Realigning the Trade-offs Between Stringent Controls, Efficiency & Business Risk


By Patrick Taylor, CEO, Oversight Systems

Alfred P. Sloan

Alfred Sloan, the legendary former CEO of General Motors, popularized financial controls for corporate governance, but financial controls have never before received as much widespread attention as they do today. Thanks to the Sarbanes-Oxley Act of 2002, enterprises must devote significant resources to applying Sloan's basic principles in today's e-business world.

As businesses seek to implement, document, monitor, and report on the effectiveness of their financial controls for Sarbanes-Oxley compliance, they are also readdressing a question that first arose with Sloan's model for financial controls: how should businesses balance the trade-offs between stringent controls, operational efficiency, and acceptable business risk?

The reasoning behind financial controls is no different today than it was during Sloan's 23-year reign at General Motors from 1923 to 1956. Companies built on strong corporate governance produce superior long-term growth and shareholder returns. However, the application of those very same controls is much different in today's business world because automated business systems eliminate the need to manually process most transactions. On the positive side, this development leads to increased productivity. On the negative side, it also creates an environment in which every application-facing insider presents a risk of policy violations, fraud, and measurable financial losses.

In applying Sloan's principles of financial controls to enterprises today, some businesses are redefining their controls processes to move away from restrictive controls and toward real-time, passive monitoring of business transactions to identify policy violations, payment errors, system misuse, and fraud. Rather than limiting what functions employees can carry out as part of their jobs, transaction incident monitoring allows enterprises to boost productivity while mitigating the business risks.

The Role of Internal Controls in the Modern Enterprise
As early 20th century industrialism transformed into the age of the modern enterprise, leaders at the du Pont Company created financial controls to govern its operations across multiple business lines and divisions. The great du Pont-General Motors alliance allowed du Pont finance executives to pass along their knowledge to General Motors in the 1920s, when a financial crisis almost bankrupted the company. With this knowledge base from du Pont, Sloan led GM to become the most admired corporation of his day.

My Years with General Motors, by Alfred P. Sloan

While developed at the du Pont Company, financial controls were refined at General Motors, and Sloan outlined their need and implementation in his 1963 bestselling book, My Years with General Motors. In the book, Sloan explains his role of integrating financial controls into operations, "for finance could not exist in a vacuum."

Through the study of General Motors, 20th century enterprises emulated the automotive giant and adopted organizational structures that allow divisions to operate autonomously but still enable oversight from central management. In following General Motors' example, financial controls provided a new level of corporate governance in the form of highly coordinated:

  • Consolidated cash management
  • Uniform appropriations processes
  • Inventory and production management aligned with market demand

Sloan put it quite simply: "The need for financial controls grew out of crises. Controls were brought in to ensure that crises did not recur." For General Motors, financial controls powered new avenues of management that could avoid its past stumbles where:

  • Each division managed its own operating cash flow and manipulated cash reserves to its own benefit while ignoring the cash requirements of the greater organization;
  • Managers received approval for their maximum appropriations requests without consideration of all other requests and available funds; and
  • Overly optimistic division heads accumulated inventory and set aggressive production schedules to meet lofty sales goals without consideration of real market conditions.

Through the implementation of financial controls, Sloan mitigated business risk for General Motors and created an organization where individual managers were responsible for growth of their business units but the direction of the enterprise was set at the top. These basic financial controls allowed GM to align the strategies of all divisions to meet market demands and the corporate vision.

Sloan accomplished this at General Motors through executive committees, which played a key role in providing the necessary oversight. While these committees added significant new responsibilities at the corporate office and new process requirements for division managers, these financial controls allowed a huge organization like General Motors to respond to changes in the market and more closely align its operations with business cycles.

Evolution of Financial Controls
While financial controls, and a revolutionary organizational structure, played a key role in General Motors' growth and market leadership, financial controls evolved and extended throughout organizations at all levels to govern individual responsibilities. Financial controls are often applied to spending limits, where each manager can autonomously appropriate funds up to a certain limit but must seek approval for expenses greater than the established cap.

Enterprises applied these concepts of financial controls throughout all levels of the organization to address other business risks, such as fraud and payment errors, by essentially introducing corporate policies for how business transactions were to be processed. Segregation of duties emerged as a key element of financial controls to prevent fraud and payment errors, for example, by not allowing the same person to sign a purchase order, validate receipt of goods, and authorize a check payment. The division of responsibilities works to prevent a single person from defrauding the organization.

To handle the increasing need to process and validate payments in accordance with the financial controls, enterprises developed separate controls departments. As separate entities unto themselves, controls departments provided independent oversight to ensure that checks matched up with receipt of goods, which matched up with purchase orders, and that the procure-to-pay process followed all enterprise policies.

While initially necessary for the enforcement of financial controls and strong governance, controls departments — and controls themselves — grew bureaucratic in nature. Meanwhile, employees and managers came to view controls as obstacles to accomplishing their jobs. It was at this point that enterprises were forced to seriously reconsider the trade-offs between stringent controls, the inefficiencies created by those controls, and the business risks they were willing to accept.

However, Sloan never intended for controls to limit the productivity and effectiveness of operations. In his book Sloan wrote, "If we had the means to review and judge the effectiveness of operations, we could safely leave the prosecution of those operations to the men in charge of them."

The implementation of financial controls also increased the need for internal audits to validate compliance with these controls and policies. Most of these audits are based on accumulative reports and sampling-based analysis of events and transactions.

Controls Today
The old controls department became irrelevant and unnecessary overhead with the emergence of automated business systems that allowed financial controls and policies to be embedded into the business applications. Enterprise resource planning (ERP) software systems initiated these systems-based controls, which now extend into supply chain management, customer relationship management (CRM), and human resource systems.

Most of these applications and business systems allow for internal controls whereby the organization customizes acceptable use for each authorized user. These controls can set levels of authorization whereby, for example, an entry-level accounts payable clerk can access modules only related to his specific job function while the chief financial officer can access any module in the system.

The integration of financial controls into business systems led to the creation of, and dependence upon, system-oriented job classifications and complex application configurations. However, these classifications and configurations are expensive to design and deploy. As employees are promoted, reassigned, or terminated, organizations must continually update their business systems with everyone's correct authorization level. The same is true for consultants, contractors, and business partners. The sharing of passwords only complicates the issue.

And while enterprises no longer operate with a separate controls department, tight controls within a business system can exacerbate the bureaucratic burden and whittle away the projected benefits of the automated business system. An enterprise with 3,000 ERP users can expect to dedicate more than five full-time IT personnel to supporting and maintaining the classifications and configurations.

However, most enterprises struggle with the initial implementation and maintenance of these procedural rules. Organizations spend millions of dollars to implement ERP systems in a process that can take up to three years. The implementation of these classifications is often the last phase of the project and, as a result, does not receive the required attention when the project runs over budget or behind schedule, as is common.

Effectiveness of Controls
As measured against fraud detection and error prevention, today's controls do not do enough to mitigate business risks. According to reports from the Association of Certified Fraud Examiners (ACFE), fraud and white-collar hacks collectively drain 6 percent of an organization's annual revenue. In 2002, these losses totaled over $600 billion. The PricewaterhouseCoopers Economic Crime Survey pegged the average loss per company at greater than $2 million. Ernst & Young has called this "a bigger loss problem than viruses and worms combined."

The ACFE study found that the average scheme lasted 18 months before it was detected. More than half of the detected schemes accounted for losses greater than $100,000; nearly one in six caused losses greater than $1 million. The study also reported that nearly two-thirds of all identified fraud was detected by "accident" or employee tips.

Even with existing controls, payment errors remain a significant drain on corporate assets. Accepted industry studies have reported duplicate payments at approximately 2 percent of total payables. Rather than returning the cash from a duplicate payment, vendors who receive it often extend a credit to the double-paying buyer, which puts unneeded pressure on the buyer's cash flow. Moreover, 10 to 20 percent of duplicate payments are never recovered, which means that the average enterprise suffers an annual cash drain equivalent to 0.1 to 0.2 percent of its total payables.

Under Sarbanes-Oxley, public companies are forced to document and monitor the effectiveness of their financial controls. While instances of fraud and errors were once a private matter, this regulation thrusts some companies into the spotlight to bear public scrutiny for financially draining losses from fraud and errors.

Transaction Incident Monitoring
New motivations for evaluating financial controls have driven some enterprises to rethink their approach to applying Sloan's principles in today's environment. The real-time nature of information, analysis, decision-making, and policy validation introduces new metrics for financial controls to consider.

Some businesses and government organizations are implementing transaction incident monitoring as an effective alternative to traditional financial controls and, in the process, are realigning the tradeoffs between stringent controls, operational efficiency, and business risk. Instead of decreasing risk by severely restricting user privileges within a business system, transaction incident monitoring allows an enterprise to loosen the restrictions within a business system but actively validate every transaction the system processes.

While stringent system controls may stop the one percent of insiders who intend to defraud the enterprise, they place a heavy burden on the 99 percent of insiders who are honest. In principle, transaction incident monitoring allows an enterprise to remove all system restrictions and rely on real-time analysis to flag transactions that do not comply with enterprise policies.

Transaction incident monitoring relies upon sophisticated data acquisition and multi-perspective analysis to correlate information from ERP systems, legacy mainframe applications, network monitoring solutions, and external data sources as relevant to:

  • Accounts payable
  • Accounts receivable
  • General ledger
  • Human resources & payroll
  • Inventory management

After collecting all relevant transaction information, transaction incident monitoring solutions analyze each event and the context of the transaction with the same level of scrutiny that an internal auditor and fraud examiner would employ. This analysis combines domain engineering, automated link analysis, behavioral analysis, deductive analysis, and standard business intelligence. The transaction analysis flags suspicious activities and clearly distinguishes real concerns from hundreds of indicators of fraud, misuse, and errors. A key feature of a transaction incident monitoring solution is its ability to detect acts of concealment and conversion designed to circumvent standard auditing techniques.
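To make the per-transaction validation concrete, here is a small monitor that applies two of the checks the article describes: the segregation-of-duties rule from the Evolution of Financial Controls section (the same person must not approve the purchase order, confirm receipt of goods, and authorize payment) and the duplicate-payment problem from the Effectiveness of Controls section. This is an added example, not code from the article or from Oversight Systems' product; the event fields, step names, user names, vendors, and the 90-day matching window are assumptions chosen for illustration, and the sample records are constructed.

```python
"""Added example: a minimal transaction incident monitor over constructed
procure-to-pay events. Not the article's or Oversight Systems' code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Event:
    po_id: str     # purchase order the event belongs to (assumed field)
    step: str      # "po_approve", "goods_receipt", or "pay_authorize" (assumed names)
    user: str      # user id recorded by the business system
    vendor: str
    amount: float
    invoice: str
    when: date


# Constructed sample events; not real data.
SAMPLE_EVENTS = [
    # PO-1001: three different people, each doing one step -> compliant
    Event("PO-1001", "po_approve",    "alice", "ACME",   12000.0, "INV-77", date(2004, 3, 1)),
    Event("PO-1001", "goods_receipt", "bob",   "ACME",   12000.0, "INV-77", date(2004, 3, 4)),
    Event("PO-1001", "pay_authorize", "carol", "ACME",   12000.0, "INV-77", date(2004, 3, 10)),
    # PO-1002: one user performs every step -> segregation-of-duties violation
    Event("PO-1002", "po_approve",    "dave",  "Globex", 4500.0,  "INV-88", date(2004, 3, 2)),
    Event("PO-1002", "goods_receipt", "dave",  "Globex", 4500.0,  "INV-88", date(2004, 3, 3)),
    Event("PO-1002", "pay_authorize", "dave",  "Globex", 4500.0,  "INV-88", date(2004, 3, 5)),
    # PO-1003: invoice INV-77 paid a second time under a new PO -> duplicate payment
    Event("PO-1003", "pay_authorize", "erin",  "ACME",   12000.0, "INV-77", date(2004, 3, 20)),
]

# The three steps a single person must not combine on one purchase order.
SOD_STEPS = ("po_approve", "goods_receipt", "pay_authorize")


def sod_violations(events, min_conflicting_steps=2):
    """Return (po_id, user, steps) for every user who performed two or more of the
    incompatible steps on the same purchase order. Checking the records after the
    fact, rather than restricting the user's menu up front, is the article's point:
    the user keeps the access, the monitor catches the combination."""
    steps_by_po_user = defaultdict(set)
    for e in events:
        if e.step in SOD_STEPS:
            steps_by_po_user[(e.po_id, e.user)].add(e.step)
    return sorted(
        (po, user, tuple(sorted(steps)))
        for (po, user), steps in steps_by_po_user.items()
        if len(steps) >= min_conflicting_steps
    )


def duplicate_payments(events, window_days=90):
    """Return (earlier_po, later_po, reason) for pairs of payment authorizations to
    the same vendor that either share an invoice number or share an amount within
    window_days (a re-keyed invoice often changes the number but not the amount)."""
    pays = sorted((e for e in events if e.step == "pay_authorize"), key=lambda e: e.when)
    found = []
    for i, a in enumerate(pays):
        for b in pays[i + 1:]:
            if a.vendor != b.vendor:
                continue
            same_invoice = a.invoice == b.invoice
            same_amount = a.amount == b.amount and (b.when - a.when) <= timedelta(days=window_days)
            if same_invoice or same_amount:
                reason = "same invoice" if same_invoice else "same amount within window"
                found.append((a.po_id, b.po_id, reason))
    return found


def run_monitor(events):
    """Combine both checks into one incident list, as a monitor would feed to a reviewer."""
    incidents = [{"type": "sod_violation", "po": po, "user": user, "steps": steps}
                 for po, user, steps in sod_violations(events)]
    incidents += [{"type": "duplicate_payment", "po": later, "matches": earlier, "reason": reason}
                  for earlier, later, reason in duplicate_payments(events)]
    return incidents


if __name__ == "__main__":
    for incident in run_monitor(SAMPLE_EVENTS):
        print(incident)
```

Both checks run over the complete event stream rather than a sample, which is the difference the article draws between transaction incident monitoring and sampling-based internal audit. A production monitor would add the context the article lists (vendor master data, HR records, network events) so that, for instance, a payee address matching an employee address can be correlated with the same purchase order.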

The benefits of transaction incident monitoring are clear.

  • This type of transaction monitoring establishes a business environment that deters employees and other insiders from breaking enterprise policies or defrauding the company.
  • Transaction incident monitoring provides the benefits of rigorous financial controls without the administrative overhead and bureaucratic burden.
  • Even if classifications are not 100 percent maintained or employees learn to game the system, risk managers are satisfied with a solution that keeps pace with real-time business transactions.
  • Transaction incident monitoring acts as the ultimate layer of security from outsiders who penetrate the network as authorized users.

While Sarbanes-Oxley heightens enterprise focus on financial controls, transaction incident monitoring provides the next step in the evolution of Sloan's accepted principles. Enterprises can trust their employees to make the right decisions and verify that the correct decisions were made. Without restrictive limitations, financial controls can finally lift their burden on operational efficiency while maintaining risk mitigation.



Patrick Taylor, CEO, Oversight Systems
Mr. Taylor is recognized as a leader in the convergence of controls monitoring, information security and the implementation of technology to boost corporate governance. As CEO of Oversight Systems, Patrick is responsible for understanding customer needs for continuous transaction incident monitoring and making sure those needs are met in Oversight's product development. Patrick recognized that most IT security focuses on perimeter security and ignores the greater inside threat from insiders who abuse their system privileges to commit fraud. After speaking with executives from across the country, Patrick launched Oversight Systems to pioneer the concepts and technology for continuous transaction incident monitoring.

As a respected information security industry insider who served in various product management and strategic marketing roles with Internet Security Systems and Symantec, Patrick is a frequent speaker at conferences, such as RSA, Networld + Interop, Comdex, NetSec and the Goldman Sachs Information Technology Conference.

In addition to his previous experience with ISS and Symantec, Patrick has held leading roles with ORACLE, Red Brick Systems, GO, Air2Web and Fast-Talk. Patrick holds a Bachelor of Mechanical Engineering with honors from the Georgia Institute of Technology and an MBA from the Harvard Graduate School of Business Administration.





© 2019 Simplex Knowledge Company. All Rights Reserved.