The burden of managing financial risk, cash flow, strategic investment and compliance is a complex job.
How can you be confident that the risks of fraud, error and abuse are being well-managed without getting in the way of achieving your performance objectives? The typical approach is to rely on the types of internal controls that are built into processes, and in particular, into Enterprise Resource Planning (ERP) systems. But how dependable is this approach in practice?
Here are 5 technology-driven best practices that play a role in balancing control and performance and understanding the natural gaps in your ERP system:
1. Really understand the risks…then define intelligent control measures
You’re already well aware of the general risks that exist in different business processes and the typical control measures that should be in place, such as segregation of duties and manager approvals.
But, there are always variations in the way that systems and processes work. Take time to consider the “what-ifs” of things that could go wrong. Once this is set, it’s pretty likely you rely entirely on ERP system controls to ensure all is running well (until your auditors arrive on the scene!). But this should make you wonder: how do you know if your risk management and controls measures are effective? Which leads to the next best practice…
2. Find out if your risk management and control measures are effective
Getting insight into what is working well and what is a problem is an essential step—and where your ERP systems really start to let you down. Specialized risk analytics and monitoring software has transformed this concept into something that is not complicated. Using technology, you can examine every transaction in an entire population of data to determine whether: 1) the transaction complies with the control procedures that should be in place, or 2) there are indications that there are risks and problems for which no effective control is in place.
3. Cut to the actual red flags
Monitoring can produce volumes of potentially very important information…that no one is actually using. Risks and control problems often go unaddressed because people are focused on other things, inadvertently letting issues escalate to the point of causing serious harm to your organization. This is where the ability to fine-tune automated testing thresholds becomes very important. Fine-tuning allows false positives to be almost eliminated, so that the system only identifies red flags that are very likely to represent a real control risk.
4. Perform ongoing risk assessment and status reporting
Risk and control monitoring software not only manages the workflow aspects, but also allows the entire process to be reviewed and for the current status of all monitoring activities to be illustrated and quantified. This is where software plays another uniquely powerful role: it provides the ability for executive management to see a current assessment of the entire universe of risks and control effectiveness. The risks arising from different business process area can be compared—and also put into the context of other enterprise-wide categories of risks.
5. Gather input on risk and controls from across the organisation using surveys and questionnaires
Software that supports automated surveys and questionnaires can gather large amounts of information directly from individuals in different control roles across the organisation and rapidly interpret what is found. Analysis of survey responses to issues is a new and rapidly developing area in the world of risk and control management.