By: Jayant Dwivedy, CEO, Empronc Solutions
Spend Governance becomes a key pillar in the Corporate Governance framework. This is one area that involves heterogeneous categories of expenses and also in most cases a diversified set of beneficiaries. The geographies, complexities of the business and the changes add to the problem. An unattended problem invariably becomes a risk.
It is the onus of the leadership team to ensure that a risk management model is in place to detect and prevent spend frauds. It is also the responsibility of the same team to communicate the philosophy and the corporate spend model of the organization, both externally and internally. Simple and well stated messages go a long way in governing and in having the right culture to sustain the improvements. The translation of the corporate model to operational processes is a difficult task. The processes then need to be practical, business friendly, integrated and repeatable.
Repeatable processes are best achieved through electronic systems and automation. However, they need to be flexible and configurable to support the entire organization and also future changes. Organizations often go wrong when they believe, from a central perspective, that adequate controls exist and transactions are automated, particularly when the risks and options have not been debated and "out of the box" ideas have not been brought in.
The integrity and ethical values of the enterprise as a whole are influenced by each employee. The top management of an organization represents the proverbial tone and in this way influences employees in general to follow ethical means.
Protecting and empowering the organization is a management function. Risk workshops with external facilitation and cross functional representation are good starting points. However, such exercises done by internal staff who were given time and space (to use data, questionnaires, specialist software etc.) showed positive results. The management decision on what the acceptable level of risk in spend governance should be is based on the risk appetite of the organization (e.g. this should determine the electronic delegation matrix). However, there should be no room for "fraud risk appetite".
Whistle blowing is used by a number of organizations. This allows employees, vendors, customers, suppliers and business partners to submit their doubts, suspicions and comments on integrity to a committee/ top management. While this is an agreed best practice, the success of the program is still dependent on the culture of the organization and may give varied results. In these circumstances the effectiveness of an electronic system being your "whistle blower" should be examined and applied.
A team of "soldiers" should constantly look out for manual operations that can be automated, even after a recent large computerization. To everybody's surprise, there will invariably be multiple areas that still rely on paper formats, emails and spreadsheets; an integrated spend management solution is necessary.
| Steps | Typical situations in most organizations | Recommendations |
| --- | --- | --- |
| 1) Spend philosophy and model | No consistent communication internally and externally | a) Use company home page, induction programs, vendor forums, training sessions, company newsletters/ handbooks and visual displays on the wall to speak about the philosophy/ model b) Invest in systems that enable e-Spend Governance |
| 2) Organizational processes and policies | Not operational; not available at grass root | Use spend management solutions that bring in best practices from the industry and other verticals; provide user friendly workflows to employees that ensure processes/ policy deployment |
| 3) Electronic systems and automation of transactions; Control mechanism | Limited licenses of procurement/ financial systems; many of the process steps still manual across the organization | Use bridging technologies to go beyond ERP and electronically connect all who influence or transact spend; minimize paper work; have an automated Spend Management Framework |
| 4) On-line reporting and continuous improvement | Month end reports (post mortem); Reports not granular enough to detect fraud | Granular online reports that are used extensively to run the business in a compliant fashion; auto generated "red flags" |

Some salient issues:
The Board Directive: It often states that the person who is tasked to buy or acquire goods and services carries the responsibility to ensure that all risks in each phase of the spend process receive due consideration. This should not absolve the management, finance function or any other cross functional representative who influenced the acquisition or was a part of the transaction flow, directly or indirectly. It is a collective responsibility. Only effective risk management that is applied to the enterprise in its entirety, across all levels, functions and activities, can ensure fraud control. Is your current electronic system doing that? Probably not, and that is where the risk resides.
Manual controls: Many organizations make the mistake of managing the risk through a set of people in their role as controllers, auditors and "super cops". This has a limited effect both in terms of coverage and duration. The reasons are:
- Monotony of the task
- Availability of information (scattered, requiring manual compilation)
- Familiar faces: people learn how to deal with them
- When they are looking at a particular area, they are not simultaneously covering what could be critical at that point of time in another part of the organization
- People move on - exits, transfers, promotions
- Not available on account of meetings, training programs, leave, travel etc.
The "super cops" are after all human!
Leaving things to chance: While it is to be believed that the directors understand that they are responsible for implementing an effective and ongoing process of risk assessment and for measuring the potential impact of risk on the enterprise, different surveys have pointed towards the fact that frauds in enterprises are discovered by chance.
A post incident investigation invariably reveals that control systems (many of them manual) appear to be in place but are ineffective. Management has unknowingly overlooked the controls or has colluded in circumventing them.
Capital Allocation for fraud control: Fraud risk financing is a vital step in fraud risk management. It is important to consider the cost and advantages associated with managing the risks. The director responsible may use return-on-investment criteria to evaluate the financial acceptability of the control measures.
Monitoring the fraud risk management process: The implementation and operation of the risk management system always needs attention. Technology solutions demand a fair amount of training and unlearning. Continuous internal evaluations and separate external interventions are necessary to keep the system sharp.
In summary, an agreed spend philosophy that is well publicized is absolutely necessary. Best practices need to be brought in through effective systems that enable good processes and policy deployment at "grass root level". Systematic elimination of manual operations using automation/ low cost automation is an absolute necessity. This enables organizations to maximize their electronic transactions and thereby compliance. Intelligent reports can be a good thermometer for fraud control. At the same time, system generated "red flags" can effectively alert the management to potential frauds. A system that can be easily configured to cope with organizational changes, business requirements and the regulatory landscape, and that also ensures granular Spend Governance, is the right way forward.