Posted 20 December 2010 Filed Under: Industry Update

More Straight Scoop on Financial Controls

Those of you left wanting more after our recent rundown of the state of financial controls in corporate America are in luck – just for you, just in time for the holidays, we present Part II of our findings on Financial Controls. (For those of you who managed to miss the first installment, this is the latest in a series of surveys of 200 or so big-time industry influencers on what makes them and their businesses tick).

The good news from our findings is that the post-Enron, post-SOX message about the importance of internal controls really seems to have sunk in, with 78% of companies reporting concern about what companies can do with access to financial systems. This is no small thing, since preventing errors and fraud is both cheaper and less legally complicated than trying to fix them after the fact. As for the 22% focusing efforts on what employees have already done – well, it’s better than nothing . . . but that’s not saying much. Especially considering the results of our previous survey on fraud, wherein we learned that half of respondents worked in an organization that had experienced fraud in the previous year.

We also learned in that survey that there’s a pretty large gap between awareness of the risks of fraud and the measures taken to prevent it and monitor for it. To that end, we asked in this survey for some examples of situations in respondents’ organizations that were crying out for a Control Freak or two, and the replies we got made for very interesting reading. Some of our favorite examples are below.

o “We transitioned to a new accounting system and only had 1 person assigned to the reporting system.”

o “The Director of Employee Housing was using company funds to remodel personal properties for rental purposes. When we were researching the theft of assets, we literally caught him with a U-Haul loaded with TVs, furniture and expensive fixtures. Segregation of Duties was an unknown concept to the department at that time and that function is now outsourced.”

o “When I was first starting out, I was assigned the reconciliation of our refund account. I noticed the same names appearing on the check register and brought it to my boss’s attention. She came back and told me the Refund Clerk had documentation to support the checks and I should move on. I did, until the next month when the same names appeared multiple times in the manual refund checks for the month. That time I went to the A/R supervisor and asked to look at the account that the refund was being issued from. When there was no account, I asked that we search again. Same results. I then pulled a copy of the cancelled checks and looked at the endorsement on the back. The refund clerk had a unique handwriting and sure enough, she was cutting refund checks to a fictitious person and cashing them herself. Come to find out, my boss had eliminated the control that verified the refund check totals against the A/R totals for refunds requested prior to me starting employment. The Refund Clerk knew this was no longer being performed and seized the opportunity to begin writing herself checks. Over the course of six months, she wrote $28,000 in checks and cashed them using a fake ID. I sure wish my boss had listened to me the first time I asked the question because it would have stopped it two months earlier.”

o “Procurement manager with signing authority and no oversight resulting in collusion with a vendor to receive payment for goods and services never performed/received.”

We couldn’t have said it better ourselves. We talk a lot about the power of good old-fashioned Control Freaks, well deployed, in supporting an organization’s approach to preventing fraud and strengthening financial controls, and these real-life examples demonstrate that beautifully. (Or painfully, depending on how you look at it). Many thanks to all who took the time to respond. And happy holidays!


Posted 15 December 2010 Filed Under: Industry Update

The Straight Scoop on Financial Controls

Big news, people. The results have come in from our recent survey on financial controls, and the results are pretty interesting, if we do say so ourselves. As you may recall, this is part of a larger survey series wherein we solicit the opinions of industry big wigs, hot shots and muckety-mucks, all to get a better idea of just how businesses are confronting various challenges (and where a Control Freak or two might come in handy).

This time, we heard from 200 big Kahunas: top financial professionals from some of the world’s top businesses, government organizations and educational institutions.

As we said, the results were pretty illuminating, especially in shedding a light on who is managing what financial controls, and when and how they’re doing it.

First, who’s managing controls? At a crushing majority of organizations responding, it’s somebody in the C-suite who is responsible for ensuring that financial controls are in place. At most organizations – a healthy 68% – that person is the CFO. Elsewhere there’s a little variety, with somebody else with a C-title – CEO, Chief Compliance Officer, Chief Risk Officer or Controller – stepping up. A lowly 8% listed someone else.

And what are they managing? Well, 43% of organizations heard from in our survey have got a formal Enterprise Risk Management (ERM) initiative in place, and those folks get high praise from us Control Freaks. Nearly as many, though, have no ERM program in place – though if you got credit for considering a program, half of those would get a T for Thinking About It. The scariest stat for us was the 17% who don’t have any ERM initiative in place – or any plans to get one.

How often are controls managed? This one’s kind of a doozy – although, given the results of our recent fraud survey, the numbers are more dismaying than surprising. Nearly 75% of those surveyed are relying on manual means of checking financial controls as issues arise. Just over 25% get the Control Freak seal of approval on this one, with real-time automatic controls monitoring. And an interesting note about the folks whose monitoring is automated: so far, traditionalists are leading the way on this one, with more than 85% preferring on-premise controls monitoring to the on-demand, SaaS model. (Give us time . . . )

So what to make of all of this? Just as our fraud survey left us feeling like there’s a real gap between the perception of risk and actual policies in place that address it, here there seems to be a similar dynamic – more like a LA LA LA I CAN’T HEAR YOU THAT’S A PROBLEM FOR THE C-SUITE approach. Sure, it makes sense to see financial controls as the ultimate domain of somebody like a CFO. But risk management – across functions, across fiefdoms, across the tiniest of transactions, even – can’t just be a top-down process.

Automated monitoring and holistic approaches to risk aren’t just buzzwords – they’re really effective means of ensuring that an organization is accounting for and monitoring risk everywhere it poses a threat. And that’s something that everybody – not just the C-Suite – should be thinking about.


Posted 6 December 2010 Filed Under: Headline Chatter

Should’ve Had a Control Freak, The Fourth

We are happy to share the latest in our ongoing video series, Should’ve Had a Control Freak, wherein we highlight situations crying out for more control. The latest, which you can see here, breaks down a pretty embarrassing situation from our own government, wherein some $18 million in stimulus funds (yes, EIGHTEEN MILLION DOLLARS) accidentally got sent to people ineligible to . . . well, to cash the checks. Since they were deceased.

The good news – which restores a little faith in humanity – is that nearly half of that money was returned. But the other nine million appears to be gone for good. (Wish we could say that for the egg on the faces of the fed folks who should’ve known better.) Check out the video to see the simple steps they could have taken – and should be taking from now on – to prevent this sort of thing from happening.


Posted 18 November 2010 Filed Under: Industry Update

Easing the Burden on Board Members

Compliance Week has an interesting piece this week on the burden facing members of corporate boards, and how increased demands that they monitor corporate behavior may be costing a lot in terms of time left to spend on strategy.

The kicker, according to the piece, isn’t just that monitoring is taking up a lot of time, but that the rewards coming from that monitoring aren’t able to outweigh the losses in strategic thinking.

It makes sense, when you think about it a little bit. Board members are generally hired (we hope) for their business expertise, unique relationships and perspectives and the ability to see a big corporate picture. That may or may not overlap with an ability to pore through varied reports from audit, IT and finance about transactions that might be a little hinky.

It all reminds us of a great guest post we had a good ways back (in our Audit Trail days) with Julie Garland McLellan, who is a corporate governance expert based in Australia. As she wrote, Continuous Controls Monitoring (CCM) offers truly ground-breaking possibilities for using the real-time information required for governance reasons to inform corporate strategy.

Here’s an example from Julie’s post of how that could work –

“Consider . . . a retailer whose most recent sales summary shows an increase in sales in an Indian market, prompting board decisions to invest additional resources in building a factory there. Implementing such a plan can take a year’s worth of work, from construction to hiring. Now consider that, two months into planning, sales in that market stagnate. In order to plan effectively and avoid wasting resources – perhaps put the project on hold for a bit – the board must have regular access to the real-time operational visibility available to company employees. If boards were able to tap into this intelligence, they could make decisions incorporating rules to allow for changes in circumstances. So, for example, they could plan to build a factory in India provided that sales stay within certain defined parameters – with sales below those figures to be flagged as exceptions and reviewed by the board.”

It’s an interesting idea, that CCM info generated for governance and compliance reasons could play such an important role in strategy. What do you think? That’s what the comments are for . . .


Posted 9 November 2010 Filed Under: Industry Update

Weighing in on Whi$tle Blowing

Control Freaks that you are, you probably remember how closely we’ve been following the issue of emerging Dodd-Frank provisions rewarding corporate whistle blowers for going straight to the SEC with their concerns, rather than internal channels. And by rewards, we aren’t talking about a pat on the back or a friendly photo-op at a press conference. We’re talking cold hard cash – up to 30% of recoveries of more than $1 million.

As many have pointed out, a big-time incentive to avoid bringing concerns internally might not be the best development ever for companies looking to ensure robust and healthily transparent internal operations and a culture of compliance. And it turns out, the SEC seems to be getting that. From Compliance Week, we hear that the SEC is asking:

“for recommendations on the structures, processes, and incentives it should consider ‘in order to strike the right balance between the Commission’s need for a strong and effective whistleblower awards program, and the importance of preserving robust corporate structures for self-policing and self-reporting.’”

As the piece points out, comments are due by Dec. 17. Final rules must be issued by April 17, 2011.

So here’s your chance to be heard, everybody. Weigh in with your thoughts on how the SEC should balance its desire for reporting and its desire to foster corporate cultures where folks can be comfortable bringing concerns to management. You could be a part of history. For serious.
