Exception analytics - Balancing Risk & Control

Presented at the 2013 ISACA North American CACS in Dallas, this talk shares stories from the experience of the two facilitators, Dan French and Gonzalo Cuatrecasas, including ERP implementations, audit findings, and compliance and process variations across regions.


  1. Session 124: Exception Analytics - Balancing Risk & Control
     A New Era. A New Edge.
     Dan French & Gonzalo Cuatrecasas
     Monday 15th April 2013, 13:00-14:00

  2. Welcome
     Dan French, CEO, Consider Solutions
     Gonzalo Cuatrecasas, Former Head of IT Audit, Colgate Palmolive

  3. Today's topics
     • Landscape of risk assurance
     • Managing risk and managing control
     • The role of exception analytics
     • Approach to exception analytics
     • Case study examples
     • Risk & business performance
     • Pitfalls and critical success factors
     • Discussion

  4. Question for YOU! What is your primary role related to risk & control?
     1. Internal Audit
     2. IS/IT
     3. Finance
     4. Risk/Compliance
     5. External Audit
     6. Other

  5. Risk Assurance Landscape: IIA 2013 Pulse of the Profession - Outlook (chart; source: The Institute of Internal Auditors)

  6. Risk Assurance Landscape (chart; source: The Institute of Internal Auditors)

  7. Risk Assurance Landscape (chart; source: The Institute of Internal Auditors)

  8. Relevance of Risk Analytics
     • Stakeholder expectations are rising
     • Complexity
     • Interconnection
     • Reputation
     • Data

  9. Managing Risk vs. Managing Control (diagram)

  10. The Standardisation Myth
     • We invest heavily in ERP implementation to drive:
       - Process standardisation
       - Business efficiency
       - Economies of scale
     • However, only some of the value gets released: businesses implement standard systems and achieve a standard data input process, NOT a standard business process.

  11. ERP standardisation example
     • Intended flow: Purchasing creates a PO for the shipment; the goods receipt (GR) is created against the PO.
     • Actual flow: the truck drops off the shipment, but no PO exists; the warehouse calls Purchasing to create a PO; the GR is then created against it.
     • The ERP is configured to allow a GR only if a PO exists, however...
     • The "first time match" KPI looks good despite the process breakdown!

  12. What are Exceptions? An exception is
     • A mismatch between expected and actual performance
     • Something that generally should not happen but does
     • Something that should happen but doesn't
     • Happening on purpose or by accident
     • Occurring in single-digit percentages of transactions, but with an asymmetric impact on effort and efficiency
     • Often influenced by performance measures!
  13. Standardisation & Exceptions (diagram)

  14. The Business Case
     • Depends on
       - Organization
       - Situation
       - Bolting the stable door
     • The objective is typically
       - Assuring reputation
       - Reducing cost of audit
       - Cost avoidance & cash recovery
     • Identify
       - Direct benefits: cost/effort savings and avoidance
       - Soft benefits: attitude/image change and improvement
       - Benchmarks: continuous improvement
     • A scoped pilot can quickly validate value

  15. The Approach & Examples from the Field

  16. Methodology: risk analytics tasks by phase
     • Scope Definition
       - Agree objectives
       - Educate & inform
       - Gain commitment
     • Risk & Analytics Definition
       - Define risks & analytics criteria
       - Assess org landscape
       - Assess and map data sources
       - Define exclusion scenarios
     • Process Definition
       - CM (continuous monitoring) operational process: data gathering / analyses / results distribution
       - Technology management
       - Review & action enablement
     • Technology Support Set-Up
       - CM technology set-up, integration and management
       - SaaS / cloud / in-house
     • Execution
       - Business as usual
       - Gather data
       - Identify exceptions
       - Disseminate
       - Enable review & action
     • Operational Management
       - Review and refine analytics criteria
       - Oversee and facilitate review and action progress
       - Manage and maintain the CM operating environment

  17. Complexity
     • Org units: regions; accounting units / company codes; sales & purchasing groups; plants; shared service centres
     • Process variables: document types; vendor types; payment terms & methods
     • Data sources: transactions / master data / process configuration
     • Data gathering: daily / weekly / monthly; cumulative vs. overwrite
     • Analytics criteria: conditions; exclusions
     • Analytics results: detail & overview; reviewing communities
     • Enable review & action: explain / fix / refine criteria

  18. Examples ...
     • P2P / Accounts Payable: duplicate payments; retrospective POs; changing payment terms; duplicate invoices
     • O2C: price changes; undelivered orders; exceptional customer credits; payment terms
     • Fixed Assets: inappropriate asset depreciation periods; misclassified capital equipment
     • Travel & Entertainment: duplicate claims; suspicious claims; ineligible item claims
     • General Ledger: JE postings into prior periods already closed; manual payments

  19. What information do we need? (entity model)
     • INVOICE: Invoice Number, Vendor ID, Created By, Created Date, Invoice Amount
     • INVOICE LINE: Material ID, Quantity, Unit Price
     • VENDOR: Vendor ID, Vendor Name
     • ORG UNIT: Org Unit ID, Org Unit Name
     • VENDOR ORG UNIT: links Vendor to Org Unit

  20. Examples from the Field - Procurement: Duplicate Invoices
     • Rationale:
       - Ensure that an invoice is processed and paid only once
       - Avoid inflated purchases
       - Reduce/eliminate duplicate payments before they happen
     • Criteria:
       - Identify based on same supplier, same material, same invoice value, same period, (same invoice ID)
     • What we found:
       - Tens of millions in some cases
       - Invoices manually entered, leading to input errors
       - Supplier impatient for payment resends the same invoice
       - Some suppliers repeatedly submitting multiple invoices
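
The duplicate-invoice criteria from slide 20, run over the entity model of slide 19, as an added example (this code is not from the presentation or from Consider Solutions). It uses an in-memory SQLite database as a stand-in for the ERP tables and constructed sample invoices. The internal doc_id, the calendar month as "same period", the minimum-amount exclusion scenario and the vendor-name normalisation used to merge duplicate vendor master records are all assumptions; the last one matters because a strict "same supplier" join on Vendor ID misses an invoice re-posted under a second master record for the same supplier.

```python
import re
import sqlite3

LEGAL_SUFFIXES = {"LTD", "LIMITED", "GMBH", "INC", "LLC", "CO", "CORP", "PLC"}


def vendor_key(name):
    """Assumed normalisation to spot one supplier held under several vendor IDs:
    upper-case, drop punctuation and common legal suffixes, join what is left."""
    cleaned = re.sub(r"[^A-Z0-9 ]", "", name.upper())
    return "".join(w for w in cleaned.split() if w not in LEGAL_SUFFIXES)


# Constructed sample data, not taken from the presentation. doc_id is the ERP's
# internal document number (assumed), which is why the same supplier invoice can
# be posted twice. One line per invoice keeps the example short.
VENDORS = [
    ("V100", "Acme Industrial Ltd"),
    ("V101", "ACME INDUSTRIAL LTD."),   # second master record for the same supplier
    ("V200", "Bolt Supplies GmbH"),
]
# (doc_id, invoice_number, vendor_id, created_by, created_date, invoice_amount)
INVOICES = [
    (1, "INV-1001", "V100", "jdoe",   "2013-03-04", 12500.00),
    (2, "INV-1001", "V100", "asmith", "2013-03-18", 12500.00),  # resent by supplier, re-keyed
    (3, "INV-1002", "V100", "jdoe",   "2013-03-20",   980.00),
    (4, "INV-7A",   "V100", "jdoe",   "2013-03-21",  4300.00),
    (5, "INV-7A",   "V101", "jdoe",   "2013-03-25",  4300.00),  # same invoice, other vendor ID
    (6, "INV-3001", "V200", "mlee",   "2013-03-11",  4300.00),
    (7, "INV-3001", "V200", "mlee",   "2013-04-02",  4300.00),  # next period: not a strict hit
    (8, "INV-1002", "V100", "asmith", "2013-03-22",   980.00),  # small-value duplicate of doc 3
]
# (doc_id, material_id, quantity, unit_price)
INVOICE_LINES = [
    (1, "M-55", 10, 1250.00), (2, "M-55", 10, 1250.00),
    (3, "M-12",  2,  490.00), (8, "M-12",  2,  490.00),
    (4, "M-90",  1, 4300.00), (5, "M-90",  1, 4300.00),
    (6, "M-90",  1, 4300.00), (7, "M-90",  1, 4300.00),
]


def build_db():
    """Load the slide-19 entities (vendor, invoice, invoice line) into SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE vendor (vendor_id TEXT PRIMARY KEY, vendor_name TEXT, vendor_key TEXT);
        CREATE TABLE invoice (doc_id INTEGER PRIMARY KEY, invoice_number TEXT, vendor_id TEXT,
                              created_by TEXT, created_date TEXT, invoice_amount REAL);
        CREATE TABLE invoice_line (doc_id INTEGER, material_id TEXT, quantity INTEGER,
                                   unit_price REAL);
    """)
    conn.executemany("INSERT INTO vendor VALUES (?, ?, ?)",
                     [(vid, name, vendor_key(name)) for vid, name in VENDORS])
    conn.executemany("INSERT INTO invoice VALUES (?, ?, ?, ?, ?, ?)", INVOICES)
    conn.executemany("INSERT INTO invoice_line VALUES (?, ?, ?, ?)", INVOICE_LINES)
    return conn


def find_duplicate_invoices(conn, min_amount=0.0, match_invoice_number=False,
                            merge_vendor_records=False):
    """Slide-20 criteria: same supplier, same material, same invoice value, same period
    (calendar month here), optionally same invoice number. min_amount is an assumed
    exclusion scenario; merge_vendor_records groups on the normalised vendor name
    instead of the vendor ID so duplicates split across master records are caught."""
    supplier = "v.vendor_key" if merge_vendor_records else "i.vendor_id"
    extra = ", i.invoice_number" if match_invoice_number else ""
    sql = f"""
        SELECT {supplier} AS supplier, l.material_id, i.invoice_amount,
               strftime('%Y-%m', i.created_date) AS period,
               COUNT(*) AS n, GROUP_CONCAT(i.doc_id) AS docs
        FROM invoice i
        JOIN invoice_line l ON l.doc_id = i.doc_id
        JOIN vendor v ON v.vendor_id = i.vendor_id
        WHERE i.invoice_amount >= ?
        GROUP BY {supplier}, l.material_id, i.invoice_amount,
                 strftime('%Y-%m', i.created_date){extra}
        HAVING COUNT(*) > 1
        ORDER BY supplier, period, l.material_id
    """
    return [
        {"supplier": s, "material": m, "amount": a, "period": p, "count": n,
         "docs": tuple(sorted(int(d) for d in docs.split(",")))}
        for s, m, a, p, n, docs in conn.execute(sql, (min_amount,))
    ]


if __name__ == "__main__":
    db = build_db()
    for label, kwargs in [("strict", {}), ("excluding amounts below 1000", {"min_amount": 1000}),
                          ("merged vendor records", {"merge_vendor_records": True})]:
        print(label)
        for hit in find_duplicate_invoices(db, **kwargs):
            print("  ", hit)
```

The strict run reports docs 1/2 and 3/8; raising the exclusion threshold to 1000 drops the 980.00 pair; only the merged-vendor run also reports docs 4/5, which is the duplicate-vendor root cause named in Example 1 later in the deck.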
  21. Examples from the Field - Fixed Assets: Incorrect Depreciation Periods
     • Rationale:
       - Assets depreciated to zero in a shorter period than required can be disposed of to third parties at a preferential rate
     • Criteria:
       - Fixed asset records where depreciation periods are not in line with statutory guidelines for the asset class, especially shorter periods
       - Example: company cars depreciated over less than the advised 4-5 years
       - Other examples: buildings (40 years), new machinery & equipment (15 years), office technology (3 years)
     • What we found:
       - Company cars depreciating in 1 year and then being disposed of, value in excess of $1m
       - Buildings depreciating in 1 year

  22. Examples from the Field - Travel & Expense: Fraud Issues
     • Rationale:
       - Identify & prevent fraudulent and "creative" use of expenses
     • Criteria:
       - Identify expense records with suspicious characteristics, such as
         duplicate expense items (same item, same amount);
         multiple claims just under the threshold at which proof of purchase is needed;
         claims for full-price air tickets when discounts are available
     • What we found:
       - Same meals & hotels claimed again a month later
       - Personal expenses claimed: taxis / trains / travel agent fees
       - "Gifts" a common expense item
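
Two of the slide-22 criteria (duplicate items and claims clustered just under the proof-of-purchase threshold) over a constructed set of expense claims, as an added example that is not from the presentation. The receipt threshold, the width of the band watched below it and the count that makes a cluster are assumed policy values; the slide gives none.

```python
from collections import defaultdict
from datetime import date

# Assumed policy values (the slide gives none): claims of 25.00 or more need proof of
# purchase, so claims in the 2.00 band just below that are watched, and three or more
# such claims by one employee in a month count as a cluster.
RECEIPT_THRESHOLD = 25.00
UNDER_BAND = 2.00
CLUSTER_MIN = 3

# Constructed expense claims: (claim_id, employee, claim_date, item, amount)
CLAIMS = [
    ("C1",  "E01", date(2013, 1, 14), "hotel", 189.00),
    ("C2",  "E01", date(2013, 2, 12), "hotel", 189.00),   # same hotel claimed a month later
    ("C3",  "E01", date(2013, 1, 14), "meal",   42.50),
    ("C4",  "E01", date(2013, 2, 12), "meal",   42.50),   # same meal, a month later
    ("C5",  "E02", date(2013, 3, 4),  "taxi",   24.50),
    ("C6",  "E02", date(2013, 3, 6),  "taxi",   24.90),
    ("C7",  "E02", date(2013, 3, 11), "taxi",   23.75),
    ("C8",  "E02", date(2013, 3, 18), "taxi",   24.00),   # four taxi rides just under 25.00
    ("C9",  "E02", date(2013, 3, 19), "taxi",   25.00),   # at the threshold: receipt required
    ("C10", "E03", date(2013, 3, 5),  "taxi",   24.50),   # a single claim in the band is normal
    ("C11", "E03", date(2013, 3, 5),  "meal",   31.00),
    ("C12", "E03", date(2013, 3, 19), "meal",   31.00),   # duplicate item and amount
]


def duplicate_items(claims):
    """Same employee, same item, same amount claimed more than once, on any dates.
    Reports the claim IDs in date order and the span between first and last."""
    groups = defaultdict(list)
    for claim_id, emp, when, item, amount in claims:
        groups[(emp, item, round(amount, 2))].append((when, claim_id))
    findings = []
    for (emp, item, amount), hits in groups.items():
        if len(hits) < 2:
            continue
        hits.sort()
        findings.append({
            "employee": emp, "item": item, "amount": amount,
            "claims": [cid for _, cid in hits],
            "span_days": (hits[-1][0] - hits[0][0]).days,
        })
    return findings


def under_threshold_clusters(claims):
    """Employees with CLUSTER_MIN or more claims in the band just below the receipt
    threshold within one calendar month; the IDs are returned per (employee, month)."""
    band = defaultdict(list)
    for claim_id, emp, when, item, amount in claims:
        if RECEIPT_THRESHOLD - UNDER_BAND <= amount < RECEIPT_THRESHOLD:
            band[(emp, when.strftime("%Y-%m"))].append(claim_id)
    return {key: ids for key, ids in band.items() if len(ids) >= CLUSTER_MIN}


if __name__ == "__main__":
    for finding in duplicate_items(CLAIMS):
        print("duplicate:", finding)
    for (emp, month), ids in under_threshold_clusters(CLAIMS).items():
        print(f"under-threshold cluster: {emp} {month} {ids}")
```

The cluster rule deliberately ignores the item type: a claimant who learns the threshold tends to spread the pattern across categories, so the count is per employee and month.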
  23. Examples from the Field - Sales: Price Changes
     • Rationale:
       - Changes to prices may lead to fraudulent / inappropriate pricing of sales orders
       - Price changes after creation can be a tactic to bypass the controls / approvals / workflows in place for order creation
       - "Local agreements" / "unapproved discounting"
       - Prices increased to finance an intermediary
       - Impacts cash flow forecasting & margin
     • Criteria:
       - Identify sales orders with prices changed after initial creation
     • What we found:
       - 16% of orders within a 1-month period had their price changed
       - Plus 1000s more changed from placeholder values (e.g., 0.01), circumventing the system control and distorting financial numbers
       - Many changes post order creation: discounting, avoiding approvals

  24. Examples from the Field - Procurement: Non-Standard Payment Terms
     • Rationale:
       - Unnecessary effect on cash outflow and working capital
       - Excessively short payment terms: potentially inappropriate relationships
       - Excessively long terms may indicate future-period commitments
       - Multi-touch POs increase the cost of processing
     • Criteria:
       - Identify any purchase orders where the payment terms used are not the standard payment terms agreed with the vendor
     • What we found:
       - >8% of POs with non-standard payment terms
       - Many terms changed after PO creation from standard to non-standard
       - Many with reduced payment periods for the same discount model, for example 30 days / 2% (standard terms) changed to 10 days / 2%
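
Slides 23 and 24 both boil down to comparing a document's current state with its state at creation, or with the master data that should govern it, using the ERP's change log. The added example below (not from the presentation) does both on constructed data: it flags sales orders whose price changed after creation, classifying placeholder-to-real, discount and increase, and purchase orders whose payment terms differ from the vendor's standard, noting whether the terms were changed after creation and whether the period was shortened for the same discount. The change-log layout, the "30/2%" terms notation, the placeholder value set and all sample records are assumptions.

```python
# Assumed placeholder prices: orders created with a token value so the real price can be
# entered later, bypassing the approval that runs at creation. The slide cites 0.01.
PLACEHOLDER_PRICES = {0.01}

# Constructed sales orders: order_id -> (created_at, price at creation)
SALES_ORDERS = {
    "SO-1": ("2013-03-05T09:30", 0.01),
    "SO-2": ("2013-03-01T11:00", 250.00),
    "SO-3": ("2013-03-02T14:15", 99.00),     # never changed
    "SO-4": ("2013-03-06T08:00", 120.00),
}
# Constructed purchase orders: po_id -> (vendor_id, created_at, current payment terms)
# Terms are written "net days/discount percent", an assumed notation.
PURCHASE_ORDERS = {
    "PO-7":  ("V1", "2013-03-01T09:00", "30/2%"),
    "PO-8":  ("V1", "2013-03-03T09:00", "60/0%"),
    "PO-9":  ("V1", "2013-03-04T09:00", "10/2%"),
    "PO-10": ("V2", "2013-03-04T10:00", "45/0%"),
    "PO-11": ("V2", "2013-03-08T10:00", "20/0%"),   # created non-standard, never changed
}
VENDOR_STANDARD_TERMS = {"V1": "30/2%", "V2": "45/0%"}   # constructed vendor master data

# Constructed change log: (object_id, field, old_value, new_value, changed_at, changed_by)
CHANGE_LOG = [
    ("SO-1", "price", "0.01",   "250.00", "2013-03-05T10:05", "rep1"),
    ("SO-2", "price", "250.00", "212.50", "2013-03-09T16:40", "rep2"),
    ("SO-4", "price", "120.00", "135.00", "2013-03-07T09:00", "rep3"),
    ("PO-8", "payment_terms", "30/2%", "60/0%", "2013-03-12T09:10", "buyer1"),
    ("PO-9", "payment_terms", "30/2%", "10/2%", "2013-03-13T14:00", "buyer1"),
]


def parse_terms(terms):
    """'30/2%' -> (30, 2.0): net days and early-payment discount percent."""
    days, pct = terms.split("/")
    return int(days), float(pct.rstrip("%"))


def price_changes_after_creation(orders, change_log):
    """Slide-23 criterion: price changed after the order was created. ISO-8601
    timestamps compare chronologically as strings."""
    findings = []
    for obj, field, old, new, changed_at, who in change_log:
        if field != "price" or obj not in orders or changed_at <= orders[obj][0]:
            continue
        old_p, new_p = float(old), float(new)
        if old_p in PLACEHOLDER_PRICES:
            kind = "placeholder"
        elif new_p < old_p:
            kind = "discount"
        else:
            kind = "increase"
        findings.append({"order": obj, "old": old_p, "new": new_p, "kind": kind, "by": who})
    return findings


def price_change_rate(orders, change_log):
    """Share of orders with at least one post-creation price change (the slide's 16%)."""
    changed = {f["order"] for f in price_changes_after_creation(orders, change_log)}
    return len(changed) / len(orders)


def non_standard_terms(pos, standard, change_log):
    """Slide-24 criterion: PO terms differ from the vendor's agreed standard terms."""
    changed_after = {obj for obj, field, _o, _n, at, _w in change_log
                     if field == "payment_terms" and obj in pos and at > pos[obj][1]}
    findings = []
    for po_id, (vendor, _created, terms) in pos.items():
        std = standard[vendor]
        if terms == std:
            continue
        days, pct = parse_terms(terms)
        std_days, std_pct = parse_terms(std)
        findings.append({
            "po": po_id, "vendor": vendor, "terms": terms, "standard": std,
            "changed_after_creation": po_id in changed_after,
            "shorter_same_discount": days < std_days and pct == std_pct,
            "longer": days > std_days,
        })
    return findings


if __name__ == "__main__":
    for f in price_changes_after_creation(SALES_ORDERS, CHANGE_LOG):
        print("price change:", f)
    print(f"orders with post-creation price change: {price_change_rate(SALES_ORDERS, CHANGE_LOG):.0%}")
    for f in non_standard_terms(PURCHASE_ORDERS, VENDOR_STANDARD_TERMS, CHANGE_LOG):
        print("non-standard terms:", f)
```

PO-11 shows why the master-data comparison and the change-log check are both needed: its terms were never changed, so a change-log-only analytic would miss a PO that was non-standard from the start.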
  25. So What?
     • 100% of transaction data continuously monitored, not sampling
     • Facts, not opinions
     • Exceptions: sharp focus, minimal noise
     • Technology used effectively to take care of the leg-work, freeing high-value resources for high-value work
     • Business value driven, enabling better business partnering

  26. Question for YOU! What is the status of exception analytics to monitor risk in your organisation?
     1. Well embedded, mature model
     2. Emerging scope / programmed roll-out
     3. Limited scope / first attempts
     4. Planning stage
     5. Not under consideration

  27. The Gearbox of Risk & Performance (diagram)

  28. Business Process Performance (diagram)

  29. Example 1: Invoice Processing
     • Desired process
       - Purchase order to initiate and approve the purchase
       - Touch-less invoice/payment approval on match
     • KPIs
       - First time match rate
       - Invoice processing cost/effort
     • What can go wrong (Key Exception Indicator)
       - Duplicate invoices, duplicate vendors, duplicate POs
     • Discovery
       - 3% duplicate invoices causing re-work and cash loss
     • Root cause
       - Duplicate vendor data, imprecise PO data

  30. Risk & Performance
     • Lagging & leading indicators
     • Exceptions are leading indicators of performance & risk
       - Performance KPI (measure): DSO (days sales outstanding)
       - A/R risks & exceptions (barriers): credit check; payment terms; delivery quantity & quality
     • Unintended consequences: managing by KPI can drive suboptimal business results

  31. The Myth of Measures

  32. World Class Continuous Improvement

  33. Question for YOU! In which financial process area do you see the biggest benefit of monitoring business exceptions?
     1. Purchase to Pay / accounts payable
     2. Record to Report / general ledger
     3. Order to Cash / accounts receivable
     4. Treasury
     5. Other

  34. Pitfalls & Critical Success Factors

  35. What could go wrong?

  36. Balanced Skill-set
     • Analytical / critical thinking
     • Process / risk understanding
     • Data structure knowledge
     • Data filtering & data analysis skills
     • Risk analytic design
     • Diagnosis & root cause analysis
     • Communication skills

  37. Critical Success Factors
     • Continuous monitoring, audit and risk analytics are receiving more and more attention: take time to be clear what the objective is
     • Focus on genuine business risk
     • Use risk analytics to enhance the business partnership
     • Identifying and managing exceptions should already be a key focus for management
     • Rapid results & quick wins are critical
     • Keep track of value delivered

  38. The Red Ferrari Test . . .

  39. Question for YOU! Where is the value in exception analytics to monitor risk in your organisation?
     1. Cash recovery / cash saving
     2. Effort reduction / effort avoidance
     3. Improved testing depth, scope & quality
     4. Improved business relationship
     5. Other

  40. Developing the Case for Action
     • Prove concept, build the business case
     • Scoped process & risk theme
     • One-time extraction and analysis of relevant system data and transactions for the period
     • Analysis performed on 100% of transactions against agreed risk thresholds
     • Aggregate & detail exception reporting
     • Joint review of exceptions found and exploration of underlying issues

  41. Topic Review
     • Landscape of risk assurance
     • Managing risk and managing control
     • The principles of exception analytics
     • Risk & business performance
     • Approach to exception analytics
     • Case study examples
     • Challenges and critical success factors
     • Discussion

  42. Exception Analytics - Balancing Risk & Control & Performance! Key Takeaways
     1. False sense of security: "barrier" controls alone are not enough
     2. Continuous improvement required: both risk & performance need exceptions in focus
     3. Facts must rule: exceptions have a monetary as well as a risk value

  43. Dan French & Gonzalo Cuatrecasas
     dfrench@consider.biz, gcuatrecasas@consider.biz
     Experiences & Observations: http://consider-ations.blogspot.com/
     solutions for world class finance