility at any one time to anyone in the controller’s organization to see the status of that account and to see the status of that reconciliation, which in turn gives the auditors more comfort.
Chris McKittrick: That is so key, that one of my many eclectic experiences with a chemical company that established a European shared service centre and you know that one of the benefits that came from that was an improved relationship with the auditors for getting things done across for all the various countries that we were in. Of course there was a double-edged sword to everything, when there were things that they were doing, maybe focusing on a particular nation or another, while they had to send an auditor to do the shared service centre in Rotterdam to do the work. But I do think it did help with the transparency with the auditors, and saved audit fees and time on both sides, time that the company had to spend dealing with them, and time that they had to spend dealing with us.
Patrick: We have seen some audit, external audit expense savings, and actually internal audit saved at least a reduction in time, which gave internal audit the time to focus on other areas, but it was sort of back to Michael’s idea of when you have this control function embedded operations, a monitoring and finding the problems inventory, the counters that Michael had, we had clients doing this with technology, and the benefits that they saw. In a sense they had operations reconciling the problems that were occurring in the business process, so that had them fixing an error when it was very cheap to fix, as close as possible to the inception, so it is easy to fix the problem. And then the technology was automatically docking all of their activity, a record of the reconciliatory, as was mentioned earlier. What that ended up being, they, in discussion with their external auditors, replace all the time that the auditors had to go in and test transactions for that process, instead they just tested the operation of the monitoring system, and really the same thing was happening to internal audit, and I thought the internal audit the CIE had a very insightful point of view. I want to have more monitoring type technologies in place to cover the routine non judgmental transactions, to take care of all of my risks, because what that is going to do is that it gives me more time to think about new risks that were exposed, to look into sides of the business that aren’t routine, that are in fact judgmental. Not that he spent less time in his job, but he felt like he was spending his time in more valuable areas, so that was a power for the audit guys, the external audit guys at least in that area wiped out several hundred dollars a time. That was all about having all this stuff tightly embedded into operations.
Michael: Just to pile on that, we certainly in the case that I presented, the continuous accounting of inventory, we certainly did reduce external audit fees. I would just like to tie together a couple of things that we have been talking around into the word opportunity. I think that there is a huge opportunity in this space; we have been spending money on compliance, certainly since Sarbanes-Oxley. The cost of compliance has gone up, the cost of internal auditors has gone up, I think that the message about continuous monitoring, and as Patrick referenced; the new COSO monitoring guidance, which I was personally involved in. Giving guidance to companies on how they can increase continuous monitoring, continuous auditing, and the objective stated in the COSO document is to improve the effectiveness, and to actually span coverage, while at the same time improving efficiency, so we are going to address compliance smarter after a number of years.
And then a number of you have referenced the business cost of outsourcing and the shared services, and to me, now you get the opportunity to act, you get the opportunity to use continuous monitoring in a shared service arrangement. You are spreading it across, where you are spreading the investment of continuous monitoring across multiple entities, multiple systems. So, this is a happy day for me to be having these kinds of discussions. Because you have all heard me say that it is way past the due time to change the backwardly looking audit model, and get into a much more continuous mode of utilizing technology.
SSON: In terms of shared services and outsourcing, what other opportunities are available today that may not have been available four or five years ago for companies to achieve tighter compliance structures; thus saving them money in the long run and other benefits from the structures that are in place.
Chris McKittrick: The one thing that is available now that wasn’t available when I set up that European shared service centre, are the continuous control monitoring technologies which are available today and continue to get better. So that is a facet of when that was established, was not available I think that would certainly have some great benefits. I don’t know if they have ever implemented anything like that into it, it would have great benefits if they did.
Chris Gunning: And obviously you know running exceptional regional and global shared service centers here. You know one of the great advantages that I think we have certainly seen here in recent years, and it helps with our quarterly Sarbanes-Oxley representation and sign off, again another process that I have just gone through this week. It really doesn’t matter what our processes, our transactions are from Peru or the Philippines, or Poland. If we have a standard input and output at a centralized location, at the end of the day, the flavor of process and the flavor of control is vanilla, not slightly tainted different colors and shades of vanilla which really helped us as we go through our quarterly Sarbanes-Oxley representation, sign-off processes. You know I have ninety key controls that are embedded in my shared services in Bangalore - but again they are consistent in standards across the countries. So rather than the auditors going out and looking at these in seventy different countries, they can go to a single location and be comfortable that a single control for the processes or the standards, so I think it shows shared services, especially a global shared service organization can certainly help us in that regard.
Patrick: One thing that I would say is newly available that Chris Gunning talked about is a recognition that I need to provide some technology, some facilitation for people that are trying to do these reconciliation jobs, so whether it was to reconcile a balance sheet account and to have a database. They are providing some technology leverage, some infrastructure to a process, and making it more efficient, and also more accountable, they were able to check. You see the same thing in the continuous control monitoring space, recognize, great; I can go out and find issues to investigate, but if I can make that investigation in the adjudication process efficient. Then it is going to go on, I have a framework for these people to use, and it is also efficient and effective for them to use. That has been a real change in the last four or five years, in realizing that part of, using technological infrastructures to drive efficiencies in any of these monitoring type processes has been a net positive change.
Michael: I would agree whole-heartedly. I was a Chief Board Executive in the 1980’s, a long time ago and we didn’t have these tools available, I think these tools for companies like Patrick’s Oversight Systems; investments that they have made enable companies and certainly through business process outsourcing, enable you to get an even bigger return on your investment. So there are certainly tools out there if people think past that first step, study the issue on what kind of return they can get on making a long term investment for systems like this.
SSON: After the Satyam case in India late last year, do any of you believe that a BPO has the ability to maintain a proper, reliable and secure IT infrastructure?
Michael: Well I am ready to say yes to that. I believe that...I guess that one of my areas of sub-specialization is not a fun one, but I have been speaking about governance and criminal frauds my whole life, and we can connect Europe to the United States on this one. Fraud has existed and will continue to exist forever unfortunately, so what many of us have devoted our lives to - is creating governance systems that can protect and detect most frauds, unfortunately some will always slip through. Using systems like the COSO framework for the internal control in the IT space, the companies can put in place in either shared services facilities or their own facility controls that will enable a process to be reliable, and for financial officers and CEOs to be able to sign off on their control structures. That said, things like Enron or Palmer-Lott or other kinds of frauds will always surface eventually.
Patrick: You know Satyam probably represents the biggest single risk to the quality of management reporting which is management cooking the books. I mean that is, two years ago the FCC came out with some guidance that said that is one of the biggest holes we have, which is management overriding control. It is a challenging one to try to cover, you can certainly come up with technical solutions that might highlight someone cooking the books, but the real trick is; can I get that alert if you will in front of someone who is going to care? How far in the Satyam governance structure, perhaps if we had got a warning to an external board member they would have said something. That is always one of the biggest challenges, yes I can come up with a way of finding this, but I have to get it in front of someone who is going to do something about it.
SSON: Just taking you up on that Patrick; how clearly outlined within a BPO contract or within an internal shared service contract, should it be stipulated that compliance is very high on the agenda? And does the client have a lot of leverage in having a say in terms of compliance?
Chris Gunning: Yes I think that any business puts compliance right at the top of their agenda for shared services, whether they are a BPO, whether it’s a core business. Within our own shared service organization worldwide, where we have 750 plus employees. What we have, what we call our seven C’s mantra, and one of the seven C’s is compliance - right the way from the Vice President of shared services to the new transactional processor who arrived in the door yesterday from India. We are very hot on regular Sarbanes-Oxley training and regular refresher training. So I don’t think that a BPO or shared service centre should be any different from having compliance at the top of the list, however, I think that BPOs have really got to start showing more transparency. You know, we heard the gentlemen talk earlier about governance, absolutely. It is important to have that own sense of governance and business ethics, I think that as a potential client wanting to outsource to a potential BPO, I would have to be asking the questions. How transparent is their governance structure, and their control structure? That is not necessarily something that a lot of companies would want to share up to now, especially in a BPO type environment, I think that they have got to start building that into their value propositions to going forward.
SSON: Are there any other thoughts on that?
Chris McKittrick: To bring some of this together, another example of a fraud that occurred over here was Helsaff, where even some high-up executives made some decisions to create journal entries that flew under the radar of the auditors, in other words what they did was multiple entries that would probably not get examined, and maybe continuous monitoring would have helped with that and as Chris Gunning just said people that were encouraged to stand up and keep compliance on the tip of their tongue, and be willing to say, wait a minute what’s going on here? I think they thought that they wouldn’t be able to see them because there are so many, we don’t have to worry about that, but a continuous monitoring system might have flagged that and said why are we getting so many entries for this high caliber on these accounts? The revenue accounts in particular, they just don’t make sense. The whole governance has got to be pushed down to the people, to understand that their role in effective governance is to ask questions and not be afraid.
SSON: Thank you Chris - is there a need to transform audit models through new technology tools, and if so how can they be improved to make an impact to an organization’s bottom-line?
Patrick: That’s interesting, I have been watching the discussion on a governance discussion group, and they have had a lot about what is the future of internal audit. And the debate is breaking down into, yes they need to be a little more leadership orientated, more involved with the overall governance, risk of the company, and finding ways to add value. That is contrasted with, ok, you have just described something that has a lot of executive characteristics, but at the same token is hoping, and I need to have the technical skills. The discussion came into, teach a technician to be a leader or a leader to be a technical? And where it has come out is, yeah it is probably the latter, to some degrees it is...leadership and management capabilities can be improved, but there is a heavy degree of being innate in there. And what I would have added to the discussion was that today I can give you a lot of leverage from the technical skills capability, I can put some of the technologies in place that can do some of the harder analytic work. So I don’t need to have someone from internal audit that has a great resume, in terms of being able to write great queries and that kind of stuff, but I’ve got to look for people that are more risk savvy, more business savvy, more process improvement savvy, give them leverage from technology in terms of being able to do these kinds of analytic runs. And that is a model for the future where internal audit is adding to the most value.
One of the clients that we actually work with, views internal audit as a necessary stop along the way to becoming a financial leader or executive within an organization. Very frequently someone comes through internal audit, works for a couple of years, and then they are plucked out for a CFO type position of a particular operating group. It is well known in this country that that is a natural progression, so they end up with that timber of person in internal audit and they just augment their technical capabilities, put their technician side with their technology.
SSON: Does anyone else have thoughts on possibly transforming the audit model?
Michael: Well yeah, taking off from what Patrick said, I do think the need for the skills required for internal audit are shifting away from audit technician - understanding the verification processes to being more of an involved representative of management, that is the expert in controls for now. I think that the tools that are available for continuous auditing methods that require you to think way beyond just the technical skills of an auditor, and to start thinking like a business manager. I love that model of moving someone in and out of audit versus the career auditor; I think a combination of both is what works well.
My time as a Chief Audit Executive, I defined our role as improving controls in the company in an efficient and effective manner, not as in auditing to find deficiencies in controls, so we stepped out on the ledge a lot in recommending methodologies that the company could employ to improve controls while improving efficiency and effectiveness, and that worked very well. In the 1980’s we didn’t have the tools available that were available today, like we said before, so we certainly need visionary audit management leaders, not technical audit management leaders.
* (More of Michael Cangemi’s thoughts on internal audit management can be found in his book "Managing the Audit Function" published by Wiley and available on Amazon.com)
Chris Gunning: One of the advantages that I see with this new technology breaking through is they can do something with the audit for the future to get tools to do some of the donkey-work a lot more quickly and efficiently by leveraging governance compliance tools, such as compliance views of visioning, by looking at rotation in systems, very quickly they push it through the report, but then they can go and dedicate their resources and time to doing exactly what Patrick and Michael, and Chris have been speaking about, and really becoming an added value business partner for the company, for the operations, not only for the standing control, but also the hand off and the touch point in terms of poor business. So you do see I do see this as beneficial of where we need to go in the future.
Chris McKittrick: I think that Michael and I have some of the same experiences back in the 80’s when I headed up a couple of audit functions. One of the ways that we brought value was that we were very operational-focused, and we did try to supplement the work of the external auditors, and did focus on the internal controls. But we were very much focused on looking for the right operational improvements. And then as I watched the audit profession kind of evolved and information systems becoming bigger and more complicated, and the proliferation of rules and standards, I did see auditors both internal and external swing more towards technicians and not business people. And something that I have seen recently is the better mix starting to happen, where accountants are working harder to become more knowledgeable about what is happening in the business, and that is where a lot of value will come from, and let technology do some of the more mundane things that still need to be done, that are indeed mundane and don’t bring as much value.
SSON: Finally I would just like to turn the conversation on its head - is there ever a risk of over-exploiting compliance structures? And have you ever come across any such incidents?
Chris Gunning: I think that as long as human nature has existed, and as long as it exists, collusion will always be a risk. I think that if you have two or three people colluding, trying to misappropriate the assets, or anything in that area, there is always a risk. No matter how good your compliance systems are, your risk mitigation systems - it is very essential to drive a strong ethics program through the company and to have people focus on the Foreign Corrupt Practices Act, and drive a strong FCPA message through the company. It is also important to continue testing - I don’t think we’ll ever be able to move away from completely testing these controls, but yes I think unfortunately if collusion exists, there is always a risk. I guess as CFO’s, shared services directors and auditors, we have got to try and stay one step ahead of them, and keep all of our eyes and ears open, and drive that sense of ethics through.
Patrick: A simple comment would be that there is no perfect, whether you are talking about hackers coming through a firewall, or someone trying to cook the books, you are never going to be able to set up some infrastructural control that is perfect. If anything, because the more you do that, the more bureaucracy you are introducing into the process. But aside from that there is no perfect, and there is no limit to how inventive people will try to be in order to bypass and circumvent things. Which I think is one of the reasons why COSO came out and talked about this other layer of the cube, this monitoring layer that is totally necessary, because it is not practical to achieve a perfect controlled environment that can prevent everything from going wrong.
Michael: I stated earlier and Chris and Patrick just restated that there will always be the risk of fraud, I think the COSO comment that Patrick ended off on is the real pertinent one for us to end off on, and we are ending an era. The post Sarbanes-Oxley rush to spend a tonne of money on controls has now gone into a rational phase, and we have mentioned that there are ways to reduce expenses, to reduce the costs of technology through the use of shared services or BPO. And now we are introducing the thought in this discussion about having auditors look beyond just compliance to ways to benefit the organization through the broader business issues involved in all of the transactions. So we are going into the rational phase which I think there is a great deal of opportunity, even though we will always live with the overhang of the shadow of possible fraud.
Chris McKittrick: I just finished studying and passing for the certified fraud exam here in the US, it is just interesting to go back to you and from recent experiences to say, no matter what you do, there is always somebody out there that is one step ahead, they have motivations, a lot of it comes from the motivations that they have for whatever reason. If they are in trouble financially, they feel deflated, the motivations are so varied. There is someone sitting here in the County jail here in North Carolina, that they caught here a few years ago and it took a while for her to go through the trial process, I still want to go down the jail sometimes and just say why did you do that? And no matter what control we had in place, there was a degree of trust in that person who went on and did whatever she was going to do but eventually we caught it. Again fly under the radar no matter what technology you have got, you can get away with it for a while. It is key to be vigilant at all times, so whatever is out there.
SSON: Well thank you gentlemen, we have come to the end of our session now, and I really thank you all for joining us.