In this special five-podcast series, Matt Kelly and I are exploring the future of internal audit (IA), compliance and analytics. In Part III, we consider three examples of how a risk management process framework could be used. The examples are (1) invoices arriving before the purchase order (PO); (2) Travel and Entertainment (T&E) spending at $49; and (3) hotline metrics for compliance and culture analysis.
Invoices and no POs
The first example comes from Cisco Systems, Inc. (Cisco), which develops all of its technology in house. While the technology it uses is not important here, it is interesting to think through what Cisco was trying to accomplish. Cisco wanted to determine how often an invoice reached the accounting department for payment before the corresponding Purchase Order (PO) had been received by that department. To do so, the company tracked every instance where an invoice arrived before the PO, built a visualization tool that showed a small red dot for each instance, and studied how often this happened across several quarters.
Through this visualization tool Cisco was able to classify every expense by criteria such as: When did we get the purchase order? When did we get the invoice? Which department is this for? From this point, the company could begin to detect and analyze. Equally important, with the visualization tool, literally anyone in the company could see and use the data. Defining the practice as a violation of internal company policy, quantifying it and then putting it into a visual format led to a reduction in the number of times this situation occurred, because employees became more attentive to their spending.
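As an added illustration of the check described above (this is example code written for this post, not Cisco's tool, and the invoice and PO records are constructed), the logic comes down to comparing the date accounting received each invoice with the date it received the matching PO, flagging invoices with no PO at all, and then tallying the hits by department and by quarter so they can be plotted and tracked over time:

```python
from collections import Counter
from datetime import date

# Constructed sample data (not Cisco's): one row per invoice as seen by accounts
# payable, and the date accounting received each PO. A missing PO id means no PO
# was ever matched to the invoice.
INVOICES = [
    {"invoice_id": "INV-1001", "po_id": "PO-501", "department": "Marketing",
     "invoice_received": date(2024, 3, 4)},
    {"invoice_id": "INV-1002", "po_id": "PO-502", "department": "Engineering",
     "invoice_received": date(2024, 3, 10)},
    {"invoice_id": "INV-1003", "po_id": None, "department": "Marketing",
     "invoice_received": date(2024, 4, 2)},
    {"invoice_id": "INV-1004", "po_id": "PO-504", "department": "Engineering",
     "invoice_received": date(2024, 5, 20)},
    {"invoice_id": "INV-1005", "po_id": "PO-505", "department": "Facilities",
     "invoice_received": date(2024, 6, 30)},
    {"invoice_id": "INV-1006", "po_id": "PO-506", "department": "Marketing",
     "invoice_received": date(2024, 8, 11)},
]
PO_RECEIPTS = {
    "PO-501": date(2024, 3, 1),
    "PO-502": date(2024, 3, 15),
    "PO-504": date(2024, 5, 20),
    "PO-505": date(2024, 7, 2),
    "PO-506": date(2024, 8, 1),
}


def quarter_of(d):
    """Label a date with its calendar quarter, e.g. 2024Q2."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def invoices_before_po(invoices, po_receipts):
    """Return every invoice that reached accounting before its PO did.

    An invoice with no PO at all is the extreme case of the same policy
    violation, so it is flagged too (with days_early left as None).
    An invoice and PO received on the same day is treated as compliant.
    """
    flagged = []
    for inv in invoices:
        po_received = po_receipts.get(inv["po_id"]) if inv["po_id"] else None
        if po_received is None or inv["invoice_received"] < po_received:
            flagged.append({
                **inv,
                "po_received": po_received,
                "days_early": None if po_received is None
                else (po_received - inv["invoice_received"]).days,
                "quarter": quarter_of(inv["invoice_received"]),
            })
    return flagged


def count_by(flagged, field):
    """Tally flagged invoices by a field such as 'department' or 'quarter'.

    This is the aggregation behind a per-department / per-quarter view
    (one red dot per flagged invoice).
    """
    return Counter(rec[field] for rec in flagged)


def violation_rate(invoices, po_receipts):
    """Share of all invoices that arrived before their PO: the number to
    track over time to see whether the behaviour is actually declining."""
    if not invoices:
        return 0.0
    return len(invoices_before_po(invoices, po_receipts)) / len(invoices)


if __name__ == "__main__":
    hits = invoices_before_po(INVOICES, PO_RECEIPTS)
    for rec in hits:
        print(rec["invoice_id"], rec["department"], rec["quarter"], rec["days_early"])
    print("by department:", dict(count_by(hits, "department")))
    print("by quarter:", dict(count_by(hits, "quarter")))
    print(f"violation rate: {violation_rate(INVOICES, PO_RECEIPTS):.0%}")
```

The rate, not just the count, is what makes quarter-to-quarter comparison meaningful, since invoice volume itself changes; a falling rate is the evidence that the visualization actually changed behaviour.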
T&E Spend at $49
The second example came from a public utility company in the Midwest. The company had a policy that any employee with a T&E expense of more than $50 had to submit a receipt. For any expense of $49 or less, the employee could submit the expense without a receipt and it would be processed and paid. Monitoring spend at this level was an anti-fraud measure to see whether any employees were trying to slip something by at the $49 level, where they were not required to supply documentation.
Interestingly, the company did not find any instances of egregious fraud. However, it was able to communicate to all employees that it could monitor such reimbursement requests and could impose strong fraud controls even where the employee was not required to supply documentation. This innovation gave the company the opportunity to monitor when the $49 threshold was hit “just a little bit too often or a little bit too frequently where it seemed shifty”. Kelly emphasized that this is the kind of clear analytics that improves the company’s bottom line and risk management because (1) you improve your ability to find instances of fraud in the transactions and (2) it communicates to employees the strength of the control environment. This can be an important signal to send from a control environment perspective.
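To show what "a little bit too often" can look like as a measurable test, here is an added example (written for this post, not the utility's own analysis; the claim data, the $44 to $49 "near the line" band and the flagging thresholds are all constructed assumptions). It computes, for each employee, the share of claims that land just under the no-receipt limit and compares it with the same share among everyone else, so one heavy user cannot inflate the baseline they are judged against:

```python
from collections import defaultdict

# Policy from the post: a receipt is required for any expense over $50, and an
# expense of $49 or less is paid without one.  The remaining values are
# constructed analysis parameters (assumptions, not the utility's settings).
NO_RECEIPT_MAX = 49.00      # largest amount that needs no receipt
WINDOW = 5.00               # how far below that line still counts as "near"
MIN_NEAR_CLAIMS = 3         # ignore employees with too few near-threshold claims
PEER_RATIO = 2.0            # flag if an employee's share is >= 2x their peers'

# Constructed sample claims: (employee, amount in dollars).
EXPENSES = [
    ("alice", 12.50), ("alice", 49.00), ("alice", 120.00), ("alice", 33.10),
    ("bob", 49.00), ("bob", 48.50), ("bob", 47.25), ("bob", 49.00), ("bob", 22.00),
    ("carol", 75.00), ("carol", 46.00), ("carol", 10.00),
    ("dave", 5.00), ("dave", 60.00),
]


def is_near_threshold(amount, no_receipt_max=NO_RECEIPT_MAX, window=WINDOW):
    """True if the amount sits in the no-receipt band just under the limit."""
    return no_receipt_max - window <= amount <= no_receipt_max


def near_threshold_report(expenses, no_receipt_max=NO_RECEIPT_MAX, window=WINDOW,
                          min_near=MIN_NEAR_CLAIMS, peer_ratio=PEER_RATIO):
    """Per-employee share of claims landing just under the receipt line,
    compared with the share among everyone else."""
    totals = defaultdict(int)
    near = defaultdict(int)
    for employee, amount in expenses:
        totals[employee] += 1
        if is_near_threshold(amount, no_receipt_max, window):
            near[employee] += 1
    all_total = sum(totals.values())
    all_near = sum(near.values())

    report = {}
    for employee in totals:
        own_share = near[employee] / totals[employee]
        # Baseline excludes this employee's own claims.
        peer_total = all_total - totals[employee]
        peer_near = all_near - near[employee]
        peer_share = peer_near / peer_total if peer_total else 0.0
        flagged = (near[employee] >= min_near
                   and own_share >= peer_ratio * peer_share)
        report[employee] = {
            "claims": totals[employee],
            "near_count": near[employee],
            "own_share": own_share,
            "peer_share": peer_share,
            "flagged": flagged,
        }
    return report


def flagged_employees(expenses, **kwargs):
    """Employees whose just-under-threshold claims stand out from their peers."""
    report = near_threshold_report(expenses, **kwargs)
    return sorted(e for e, r in report.items() if r["flagged"])


if __name__ == "__main__":
    for employee, row in near_threshold_report(EXPENSES).items():
        print(employee, row)
    print("review queue:", flagged_employees(EXPENSES))
```

A flag here is a prompt for a review of that employee's claims, not a finding of fraud; as the utility found, the main value may be that everyone knows the band below the receipt line is being watched.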
Hotline metrics for compliance and culture analysis
The third example concerned hotline metrics and analysis. Many Chief Compliance Officers (CCOs) and compliance professionals focus on hotline metrics such as: Are you getting a lot of calls or no calls? Is that good or bad? Is your program working or not? What does tracking the hotline calls themselves say about the culture? However, following such metrics does not really tell a CCO anything about the culture. Kelly believes the better way is to configure your intake system to capture as many characteristics about each call as possible, specifically around retaliation complaints.
Kelly said such analysis would include questions such as: How many retaliation complaints are there relative to all complaints, to a type of manager, to a specific time of year, in specific markets, at specific levels of the company, or even against specific people, if you can track it all the way down? The aim is to identify where the problem areas are and where people seem to be retaliating more than usual. If you track those metrics over time, not only do they tell you about your culture, they give insight into why you have a retaliation problem in the first place. It can also lead to an analysis of whether your ethics training is working: if complaints about retaliation continue to increase, that tells you that the ethics and anti-retaliation training you are providing to your managers may not be working.
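As an added example of the analysis Kelly describes (written for this post, not taken from any vendor's hotline product; the intake records, manager and market labels and the hotspot thresholds are constructed), the same "retaliation relative to all complaints" ratio can be computed against any attribute the intake form captures, and then tracked by quarter to answer the training question:

```python
from collections import defaultdict
from datetime import date

# Constructed hotline intake records: each report carries the attributes the
# intake form is configured to capture (category, manager named, market).
COMPLAINTS = [
    {"date": date(2024, 1, 10), "category": "conduct",     "manager": "M1", "market": "US"},
    {"date": date(2024, 1, 22), "category": "retaliation", "manager": "M2", "market": "US"},
    {"date": date(2024, 2, 5),  "category": "expense",     "manager": "M1", "market": "EU"},
    {"date": date(2024, 2, 18), "category": "retaliation", "manager": "M2", "market": "EU"},
    {"date": date(2024, 3, 3),  "category": "harassment",  "manager": "M3", "market": "US"},
    {"date": date(2024, 4, 7),  "category": "retaliation", "manager": "M2", "market": "US"},
    {"date": date(2024, 4, 15), "category": "conduct",     "manager": "M3", "market": "EU"},
    {"date": date(2024, 5, 2),  "category": "retaliation", "manager": "M1", "market": "US"},
    {"date": date(2024, 5, 20), "category": "retaliation", "manager": "M2", "market": "EU"},
    {"date": date(2024, 6, 11), "category": "expense",     "manager": "M3", "market": "US"},
    {"date": date(2024, 6, 25), "category": "retaliation", "manager": "M2", "market": "US"},
    {"date": date(2024, 6, 28), "category": "conduct",     "manager": "M1", "market": "EU"},
]


def quarter_of(d):
    """Label a date with its calendar quarter, e.g. 2024Q2."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def retaliation_rate_by(complaints, group_fn):
    """Retaliation complaints as a share of all complaints, per group.

    group_fn maps a complaint to its bucket (a manager, a market, a quarter...).
    Returns {bucket: {"total": n, "retaliation": k, "rate": k/n}}.
    """
    total = defaultdict(int)
    retal = defaultdict(int)
    for c in complaints:
        key = group_fn(c)
        total[key] += 1
        if c["category"] == "retaliation":
            retal[key] += 1
    return {k: {"total": total[k], "retaliation": retal[k],
                "rate": retal[k] / total[k]} for k in total}


def overall_rate(complaints):
    """Company-wide retaliation share, the baseline every bucket is compared to."""
    if not complaints:
        return 0.0
    return sum(c["category"] == "retaliation" for c in complaints) / len(complaints)


def hotspots(complaints, group_fn, factor=1.5, min_total=3):
    """Buckets whose retaliation rate is at least `factor` times the overall
    rate, ignoring buckets with too few complaints to be meaningful."""
    base = overall_rate(complaints)
    by = retaliation_rate_by(complaints, group_fn)
    return sorted(k for k, v in by.items()
                  if v["total"] >= min_total and v["rate"] >= factor * base)


def quarterly_trend(complaints):
    """Retaliation rate per quarter, in order, plus whether the latest quarter
    is higher than the first (the 'is the training working?' signal)."""
    by = retaliation_rate_by(complaints, lambda c: quarter_of(c["date"]))
    series = [(q, by[q]["rate"]) for q in sorted(by)]
    rising = len(series) >= 2 and series[-1][1] > series[0][1]
    return series, rising


if __name__ == "__main__":
    print("by manager:", retaliation_rate_by(COMPLAINTS, lambda c: c["manager"]))
    print("manager hotspots:", hotspots(COMPLAINTS, lambda c: c["manager"]))
    print("market hotspots:", hotspots(COMPLAINTS, lambda c: c["market"]))
    print("quarterly trend:", quarterly_trend(COMPLAINTS))
```

The minimum-bucket-size guard matters: a manager with one complaint that happens to be a retaliation complaint is a 100% rate but not a pattern, and the value of the metric is in spotting the manager, market or level where the rate stays elevated across reporting periods.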
Kelly concluded by noting that these three examples, invoices before POs, T&E reimbursement requests without documentation, and examining retaliation complaints to get a better sense of your corporate culture, are very practical steps you can take today which you might not have been able to accomplish 10 years ago because the technology was not available. However, with the evolution in the IA function and its capabilities, you should be able to do so going forward.
In Part IV we will consider new working relationships based upon the evolution of IA.