Q&A: Patrick Taylor, CEO, Oversight Systems
Because of the downturn in the economy, the number of fraud incidents within organizations has grown. Patrick Taylor, CEO of Oversight Systems, explains steps your organization can take to prevent fraud while ensuring a greater level of compliance assurance.
SSON: What type of fraud are you seeing within organizations?
Patrick Taylor: There are two sides to fraud, quite frankly: asset misappropriation, which is basically an employee stealing something, and then there's financial reporting fraud. So think of Satyam in India. The economy is really hitting both sides, so there is more pressure on individual employees. For instance, employees may pad their expense report, or they may try to process a payment to their wife or their brother or something like that through the accounts payable system, and then you are also going to have pressure on people to cook the books to reach their earnings numbers or pass the stress test from the US Treasury.
SSON: We know it is difficult for a business to avoid being affected by fraud; what areas in business are suffering the most?
PT: I guess there are different dimensions to it. There is the physical asset side of it, where maybe an employee takes a pen home or something, but that's not going to really kill anyone. But you see some things like people ordering an extra printer cartridge and selling it on eBay. Second, there is 'let me just directly steal money' type fraud, and that is happening in disbursement operations like travel expenses or filling in expense reports, perhaps in the use of corporate purchase cards, and in accounts payable as well. So anywhere in disbursement operations, there is a temptation for fraud.
You can also see it on the revenue side of the house, where you have someone in a sales/commission capacity book fake revenue or get credit that really should have applied to a different channel of the company. And then you have fraud which occurs in finance, cooking the books, such as someone making adjustments in the general ledger. That is typically happening where someone owns a Profit & Loss statement and therefore has responsibility for making earnings, whether that affects their bonus or stock price. They have the ability and the temptation to cook the books.
SSON: How is fraud taking place – is it employees taking advantage of their position within an organization or are most cases external to an organization?
PT: You are going to see the most fraud loss internally. Incidents of a hacker coming in from the outside are generally rare; you will see that more in banking. It is generally the people on the inside, who have a greater degree of trust, who have the opportunity and, as we said earlier, an increased temptation to commit fraud.
SSON: What essentially are the pain points of clients that you are working with?
PT: We have a spread of clients that have shared service operations that spans industries. So generally they are larger corporations, somewhere in the Global 2000 type scale, but they have implemented a Shared Service type operation, whether that is for accounts payable or travel expenses or order-to-cash operations. When organizations go into the Shared Service type organizational structure, they begin focusing on process quality and excellence. And as our system is a continuous auditing system, we examine every transaction all day, every day, so you end up finding errors, misuse and fraud. This helps a person in a Shared Services Center to find errors, thus helping them to improve operations. The sooner you find and fix a problem, the better. And certainly finding the fraud is also helpful from a not wasting the company's money standpoint, as is finding the misuse. Bottom line, most of our clients have a focus on process excellence and process quality.
SSON: Do you foresee more cases like Satyam and Enron occurring and how can they be avoided?
PT: Yes, I think we will see more cases. I believe two things are happening. One, the current economy is going to create more pressure for cooking the books. The other thing is the greater visibility you see across the globe. More and more companies, essentially in countries that don't have the control infrastructure for integrity in financial reporting, are getting more visibility on a global stage, and the background and temptation is there for cooking the books. That said, we will see things happening in the United States and everywhere else as well.
Now what can we do? Because the greatest risk for financial reporting fraud is management override of controls. And obviously the weaker your controls are, the easier it is for management to do something, but you are very much talking about people in a position of trust who you have to give the ability to make adjustments in the general ledger, to make adjusting journal entries to the general ledger; this is part of closing the books, and the trick is finding those inappropriate adjustments. So you need to rigorously monitor and identify things that look like unusual general ledger transactions and then be able to surface those to someone independent, whether it is the internal audit or the board audit committee or an external auditor. Once you are surfacing those suspicions, you can have someone double-check and make sure that they are in fact OK, and find it a whole lot earlier than they say they did in the Satyam case.
SSON: Does it surprise you that organizations are not monitoring for fraud more? Particularly companies that have ERP platforms and other financial systems.
PT: It is surprising, but it is understandable. Let me elaborate on that. People know that every business process doesn't work perfectly, and whether that is an error or fraud is kind of secondary. You know, any time you have tried to run reports in the past to find a duplicate payment or to find a fraudulent journal entry, you can have a couple of problems. One, it is hard to get the analytics (the queries, if you will) precise enough, and two, it is really painful to wade through the problems or potential problems that you are going to identify.
And so two things have changed, and people are just beginning to appreciate that; one, with the advent of 64-bit computers with a large amount of memory, I can now begin to construct very sophisticated analytics that can replicate some of the logic a human would use, so now I can get more precise, artificial-intelligence-style analytics. I can throw the computational horsepower at it. And then the second thing that has changed is integrating a whole workflow, a user interface that is all around driving the efficiency of handling the exception.
Before, you ran a report, and if you ran a report tomorrow, you had to figure out all the things that you had already looked at, and you had to go from a report and look up information on this screen and that screen. And now what you see with products like Oversight, that automate that whole exception review process, is that you end up being incredibly more efficient at resolving exceptions.
Somewhere, there is someone that is worried about the quality of the process; they are finding errors, whether those are mistakes or fraud. Our clients have found they reduce the FTE requirement around error correction by two thirds, even though with our system they are looking for a wider range of issues, but the resolution process is so much more efficient, and they are hopefully spending less time than they were in the first place when they were using Oversight. It is getting people to see those two breakthroughs in analytics and exception handling... that is the 'ah hah' that we have to communicate.
SSON: Just last February, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) announced the release of its guidance on monitoring internal control systems; what does this mean to organizations, and how can companies best assess internally?
PT: The first thing is to understand why COSO came out with this, as monitoring has been a part of the COSO controls framework from the beginning. The answer to that question is that the people at COSO felt that the initial implementations, a lot of which were associated with Sarbanes-Oxley, really underplayed the value that you could get from monitoring, and that was the main driver for the report. This is a very neutral organization, as they are not trying to sell you a product or anything like that, so you have to say that they have our best interests at heart for issuing the report.
When you dig into the report, there are a couple of messages. One, they talked about the value monitoring can have in a compliance framework, and the fact is, if it is done in a suitably rigorous manner (they define what rigorous means), and by that there are things like how persuasive the information you are using is. If I am looking at the direct results of the business process, that is the most persuasive information, and how much information I can look at, because the more I look at, the better. And the more frequently you look at all the direct information, the more assertive you can be about monitoring the results in any kind of compliance regime.
The other thing COSO highlighted, which we have seen, is to integrate monitoring as a part of your ongoing operations, and the monitoring is in essence serving a quality function for the process. So it is identifying errors on a very timely basis; you know it is always cheaper to nip a problem in the bud instead of letting it go on and having more re-work to do once you finally discover it. If I integrate the monitoring into operations, there is a positive effect on operations, and I end up getting a compliance benefit for free. And that is what I thought was interesting: a) COSO thought we were underplaying monitoring, thus they commissioned the whole report, and b) they explain it in such a way that it becomes a part of operations, has real operational value, and at the same time makes powerful and assertive claims relative to compliance in different regulatory departments.
SSON: How can companies leverage the economics of corporate credit cards while ensuring they are not misused?
PT: That is a very interesting question. The economics around using purchase cards are pretty profound. That is, the cost of going through the standard issue of a purchase order, receiving invoices, etc. Whatever the transaction cost is, it is measured in dollars; it can be fifty or seventy-five dollars even, to go all the way through to writing the cheque for the vendor. And the cost for the transaction on the credit card is often borne by the vendor. So as a company, it is free, and perhaps I even get some kind of credit or points, or another type of kick-back in terms of dollars from the credit card company.
The problem has always been that you had a lot of control with the purchase orders, the purchase-order-oriented process. And so the way people have covered that risk with purchase cards is to limit the size of the transaction and put a credit limit in place, so people are limited from spending too much money. That is a way of containing the risk. So people are applying endless monitoring techniques, so in a sense you are auditing every individual line item on your purchase card. They are actually getting a daily feed from their purchase card vendor, like Amex, Visa or Diners Club, whoever. You get the detailed transactions every day and check all transactions against company policy and other internal systems, so there is a strong control environment around those transactions. This means, eventually, limits can be raised and employees are permitted to buy more expensive items. The organization is then running a greater percentage of the overall procurement operation through these purchase cards, and so it knocks a significant cost out of the operation. But it takes having this continuous monitoring of credit cards to manage the risk.
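The three monitoring controls Taylor describes above (precise duplicate-payment analytics in accounts payable, a daily purchase-card feed checked line by line against policy, and unusual general ledger entries surfaced for an independent reviewer) can be sketched as simple rules over transaction records. The block below is an added illustration written for this page; it is not Oversight's product or code and is not from the interview. All records are constructed, and the thresholds (a $500 single-transaction card limit, blocked merchant category codes 7995 and 5813, a 30-day duplicate window, a 100,000 round-amount threshold, and the set of P&L owners) are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# --- Constructed sample feeds (hypothetical records, not real data) ---
AP_PAYMENTS = [
    {"id": "P1", "vendor": "ACME SUPPLY, INC.", "invoice": "INV-1001", "amount": 1250.00, "date": "2009-03-02"},
    {"id": "P2", "vendor": "Acme Supply Inc", "invoice": "INV1001", "amount": 1250.00, "date": "2009-03-09"},
    {"id": "P3", "vendor": "Office Depot", "invoice": "77231", "amount": 89.10, "date": "2009-03-11"},
]
PCARD_TXNS = [
    {"id": "C1", "card": "4111", "merchant": "BEST BUY #12", "mcc": "5732", "amount": 499.00, "date": "2009-03-05"},
    {"id": "C2", "card": "4111", "merchant": "BEST BUY #12", "mcc": "5732", "amount": 480.00, "date": "2009-03-05"},
    {"id": "C3", "card": "4222", "merchant": "Lucky Casino", "mcc": "7995", "amount": 120.00, "date": "2009-03-06"},
    {"id": "C4", "card": "4222", "merchant": "Dell", "mcc": "5732", "amount": 1800.00, "date": "2009-03-06"},
    {"id": "C5", "card": "4333", "merchant": "Staples", "mcc": "5943", "amount": 42.50, "date": "2009-03-06"},
]
JOURNAL_ENTRIES = [
    {"id": "J1", "user": "vp_sales_emea", "manual": True, "amount": 250000.00, "posted": "2009-04-03 23:15"},
    {"id": "J2", "user": "ap_clerk", "manual": False, "amount": 1250.00, "posted": "2009-03-16 10:05"},
    {"id": "J3", "user": "controller", "manual": True, "amount": 15000.00, "posted": "2009-04-02 09:30"},
]
# Assumed policy thresholds for the illustration (not from the interview).
PCARD_POLICY = {"single_limit": 500.00, "blocked_mcc": {"7995", "5813"}}  # 7995 gambling, 5813 bars
PERIOD_END = date(2009, 3, 31)
PL_OWNERS = {"vp_sales_emea"}  # users who own a P&L and should not post manual entries after close


def norm(text):
    """Normalize vendor/invoice/merchant strings so 'Acme Supply Inc' and 'ACME SUPPLY, INC.'
    compare equal. This is the 'precision of the analytic' point: naive equality misses most
    real duplicates, while no normalization at all floods the reviewer with false positives."""
    s = re.sub(r"[^A-Z0-9 ]", "", text.upper())
    s = re.sub(r"\b(INC|LLC|LTD|CO|CORP)\b", "", s)
    return re.sub(r"\s+", "", s)


def duplicate_payments(payments, window_days=30):
    """Flag a payment whose normalized (vendor, invoice, amount) key repeats within the window."""
    seen, hits = {}, []
    for p in sorted(payments, key=lambda r: r["date"]):
        key = (norm(p["vendor"]), norm(p["invoice"]), round(p["amount"], 2))
        d = datetime.strptime(p["date"], "%Y-%m-%d")
        if key in seen and (d - seen[key][1]).days <= window_days:
            hits.append(("DUP_PAY", p["id"], seen[key][0]))  # (rule, this payment, earlier payment)
        seen[key] = (p["id"], d)
    return hits


def pcard_exceptions(txns, policy):
    """Check every card line item against policy: single-transaction limit, blocked merchant
    categories, and split purchases (same card, merchant and day summing past the limit)."""
    hits, by_day = [], defaultdict(list)
    for t in txns:
        if t["amount"] > policy["single_limit"]:
            hits.append(("PC_OVER_LIMIT", t["id"]))
        if t["mcc"] in policy["blocked_mcc"]:
            hits.append(("PC_BLOCKED_MCC", t["id"]))
        by_day[(t["card"], norm(t["merchant"]), t["date"])].append(t)
    for group in by_day.values():
        if len(group) > 1 and sum(t["amount"] for t in group) > policy["single_limit"]:
            hits.append(("PC_SPLIT", ",".join(t["id"] for t in group)))
    return hits


def journal_exceptions(entries, period_end, pl_owners, round_threshold=100000.00):
    """Surface journal entries that look like management override: manual post-close entries by
    a P&L owner, large round-number amounts, and postings outside business hours."""
    hits = []
    for e in entries:
        posted = datetime.strptime(e["posted"], "%Y-%m-%d %H:%M")
        if e["manual"] and e["user"] in pl_owners and posted.date() > period_end:
            hits.append(("JE_OWNER_POST_CLOSE", e["id"]))
        if e["amount"] >= round_threshold and e["amount"] % 10000 == 0:
            hits.append(("JE_ROUND_LARGE", e["id"]))
        if posted.hour < 6 or posted.hour >= 22 or posted.weekday() >= 5:
            hits.append(("JE_OFF_HOURS", e["id"]))
    return hits


def run_monitoring():
    """One daily pass over all three feeds; returns the exception queue for an independent reviewer."""
    return {
        "ap": duplicate_payments(AP_PAYMENTS),
        "pcard": pcard_exceptions(PCARD_TXNS, PCARD_POLICY),
        "gl": journal_exceptions(JOURNAL_ENTRIES, PERIOD_END, PL_OWNERS),
    }


if __name__ == "__main__":
    for feed, exceptions in run_monitoring().items():
        for exc in exceptions:
            print(feed, *exc)
```

Each exception carries the rule that fired and the record ids involved, which is what lets a reviewer in a shared services centre clear it quickly; a production system would also persist cleared exceptions so that tomorrow's run does not re-surface what was already examined, the workflow point made in the interview. The round-amount and off-hours rules are deliberately noisy and would be tuned per ledger; the owner-posts-after-close rule is the one that maps most directly onto the management override risk.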
As CEO of Oversight Systems, Patrick is responsible for understanding customer needs for operational governance and making sure those needs are met in Oversight's product development. Patrick recognized that most IT security and financial system controls focus on user access and role management but don't address the need to understand the integrity of what people do in their authorized roles and activities. After speaking with executives from across the country, Patrick launched Oversight Systems to pioneer the concepts and technology for transaction integrity monitoring.
As a respected information security industry insider who served in various product management and strategic marketing roles with Internet Security Systems and Symantec, Patrick is a frequent speaker at conferences such as RSA, Networld + Interop, Comdex, NetSec and the Goldman Sachs Information Technology Conference. Patrick also worked in leading roles with ORACLE, Red Brick Systems, GO, Air2Web and Fast-Talk. Patrick has a Bachelor of Mechanical Engineering with honors from the Georgia Institute of Technology and an MBA from the Harvard Graduate School of Business Administration.