Evidencing financial controls and demonstrating that they are working throughout the reporting supply chain has been transformed from a detached and infrequent activity to an integral and continuous aspect of financial reporting, supported by dedicated applications, work flow technology, dashboards and reporting on an enterprise wide basis. In this white paper, the first of a series of three, Gary Simon, FSN’s managing editor, looks at the GRC issues in the Reporting Supply Chain and new capability from suppliers such as Trintech.
CONTENTS
INTRODUCTION
The scope of the RSC has changed
Attitudes to governance, risk and compliance (GRC) have changed
WHAT SHOULD THE CONTROL ENVIRONMENT LOOK LIKE?
How does an organisation exert control?
The inadequacy of ERP
THE IDEAL ARCHITECTURE
UNLOCKING THE RECONCILIATION LOG-JAM
WHAT ARE THE ORGANISATIONAL IMPLICATIONS?
VENDOR TO WATCH: TRINTECH
SUMMARY
INTRODUCTION
The notion of a ‘Reporting Supply Chain’ (RSC) is a relatively recent phenomenon. Whilst transaction processing generally conforms to a well defined series of business cycles, such as ‘Quote to Cash’ and ‘Procure to Pay’, core management information processes have been largely sidelined and ill-defined. Yet the RSC is emerging as a critical management process that weaves its way through the entire organisation and forms the essential conduit for internal management reporting and external statutory disclosures and filings. So what exactly is the RSC?
The RSC is broadly recognised as the enterprise-wide process of collecting financial and non-financial information from Strategic Business Units (SBU’s) and their underlying reporting entities (subsidiaries, associates, joint ventures and minority interests) across the globe, consolidating it and generating final accounts, culminating (in the case of financial reporting) in the production of statutory filings and the ‘glossy’ annual report and accounts.
Although historically accurate, such a narrow definition is open to challenge because it neither recognises the massive changes in regulation and compliance over the last decade nor the significant strides in technology that have allowed previously separate strands of reporting to coalesce in one environment.
The scope of the RSC has changed
The historic definition suggests that the RSC commences after ‘period close’ in subsidiaries and ends with the generation of the statutory accounts. But over recent years the reporting supply chain has become elongated, reaching deeper into reporting entities as technology ‘melts’ the boundaries between ERP systems and reporting systems. As a result the modern RSC can now be viewed as a continuum that embraces fully all of the period close tasks, such as reconciliations that were previously out of scope. And although not part of this white paper it is worth noting that the RSC has become stretched in the other direction with the advent of digital reporting or XBRL which is automating the interface between corporations and regulators for statutory filings.
In practical terms, the advent of XBRL brings the benefit of more streamlined processes and the possibility of reducing error rates. But it also designed to accelerate the reporting process to regulators and as such will bring unwelcome pressure on an already stretched finance function. This underlines the vital importance of ‘re-engineering’ earlier phases of the reporting supply chain to eliminate wasteful tasks and increase automation where feasible.
Attitudes to governance, risk and compliance (GRC) have changed
The momentous events of the last decade, starting with Enron and more recently amplified by the global financial crisis have caused, politicians, regulators and corporations to question the robustness of financial reporting systems and, with the encouragement of new laws and penalties, to consider the control environment much more seriously. The emphasis has changed from merely collecting and reporting the numbers to asking “How do we know they are right?”
The inclusion of non-financial data around, say, environmental reporting and other novel areas of reporting which have financial consequences (for example, carbon trading) serves to underline the growing seriousness of the challenge of reporting accuracy.
As a result, evidencing financial controls and demonstrating that they are working throughout the reporting supply chain has been transformed from a detached and infrequent activity to an integral and continuous aspect of financial reporting, supported by dedicated applications, work flow technology, dashboards and reporting on an enterprise wide basis.
WHAT SHOULD THE CONTROL ENVIRONMENT LOOK LIKE?
There is a striking similarity between the control environment and the flow of numbers which it supports. In essence the overall velocity of the group financial reporting process depends on the speed of the slowest part of the organisation. Similarly the reliance that can be placed on overall controls is governed by the weakest link in the chain. A material control failure in any part of the organisation can undermine the dependability of the whole control environment and delay the announcement of results. It follows that it is essential that any control environment takes an enterprise-wide approach. But what exactly does the control environment include?
In broad terms, the purpose of the control environment around financial reporting is to ensure that every item is authorised and completely and accurately processed. In practice there can be thousands of interrelated controls connected in a complex hierarchy of dependency (key controls and compensating controls). Although no two organisations have identical controls there are some common threads defined by the chronology of the group reporting process. For example;
In subsidiaries:
Period end bank reconciliations, general ledger reconciliations, review of debtors and the agreement of inter-company transactions.
In transit:
Completeness of data capture, interface controls, mapping tables and controls over rejections.
At Group:
General ledger reconciliation, validation of data received from subsidiaries, intercompany matching, and exceptional items.
Although not a comprehensive list of controls this illustrates the breadth and complexity of controls that need to be managed. When this is magnified on a group-wide level, the scale of the undertaking starts to become apparent.
How does an organisation exert control?
In the past organisations have employed a variety of techniques to exert control but many have relied on spreadsheets, for say a reconciliation, backed by paper files and folders containing manually executed review and approval with initialized pages and signatures. Or perhaps they have used standalone and bespoke database to document control objectives and record test results. With the advent of Sarbanes Oxley a number of specialised applications for creating repositories of controls appeared but these were often technically and organisationally marginalised - falling outside of the routine workflow of the RSC process.
The history of the way in which financial controls is managed has not helped. Internal controls have always been understood to be a part of the finance function’s domain but responsibility for managing and testing controls has usually resided with the internal audit function supplemented once a year by an external audit. The recent history of control failures has changed that perspective in two fundamental ways. Firstly, regulators around the world have re-asserted that the primary responsibility for the control environment rests fairly and squarely within the finance function. Secondly, it is now very clear to audit committees and executive management that financial controls have to be monitored and confirmed to be working continuously throughout the year if reliance is to be placed upon them.
These key developments between them set the tone for the modern control environment, namely that;
- the control environment and the applications supporting it have to be inextricably linked (integrated) with the reporting supply chain and support collaborative working
- the control environment has to be pervasive, i.e. cover the entire RSC and be globally deployable to a consistent standard
- the applications need to be specialised to cater for the complexity and breadth of controls functionality in the modern organisation
A further driver for control improvements is the broader recognition that providing a sound control environment makes good business sense. After all, financial reporting underpins the performance management cycle, allowing management to monitor continuously the delivery of its targets and prospects for success. The greater assurance gained through dependable systems adds confidence to decision making and at the same time limits the risk to reputation through misstatements in earnings announcements and other public disclosures.
The inadequacy of ERP
But implementing a controls based solution that conforms to the broad requirements set out above has proved to be beyond the grasp of many organisations. ERP systems form the foundation of operational systems in most enterprises yet controls remain compartmentalised in separate applications and lack end-to-end integrity as, for example, they to not flow readily between transactional systems and group reporting applications. Furthermore, the traditional ERP platforms do not provide the specialist control functionality, workflow and controls reporting around typical period end tasks, such as reconciliations and balance sheet reviews. The more heterogeneous the group is, in terms of IT infrastructure and nature of trading, the more difficult it is to assert control. For example, different chart of accounts, (which is often the norm) and different vendors’ general ledgers/ERP systems create complexity around data capture, mapping and control, with limited tools for resolving differences and driving consistency through the enterprise.
As a result, with no basis for tackling these issues as they arise, reconciliation differences and unsubstantiated balances are frequently allowed to bunch up around the period close, creating a severe drain on resources at the worst possible time. Organisations find themselves compelled to staff up for the peaks in workload yet unable to reallocate head count to other needy tasks during the rest for the period. Under severe time pressure at month-end the temptation is to carry forward unresolved items from period to period, postponing error resolution and running the risk of material misstatements in financial position.
The impact of variable group policies around, say, the reconciliation of movements on general ledger balances, differences in staffing levels, culture and capability of finance personnel around the world contribute to a significant loss of control. But worst of all, none of this risk is quantifiable or visible to the centre when signing off the period’s accounts. Historically, dependence is necessarily based on a snapshot of controls testing and the theoretical extrapolation of the outcome to the whole period under review. Individual controls weaknesses can be ignored and material errors can be disregarded as a result of which the organisation fails to implement improvements and renders itself susceptible to more substantial errors in the future.
So is there a better way?
THE IDEAL ARCHITECTURE
It is only recently that complete suites of controls applications have appeared that are capable of supporting the RSC and being integrated with the group reporting process.
The ideal architecture is characterised by several factors;
- The ability to ‘superimpose’ the control suite on a miscellany of operational systems with the minimum of disruption.
- The ability to implement on a global or enterprise-wide basis over the web to smooth out the differences in time zones and connect disparate reporting entities to give complete end-to-end visibility of the financial reporting and controls environment.
- Specialist applications, such as detailed high volume reconciliations and GL reconciliations that fill the void left by ERP systems.
- Task management and flexible workflow that allows the definition, tracking and reporting of tasks throughout the RSC.
- Tight integration of the specialist applications with consolidation applications that inextricably link financial outcomes with controls (through reporting and dashboards) to prove that reliance on reported financial results is justified.
In many respects, the above architecture replicates the successful approach that many large organisations have taken to group financial reporting and consolidation. This has shown that the ability to superimpose the solution on existing operational systems is paramount – effectively specialist controls and reconciliation software becomes simply another strand of a proven and successful formula.
UNLOCKING THE RECONCILIATION LOG-JAM
The importance of reconciliations to the overall accuracy and velocity of group financial reporting has been seriously under-estimated – principally because the energies of group management have been focused historically on events post-period close in reporting entities and secondly because of the paucity of specialised application support.
But the effectiveness (speed and accuracy) of reconciliations can have a profound effect on the RSC. Reconciliations fall into two main categories, namely, high transaction volume reconciliations such as local bank reconciliations and secondly, more specialised and intricate reconciliation of balance sheet movements.
Both types have a fundamental impact. Generally speaking the high volume reconciliations are a pre-requisite of an effective period close in reporting entities. With modern labour saving software solutions a high percentage of transactions can be matched automatically and on a more frequent basis, leaving management to focus on the material exceptions which are often neglected using conventional manual methods. The result is a much higher success rate in reconciliation and significant reduction in errors and fraud.
By contrast, the General Ledger reconciliation has applicability to both group and reporting entities and can similarly have a profound impact on the RSC. With Charts of Accounts running to several thousand individual lines many companies find it challenging to ensure that material errors do not slip through the net because accounts are not reconciled promptly, or because nobody has been assigned the responsibility of performing the reconciliation. Ask an auditor where the greatest risk lies in an audit and it is likely he will say “unreconciled accounts”. The danger is that unreconciled items simply get carried forward from one review period to another with the detail becoming more difficult to resolve with the passage of time. This lack of oversight and balance integrity can lead to significant exposure. Using advanced reconciliation tools, companies can identify high risk accounts (for example those where a material error is likely) allocate and track the performance of reconciliations before they become a problem. But more importantly, the financial consequences of non-resolution can be surfaced and managed before they become a serious issue. Furthermore, the ability to identify and manage high risk or delinquent accounts early in the period end cycle allows companies to commence work on ‘difficult’ accounts sooner in the period and helps to smooth out peaks and troughs in workload.
WHAT ARE THE ORGANISATIONAL IMPLICATIONS?
One of the foremost benefits of a web based architecture for reconciliations, reporting and control is that, subject to security permissions, the group finance function has complete line-of-sight of the reporting process and control environment across the entire enterprise. This means that problems are identified as soon as they arise and a collaborative approach is encouraged to fixing short term issues and promoting best practice throughout a group.
In the past, reporting entities have operated in isolation and difficulties with say a critical reconciliation did not surface until late in the processing cycle – if at all. So errors are propagated up the reporting hierarchy (or organisational structure) unchallenged rather than being dealt with at source, where they are easier to fix.
Workflow management is a vital addition, reconnecting the finance function to the process in its charge whilst helping to ensure that tasks are completed according to plan and that major issues are escalated and resolved in a timely fashion.
The combination of workflow and integrated email capability means that the finance function can operate more effectively in different time zones with, for example, approval requests being routed automatically between time zones rather than waiting for the next working day.
The latest round of technology has also put the finance function in the driving seat, rather than having to rely on the IT department for every change. User configurable applications are allowing the finance function to define how the application will be deployed and to make changes to processes ‘on the fly’.
But one of the most noticeable organisational impacts is the ability to more clearly define and support specific roles in the process and the changed emphasis that a more proactive approach to problem resolution allows. For example, with automated reconciliations, resource is shifted from the mechanical task of matching to the more illuminating task of managing and resolving exceptions. This makes the process more effective and more fulfilling for the personnel involved with it, improving the entire user experience.
VENDOR TO WATCH: TRINTECH,
The changing face of the RSC is familiar territory for Trintech, a specialist provider of financial governance, risk and compliance solutions. Its Unity Financial GRC Suite is at the forefront of supporting and extending the traditional group financial reporting process with specialist applications for reconciliation, financial close and electronic filing, taking the control environment beyond the capability of most ERP systems.
Fig 1.1 Unity Financial GRC suite provides end-to-end visibility of the effectiveness of controls in the RSC
In common with the ideal architectures described earlier, Trintech’s capability stretches across the entire RSC, with its high volume reconciliation capability “ReconNET” reaching into individual reporting entities and its general ledger reconciliation “AssureNET GL” capable of being deployed at both a subsidiary and group level. Meanwhile, the controls capabilities in “Unity Compliance” and “Unity Enterprise Risk Manager” underpin these specialist applications, ensuring that financial reporting across the entire enterprise is swathed in a comprehensive controls environment.
Although the scope of the solution is far-reaching it can be implemented with relative ease since all of the technology is designed to be superimposed on operational ERP systems and to complement popular consolidation systems. For example, trial balances of all shapes and sizes are readily ‘lifted’ from general ledger systems in reporting entities, ready to be incorporated and available to the GL reconciliation functionality in AssureNET GL.
Recognising that a blanket approach to controls is inefficient Trintech takes a risk-based approach to determining which controls (GL accounts) need to be monitored and automates as much of the balance sheet substantiation process as possible. Risk can be set for each GL account individually. For example, an ‘owner’ or responsibility manager can be assigned to the reconciliation of each account and a risk setting applied to each account based on, for example, its materiality or history of difficulty. This allows the organisation to focus its efforts on the troublesome and important accounts. But risk levels can also be assigned dynamically by the system based on account activity and business rules set by the organisation, for example, balances over £250,000 which have not moved for 30 days.
Automation ensures that balances that fall within acceptable ranges are certified or ‘signed off’ but more risky accounts are funnelled into workflows for closer scrutiny and escalation as appropriate. Vitally, the potential Profit & Loss impact of each exception can be recorded so that there is immediate visibility of the financial consequences of unresolved account reconciliations. Email integration ensures that submission, remediation and approval of exceptional items is carried out efficiently whilst roles-based dashboards monitor the progress of tasks, such as the percent completion together with the unresolved financial exposure in local, group and reporting currencies as required.
Fig 1.1 Unity Financial GRC suite dashboard shows the status of controls and tasks
The manner in which reconciliations are performed is not restricted so that different accounting policies and reconciliation guidelines (held at account level if needed) can be accommodated across a globally diverse enterprise.
Trintech’s modular system architecture means that reconciliation tasks can be merged with other period-close tasks which can be monitored (locally and at group) in a single control environment. The result is that Group finance can view the condition of controls throughout the enterprise and trace back (drill down) from consolidated numbers in the balance sheet to confirm the status of tasks at any node or individual reporting entity in the organisational structure (Trintech supports multiple management hierarchies). If necessary, the system can require controls to be digitally signed off to provide further comfort at group that responsible officials throughout the company have complied with group policy.
The merging of financial reporting, reconciliation and controls, supported by highly automated processes, means that issues are dealt with earlier in the processing cycle, assisting management to avoid peak loading at the end of a financial period, reducing risk and accelerating the whole RSC.
But Trintech’s Financial GRC solutions do not only support the current period. The experience gained with the technology coupled with Trintech’s deep domain knowledge provides a repository of data which can be used to benchmark performance and drive continuous improvement in the group reporting process as well as promoting the promulgation of best practice.
SUMMARY
The Reporting Supply Chain has changed beyond all recognition in the last few years but traditional ERP and Business Intelligence systems have failed to keep pace. Financial controls, together with the management of period-close tasks and financial reporting are coalescing as management seek to demonstrate that statutory disclosures and filings are based on a solid foundation of control.
To date, many GRC (Governance Risk and Compliance) solutions have been developed and implemented separately from the RSC providing very limited assurance that vital tasks have been completed and that key controls are working. Organisations have relied on traditional internal and external audits together with a number of manual workarounds to prove the robustness of the controls environment. But recent advances in technology, coupled with specialist applications means that it is feasible to superimpose control over a variety of operational and ERP systems without causing major business disruption.
High volume reconciliations, general ledger reconciliations, close tasks and financial reporting can now be incorporated in a unified environment that inextricably ties the balance sheet back to the underlying controls. For the first time technology solutions, such as that provided by Trintech, gives the group finance function complete visibility of the RSC and provides early warning of material issues masked by complex organisational hierarchies.
Not only does the Trintech Financial GRC suite provide vital insight into the reliance that can be placed on controls, but it also permits greater collaboration in the finance function and through more emphasis on a risk based approach and greater automation is able to accelerate the group reporting process whilst supporting continuous process improvement.
|
About FSN |
|
FSN Publishing Limited is an independent research, news and publishing organisation catering for the needs of the finance function. The report is written by Gary Simon, Group Publisher of FSN and Managing Editor of FSN Newswire. He is a graduate of London University, a Chartered Accountant and a Fellow of the British Computer Society with more than 23 years experience of implementing management and financial reporting systems. Formerly a partner in Deloitte for more than 16 years, he has led some of the most complex information management assignments for global enterprises in the private and public sector. His bestselling book, “Fast Close to the MAX” was published in 2008. Whilst every attempt has been made to ensure that the information in this document is accurate and complete some typographical errors or technical inaccuracies may exist. This report is of a general nature and not intended to be specific to a particular set of circumstances. FSN Publishing Limited and the author do not accept responsibility for any kind of loss resulting from the use of information contained in this document. |
