It’s still not a good time to have deficient controls

An extract of the original article on LinkedIn by Satori’s Jehan Salib – Data Analyst & Assurance Consultant 

In the not so distant past, we saw a lot of businesses caught out with wage theft or lamenting wage overpayment, you can guarantee it was not thanks to their ongoing internal examination of processes and controls that the issue was discovered. The reason that these cases all showed up, one after the other, is that once one case was reported, all other organisations started frantically checking their data and controls to see if they have fallen into the same trap.

The issue lies with current corporate practices. They invest in one of the Big ERP systems and employ a few highly qualified IT gurus to run these sophisticated systems, and expect everything else will just fall into place, they’ve done their duty and all is working in order. It would be great if it was that simple!!

We have been working on data analysis and continuous control monitoring for the past 20 years, and have assisted all different types, shapes and sizes of organisations. Usually the point of contact for us would be the Risk Management or Internal Auditors teams who are trying to implement proper controls and checks for their organisation. Through the process of implementing those checks, the irony was we found that the fate of the organisation is held in the least liable level of the organisation. It is all in the hands of the business teams running the daily process, all the strings start and are held at that business process level.

If we stick to the Payroll departments only for the sake of the subject at hand of Wage Theft, how much do we really think the CFOs and CEOs know about the setting up of the daily process of payroll rules, rates, allowances, etc? Well the truth is practically very little, if nothing at all. They don’t need to either, that is why they employ payroll specialists who should have this knowledge and experience.

Payroll is one of the most complicated processes of any organisation and the bigger the organisation the more diverse and complex it becomes. Your average payroll specialist is usually highly experienced and they know their role inside out with all its complexity. But, unfortunately, because human error is a part of life which we can’t change, and because technology is moving much faster than employees can be re-trained to catch up with the changes in IT, handling large numbers of transactions, continuous rules and personnel changes can become a cumbersome task and, as a result, errors can happen. Any of these changes not captured in time or missed in the process can easily cause millions of missed payments.

Over the years we’ve spoken to various Payroll business teams, to explain to them why there is a need for data analysis and continuous control monitoring of the daily process and data integrity of their work. The standard response, with no fail, is always:

“We have the best xyz ERP system, all these controls are already in place and we utilise the built in reports to control and catch any errors, why do we need any more testing, it will only duplicate what we are already doing and increase the workload”.

Well! If only we had just $1 for every time we heard this from all types of business teams throughout the years, we would have been on the list of the top 500 richest companies in the world. Our answer now, would simply be:

Why did all these big organisations with top xyz ERP systems short pay their employees millions of dollars over the years and it’s all gone unnoticed?

Satori-CCM-continuous--control-monitoring-audit-analytics-guide-download

In summary, the main four misconceptions noted in the corporate world when it comes to Risk Management are;

  • The Internal Auditors and Risk Managers are looked upon as the enemy of the Business, they are there to pick on the business teams and highlight their errors. Therefore, they are provided with minimal co-operation from those business teams. They are given limited access to systems and data, which totally defeats the purpose of their role. Internal Auditors and Risk Management are there to protect the organisation from the inevitable, in a best-case scenario an unintended error, or in worst cases, fraud and theft. Their role is to apply controls and checks to catch any failing in the process, being a human or system error, and save the organisation millions of dollars in over or under payments (both equally damaging to an organisation) in the long run.
  • The vast majority of internal auditors and risk managers still think they can do it all themselves. There is a general underestimation, or a misconception of the size of information and data gathered during the daily process of the business, especially in big organisations and retailers, which needs to be properly, and regularly, tested and checked, to successfully ensure the needed controls are in place. The standard random check, coloured spreadsheets used month after month with manually manipulated, untraceable formulas, or the old ticking the boxes process don’t work anymore. Presenting executives with nice coloured charts and dashboards and reporting the odd captured error every now and then, doesn’t suffice. It is no longer the objective, “it’s not good enough!”. Controls must mean that the organisation understands and checks, every single transaction being processed. This can only be achieved by correctly interpreting and understanding the data at hand, asking the right questions, and implementing the proper analysis and reports to examine these large numbers of data transactions and identify controls or processes failures and errors.
  • IT system gurus are looked upon as the “Gods” of the organisation, because they know all the technical stuff which we don’t know. Yes, most certainly, can’t do without them for one second. The whole world would collapse. But they are not data nor business process specialists. They have no idea if what the business is entering, or processing in the system is right or wrong. It’s not their role or area of speciality.
  • ERP systems have no intellectual intelligence, as the saying goes; “rubbish in rubbish out”. The system won’t capture an incorrect rate or calculation rule entered into it. They are sophisticated and built with high level general controls and reports, but again, they are not specifically tailored for the needs of every organisation. Standard built in reports are based on a general idea of use. They are usually ridged to customise, they don’t provide all the needed details, and the built-in parameters are not always clear. System controls are also customisable, so they can be switched on or off and can be manipulated. Which poses a high risk that needs to be monitored too.

DATA = MONEY. The value of an organisation’s data is exactly equal in importance to, if not even more valuable than, assets and cash in bank. Proper interpretation of the information and data at hand needs specialised knowledge and skills to enable an organisation to properly manage and set up an effective risk management plan.

Sticking to our subject here of missed or incorrect Payroll Payments, intentionally or unintentionally, the conclusion is that without utilising the proper resources and skills for data interpretation, analysis and continuous monitoring, the risk of one small error in applying a rule, award, rate, period or calculation going unnoticed, can and has cause millions of dollars to slip through the cracks over the years. Such errors won’t be caught in the colourful charts and dashboards at an annual board meeting, at that level of reporting, it will just disappear in the rounding of the bottom line.

Talk to someone with such specialised knowledge and skills at Satori Group now!