Controlling the Cost of Management Controls


In 1904 Vilfredo Pareto, a noted Italian economist, studied the concentration of wealth in Italy and other European countries and found that 80 percent of wealth was held by 20 percent of the population. That same distribution was later applied to operations management by management author Joseph Juran in the 1940s. This has now become known as the “Pareto Principle” or the “80/20 Rule”. In many instances the population of a company’s business transactions takes on the same 80/20 distribution; i.e., 20 percent make up 80 percent of the dollars. Applying the 80/20 Rule focuses management’s efforts on better controlling high-dollar transactions that have the greatest business risk while allowing for a streamlined process for the rest. I’ve been recommending and implementing the 80/20 Rule on process improvement projects for my clients for quite some time. This has resulted in strengthened controls while reducing management time and costs. This is especially important in the current environment where companies are facing increasing risk management and regulatory compliance costs.

To demonstrate this concept, consider management controls surrounding, say, Purchasing transactions.  A fairly simple analysis of the population of Purchasing transactions will bear out what Pareto taught us years ago; i.e., that 20 percent of the population of Purchasing transactions (POs) will represent 80 percent of the dollars spent by a company.  Hence you can enhance management controls where you spend your money while reducing management time and costs where you do not.

I once observed a CFO who signed all of his company’s POs regardless of their amount.  That CFO had turned himself into a glorified admin who was, in effect, rubber stamping all POs in front of him each day because he simply could not review the volume of POs on his desk.  It would have been far better if he reviewed only the top 20 percent of the POs using an 80/20 analysis.  Then, he could have actually spent the time to understand those high-dollar POs.  All he was really doing was bottle-necking and driving up the transaction processing costs of the entire Purchasing operation while rendering himself useless as a CFO.

Here’s how to apply the Pareto Principle.  Continuing with Purchasing transactions, list out all POs written over a sample period of time by downloading a listing of PO amounts to Excel.  If taking a sample of only several months, you may want to adjust out or compensate for seasonality or business cycle differences.  You should also exclude those types of purchases that are not necessarily pertinent to this type of analysis; e.g., electric utility bills.  Then, add cumulative totaling and cumulative percentages to each row.  It will soon become apparent where the 80/20 break point is located.
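The spreadsheet analysis described above, written out as an added Python example (it is not part of the original article). The record fields, the "utilities" category label, the tie handling and the sample PO amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    category: str
    amount: int  # whole dollars


# Constructed sample data (not from the article): eleven POs from one period.
SAMPLE_POS = [
    PurchaseOrder("PO-1001", "equipment", 50000),
    PurchaseOrder("PO-1002", "contractor", 30000),
    PurchaseOrder("PO-1003", "software", 6000),
    PurchaseOrder("PO-1004", "supplies", 4000),
    PurchaseOrder("PO-1005", "supplies", 3000),
    PurchaseOrder("PO-1006", "travel", 2500),
    PurchaseOrder("PO-1007", "supplies", 2000),
    PurchaseOrder("PO-1008", "travel", 1500),
    PurchaseOrder("PO-1009", "supplies", 700),
    PurchaseOrder("PO-1010", "supplies", 300),
    PurchaseOrder("PO-1011", "utilities", 12000),  # excluded from the analysis
]

# Assumed category label for purchases the article says to leave out.
EXCLUDED_CATEGORIES = frozenset({"utilities"})


def pareto_rows(pos, excluded=EXCLUDED_CATEGORIES):
    """Sort POs largest first and add cumulative total and cumulative percent."""
    kept = sorted(
        (po for po in pos if po.category not in excluded and po.amount > 0),
        key=lambda po: po.amount,
        reverse=True,
    )
    total = sum(po.amount for po in kept)
    rows, running = [], 0
    for po in kept:
        running += po.amount
        rows.append({
            "po_id": po.po_id,
            "amount": po.amount,
            "cum_total": running,
            "cum_pct": round(100 * running / total, 1),
        })
    return rows


def approval_threshold(rows, dollar_share=80):
    """Find the PO amount at which the largest POs cover dollar_share percent."""
    if not rows:
        raise ValueError("no purchase orders left after exclusions")
    if not 0 < dollar_share <= 100:
        raise ValueError("dollar_share must be in (0, 100]")
    total = rows[-1]["cum_total"]
    # Integer comparison avoids rounding surprises at the break point.
    break_row = next(r for r in rows if r["cum_total"] * 100 >= dollar_share * total)
    threshold = break_row["amount"]
    # A dollar threshold also catches any POs tied with the break-point amount.
    reviewed = [r for r in rows if r["amount"] >= threshold]
    reviewed_dollars = sum(r["amount"] for r in reviewed)
    return {
        "threshold": threshold,
        "reviewed_count": len(reviewed),
        "reviewed_count_pct": round(100 * len(reviewed) / len(rows), 1),
        "reviewed_dollar_pct": round(100 * reviewed_dollars / total, 1),
    }


if __name__ == "__main__":
    table = pareto_rows(SAMPLE_POS)
    for row in table:
        print(f"{row['po_id']}  {row['amount']:>7,}  {row['cum_total']:>8,}  {row['cum_pct']:>5}%")
    print(approval_threshold(table))
```

Passing a different `dollar_share` to `approval_threshold` shows how many more POs land on the approver's desk when the threshold is moved downward for management's comfort.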

Companies often set ridiculously low approval authority thresholds for senior executives and are often surprised at how high the thresholds would be if they used an 80/20 analysis. Often there needs to be an adjustment in the dollar threshold downward to allow for management’s comfort level. Nevertheless, it is far better to control those transactions where money is being spent than to waste senior management’s time controlling transactions where it is not.

The Pareto Principle or the 80/20 rule can be applied to a wide variety of other types of transactions as well; e.g., check signing or cash disbursements and many other transaction control points.  It can be used to better control risk management and compliance costs.  In addition, it can be applied to focus customer service and business development to the 20 percent of the customers that represent 80 percent of the revenue.  Hence, better management controls at reduced costs.  All thanks to Vilfredo Pareto!

© 2016, The Fast Track Group, LLC

Our Top Ten Steps To Establishing Risk Management Procedures

The Wall Street Journal recently reported that Senator Charles Schumer (D, NY) is introducing a bill on Corporate Governance.  “One provision would require the boards of public companies to appoint special committees to oversee risk management, according to a draft of the proposed legislation reviewed by The Wall Street Journal.  The Securities and Exchange Commission is considering a rule that would require boards to disclose their role in managing risk.”[i]

While you might think that will not apply to private companies, think again.  Just like with Sarbanes-Oxley, private companies that have public company investors or lenders, as well as investment advisors and fiduciaries may well have to demonstrate their risk management procedures and show their documentation to auditors and their financial stakeholders.  In addition, risk management does not apply only to financial institutions.  While much has happened in the financial markets in this past year to evidence that many financial institutions ignored risk management, it applies equally to Real Estate companies, Manufacturing companies, Consumer Products companies, etc.
We have had significant and recent experience assisting clients to design, implement and document risk management processes. Here are our top-ten steps to establishing risk management.
1.      Ensure Senior-Level Commitment to Risk Management.  With all that has happened in this current economy, it should be obvious that many companies now on the ropes simply did not have their eye on risk management.  Many Board members increasingly concerned with director liability issues will be pushing hard for strengthening their risk management processes.  Ensuring senior-level commitment for risk management should be a given; however, it is a fundamental necessity for anyone involved in establishing or maintaining risk management procedures.
2.      Determine the Board’s “Strategic Appetite” For Risk.  Consider the Lehman Brothers or AIG Boards of, say, several years ago.  Their strategies were to get into derivative instruments, taking on huge amounts of risk with what they thought were reasonable rewards.  At the end of the day, it seems that they were not paid for the risks they took on given the ultimate consequences.  Fast forward and ask yourself, if you were a member of either of those Boards today, would you have the same appetite for the risks they took given the same rewards?  Probably not.  That is a simple example of what we mean by determining the Board’s strategic appetite for risk.  It’s OK to take on risk, as long as you know what the risks are and are fairly compensated.  Boards in the past did not. Boards in the future will need to be more mindful of their strategic appetite for risk.
3.      Identify the Risks To Be Managed.  There are several methods for identifying risk, including: interviewing key involved department heads; sending out questionnaires; etc.  The method we have found most efficient and complete is to get a cross-functional group of key executives all in a room at the same time and focus on one aspect of the overall business in a facilitated brainstorming workshop environment.  Then repeat that workshop for another overall aspect of the business until all processes have been completed.  We find that the interchange of discussion among the key players provides a more fertile process for identifying risk than sitting with one key person one-on-one in their office.
One important aspect to facilitating a risk identification meeting is that everyone’s ideas are important no matter how “out there”, especially when identifying potential risks.  I once attended a risk management seminar and one of the speakers was going on about the importance of planning for pandemic risks such as what we are witnessing with the Swine Flu.  Many people I know would probably have considered discussing such a risk to be a waste of time.  No longer.  The lesson to be learned from that is to be receptive to identifying a wide range of new ideas concerning potential risks, not just the obvious ones.
4.      Prioritize the Risks Identified.  Once the risks for an area have been identified, and in the same meeting, prioritize those risks into categories of High, Medium and Low with respect to Probability of Occurrence.  In addition, create categories of financial impacts should the risk actually occur.  In that way, the higher and more costly risks can be prioritized for process redesign and presented in a color-coded format similar to the table that follows.
| Risks Identified | Probability of Occurring | Impact if it Occurs | Weighted Priority |
|---|---|---|---|
| Various risks identified | High | High | High |
| | High | Medium | Medium |
| | High | Low | Low |
| | Medium | High | High |
| | Medium | Medium | Medium |
| | Medium | Low | Low |
| | Low | High | High |
| | Low | Medium | Medium |
| | Low | Low | Low |
5.      Design the Baseline Risk Management Processes.  Once the risks are identified and prioritized, baseline business processes can be designed to mitigate those risks.  By “baseline” processes, we mean the processes for the core or largest components of the business with an emphasis at “normalizing” or standardizing the processes across as many of the core business units as possible.  This is especially important in a business that has grown through acquisition or where there are many offices or business units all “doing their own thing”.  In contrast, sound risk management processes require as high a level of procedural standardization as possible.
6.      Adjust the Baseline Processes For Business-Unit Operating Differences.  Once the baseline risk management processes are designed, they may need to be adjusted for legitimate business-unit operating differences.  By that we mean differences resulting from, say, operating in different countries with different laws and business practices or unavoidable differences between dissimilar business units that preclude strict standardization.  We call those “hard differences” because they are hard to overcome through standardization as compared with “soft differences” which are simply internal differences such as nomenclature or internal processes that vary from country to country or office to office that could more easily be standardized.
7.      Document All Risk Management Processes.  Process documentation will be necessary for training, to ensure ongoing compliance and to demonstrate to outside auditors and possibly even investors the procedural framework for the risk management processes that have been implemented.  We have developed our own very efficient approach for documenting risk management processes.  For more information on that, please visit our web site page, “Process Documentation” at FTG Approach to Process Documentation.  There you can follow a link to our white paper, “The Fast Track Approach to Process Documentation”.
8.      Implement IT Toolsets To Support Risk Management Processes.  If risk management processes are to be durable and efficient, they need to be automated and supported by IT toolsets that make their compliance routine and mandatory.  For example, in a transactional compliance monitoring area, one would expect to see automated e-mail ticklers and automated reporting to highlight procedural compliance issues prior to actually funding a new transaction.  Any procedural non-compliance would automatically prevent funding.
9.      Conduct Training.  I have seen more issues of non-compliance excused because of a lack of proper training.  Moreover, I have heard something similar to the following many times over, “We didn’t train our people in these new procedures so it’s not really their fault that they are not in compliance.”  If there is going to be a serious effort at implementing risk management procedures, there needs to be an equally serious effort at training.  That should include some measure of testing to ensure that people demonstrate that they know what is expected of them and that the training was successful in communicating compliance expectations.
10. Monitor Compliance.  Compliance monitoring starts early-on after implementation with a walk through to ensure that the risk management procedures are functioning as they were documented and as expected.  That should be performed by someone or a group independent from the business unit being reviewed and by someone or a group competent at doing walkthroughs and transactional testing and preparing written deficiency reports.  Typically an internal audit group that has done internal controls or Sarbanes-Oxley walkthroughs would have the skills to perform such risk management walkthroughs and to write-up deficiencies.  Those deficiency write-ups should be reported to the Board – and that step alone really gets everyone’s attention and gets them on the compliance bandwagon.
If the current economic environment has taught us any lessons, one should be that risk management is not a luxury to be practiced only by high-minded Best-In-Class companies.  It also appears likely that risk management standards may soon become a government-mandated set of regulations codified similar to Sarbanes-Oxley – only broader in scope beyond just financial reporting risk.
© 2016. The Fast Track Group, LLC. All Rights Reserved.

 


[i]Dvorak, Phred and Scannell, Kara. “Investors, Take Note:  New Bill to Target Boards, ‘Say on Pay'”.  The Wall Street Journal. 25 April 2009.

last edited on May 13th, 2009 at 4:22 PM

Our Top-Ten Steps to Fraud Prevention

A recent article in The Wall Street Journal* on employee fraud caught my attention.  The premise of the article is that more employee frauds are being committed in these difficult economic times.  Some business owners assume their business decline is due to the economy rather than a back office fraud.  Or, they may make the connection after cash is depleted and the business is failing.  How sad is that given that fraud is preventable.

The terms fraud prevention or fraud risk management are to me synonymous with the term “Internal Accounting Controls”.  I will frame this discussion using that terminology.  My recollection of the definition of Internal Accounting Controls (going back to graduate school and the CPA exam) goes something like this:

Internal Accounting Controls are those processes that provide reasonable, but not absolute, assurance that the misuse or misappropriation of assets is prevented or detected in the normal course of an accounting period and that financial statements are prepared on a timely basis and present fairly the results of operations and financial position of the entity.  Internal Accounting Controls are documented and all transactions are authorized and correct as to account, amount and timing.

Many business owners or senior managers often place greater importance on trust than on implementing fundamental Internal Accounting Controls.  I once conducted a fraud investigation for a major not-for-profit medical foundation.  Our investigation found that a long-time, trusted and popular employee had defrauded the foundation out of a significant sum of money.  He had been there 17 years, never took vacation, volunteered for special projects and everyone liked him and his lovely wife.  In fact, that profile is often typical of someone who commits a fraud; a long-term employee who never takes vacations, volunteers for special projects and is well liked.  Think about it.  They have been around long enough to earn trust, figure out what management will and will not look at, never take vacations and volunteer for special projects to ensure no one pokes around in what they are doing.

One take away from that experience is that the foundation’s executive director had some level of responsibility for his employee’s demise.  The director presented an attitude of disdain for back office minutia.  He had placed employee trust ahead of fundamental Internal Accounting Controls thereby creating an opportunistic environment.  At that instance in time, the employee had a family member with mounting medical expenses.  When the opportunity presented itself, the employee stole.  As the economy continues on its present course, seemingly trustworthy people with increasingly desperate financial difficulties will do the same thing too.

Here are our top-ten steps for improving Internal Accounting Controls.  This is certainly not a complete list and, as you can imagine, it is hard to keep it to ten.  Nevertheless, it is a good start for any business owner or senior managers of any company.

  1. Control Cash Coming In the Door.  There are essentially two means for doing this.  (1) Log all checks received at a company’s offices into a bound journal book before forwarding to Accounting.  Compare that day’s journal entries to the day’s deposit slips brought back from the bank.  The person who sorts and opens customer payment envelopes, outside of Accounting, maintains this log and keeps the daily deposit slips.  Periodically, the business owner or a senior manager compares the journal to the deposit slips and to the deposits (debits) in the Cash Account in the General Ledger, investigating any differences.  (2) Utilize the services of a bank lock box so that checks are automatically deposited.  This is an especially good solution in small offices that do not have good segregation of duties.  These two solutions will help control the cash inflow side of the equation.
  2. Control Cash Going Out the Door.  An analysis of each population of Purchasing, Accounts Payable and Cash Disbursement transactions will reveal that 20 percent of those transactions will represent 80 percent of the dollars.  So, enhance the controls over the 20 percent of the transactions that represent 80 percent of the dollars by ensuring that those transactions are fully reviewed and approved by the business owner or a senior manager.  For guidance on implementing the 80/20 rule, please visit our Our Thought Leadership web site page and peruse the article entitled “Controlling the Cost of Management Controls”.  This will help control the cash outflow side of the equation.
  3. Inspect Checks and Bank Statements. The business owner or a senior manager should be receiving all bank statement envelopes unopened each month.  That person should review the statements for any unusual transactions and should inspect the front and back of each check returned by the bank for unusual payees or endorsements that don’t match the payee name.
  4. Control Master File Records. By “Master File Records” we mean the Vendor addressing particulars in the Accounts Payable system and Employee addressing and pay rate particulars in the Payroll system.  Initially, the business owner or a senior manager should inspect all Vendor records to look for unusual or unknown vendors.  Likewise, this should be done for the Employee Master File Records in the Payroll system, looking for unknown or terminated employees, matching addresses or unusual pay rates.  Once that is done, access to modify those records should be restricted to ensure that phony vendors or employees are not introduced or that addresses, direct deposit information or pay rates are not changed without authorization.  Then on a monthly basis, these Master File Records should be re-reviewed.  All Vendor payment envelopes or 1099s returned undeliverable by the Post Office should be routed directly to the business owner or a senior manager for investigation.  Likewise, returned envelopes for Payroll checks, direct deposit remittance advices or W-2s should receive similar scrutiny.
  5. Conduct Surprise Payroll Payouts.  In addition to locking up the Payroll Master File (item 4 above), Business Owners or senior managers should periodically perform an Audit procedure known as a Surprise Payroll Payout.  In this procedure, each employee must obtain their Payroll check or Payroll remittance advice (for direct deposit people) in person from someone outside the Payroll department and must verify who they are by showing an ID card.  Any unclaimed checks or deposit slips are investigated as that could represent a fictitious employee.
  6. Review All Company Credit Card Statements.  I was speaking to an early-stage client recently and learned that the CFO/Controller, whom I had only met on several occasions, had perpetrated a credit card fraud amounting to over $100,000. He looked like a trustworthy fellow. He had been charging personal items to the company credit card, having the items delivered to his home.  A growing trend is to pay vendors via a company credit card.  This is not a bad thing since it provides for Accounts Payable process efficiencies and member reward points or airline miles. However, all too often the company credit card statements go to someone in Accounting and receive no greater scrutiny than a clerk expediting payment to avoid an embarrassment at a restaurant. All credit card statements should be reviewed by the Business Owner or a senior manager before being forwarded to Accounting for payment.
  7. Segregate Key Duties.  The essence of this is that you want to segregate duties between people who have access to assets from those who account for the assets.  You would also want to segregate duties between people who authorize transactions from those who account for transactions.  This is not an easy thing to accomplish in a small office environment, but it is not impossible.  It takes some thought to figure it out and it all depends on the organization of each specific office environment.
  8. Take a Look In the General Ledger.  I was once a turnaround CFO/Controller for a significant region of a publicly-held company.  I was brought in as a “clean up batter” after the company had discovered significant Accounting fraud.  Early into this situation I was working late one night preparing the upcoming year’s budget.  I had asked an accountant to budget the office telephone and electric expenses by inflating the past year’s expenses by the forecasted CPI for the upcoming year.  She came back with a budgeted expense amount that was some $350,000 more than I had expected.  I asked her why and she said it was “because of the credits.”  At first I didn’t get it but then it came to me.  In an effort to hide losses, the prior CFO/Controller had credited these utility expenses with offsetting debits going to obscure accrual accounts that we had not yet analyzed.  The lesson is that if someone is hiding something, one of the fastest ways of finding it is to look through the General Ledger for unusual transactions.  Not many Business Owners or senior managers will know how to do that.  It is time to learn how!
  9. Tighten Up Budgets and Insist On Timely Variance Reporting.  Even with the best Internal Accounting Controls, it is still possible for a fraud to occur.  You try to minimize the opportunities through “preventive controls” but it is not possible to eliminate them all.  Then you have to fall back on “detective controls”.  One of the best detective controls is to establish tight budgets and insist on timely monthly financial reports; i.e., variance reports.  Investigate any variances from the expected for indications of a possible fraud.
  10. Document Accounting Processes and Procedures.  A fundamental attribute of any system of Internal Accounting Controls is written process documentation to ensure training and ongoing compliance.  I cannot tell you how many issues of non-compliance go undisciplined because of the excuse that processes were not written, hence you cannot expect compliance.  Furthermore, in today’s regulatory environment, auditors and regulators are more often insisting on reviewing written procedural documentation at the start of any audit.  If that documentation does not exist, is inadequate or out of date, that becomes a major finding.  For guidance on process documentation, please visit our Our Thought Leadership web site page and peruse the article entitled “The Process of Process Documentation”.
Our “Top-Ten Steps to Fraud Prevention” can be implemented by owner-managers of small businesses as well as by senior managers of larger companies.  In fact, I implemented these same steps in a $350 million publicly-held company with 7,000 employees during my tenure there as an interim Regional CFO/Controller.
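The monthly re-review described under “Control Master File Records” can be run as a script over exports of the vendor and payroll master files. The following Python sketch is an added example, not part of the original article; the record layouts, the separate HR roster used to spot unknown or terminated employees, the abbreviation list, the 1.5-times-median pay-rate rule and all sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed abbreviations so "27 Elm Street" and "27 Elm St." compare equal.
ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd",
                 "suite": "ste", "apartment": "apt"}


def normalize_address(address):
    """Lowercase, drop punctuation and apply abbreviations before comparing."""
    tokens = re.sub(r"[^a-z0-9]+", " ", address.lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)


def review_master_files(vendors, payroll, hr_roster):
    """Return sorted (finding, record ids) pairs for a reviewer to investigate."""
    findings = []
    emp_by_address = defaultdict(list)
    rates_by_title = defaultdict(list)
    for emp in payroll:
        emp_by_address[normalize_address(emp["address"])].append(emp["emp_id"])
        rates_by_title[emp["title"]].append(emp["pay_rate"])
        # hr_roster is an assumed list kept outside Payroll: emp_id -> status.
        status = hr_roster.get(emp["emp_id"])
        if status is None:
            findings.append(("UNKNOWN_EMPLOYEE", emp["emp_id"]))
        elif status == "terminated":
            findings.append(("TERMINATED_ON_PAYROLL", emp["emp_id"]))
    # Matching addresses between employees.
    for ids in emp_by_address.values():
        if len(ids) > 1:
            findings.append(("SHARED_EMPLOYEE_ADDRESS", "+".join(sorted(ids))))
    # Vendors whose remit-to address is an employee's home address.
    for vendor in vendors:
        ids = emp_by_address.get(normalize_address(vendor["address"]))
        if ids:
            findings.append(("VENDOR_AT_EMPLOYEE_ADDRESS",
                             vendor["vendor_id"] + "=" + "+".join(sorted(ids))))
    # Assumed rule: a rate more than 1.5x the median for the same title is unusual.
    for emp in payroll:
        peers = rates_by_title[emp["title"]]
        if len(peers) >= 3 and emp["pay_rate"] > 1.5 * median(peers):
            findings.append(("UNUSUAL_PAY_RATE", emp["emp_id"]))
    return sorted(findings)


# Constructed sample records (not real data).
VENDORS = [
    {"vendor_id": "V001", "address": "100 Main St., Suite 4, Springfield"},
    {"vendor_id": "V002", "address": "27 Elm Street Apt 3 Springfield"},
    {"vendor_id": "V003", "address": "PO Box 9, Shelbyville"},
]
PAYROLL = [
    {"emp_id": "E01", "title": "AP Clerk", "pay_rate": 24.0,
     "address": "27 Elm St. Apt. 3, Springfield"},
    {"emp_id": "E02", "title": "AP Clerk", "pay_rate": 25.0,
     "address": "9 Oak Avenue, Springfield"},
    {"emp_id": "E03", "title": "AP Clerk", "pay_rate": 23.5,
     "address": "14 Pine Road, Shelbyville"},
    {"emp_id": "E04", "title": "AP Clerk", "pay_rate": 48.0,
     "address": "3 Birch Street, Springfield"},
    {"emp_id": "E05", "title": "Warehouse", "pay_rate": 19.0,
     "address": "9 Oak Ave., Springfield"},
    {"emp_id": "E06", "title": "Warehouse", "pay_rate": 18.5,
     "address": "55 Lake Road, Shelbyville"},
    {"emp_id": "E07", "title": "Warehouse", "pay_rate": 18.0,
     "address": "8 Hill Street, Springfield"},
]
HR_ROSTER = {"E01": "active", "E02": "active", "E03": "active",
             "E04": "active", "E05": "active", "E06": "terminated"}

if __name__ == "__main__":
    for finding, record_ids in review_master_files(VENDORS, PAYROLL, HR_ROSTER):
        print(f"{finding:28} {record_ids}")
```

Each finding is a prompt for investigation rather than proof of fraud; two employees at one address, for example, may simply share a household.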
_____________________________________
* Covel, Simona. “Small Businesses Face More Fraud in Downturn: Employees Engage in Check Forgery, Petty-Cash Theft; Managers Sometimes Mistakenly Blame Lower Sales Instead of Foul Play.” The Wall Street Journal. 19 Feb. 2009: B5.

 

© 2009.  The Fast Track Group, LLC.  All Rights Reserved.

last edited on February 25th, 2009 at 2:25 PM

The Process of Process Documentation

Written process documentation is a key attribute of any system of internal controls.  And, the trend today in auditing, compliance and risk management is towards requiring more written documentation of a wider range of a company’s policies and procedures.  This is not just true for public companies but also for private companies and not-for-profits as well.

Many companies lack process documentation.  This is because the writing process is more involved than just setting pen to paper.  It involves thinking about how you currently do something and questioning whether or not there’s a better way to do it.  And, that gives rise to “change” which is a difficult enough process to manage.  We believe there is no better way to improve processes than to set about to write them down.  It is that exercise that identifies and forces decisions about change.
Too often process documentation projects are assigned to internal teams and fail for a variety of reasons, including:
  • The project is assigned to people that already have “day jobs” with higher priorities;
  • The internal team, though great in their current roles, lack the writing and flowcharting skills, experience or process investigation disciplines required for a process documentation project;
  • The internal team lacks project management methodologies such as documentation formats and templates gained and developed over a large number of similar projects; and
  • Many internal team members will lack the meeting facilitation skills needed to champion meaningful change that may be opposed by colleagues.
Managing change and documenting processes is something we’re heavily experienced at.  We have completed numerous Process Improvement projects (which are all about change management) and the by-product of that is always written process documentation.  To prepare that project deliverable in an efficient and timely manner, we have developed a structured approach to process documentation which always consists of two phases of work.  In Phase I we determine the scope of the documentation project and establish the project work plans.  In Phase II we undertake Process Improvement and process documentation.  Here is a highly summarized presentation of our approach.
PHASE I
Develop the Table of Contents
We always start by developing the Table of Contents.  To do this we facilitate a client meeting using white boards and flip charts listing all the processes in a “cradle to grave” order.  This is called a “process decomposition” meeting.  The Table of Contents defines the scope of the project and serves as a project road map.
While developing the Table of Contents, we always keep to the rule, “Process titles start with a verb”.  By structuring the Table of Contents so that each line starts with a verb, we are essentially describing in that first word what is being done by that process.  Then, one only needs to scan the Table of Contents to get a good insight to the overall processes.
It is important to develop the Table of Contents at the right level of detail.  Otherwise either the manual is too high level and is useless or too detailed and never gets read.  We usually go down two to three levels of detail only: (1) Mega processes; (2) Main processes; and (3) Sub processes.  Sometimes we combine sections; other times we break them apart until we get the right level of detail.  We don’t try to write at the “desk top procedures” level as that is way too detailed.
 
Finalize the Project Plan
Once the Table of Contents has been finalized we now know the scope of the manual to be written by the number of processes listed in the Table of Contents.  We then develop a detailed project plan using the Microsoft Project tool and we also develop a matrix that lists each section of the manual and the various steps to be performed on each section.  We then track our progress against both the project plan and the matrix to identify any section that warrants attention.
PHASE II
Conduct Process Interviews
Only after Phase I has been completed is it time to begin process interviews.  When drafting any new section of a process manual, we begin by interviewing the “Process Owner” or Go to Person; that’s the person that knows the most about how that process is being performed.  That is how we learn how the process is performed within the context of a client’s unique operating environment.  That person might also be a good source of Process Improvement ideas.
Identify Improvements to the “As Is” Processes
Once we have conducted the process interview with the Go to Person, we consider how the process is currently functioning as compared with our experience with how it should be functioning.  We then begin determining how the process should work in a new “will be” environment, not in the “as is”.  After all, we are consultants not scribes and our clients usually don’t bring us in to document what they do, but what they should be doing.
Document the “Will Be” Processes
We have found that the most efficient process documentation format is a combination of flowcharts and narratives.  Think of a two column document with flowcharts down the left and narrative down the right.  We use Microsoft Visio to develop the flowcharts, and copy and paste them into Microsoft Word.  The Word document we use is a template with the two vertical columns and with headers and footers already established.  Naturally, there are many timesaving tricks we use in this process and the templates make it go surprisingly quickly.
Build Team Consensus for Change
We take a highly collaborative approach on each documentation project in order to create buy in for the change we are recommending.  Accordingly, we meet with the client’s project team weekly to review the documentation sections we’ve completed and to build consensus on the process changes we are proposing in order to take the client from the “as is” to the “will be”.
Process documentation is a key attribute of any system of internal controls and auditors, compliance officers and risk managers are more often insisting on proper and up-to-date process documentation.  Process documentation projects are undoubtedly big efforts – usually not well suited to internally organized ad hoc teams.  However, a properly structured and executed process documentation project will lead to the bigger goal of process efficiency and efficacy as a result of the process improvements that are identified during the writing process.
This is a highly summarized version of our more detailed process documentation white paper. To view that, please download our white paper in PDF format by following this link to: FTG Approach to Process Documentation.
© 2009, The Fast Track Group, LLC. All Rights Reserved.

last edited on February 2nd, 2009 at 8:00 AM