Internal Controls Design website by Matthew Leitch (tutor, researcher, author, & consultant)
New website, new perspective: www.WorkingInUncertainty.co.uk - Related articles - All articles - The author - Services

Reengineering GraphicReengineering internal controls for efficiency
Designing internal control systems for reengineered processes

by Matthew Leitch, April 1996.


Introduction
Why internal controls must be reengineered
Rethinking risk analysis
Rethinking control objectives
Rethinking internal controls
The role of the controls design specialist
Conclusion

Introduction

"Reengineering is the fundamental rethinking and radical redesign of business processes to achieve dramatic improvements in critical contemporary measures of performance, such as cost, quality, service, and speed."

From "Reengineering the Corporation" by Michael Hammer and James Champy 1993

The case studies featured in the book from which this definition is taken propelled Business Process Reengineering (BPR) to management theory superstardom. Offered by most management consultants as something radically new, scorned by many accountants as just another buzz phrase for good management, BPR has been controversial from the beginning.

However, from the case studies it is clear that at least some organisations have made major changes to the way they do their work, and at least some have benefited greatly from doing so. For the foreseeable future we can expect organisations to try to learn from the success stories and be successful themselves in achieving breakthroughs in performance.

Hammer and Champy's main contribution was to collate successful examples and suggest common factors. What should worry accountants and, in particular, auditors is that the common factors identified by Hammer and Champy appear to contradict directly the advice which auditors have been giving their clients about internal controls for decades.

This paper highlights the apparent contradictions but then suggests how internal control systems need to be reengineered to match reengineered processes.

BPR versus the auditors

For decades the bulk of advice given by auditors to their clients in letters to management concerned weaknesses in internal control systems and recommended stronger controls. The drive towards ever increasing levels of internal control and better "corporate governance" has gathered pace in recent years after some spectacular cases of corporate fraud .

Much of this advice is based on thinking that appears contrary to the principles of BPR as distilled by Hammer and Champy. Some might argue that in the process of improving internal controls most organisations have reduced their effectiveness and efficiency.

The following table shows how Hammer and Champy's recurring themes in BPR often appear to conflict with the traditional advice of auditors.

Hammer & Champy BPR

Traditional auditor's advice

Several jobs are combined into one.

Segregation of duties is needed.

Workers make decisions.

All transactions should be authorised before they occur.

The steps in the process are performed in a natural order (i.e. not necessarily one after the other).

It is normally assumed that work passes through a series of stages, obtaining sign offs and authorization to proceed after each stage.

Processes have multiple versions (e.g. simple version for simple cases, complex version for complex cases, with early split of cases).

It is normally assumed that there is only one procedure for doing a job. It is usual to recommend that controls are applied to all items.

Work is performed where it makes most sense (and by the people who sensibly should do it).

Generally discourage book keeping outside the accounts department because it tends to be done less well.

Checks and controls are reduced.

Controls should be increased.

Reconciliation is minimized.

Everything should be reconciled if possible.

A case manager provides a single point of contact.

Segregation of duties is needed.

Hybrid centralized/ decentralized operations are prevalent.

Generally prefer the supervisory control that comes from having book keeping done centrally.

Information technology is used heavily.

Auditors do not oppose the use of information technology but have always been worried by its use, fearing computer fraud and systematic errors.

Note: The final point about use of information technology is not included in Hammer & Champy's list of principles, but they give a whole chapter to it in their book.

Auditors' recommendations have steered organisations towards splitting work between different people, with plenty of checks and reconciliations, and ensuring that all items are processed with equal rigour.

BPR suggests the opposite: work should not be split up, people should be empowered (with minimum checks and reconciliations), and different procedures can be used as alternatives.

Why internal controls must be reengineered

BPR is just not compatible with conventional control methods and preferences.

BPR practitioners need methods of exerting control that do not contradict BPR, or at least which minimise the loss of efficiency caused by adding controls to a reengineered process.

But before these control techniques are introduced into a reengineered process we need to appraise the risks of the process and set appropriate control objectives.

Rethinking risk analysis

Although reengineered processes tend to have less segregation of duties and be more reliant on computer systems (with all their associated control risks) there is a positive side to most reengineering principles that should be considered before deciding what controls, if any, may be needed.

The effects of BPR principles on inherent risks are suggested in the following table.

Hammer & Champy BPR

Effect on inherent risk

Several jobs are combined into one.

Personal accountability is increased and there are fewer opportunities for errors from misunderstandings, lost documents, etc.

Workers make decisions.

This should be achieved by providing workers with more information and with programmed advice, so the chances of a bad decision by the worker are less.

The steps in the process are performed in a natural order (i.e. not necessarily one after the other).

Later processing may reveal problems so the sooner it is done the better and the faster turnaround means there is less risk of a decision being based on facts which are out of date.

Processes have multiple versions (e.g. simple version for simple cases, complex version for complex cases, with early split of cases).

This will be based on risk so the most rigorous procedure will be followed for the most risky items.

Work is performed where it makes most sense (and by the people who sensibly should do it).

The risk of error through miscommunication is reduced.

Checks and controls are reduced.

Not applicable to inherent risk.

Reconciliation is minimized.

Not applicable to inherent risk.

A case manager provides a single point of contact.

Personal responsibility is enhanced and the chances of error through miscommunication are reduced.

Hybrid centralized/ decentralized operations are prevalent.

This is usually achieved by using computer systems in ways that can extend central control outwards.

Information technology is used heavily.

Computers tend to be more reliable than people.

Rethinking control objectives

The conventional approach to setting control objectives is based around checklists of control objectives worded so that they require total completeness, accuracy, validity, and so on. Risk analysis might be used to weight the importance of each objective, exclude some objectives, or introduce more detail for others.

Bounded total cost

However, some examples of BPR reflect what could be called a bounded total cost approach, and this may be more appropriate generally for reengineered processes.

Hammer and Champy give this example (p58):

"Consider the credit card-based purchasing process we just described. Compared to more traditional processes, this one seems almost devoid of controls. Departments might use their credit cards to go on wild spending sprees. People could run away to Brazil with the spoils of their raids on office supply vendors. Or so feared the company's internal auditors. But they were wrong because the reengineered purchasing process does have a point of control; unauthorized purchases will be detected when the credit card tape is run against the department's budget and when the departmental manager reviews the expenditures. Given the credit limit on the cards, the process designers felt it was better to swallow the limited exposure to abuse that the new process embodies in order to eliminate the overhead cost associated with the traditional controls."

This approach has two steps:

  1. The maximum exposure is limited to an acceptable amount using low cost controls such as post hoc review or highly selective authorization.

  2. The cost of the remaining exposure to loss is balanced against the cost of preventing the loss by introducing further controls.

At the control objective setting stage all that is required is a statement of the maximum loss limit and of the costs that should be considered in applying the limit.

Cost minimisation is done during controls design.

Rethinking internal controls

Established preferences for control techniques need to be revised. Preferred control techniques should provide adequate control but should not slow down or add costs to basic business processes.

Segregation of duties

Segregation of duties is described by the Auditor's Operational Guideline on Internal Controls as "One of the prime means of control".

However, in a typical reengineered process the transaction and its recording are initiated by a single person and carried out by an integrated computer system. As far as possible all the activities needed to carry through a process from start to finish and to record it are placed under the control of one individual or, if this is not possible, a small team. An example is a line of checkouts in a supermarket.

Since segregation of duties is not available alternative control techniques are needed.

  1. The computer system

    The integrated computer system is itself a powerful control. Provided the worker is reliant on the system to carry out actions (e.g. order stocks) and provided the system records every action correctly and its records cannot be altered by the worker, the records will be reliable.

    At a supermarket checkout the operator can only work using the electronic till. At modern checkouts control over incorrect pricing is provided by forcing operators to use a barcode reader or enter product codes rather than prices while the till displays descriptions and prices of goods to the customer to be checked.

  2. Comparison between workers

    Supervisory control can also be exerted by comparing the behaviour of individual workers with that of others doing the same work.

    This is more likely to be possible in a reengineered process because of the very reorganisation that removed segregation of duties.

    For example, in a process involving three activities performed one after the other the work might originally have been performed as if by a production line, with each worker responsible for a particular activity, but for all items (e.g. for all customer orders).

 

Activity 1

Activity 2

Activity 3

Order 1

Alan

Bob

Collette

Order 2

Alan

Bob

Collette

Order 3

Alan

Bob

Collette

After reengineering each worker performs all three activities but not for all items.

 

Activity 1

Activity 2

Activity 3

Order 1

Alan

Alan

Alan

Order 2

Bob

Bob

Bob

Order 3

Collette

Collette

Collette

Provided the system can distinguish between work done by each worker and perform analytical summaries and comparisons, the actions of each worker can be compared. If one worker's profile is unusual it can be investigated to find the reason. This provides protection against fraud, error, and persistent incompetence while helping to identify successful workers.

In a supermarket the checkout operator's scope for fraud can be limited to entering incorrect product codes by hand (instead of using barcodes) and not coding some of the products a friend has brought to the checkout. The supervisor can look for lower than normal values passing through the till in a particular shift, lower than usual numbers of items, and excessive use of manual product code entry.

Since performance analyses of the kind needed are more usually provided for whole processes rather than for individual activities there is a better chance that the software will be able to do what is required in the reengineered process.

Authorization

According to the Auditor's Operational Standard on Internal Controls "All transactions should require authorization or approval by an appropriate responsible person." Traditionally, this has meant that for every transaction a person wants to carry out or process there should be at least one signature written by a more senior person beforehand.

In one particularly severe case observed by the author a credit note for 5.69 required three signatures, two by the Sales Director (but on different occasions!) before it could be sent to the customer.

  1. High level authorization with computer enforcement

    Authorization can be easier and less obstructive if it is carried out at a high level, with computer systems used to prevent actions outside those authorised. For example, a spending plan covering dozens of purchases could be authorised removing the need for any further authorizations. Stocking policies could be worked out, authorised, and programmed, removing the need for further authorizations until the policy needs to be changed.

  2. Selective authorization

    There is usually no need for every transaction to be authorised by a second person before it takes place. Only items that are high risk because they are complex, subject to fraud, or high value need be authorised beforehand.

    The computer system should selectively raise these items for online authorization and give workers the option of requesting an authorization for other items if they want the reassurance of a second opinion.

    The same technology allows data input to a computer system to be checked as it is entered, not just to prevent input of data which must be wrong, but also to raise a warning and request confirmation when an input is unusual, and therefore probably wrong.

  3. Enhanced post hoc review

    Regardless of the policy for pre-transaction authorization all activities should be reviewed post hoc. To be really effective this should be computer assisted.

    This is an area where many organisations have weak controls, partly because they think pre-transaction authorization makes post hoc review unnecessary. (Whereas in fact it is the other way around.) In one case, an organisation's purchasing procedure had so many signatures, forms, and delays built into it that employees bypassed it altogether and telephoned their orders to suppliers directly. No post hoc reviews were carried out so the extra purchases were not noticed.

    Computer assistance could include reports and screen displays highlighting large or unusual items, subtotalling items of the same type or initiated by the same person, making comparisons with budgets, previous periods, and other staff, searches for duplication, missing data, breaches of business policies, items being more or less numerous than expected, items with values outside the usual range, and variations in ratios and summary statistics.

    For example, sophisticated computer assisted post hoc review is used by the regulators of LIFFE who continually analyse patterns of trading using data downloaded from the exchange's centralised dealing system.

    The more exact the computer system's expectations for transactions the more powerful the assistance can be. Activity based modelling and forecasting can provide very detailed expectations by relating non-financial to financial information. Such techniques can be used to analyse actual results for items which may represent errors or fraud.

    Even if specific rules for detecting incorrect items are not known the quantity of data freely available makes training neural networks quite feasible. The network can identify the risk factors for itself.

  4. Audit reviews

    In preventing and detecting fraud, normal internal controls can be vulnerable. They are mechanistic, predictable, and there are usually chinks in the armour of regular checks, reviews, reconciliations, and so on. Once a weakness has been found it can be exploited repeatedly with confidence.

    If the purpose of a control is mainly to prevent or detect fraud (rather than error) it may be more efficient to withdraw regular, predictable reviews and substitute irregular, unpredictable reviews. These might involve picking small points at random and following them up in depth.

    From the fraudster's perspective the reviews should appear completely random and unpredictable - and frighteningly thorough when they occur. It should not be possible to predict what will be examined, how, or when. Potential fraudsters should be sent a clear message: a review could look at anything, to any depth, at any time.

    Although many reviews should be triggered at random, others should be triggered by risk factors picked up from post hoc reviews, from personal contacts, from the personnel records, and so on. For example, complaints by customers, book keepers who haven't taken a holiday for nine months, employees known to be unhappy with their employer, teams with unusually high or low performance, and managers close to performance bonus thresholds.

Checking and inspections

Many of the comments regarding authorization apply equally to checks and inspections. However, one feature of reengineered processes that deserves further examination is the tendency to perform work in a natural order i.e. not necessarily in a series of stages, each of which must be finished before the next can begin.

An example is the way software development is being reengineered from waterfall lifecycles towards Rapid Application Development. In RAD, many documents, reviews, iterations, meetings, etc are replaced with a few intense sessions in which end users and developers work together to create a system. Many steps and stages are compressed into just a few and there are far fewer "sign offs" of supposedly agreed deliverables along the way.

RAD introduces fewer control problems than might be expected. Firstly, because it is quicker and so more likely to deliver a system that meets current requirements. Secondly, because pushing forward with the design in certain areas (e.g. by prototyping) can reveal errors in early design decisions. Thirdly, because design documentation can be organised into a waterfall structure even though the thinking was chaotic. Indeed, using a suitable computerised tool the team can attack the problem at any point, backtracking and jumping ahead freely, but store their decisions in a logical structure as if they had derived their design in a logical, step by step way.

The main controls required include:

Reconciliations

Global reconciliations and control totals are powerful accounting controls that usually do not hinder business processes.

The reconciliations Hammer and Champy particularly have in mind are detailed reconciliations between the accounting records of one enterprise and the accounting records of another. For example, between cash on bank statements and cash in the cash book, or between invoices expected (based on agreed prices and recorded deliveries) and invoices actually received.

Shift the burden

The main example of reengineering affecting reconciliations in "Reengineering the Corporation" is a poor one since the amount of reconciling was not reduced.

Ford used to reconcile invoices received to records of deliveries and agreed prices. Now, under Ford's Evaluated Receipts Scheme (ERS), it is the supplier who is forced to carry out the reconciliation. Ford's computers calculate the amount Ford should pay and any difference between that and what the supplier was expecting to receive is up to the supplier to challenge. This is reengineering but the amount of work done has not changed, only the enterprise that has to do the work.

Cooperative alternatives

For organisations with less power than Ford this is not a viable option. Reconciliation between the accounting records of trading enterprises is a valuable defence against the errors and dishonesty of others and also uncovers one's own errors.

However, the cost of reconciliations can be reduced by Electronic Data Interchange and automatic matching of items.

Shared electronic markets such as those used for trading securities, provided they are regarded as accurate and reliable, can provide an alternative to detailed reconciliations. A trusted third party carries out data processing that otherwise would have to be duplicated and reconciled between the trading parties.

Perhaps in future companies will put their products "on the market" by having them listed on independently run Internet markets covering vast ranges of products and services. Customers will buy the products by placing orders in the same markets. Both parties will receive electronic statements of purchases and sales which will be regarded as definitive and not checked in detail.

The role of the controls design specialist

A specialist in controls design, using ideas such as those presented above, can contribute to the BPR effort in a number of ways:

Conclusion

Traditional internal controls can introduce significant delays and costs to processes that have been reengineered. Unless suitable risk analysis, control objectives, and control techniques are used controls can be like a ball and chain around the ankle of a process designed for speed.

BPR practitioners should ensure they have designed control into their processes to avoid having brilliantly reengineered processes cramped by inappropriate controls demanded by auditors. This is particularly important where controls can be built into the software used to support the process.

Auditors should be more sensitive to the cost implications of their control recommendations and suggest a range of controls including more sophisticated post hoc review techniques.

References

"Reengineering the Corporation" by Michael Hammer and James Champy 1993

"Design Methods" by J Christopher Jones 1980

"Internal Controls" issued by the Auditing Practices Committee 1980



© 1996 Matthew Leitch
New website, new perspective: www.WorkingInUncertainty.co.uk - Related articles - All articles - The author - Services

If you found any of these points relevant to you or your organisation please feel free to contact me to talk about them, pass links or extracts on to colleagues, or just let me know what you think. I can sometimes respond immediately, but usually respond within a few days. Contact details

Matthew Leitch - Author

About the author: Matthew Leitch is a tutor, researcher, author, and independent consultant who helps people to a better understanding and use of integral management of risk within core management activities, such as planning and design. He is also the author of the new website, www.WorkingInUncertainty.co.uk, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it, and an increasingly sought after tutor (i.e. one-to-one teacher). more

Please share:            Share on Tumblr