In this webcast our experts share the key risk exposures, best practice approaches, SoD case studies, and the case for action for finally addressing SoD risks in a comprehensive, sustainable and cost-effective manner.
The Keys are Hidden Here…
Why have locks on all the doors but leave the keys on the doorstep? You may get away with it for a day, or a week or even a month, but does this mean it is a sensible approach to securing your assets? When your house is eventually burgled, where is the burden of responsibility and will the insurer actually cover your losses?
Fraud, waste and error are not going away. In many respects, they are getting worse due to the growing awareness of the weaknesses and lack of oversight of corporate business processes, the anonymity provided by systems and technology and the creativity of a malfeasant minority. Fraud, waste and error are legitimate concerns within every organisation, as our controls struggle to keep up with the pace of change in our organisations, processes and systems, not to mention new threats such as ‘CEO email fraud’/‘Business Email Compromise’, or ‘Fraude au President’ as it is known in France. Reports of accounts payable fraud have seen a 270% increase in the past year alone and have reached epidemic proportions of $2.3 billion in losses in three years.
But this is just the tip of the iceberg. Companies all suffer from fraud, waste and error, not always at massive scale, but the ACFE estimates the average company loses the equivalent of 5% of its revenues to fraud, waste and error. And there is no evidence of this reducing any time soon.
The most diligent manual reviews and reconciliations simply cannot completely eliminate fraud, and significant exposures can occur at any company, regardless of size. With major enterprise resource planning (ERP) systems increasing functionality and complexity, companies must pay more attention to the design and monitoring of automated controls.
The most effective, but basic, anti-fraud, waste and error control is managing the risks related to segregation of duties (SoD). This ‘four eyes’ principle applies to all critical combinations of activities that are required to request and authorise financial transactions, purchases, credits and payments, access and maintain records for cash, valuable equipment or inventory, or reconcile accounting records.
SoD vulnerabilities often occur due to over-confidence in three areas: in the trustworthiness of employees and contract staff, in the hope that job role segregation will suffice and in the effectiveness of automated accounting and ERP systems and controls, such as system access rights. Lack of awareness of complexity is a cause for concern and can result in a strategy that largely depends on hope!
Many organisations have been deterred from addressing SoD in a systematic way due to a concern over costs and benefits of such approaches. The single biggest catalyst for addressing the issue is typically a fraud event or an external audit finding of insufficient and ineffective control. But by the time these events occur, the damage has been done. And even if you believe your organisation is secure from fraud, remember that the ACFE’s 5% loss figure includes waste and error, and which of us can guarantee against that in our organisations?
Many organisations have addressed systematic, automated continuous controls monitoring (CCM), but only for their largest ERP systems, from SAP or Oracle, leaving the gap of smaller operations supported by satellite accounting systems. The new integrated niche applications of e-invoicing and e-procurement undermine the integrity of the whole approach and the effectiveness of the investments made. Despite the fact that 71% of organisations claimed in a recent survey to have implemented a ‘formal tracking process and/or system for all major process areas’, this does not tell the full story. System access rights are not static, but rather a ‘body in constant motion’, with joiners, movers, leavers, holidays, parental leave and delegation of authority all affecting user permissions and access on a daily and weekly basis. At whose discretion do these changes occur, who is validating that conflicts of interest will not occur as a result and who is managing the residual risks?
Now more than ever, a strong organisational, process and system governance approach is key for managing SoD risk, and automation enables continuous assurance. The opportunity for better governance and control now exists for every organisation, large and small, regardless of whether you are working with the leading ERP suites from SAP, Oracle, Infor, Microsoft or Sage, or if you have smaller industry-specific ERPs such as Workday, Workforce Software, Cornerstone, NetSuite and Unit4, M3 (MOVEX), S3, LX (BPCS), LN (BAAN), SmartSuite, Navision, Axapta, Agresso, purpose-built applications or a combination of the above. The tools and techniques described in the webcast are applicable to all flavours of accounting and ERP systems.
It is time that ‘I hope so’ is no longer the response to the management question ‘are our SoD risks effectively managed?’
This webcast is aimed at financial, process, audit and IT management responsible for risk, control and good governance.
Our expert presenters include Dan French, Founder and CEO at Consider Solutions, Robin Ashby, formerly PwC and now Principal, Consider Solutions and Hans van Nes, COO at Consider Solutions.
Our agenda addressed:
- The changing nature of risk – fraud, error and waste
- Business process and system contexts
- Case Studies and debacles involving Segregation of Duties issues
- Implementing an effective SoD process and governance framework
- A lightweight approach to automating continuous SoD monitoring
- Best Practices