|
CODA White Paper
"Process automation for cost savings, efficiency and compliance"
16th January 2006 |
|
| |
Introduction
Ever since the invention of double entry bookkeeping by Luca Pacioli in renaissance Italy businesses have sought to simplify, streamline and automate their business processes. Initially, the concept of automation was largely confined to the factory production line and it is only in recent decades that some of the principles of 'time and motion studies' have been applied to transaction processing and information management.
Present day challenges such as the diversity of business operations, globalisation and an increasing emphasis on compliance and risk management have complicated the task of process automation but the drivers for change have remained largely unchanged. In the main, businesses seek to improve their business processes as a way of limiting costs, managing risk and improving responsiveness to a wide range of internal and external stakeholders, including regulators.
Collectively, businesses have been successful in driving down processing costs through successive rounds of automation but recent studies have shown that changes in compliance regimes such as Sarbanes-Oxley, International Financial Reporting Standards (IFRS) and EU Directives, which affect companies of all sizes, have exerted considerable upward pressure on the cost of the finance function.
Although the challenges of automation should not be underestimated, material changes in key technologies such as the web, workflow engines, office productivity and communication tools as well as underlying enabling technologies means that once again the prospect of a step-change improvement in process automation is well within reach. However, it would be misguided to suppose that radical change can be accomplished by technology alone.
Recognising the importance of human interaction is crucially important. Unlike factory processes which are often linear and predictable, or even transaction processes which can be routed across business functions with a fair degree of certainty, information processes in particular can have a variety of outcomes. So process automation has to accommodate human decision making, management review and appraisal as well as collaborative working and control.
The brief history of process automation
Manual processes have their place in all business systems but have notable limitations. Typically, they are labour intensive because they are often accompanied by paper documents and physical flows of information. Furthermore every new transaction introduced to the process is a fresh event and relies on the internal controls environment operating effectively on each occasion for its successful completion. Momentary lapses of control are inevitable in even the best run organisations and depending on the process, even a single failure in control can have dire consequences. Take for example the impact of an incorrectly entered trade on the dealing room floor of a bank, or the wrong price entered on a large contract or sales invoice. In theory every single manual transaction exposes the organisation to the risk of human error and as volumes increase so does the likelihood of a mistake. Repairing processing errors after the event by unwinding transactions that have gone wrong can be time consuming and costly. If they affect customers directly, say the delivery of the wrong goods, then reputations can also be irreparably damaged.
In recent years, the widespread availability of good quality applications software has improved the landscape so that organisations are often able to process high volumes of transactions with relatively few errors. Additionally, quality management initiatives such TQM (Total Quality Management) have concentrated minds on delivering more reliable processes.
The BPR (Business Process Re-engineering) mantra which accompanied the widespread introduction of ERP systems in the 1990s acknowledged the importance of combining people, processes and technology in the approach to any solution. Although notoriously costly to implement, this resulted in more efficient and repeatable processes and in large measure accounted for reduced finance function costs because of a drop in the cost of transaction processing. However, the cost of management information processing remained stubbornly high.
Once business processes had been streamlined across a multinational organisation it was then possible to consider amalgamating them into a shared service centre or regional data processing centre to drive out further economies of scale, although much of the saving was derived from the sharing of resources rather than refining processes still further. Similar thinking has created a flourishing outsourcing industry specialising in large scale processing for high volume entities such as utilities and public authorities. Automating processes and leveraging economies of scale has been essential to delivering the benefits of these arrangements.
The drivers for change
The inexorable pressure for cost reduction remains one of the principal drivers for increased automation. Shared service centres and outsourcing may be helpful to large scale organisations but businesses of all size benefit from process automation. Not only do streamlined processes deliver immediate cost saving through productivity gains and reduced cost of error correction but they also provide a platform for growth without necessarily increasing cost.
Implementing improved controls and auditability is also a key motive for automating business processes in any well managed businesses. Emboldened by a post-Enron change in culture and attitudes, audit committees of quoted companies and large public sector enterprises have a heightened awareness of risk management. They are much more likely to challenge management on the adequacy of their control environment. However, well managed private companies of all sizes also seek to manage their risks through tighter controls. Well designed and automated processes provide a perfect platform for planning and implementing appropriate controls. Unlike manual controls which are susceptible to failure at any time, automatic controls, once properly established, tested and refined can be relied upon to deliver consistent levels of assurance.
Whilst many companies endeavour to introduce best practice risk management processes on a voluntary basis others, depending on their industry and location are driven to make changes by regulatory and compliance pressures. For example, Sarbanes Oxley in the United States , Tabaksblat in the Netherlands , IFRS, Basel II and the EU Accounts Modernisation Directive. Regardless of source, most companies recognise that automation and efficient processes are key to driving down the cost of compliance.
Where have we got to?
Business Process Re-engineering, outsourcing and shared service centres have all played their part in the drive for process efficiency and undoubtedly driven down transaction costs but initiatives such as these have in the main been confined to large multinationals that stand to gain the most from economies of scale and unification of processes. Even they often struggle to manage the processes that link central shared service centres with remote subsidiary organisations and the complex interactions and hand-offs of responsibility that take place in such situations. For most other companies, the capability of application software and other tools such as workflow, document management and the internet has been the limiting factor.
Traditional design of financial application software has usually followed a functional route to process support. For example, an accounts payable application focuses on the needs of the purchase ledger department to process invoices and cash payments and typically, a separate purchase order processing module deals with order entry, goods inwards and invoice matching. Almost universally, the software industry has assembled applications in this modular way which has treated a process as a series of related but distinct steps where one functional areas passes the 'baton' to the next rather than, say, a seamless "Procure to Pay" process.
In addition, this transaction oriented view of an application has concentrated on processing accounting entries completely and accurately rather than providing process support. Master file maintenance, such as supplier, customer and employee set-up is typical of the neglected parts of the process yet are the very areas that give rise to the greatest risks. For example, fraudulent set up of a bogus supplier, payments to an employee that has left the company or creation of a customer that has an untrustworthy credit record. Clearly, process efficiency and control are two sides of the same coin. A well designed process not only reaches across the functional divide, but it also provides complete coverage and control.
New technology has played a part in papering over the cracks in processes, for example, the limited application of workflow technology allied to the provision of email has allowed organisations to pick off limited aspects of a process for improvement, say, customer authorisation. However, changes such as these are of limited value because the additional functionality is an afterthought and not truly embedded in the application.
Similarly, the web has allowed organisations to target specific areas of limited scope for process improvement through the addition of 'self service' capability and hosted best of breed applications. For example, the addition of self service capability to a human resources system which allows employees with appropriate access permissions to maintain basic information about themselves such as change of address, without recourse to the HR department, or employee travel expenses supported by an externally hosted expense management application.
For all its limitations, there are numerous examples of process automation around transaction processing, the so called, 'transaction world'. However, the same is not true of the 'Performance Management World' which is made up of statutory and management consolidation, budgeting, planning, forecasting and management reporting. In the main, each of these important areas has been served by parallel applications and the underlying process flows have been treated separately and unevenly. Although there is growing understanding that an effective performance management regime requires these applications to be integrated to share data and structural information (metadata) this has not been matched by process support. Classically, a budgeting application incorporates simple workflow governing the submission and approval of an annual budget but this is normally separate and distinct from, say, the submission and approval of the monthly management reporting pack from the same reporting entities.
How can CODA help?
CODA has a deep history in the provision of financial applications and a tradition of innovation in financial processes. It was one of the first software houses to harness imaginatively the power of computing by stepping outside of conventional thinking around the modular design of financial applications. CODA reasoned that maintaining separate ledgers for accounts payable and accounts receivable was a relic of manual processing. Rather than simply automating what had gone before, CODA challenged the process and produced the 'unified ledger' which was groundbreaking at the time and remains virtually unique in the marketplace.
This willingness to challenge accepted thinking underlines the latest developments at CODA as it broadens out from its traditional position as a provider of financial applications to a supplier of complete solutions for the finance function. For example, CODA branched out some years ago into the performance management world with it's datamart solution to support off-line data manipulation and analysis; it has now supplemented that through the addition of budgeting, planning and forecasting applications and most recently has added solutions for process definition and management, internal controls and compliance, with the "CODA-Control" suite.
However, CODA- Control is significantly different from other offerings in the market because it enables the connection of the process and transaction-oriented worlds. It operates across any transactional applications - be they standard ERP or best-of-class packages or custom-built applications - and allow process flows to be managed between people, between systems or between people and systems.
Following the introduction of The Sarbanes-Oxley Act in the US , most software vendors will claim to have compliant software or at least software that can support a suitable controls based environment. However, the documentation of those controls and the risks they are designed to mitigate, together with a record of how they are applied in practice is generally outside of the scope of their financial applications. Building on its experience in the US around Sarbanes-Oxley, CODA has brought controls definition, maintenance and assessment into main stream financial applications and integrated it with other aspects of process design. Whether the primary driver for process automation is to improve efficiency, make cost savings or to demonstrate an effective controls environment CODA-Control's integrated environment allows all of these factors to be taken into account when considering process re-design.
CODA-Control
CODA-Control is made up of three integrated applications. CODA-Control Manager governs the design, development and execution of newly created or revised processes. CODA-Control Architect provides a fully automated methodology for controls development and testing. Finally CODA-Control Assessor, as the name implies, provides the means for assessing the effectiveness of your controls program and reporting on it.
|
Delivering process efficiency with CODA-Control Manager  |
CODA-Control Manager has been developed to enable organisations with manually intensive processes to rapidly design and automate processes which are both well controlled and efficient. Ideal target processes tend to fall into three broad categories, namely; those for which existing application support is incomplete, those which are idiosyncratic or particular to an organisation or those for which there are no readily available software packages.
Integration is at the heart of the CODA-Control Manager application. Not only does this ensure that the automated process is truly embedded in the application but it also enhances its integrity and auditability. Additionally it ensures that personnel from different functional areas, reporting entities and geographical regions can work collaboratively on the same application.
Whatever the reason for process change, the implementation of a CODA-Control Manager commences with the design of the revised process. Whilst CODA is not totally prescriptive about the tools used to design and visualise the process there are advantages in using Microsoft Project to document the activities in the process, their expected duration, task dependencies and likely sequence since the data gathered can be shared more readily with other Microsoft tools such as SharePoint and InfoPath Forms. However, alternative tools such as Visio play a supporting role in helping to develop cross functional views of the process and to record the conditional logic associated with key decision points in the process.
|
Processes are described as a series of tasks in a portal  |
|
In broad terms, the process can be described within the application as a series of tasks which are laid out on a web page within a portal. Individuals involved in the process can see tasks assigned to them and tasks that are assigned to others, giving them a clear picture of where they fit into the process. Authorised users can view which tasks need to be completed before they can commence their activities, and their current status - for example, whether they have been started, completed or whether they are overdue. Colour coding and icons are used to emphasise progress (amber for in progress, green for complete) or the lack of activity (red for yet to be started as other activities need to be completed first). The whole workflow is integrated with email so that users can be notified automatically of tasks requiring their attention rather than waiting for them to log onto the appropriate portal. An example of a process where CODA-Control Manager might be used is in the annual budget process, where plans can be circulated to budget holders and decision makers, viewed via hyperlink and rejected, accepted or amended as appropriate.
Where relevant, the task email can be hyperlinked to additional reports containing up to date information which will assist completion of the task. Alternatively the links might open a part of an underlying application, for example, to post a transaction or perhaps update a supplier record - all with complete application, user and data security.
Where necessary, the process can make use of user-definable forms (using standard Microsoft forms technology) which are embedded within the application to capture, for example, authorisations for a part of the process, or to display selected data from the underlying applications such as SAP, CODA-Financials or other ERP systems. They can even be used to provide integration with underlying systems and act, say, as a posting document or journal to another application. Forms can also play a pivotal role in ensuring an adequate level of control and compliance by requiring company officials with responsibility for signing off parts of the process to signify their acceptance by 'signing' the electronic form. Audit reporting within CODA-Control Manager provides full audit traceability showing when forms were completed and by whom.
Creating a controls based environment with CODA-Control Architect
The number of accounting scandals since the millennium in the United States and around the world has put the subject of financial controls under the microscope once again. Although Sarbanes-Oxley places a mandatory obligation on US listed businesses to formally institute controls and attest to their satisfactory operation a sea change in opinion has exerted pressure on the management, external auditors and the audit committees of all quoted companies and large public entities to ensure that their financial controls are up to scratch. Whilst the provisions of Sarbanes-Oxley are widely regarded as burdensome and expensive most organisations acknowledge that the legislation is only putting safeguards in place that should be present anyway in any well run business. However, identifying controls, testing them and ensuring that they are effective in a complex, diversified and geographically dispersed business is not a trivial task.
One of the key lessons from experience gained in implementing the provisions of Sarbanes-Oxley in the United States and elsewhere is that manual controls and non-standard processes are expensive to audit, manage and maintain. Therefore companies that are eager to reduce the cost of Sarbanes-Oxley compliance in the future have dedicated themselves to higher levels of automation and process standardisation where feasible across all of their trading entities . This renders the processes more dependable and the controls more reliable. When the automation and redesign is supported by suitable enabling technology then the organisation also benefits from the possibility of more automated controls testing. Whilst the 'controls culture' may have been driven initially by regulation it is clear that an appropriate level of controls i.e. commensurate with the risks being managed, makes good business sense.
However, identifying business risks, deciding on relevant mitigating controls and designing appropriate test programmes are extremely time consuming. Additionally, documenting the controls regime for any reasonably large organisation is a Herculean task and cannot be accomplished competently without specific methodologies and supporting technology.
In another bold and characteristically innovative move, CODA has entered into a partnership with Control Solutions International, a consulting organisation specialising in controls design, implementation and testing, to provide a best practice database of risks and controls for the major applications used by most businesses, for example accounts payable and accounts receivable.
This best practice database of risks and appropriate controls enables a company to identify and establish their risk management and associated controls program very quickly and with minimum of cost and effort. Also, companies get assured comfort that the programs they are designing and implementing can not only be tailored to their organisation's specific requirements but contains best practice from many years of practical experience drawn from a range of industries. |
CODA-Control Architect provides a best practice database of risks and controls  |
|
Using the database in conjunction with CODA-Control Manager, organisations can build an application dedicated to distributing controls templates for testing, recording and sign off to satisfy both internal and external audit requirements.
CODA-Control Architect is a generic solution that can deliver best practice controls for compliance requirements other than SOX. CODA and Control Solutions International are developing databases of best practice controls for other compliance regimes, including Basel II.
Reviewing controls effectiveness with CODA-Control Assessor
CODA-Control Assessor, the final component of CODA-Control, supports the development of a collaborative web based site for a team of internal auditors to jointly record and audit processes and the supporting documentation such as testing programmes and the assessment of financial controls.
The test results can be recorded in the database and an executive dashboard and reports can be used to provide a snapshot of the effectiveness of controls tested during the audit programme. |
An executive dashboard provides a snapshot of controls effectiveness  |
|
| Although originally designed around the needs of Sarbanes-Oxley, the database can be used by any organisation seeking to develop a convenient way of generating audit programmes, testing controls and reporting the results. In subsequent years, the database acts as a record of prior year testing and provides the basis of a repeatable and rigorous process which capitalises on audit investments made in earlier years.
Summary
Whilst many companies have made significant strides in process automation it is clear that significant challenges remain. For them, far too many processes still rely on manual intervention which is costly and renders them prone to error and risk. Where automation has been applied it is often limited to that supplied by an application vendor and tied to a functional or modular view of a process. Technology, particularly the web has enabled improved but partial automation and quick fixes to processes. They are initially attractive because of the relative ease and cost effectiveness with which web based applications can be rolled out to a large user population but the fundamental problems of controls effectiveness and the underlying inefficiency of process design remains unchallenged. This is particularly true of the Performance Management World which is largely under-served and under-exploited from the standpoint of process efficiency.
In the past, organisations have embarked on process improvement primarily with either a cost cutting motive or a compliance agenda in mind. Yet these two approaches are not mutually exclusive. Whilst combining process automation and controls development makes good business sense, progress in this area has been held back by the absence of suitable cost effective software tools and methodologies. CODA-Control represents a 'first' in the financial systems marketplace because not only does it integrate process redesign with controls best practice but it also allows both elements to be deeply embedded in the underlying applications utilising standard Microsoft technologies for delivery over the web.
CODA-Control also fuses the disciplines of financial reporting and audit for the first time. For many organisations there is an organisational and process divide between the reporting of financial information and the delivery of the audit assurance on which it depends for its integrity. By linking controls design, testing and assurance in the same processing environment as the financials, organisations should be able to achieve a higher level of confidence in the robustness of their reporting as well as making savings on process automation and compliance.
|
| About FSN Publishing Limited |
FSN Publishing Limited is an independent research, news and publishing organisation catering for the needs of the finance function. The report is written by Gary Simon, Group Publisher of FSN and Managing Editor of FSN Newswire. He is a graduate of London University , a Chartered Accountant and a Fellow of the British Computer Society with more than 23 years experience of implementing management and financial reporting systems. Formerly a partner in Deloitte for more than 16 years, he has led some of the most complex information management assignments for global enterprises in the private and public sector.
Gary.simon@fsn.co.uk
www.fsn.co.uk
Whilst every attempt has been made to ensure that the information in this document is accurate and complete some typographical errors or technical inaccuracies may exist. This report is of a general nature and not intended to be specific to a particular set of circumstances. FSN Publishing Limited and the author do not accept responsibility for any kind of loss resulting from the use of information contained in this document. |
 |
For a printer friendly version of this article click here |
|
| |
|
