Saturday, June 6, 2020

How might driver-based forecasting—an approach that bases financial forecasts on operational drivers

Driver-Based Forecasting: Selecting the Right Drivers

How might driver-based forecasting—an approach that bases financial forecasts on operational drivers—support your company's performance management needs? In the following Q&A—based on questions asked by participants during a live webcast on the topic—we discuss driver-based forecasting, the business models that lend themselves to this approach, and alternative planning and forecasting approaches.
We have a very low-tech environment and do most of our work in spreadsheets. Is implementing driver-based forecasting even possible for us?

Absolutely. Implementing driver-based forecasting is something you can set up in a spreadsheet environment for the purposes of scenario analysis with a very small, limited-use footprint. But to get even more value from driver-based forecasting you need an integrated platform where you can see the consensus forecast across the company, measure performance against drivers, and run a distributive process. It's possible to set something up through a spreadsheet, though an integrated tool can better execute this.
What are the biggest hurdles in implementing driver-based forecasting?

Getting organizational alignment around the entire framework tends to be the biggest hurdle. Everyone needs to understand their role in the driver-based framework—what pieces they own, what pieces they are accountable for. And you need to get alignment throughout the organization on which drivers and rates you'll be using. If you try doing this in isolation, people won't buy into it and you won't get all of the value out of it that you otherwise might.
How many driver levels do you typically see for forecasting revenue? For example: Revenue = Volume x Price, Volume = Category Growth x Share, Share = Base Volume Share + Incremental Volume Share, and so on.

We would suggest that it's even more complicated than just the levels. One of the challenges in the world of driver forecasting for revenue and volume is also your time window, because you can use different methods for the different time windows. The critical question is do you have good source data on your drivers. So if you have a good way to distinguish base and incremental, maybe through promoted or non-promoted or some other method by which you can isolate those drivers, then it is reasonable to bring them into the calculation. If you have an ability to look at distribution outlets, if you break down a channel, it can be reasonable to bring that in. One of the places where we see complexity emerge is where you expand it out too far into the theoretical and don't have any actual driver to bring into play. You may be able to add variables and levels of detail into your input, but they don’t necessarily give you an analytical benefit on the other side.
A big flaw I see in your model is the assumption that everything is variable in the short term. How do you account for fixed-cost elements that do not flex directly with volume?
This seems to be consistent with what we're saying. Some things lend themselves to driver-based forecasting, things that vary in cost and that flex with volume—typically volumes that are out of your control. For things that are more fixed, driver-based forecasting is probably not the best choice. Traditional or choice-based planning would be better, depending on whether you’re dealing with a discretionary or non-discretionary expense. You want to avoid artificially tying some driver to a fixed expense because you are trying to manage the overall cost envelope.
If I understand driver-based forecasting correctly, not only would you need a quality source for volume data but a very timely source so that leadership can manage appropriately. Do you agree?

Yes, the timeliness of the information is critical. Typically we see the variance analysis being done after month-end close and your volume data will be linked in to that process. When you bring in your actual data for financial values, you want to have an agreed-upon source to have these volumes brought in and then do that back calculation and do your three-way variance at that time. You can't be waiting three to six months down the line to get the data, because at that point you won’t be able to change course, if that's required.
Is there a preferred or optimal number of drivers to identify and manage on an ongoing basis?

It depends. There is no set or preferred number of drivers. In fact, we are suggesting that there is no clear effective practice that applies to everybody. It comes down to, first, what is your business model and, from that, the appropriate type of spending. And second, what are you trying to measure and what are the analytical decisions you want to make out of that. If you look at the three case studies we talked about, the Internet company didn’t have many drivers at all. The wireless telecom employed about 15. And the manufacturer had many more. So it depends on the business model and what analytical question you’re trying to answer.
How do you segregate the implications of one discretionary project from other projects or external forces when measuring results to hold a specific project accountable for their estimate?

To state your question another way: because so much can impact a driver or a rate, how can you effectively tie an investment or an initiative to one of those drivers or rates? This can be difficult. However, you can effectively apply it when you can tie your discretionary spending to a rate that is controlled internally, so you can filter out external, macro-economic factors. Suppose it is a rate that is controlled internally and you say, "You've been trending at $2,000 per unit against this particular driver, we're going to fund this investment but we expect to see that come down to $1,800." As long as everything is in the control of the organization and as long as six different investments aren't all hitting that same driver-rate calculation, you can tie a specific choice or investment with a particular driver over the long term. That said, it can be hard to do for a sales forecast because there are so many other factors. But thinking about it in a rigorous way and linking it into the planning model can be a valuable process and make your business cases both more tangible and easier to understand.
Is an activity-based costing system a requirement for a successful driver-based forecasting system?

No. You don't need to have activity-based costing in place to do driver-based forecasting. They can exist independent of each other. If you have activity-based costing, it can accelerate your adoption of driver-based forecasting because you already have an initial sense of the activities that drive cost and the rates associated with them. If you have both activity-based costing and driver-based forecasting, it is very important to keep the two in sync so that you have consistency between them. Activity-based costing is likely going to exist at a level of detail that is deeper than driver-based forecasting. So they have to point in the same direction while you maintain the balance between the levels of detail.
How do you select drivers and rates when the rate changes based on the frequency with which the drivers occur? That is, how do you account for economies of scale that occur as driver frequency increases?

This brings up a couple of issues. One is the planning process: you have to think about things like scale and changes to drivers within the timing of your planning process. Frequency is important. If a driver's rate is adjusting for economies of scale every couple of months, you want a planning process that reflects that. If it changes more on an annual basis, the same applies. Each company has to think about the rate of refresh, that is, how often it executes its forecasting or planning process and how it deals with targeting and budgeting or forecasting and predicting. These questions are all related and it is hard to answer more definitively without knowing the frequency of your organization's process.
Breakeven analysis is very helpful as a predictor of profitability. How would you implement it? And what about the variable vs. fixed-cost challenge?

The driver-based model can be a very rigorous way to do a breakeven analysis for a new product or introduction. If you have the model figured out, you can plug in any sort of new growth and even isolate the other parts of the business that you don't want to model. Take the example of a new introduction. You can input that into a driver-based model and, for all the variable pieces, have that flow through and understand the full cost. You then need to understand what the fixed costs attributable to the new product introduction would be—and this is where the more traditional or choice-based planning would come in. This puts you at that point where you've got the breakeven analysis. The driver-based model can help blow out the variable piece of the breakeven analysis, but not the non-driver-based pieces.
How can product mix (e.g., returns) be factored into the volume/rate variance calculations?
You have to bring in product-level volume at a level of detail low enough to support the analysis. Bring in enough level of detail to make the analysis accurate. One might be product family and another might be stock keeping unit (SKU) level, depending on the importance of mix and margin.
You do have control over volume of returns as you drill down to why the returns occurred in the first place.

The enterprise may have some control—for instance, product development has control over how simple they make the product—but it’s still beyond the control of the person forecasting returns expense.
Is there an average time required for each planning type by specific industries?

Some people are more effective and efficient than others. And some industries that are more capital intensive may take longer. But we don’t see averages by industry.
Aren't those post-mortems often too late with capital expenditures?

We believe the process of doing a post mortem is more important than the timing of it.

Tadd Morganti, Managing Director | Deloitte Consulting LLP
tmorganti@deloitte.com

www.gmsisuccess.com

Monday, June 1, 2020

Internal audit failure leads to corporate governance failure





Toshiba - a case of internal audit failure:


Toshiba, a 140-year-old pillar of Japan Inc, is caught up in the country's biggest accounting scandal since 2011. In 2011, Olympus Corp was embroiled in a scandal. In July 2015, Toshiba Corp president Hisao Tanaka and his two predecessors quit after investigators found that the company inflated earnings by at least $1.2 billion during the period 2009-2014. Toshiba is one of the early adopters of the corporate governance reforms initiated in Japan. The corporate governance structure met corporate governance standards. Time and again cases of corporate governance failures have provided evidence that good corporate governance structure does not necessarily lead to good corporate governance. Organisation culture is a critical determinant of the quality of corporate governance.
Some of the observations of the independent investigation committee of the company on internal audit demand discussion and debate.
The investigation committee observes, "According to the division of duties rules of Toshiba, the corporate audit division is in charge of auditing the corporate divisions, the companies, branch companies, and affiliated companies. However, in reality the corporate audit division mainly provided consultation services for the 'management' being carried out at each of the companies, etc (as part of the business operations audit), and it rarely conducted any services from the perspective of an accounting audit into whether or not an accounting treatment was appropriate."

The observations of the committee give the impression that the fault of the internal audit in Toshiba was that it focused on consultation service rather than assurance service. Should internal audit avoid providing consultation service? I do not think so. It was not the fault of the internal audit that it provided consultation service. The fault was that it did not pay attention to accounting audit.
In Toshiba, the top management used to set targets that are unachievable. There was excessive pressure from the top management to achieve those targets.
The variable pay is a significant portion of the total pay. The compensation of executive officers comprises a base compensation based on title and a role compensation based on work content. Forty per cent to 45 per cent of the role compensation is based on performance of the overall company or business department. 'Challenge' to achieve unachievable targets and performance-based pay provide enough motivation to manage earnings. Therefore, accounting audit should have been a focus area for internal audit.
Internal audit can function independently only if the audit committee is capable, independent and effective, and the internal auditor reports to the audit committee.
In Toshiba, the audit committee was neither capable nor independent. The three external members of the audit committee had no knowledge of finance and accounting. An ex-Chief Financial Officer (CFO), who was the CFO during the timeframe when accounting irregularities occurred, was the only whole time member of the audit committee. Therefore, the internal audit was not independent of the management. Earnings management had the tacit approval of the top management. Therefore, it is not surprising that accounting audit was excluded from the scope of internal audit. It is incorrect to infer that the accounting audit did not receive the attention of the internal audit because its focus was on providing consultation service.
Contemporary literature defines internal audit as 'assurance and consulting service'. The issue is one of balancing consultation service and assurance service. A problem arises when the internal auditor forgets that internal audit is primarily an assurance function. The consultation service flows from the assurance service. Although the primary objective of operation audit is to obtain assurance that the internal control installed to achieve operation objectives is adequate and operating effectively, the auditees look to the internal auditor for suggestions and consultancy. Such consultation service is a by-product of the assurance service. Auditees should not be denied the benefits of the internal auditor's understanding of the industry and the business, and of the challenges before the auditees in achieving operation objectives. Exclusion of consultation service from the scope of internal audit would result in sub-optimal utilisation of internal audit resources.
Organisation culture also determines the effectiveness of internal audit. The investigation committee observes, "A corporate culture existed at Toshiba whereby employees could not act contrary to the intent of their superiors". In such a culture an upright internal auditor cannot survive, particularly if he is not independent of the management. Perhaps, it is the reason that the internal audit in Toshiba had chosen the easy path of focusing on 'consultation service' only without reporting internal control weaknesses.
The internal auditor is the 'eyes and ears' and 'go-to man' of the audit committee. Therefore, internal audit failure leads to corporate governance failure.

Friday, May 29, 2020

Risk of Internal Controls Failures



Last week’s announcement by the Securities and Exchange Commission (SEC) of the resolution of its outstanding Foreign Corrupt Practices Act (FCPA) enforcement action with Halliburton Company continues to resonate and provide lessons for the compliance practitioner. [Full disclosure – I am a Halliburton shareholder] I wanted to continue to explore the enforcement action around the issue of internal controls, their effectiveness (or lack thereof) and management over-ride of internal controls.
In a Cease and Desist Order which also covered former employee Jeannot Lorenz, the SEC spelled out a bribery scheme facilitated by both a failure and over-ride of company internal controls. The matter involved Halliburton’s work in Angola with the national oil company Sonangol, which had a local content requirement. The nefarious acts giving rise to the FCPA violation involved a third-party agent for Halliburton’s contracts with the state-owned enterprise.
According to the SEC Press Release, this matter initially began in 2008 when officials at Sonangol, Angola’s state oil company, informed Halliburton management it had to partner with more local Angolan-owned businesses to satisfy local content regulations. The company was successful in meeting the requirement for the 2008 contracting period.
However, when a new round of oil company projects came up for bid in 2009, Sonangol indicated, “Halliburton needed to partner with more local Angolan-owned businesses in order to satisfy content requirements.” The prior work Halliburton had on local content was deemed insufficient and “Sonangol remained extremely dissatisfied” with the company’s efforts. Sonangol backed up this dissatisfaction with a potential threat to veto further work by Halliburton for Sonangol. It was under this backdrop that the local business team moved forward with a lengthy effort to retain a local Angolan company (Angolan agent) owned by a former Halliburton employee who was a friend and neighbor of the Sonangol official who would ultimately approve the award of the business to Halliburton.
In each of these attempts, the company bumped up against its own internal controls around third parties, both on the sales side and through the supply chain. The first attempt to hire the Angolan agent was as a third-party sales agent, which under Halliburton parlance is called a “commercial agent”. In this initial attempt, the internal control held as the business folks abandoned their efforts to contract with the Angolan agent.
The first attempt to hire the Angolan agent was rejected because the local Business Development (BD) team wanted to pay a percentage fee based, in part, upon work previously secured under the 2008 contract and not new work going forward. Additional fees would be paid on new business secured under the 2009 contract. This payment scheme for the Angolan agent was rejected as the company generally paid commercial agents for work they helped obtain and not work secured in the past. Further, the company was not seeking to increase its commercial agents during this time frame (Halliburton had entered into a Deferred Prosecution Agreement (DPA) for FCPA violations in December 2008 for the actions of its subsidiary KBR in Nigeria).
Finally, “As outlined by Halliburton’s legal department, to retain the local Angolan company as a commercial agent, it would be required to undergo a lengthy due diligence and review process that included retaining outside U.S. legal counsel experienced in FCPA compliance to conduct interviews. Halliburton’s in-house counsel noted that “[t]his is undoubtedly a tortuous, painful administrative process, but given our company’s recent US Department of Justice/SEC settlement, the board of directors has mandated this high level of review.”” In other words, the internal controls held and were not circumvented or over-ridden.
The Angolan agent was then moved from commercial agent status to that of a supplier so the approval process would be easier. The proposed reason for this switch in designations was that the Angolan agent would provide “real estate maintenance, travel and ground transportation services” to the company in Angola. However, the internal controls process around using a supplier also had rigor as they required a competitive bidding process which would take several months to complete. Over-riding this internal control, the local business team was able to contract with the Angolan agent for these services in September 2009 and increase the contract price, all without the Angolan agent going through the procurement internal controls.
A second internal control which was over-ridden was the procurement requirement that the supplier procurement process begin with “an assessment of the criticality or risk of a material or services”; not with a particular supplier and certainly not without “competitive bids or providing an adequate single source justification.” However, as the Order noted, the process was taken backwards, with the Angolan agent selected and then “backed into a list of services it could provide.” Finally, there was a separate internal control that required “contracts over $10,000 in countries with a high risk of corruption, such as Angola, to be reviewed and approved by a Tender Review Committee.” Inexplicably this internal control was also circumvented or over-ridden.
Companies are required to maintain and assess the effectiveness of Internal Controls over Financial Reporting (ICFR).
Teladoc, Inc., an emerging growth company, disclosed a material weakness in its ICFR in the risk factors section of its filing, but was not required to issue either a Management or Auditor’s Report on Internal Control Over Financial Reporting. The disclosure reads:
In connection with our December 31, 2015 and 2014 audits, we identified a material weakness in our internal control over financial reporting. A material weakness is defined as a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of our annual or interim financial statements will not be prevented or detected on a timely basis.

The material weakness pertains to the breadth of our internal accounting team. Specifically, we do not have a sufficient number of accounting personnel to effectively design and operate proper internal controls over financial reporting. We are working to remediate the material weakness. We have begun taking steps and plan to take additional measures to remediate the underlying causes of the material weakness, primarily through the continued hiring of additional accounting personnel. In addition, we are in the process of documenting and assessing our internal controls over financial reporting and once complete, we will test these controls. The actions that we are taking are subject to ongoing senior management review, as well as audit committee oversight. Although we plan to complete this remediation process as quickly as possible, we cannot at this time estimate how long it will take to fully remediate the material weakness. If our remedial measures are insufficient to address the material weakness, or if significant deficiencies or material weaknesses in our internal control over financial reporting are discovered or occur in the future, it may adversely affect the results of our management evaluations and, when required, annual auditor attestation reports regarding the effectiveness of our internal control over financial reporting required by Section 404 of the Sarbanes‑Oxley Act. In addition, if we are unable to successfully remediate the material weakness and if we are unable to produce accurate and timely financial statements or we are required to restate our financial results, our common stock price may be adversely affected and we may be unable to maintain compliance with the NYSE listing requirements.
5 Internal Control Risks Every Organization Should Address
How often does your organization complete a detailed review of its internal controls? How many changes have occurred within your organization since the internal controls were designed? Have there been employee changes, process changes, new information systems, growth, or other changes that could have impacted those internal controls?
Every organization develops internal controls to achieve the following objectives:
  • Reliability of financial reporting
  • Safeguarding of assets
  • Complying with laws and regulations
  • Effectiveness and efficiency of operations
These controls should be re-evaluated on a routine basis to ensure that they are operating properly and still meet their objectives. When designing internal control policies, there are some common risks that every organization should consider, including:
  1. Management Override of Controls – Management is primarily responsible for the design, implementation, and maintenance of internal control and therefore, there is the inherent potential for management to override these controls. If an executive has the ability and an incentive – such as earnings targets or personal financial issues – to override controls and commit fraud, it is a risk not easily overcome. It requires those charged with governance, such as the shareholders, Board of Directors, or Audit Committee, to take an active approach in evaluating the possibility of fraud occurring at the organization and developing additional steps to control the risk of management override if these fraud risks are identified. In addition, setting the proper tone at the top can help the organization and its employees maintain their integrity.
  2. Limited Segregation of Duties – No single person should be responsible for the authorization of transactions, recording of transactions, and custody of the impacted assets of transactions. Smaller organizations may have difficulties implementing proper segregation of duties due to limited staffing, although larger companies can also have issues if the segregation is not properly designed. Smaller organizations need to implement compensating controls to help ensure the objectives are met, such as oversight, supervision, and monitoring by management or those charged with governance.
  3. Overreliance on Detective Controls vs. Preventive Controls – Although detective controls will identify whether something is wrong, it may be too late and the damage may have already been done. A good internal control system not only has detective controls, but also has preventive controls. Preventive controls can include things such as ongoing training on policies and procedures, implementing user names and passwords to limit access to the system or modules within the system, requiring dual signatures on disbursements, or conducting a review and approval of purchase requests prior to purchase.
  4. Informal vs. Formal Controls – Smaller organizations may have key controls that are performed at the entity level vs. at the activity level. These entity level controls are typically less formal and performed by one or two key individuals, such as the owner or manager. Regardless of whether controls are informal or formal, they need to be actively monitored to ensure they are being performed.
  5. Overly Trusting – When we hear stories of fraud, quite often the perpetrator is described as being honest, trustworthy, and a great employee whom you never suspected. An organization should trust its employees to be good employees and do their job to the best of their ability, but this trust should not reduce its internal controls. In the words of Ronald Reagan, “Trust, but verify.”
Internal controls serve as the first line of defense in preventing fraud and ensuring the viability of your organization. Even organizations with existing controls in place need to reevaluate them from time to time to ensure the objectives are still being met and identify any areas of weakness or new risks.  Consider the internal controls risks outlined above when evaluating your organization’s existing internal controls. It’s important to be proactive in assessing what risks need to be addressed, designing the controls necessary to mitigate those risks, and implementing those controls successfully.


Wednesday, May 27, 2020

Accounting Information Systems and Internal Control


We will learn about the accounting information systems that companies use to pull all of this wonderful accounting information together and make it available to internal and external users. We will also learn about the internal controls that are built into the accounting information system to ensure the reliability of the financial information, the effectiveness and efficiency of operations and the company's compliance with applicable laws and regulations. A good system of internal control will help reduce errors and irregularities, and help minimize the "opportunity" to commit fraud.
There are a few reasons why threats to accounting information systems are increasing. The first reason is that information is available to an unprecedented number of workers. Besides, information on distributed computer networks is hard to control. Information is often distributed among many systems and thousands of employees. Customers and suppliers have access to each other’s systems and data.
Any potential adverse occurrence is called a threat or an event. The potential dollar loss from a threat is called the exposure or impact. The probability that it will happen is called the likelihood of the threat.
Internal control is the process implemented to provide reasonable assurance that the following control objectives are achieved. It is a process because it permeates an organization’s activities and is an integral part of management activities. Internal control provides reasonable assurances. Complete assurance is difficult to achieve and prohibitively expensive.
Internal controls perform three important functions:
  1. Preventive controls deter problems before they arise.
  2. Detective controls discover problems that are not prevented.
  3. Corrective controls identify and correct problems as well as correct and recover from the resulting errors.
Internal controls are often segregated into two categories:
  1. General controls. This type of control makes sure an organization’s control environment is stable and well managed.
  2. Application controls. This type of control makes sure transactions are processed correctly.
A Harvard business professor has espoused four levels of control to help management reconcile the conflict between creativity and controls.
  • Belief system. This system describes how the company creates value and helps the employees understand the management’s vision.
  • Boundary system. This system helps employees act ethically by setting boundaries on employee behavior.
  • Diagnostic control system. This type of system measures, monitors, and compares actual company progress to budgets and performance goals.
  • Interactive control system. This system helps managers to focus on key strategic issues and to be more involved in decisions.
The Foreign Corrupt Practices Act (FCPA) was passed to prevent companies from bribing foreign officials to obtain business. The Sarbanes-Oxley Act (SOX) is the most important business-oriented legislation of the last 75 years. After SOX was passed, the SEC mandated that management must base its evaluation on a recognized control framework. Management must also disclose all material internal control weaknesses and must conclude that a company does not have effective financial reporting internal controls if there are material weaknesses.
There are three frameworks used to develop internal control systems.
  • COBIT framework. ISACA developed the Control Objectives for Information and Related Technology (COBIT) framework. This framework addresses control from three vantage points.
    • Business objectives. This is to satisfy business objectives.
    • IT resources. These include people, application systems, technology, facilities and data.
    • IT processes. These are broken into four domains: planning & organization, acquisition & implementation, delivery & support and monitoring & evaluation.
  • The Committee of Sponsoring Organizations (COSO) consists of a few organizations. COSO issued Internal Control – Integrated Framework (IC), which is widely accepted as the authority on internal controls and is incorporated into policies, rules, and regulations used to control business activities.
  • COSO developed another control framework to improve the risk management process. It’s called Enterprise Risk Management – Integrated Framework (ERM). ERM is the process the board of directors and management use to set strategy, identify events that may affect the entity, assess management risks, and provide reasonable assurances that the company achieves its objectives and goals.
The internal environment, or company culture, influences how organizations establish strategies and objectives and structure business activities. A weak or deficient internal environment often results in breakdowns in risk management and control. An internal environment consists of the following:
  • Management’s philosophy, operating style, and risk appetite
  • The board of directors
  • Commitment to integrity, ethical values, and competence
  • Organizational structure
  • Methods of assigning authority and responsibility
  • Human resource standards
  • External influences
Companies have a risk appetite, which is the amount of risk they are willing to accept to achieve their goals. To avoid undue risk, the risk appetite must be in alignment with company strategy. The more responsible management’s philosophy and operating style, and the more clearly they are communicated, the more likely employees are to behave responsibly.
An involved board of directors represents shareholders and provides an independent review of management that acts as a check and balance on its actions. Public companies have an audit committee of outside, independent directors. The audit committee is responsible for financial reporting, regulatory compliance, internal control and hiring and overseeing internal and external auditors.
The policy and procedures manual explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties. The manual includes the chart of accounts and copies of forms and documents. It is a helpful tool for both current employees and new employees.
Employees should be hired based on educational background, experience, achievements, honesty and integrity, and meeting written job requirements. Sometimes there is a background check. A thorough background check includes talking to references, checking for a criminal record, examining credit records, and verifying education and work experience.
One of the greatest control strengths is the honesty of the employees. Policies should convey the required level of expertise, competence, ethical behavior and integrity. The following policies and procedures are important.
  • Hiring
  • Compensating, evaluating and promoting
  • Managing disgruntled employees
  • Discharging
  • Vacations and rotation of duties
  • Confidentiality agreements and fidelity bond insurance
  • Prosecute and incarcerate perpetrators
Objective setting is the second ERM component. Management determines what the company hopes to achieve, often referred to as the corporate vision or mission. The company determines what must go right to achieve the objectives and establishes performance measures to determine whether they are met.
  • Strategic objectives
  • Operations objectives
  • Reporting objectives
  • Compliance objectives
The risks of an identified event are assessed in several different ways.
Inherent risk exists before management takes any steps to control the likelihood or impact of an event.
The residual risk is what remains after management implements internal controls or some other response to risk. Companies should assess inherent risk, develop a response, and then assess residual risk.
Management can respond to risk in one of four ways:
  • Reduce the likelihood and impact of risk by implementing internal controls
  • Accept the likelihood and impact of the risk
  • Share risk or transfer it to someone else
  • Avoid risk by not engaging in the activity that produces the risk
Accountants and systems designers help management design effective control systems to reduce inherent risk. They also evaluate internal control systems to ensure that they are operating effectively.
One way to estimate the value of the internal controls involves the expected loss, the mathematical product of impact and likelihood.
Expected loss = impact x likelihood
The value of a control procedure is the difference between the expected loss with the control procedure and the expected loss without it.
Control activities are policies and procedures that provide reasonable assurance that control objectives are met and risk responses are carried out. It is management’s responsibility to develop a secure and adequately controlled system.
Controls are much more effective when placed in the system as it is built, rather than as an afterthought. Managers need to involve systems analysts, designers, and end users when designing computer-based control systems.
Control procedures fall into the following categories:
  • Proper authorization of transactions and activities
  • Segregation of duties
  • Project development and acquisition controls
  • Change management controls
  • Design and use of documents and records
  • Safeguarding assets, records and data
  • Independent checks on performance
Because management lacks the time and resources to supervise each company activity and decision, it establishes policies for employees to follow and then empowers them. This empowerment, called authorization, is an important control procedure. Authorizations are often documented by signing, initialing, or entering an authorization code on a document.
Computer systems can record a digital signature, a means of signing a document with data that cannot be forged.
Certain activities or transactions may be of such consequence that management grants specific authorization for them to occur. In contrast, general authorization allows transactions to proceed without special approval.
Good internal control requires that no single employee be given too much responsibility over business transactions and processes. An employee should not be in a position to commit and conceal fraud. Segregation of duties is discussed in two separate sections: segregation of accounting duties and segregation of system duties.
Effective segregation of accounting duties is achieved when the following functions are separated (see also figure 7.3 on page 217).
  • Authorization: approving transactions and decisions
  • Recording: preparing source documents
  • Custody: handling cash, tools, inventory, or fixed assets
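An added example, not part of the original post: a Python check of the three-way separation above, applied once to access rights (a preventive control) and once to an activity log (a detective control). The entitlement names, users and log entries are constructed for illustration and do not come from any real system.

```python
from collections import defaultdict

# Constructed mapping from system entitlements to the three accounting
# functions that must be kept apart. Entitlement names are hypothetical.
ENTITLEMENT_FUNCTION = {
    "approve_purchase_order": "authorization",
    "approve_vendor": "authorization",
    "post_journal_entry": "recording",
    "create_invoice": "recording",
    "release_payment": "custody",
    "adjust_inventory_count": "custody",
    "view_reports": None,  # read-only, belongs to no sensitive function
}

# Constructed sample data: who holds which entitlements.
USER_ENTITLEMENTS = {
    "alice": {"approve_purchase_order", "view_reports"},
    "bob": {"post_journal_entry", "create_invoice"},
    "carol": {"release_payment", "post_journal_entry"},
    "dave": {"approve_vendor", "create_invoice", "release_payment"},
}

# Constructed activity log: (transaction id, function performed, user).
ACTIVITY_LOG = [
    ("T1", "authorization", "alice"),
    ("T1", "recording", "bob"),
    ("T1", "custody", "carol"),
    ("T2", "authorization", "dave"),
    ("T2", "recording", "bob"),
    ("T2", "custody", "dave"),
    ("T3", "recording", "carol"),
    ("T3", "custody", "carol"),
]


def functions_held(entitlements):
    """Return the set of accounting functions a set of entitlements grants."""
    held = set()
    for ent in entitlements:
        # Fail closed: an entitlement nobody has classified cannot be
        # assumed harmless, so it stops the review instead of passing it.
        if ent not in ENTITLEMENT_FUNCTION:
            raise ValueError(f"unmapped entitlement: {ent}")
        function = ENTITLEMENT_FUNCTION[ent]
        if function is not None:
            held.add(function)
    return held


def access_conflicts(user_entitlements):
    """Preventive check: users whose access spans two or more functions."""
    conflicts = {}
    for user, ents in user_entitlements.items():
        held = functions_held(ents)
        if len(held) >= 2:
            conflicts[user] = sorted(held)
    return conflicts


def transaction_conflicts(log):
    """Detective check: one user performing several functions on one transaction."""
    per_txn = defaultdict(lambda: defaultdict(set))
    for txn, function, user in log:
        per_txn[txn][user].add(function)
    findings = []
    for txn in sorted(per_txn):
        for user in sorted(per_txn[txn]):
            funcs = per_txn[txn][user]
            if len(funcs) >= 2:
                findings.append((txn, user, sorted(funcs)))
    return findings


if __name__ == "__main__":
    for user, funcs in access_conflicts(USER_ENTITLEMENTS).items():
        print(f"access conflict: {user} holds {', '.join(funcs)}")
    for txn, user, funcs in transaction_conflicts(ACTIVITY_LOG):
        print(f"transaction {txn}: {user} performed {', '.join(funcs)}")
```

The access check flags a user who could commit and conceal fraud even if they never have; the log check shows where the same person actually performed more than one function on a single transaction.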
With segregation of system duties, authority and responsibility should be divided clearly among the following functions:
  • Systems administration: make sure all information system components operate smoothly and efficiently.
  • Network management: ensure that devices are linked to the organization’s internal and external networks.
  • Security management: make sure that systems are secured and protected from internal and external threats.
  • Change management: make sure that changes are made smoothly and efficiently.
  • Users: record transactions, authorize data to be processed and use system output.
  • Programming: take the analysts’ design and create a system.
  • Computer operations: run the software on the company’s computers.
  • Information system library: maintains custody of corporate databases, files and programs in a separate storage area.
  • Data control
Important system development controls are the following:
  1. A steering committee. This committee guides and oversees systems development and acquisition.
  2. A strategic master plan. This is a plan developed and updated every year to align an organization’s information system with its business strategies.
  3. A project development plan. This is a plan that shows the tasks to be performed, who will perform them, project costs, completion dates, and project milestones.
  4. A data processing schedule. This schedule shows when each task should be performed.
  5. System performance measurements. These are established to evaluate the system. Measurements include throughput, utilization and response time.
  6. A post-implementation review. This review is performed after a development project is completed to determine whether the anticipated benefits were achieved.
Some companies hire a systems integrator to manage a systems development effort involving its own personnel, its client, and other vendors. Companies using systems integrators should use the same project management processes and controls as internal projects. They should develop clear specifications and monitor the project.
Independent checks on performance, done by someone other than the person who performs the original operation, help ensure that transactions are processed accurately. They include the following:
  • Top-level reviews. Management should monitor company results and periodically compare actual company performance to planned, prior-period, or competitors’ performance.
  • Analytical reviews. This is an examination of the relationship between different sets of data.
  • Reconciliation of independently maintained records. Records should be reconciled to documents or records with the same balance.
  • Comparison of actual quantities with recorded amounts. Significant assets are periodically counted and reconciled to company records.
  • Double-entry accounting. The maxim that debits equal credits provides numerous opportunities for independent checks.
  • Independent review. After a transaction is processed, a second person reviews the work of the first, checking for proper authorization etc.
Information and communication constitute the seventh component of the ERM and are also a very important component in the accounting information system. This relates directly to the primary purpose of an AIS, which is to gather, record, process, store, summarize, and communicate information about an organization.
An audit trail allows transactions to be traced back and forth between their origination and the financial statements.
Accounting systems generally consist of seven subsystems, each designed to process a particular type of transaction using the same sequence of procedures, called accounting cycles.
ERM processes must be continuously monitored and modified as needed, and deficiencies must be reported to management. Key methods of monitoring performance include the following:
  • Perform ERM evaluations. The effectiveness is measured using a formal or a self-assessment ERM evaluation.
  • Implement effective supervision. This involves training and assisting employees, monitoring their performance, correcting errors, and overseeing employees who have access to assets.
  • Use responsibility accounting systems. These systems include budgets, quotas, schedules, standard costs, and quality standards.
  • Monitor system activities. For example, risk analysis and management software packages review computer and network security measures, detect illegal access, test for weaknesses and vulnerabilities, report weaknesses found, and suggest improvements. The software also monitors and combats viruses, spyware, adware, spam etc.
  • Track purchased software and mobile devices. The Business Software Alliance (BSA) tracks down and fines companies that violate software license agreements. The increasing number of mobile devices should be tracked and monitored, because their loss could represent a substantial exposure.
  • Conduct periodic audits. External, internal and network security audits can assess and monitor risk as well as detect fraud and errors. Informing employees of audits helps resolve privacy issues, deters fraud, and reduces errors. Auditors should regularly test system controls and periodically browse system usage files looking for suspicious activities.
  • Employ a computer security officer and a chief compliance officer. A computer security officer (CSO) is in charge of system security, is independent of the information system function, and reports to the chief operating officer (COO) or the CEO.
  • Engage forensic specialists. Forensic investigators who specialize in fraud are a fast-growing group in the accounting profession. Computer forensics specialists discover, extract, safeguard and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.
  • Install fraud detection software. Neural networks are programs with learning capabilities. These networks can accurately identify fraud.
  • Implement a fraud hotline. A fraud hotline is an effective way to comply with the law and resolve whistle-blower conflict.

Saturday, May 23, 2020

Challenges faced by senior management and the Board in understanding fraud


Understanding Fraud, The Basics


Challenges faced by senior management and the Board in understanding fraud:
Enhanced focus on the consideration of fraud risks:
• Fraud risk is not considered top of the Board’s agenda due to the perceived low cost of losses due to fraud;
• Inordinate reliance on internal audit teams to tackle fraud risks;
• Limited understanding of what constitutes an effective fraud risk management program.


*Assess the types of frauds that can impact business:
Consider relevant types of fraud, such as fraudulent financial reporting, possible loss of assets, and corruption schemes through which fraud and misconduct can occur.
*Consider ways that fraud can occur:
Some of the factors to be considered include:
• Management bias (e.g., in the selection of accounting principles)
• Degree of estimates and judgments in external reporting
• Vulnerability to management override and potential schemes to circumvent existing control activities
• Understanding bribery and corruption risks
• Geographic regions, where the entity does business, and prevalent fraud risks in that region
• Incentives that may motivate fraudulent behavior (e.g., identifying the entity’s fraud risks, particularly when earnings pressures and aggressive incentive compensation programs exist)
• Nature of technology and management’s ability to manipulate information
• Unusual or complex transactions subject to significant management influence.
*Address fraud risks in light of changes in the operating environment:
Re-evaluate fraud risks as and when there are changes in the entity or external environment, such as regulatory changes or changes in the business environment.
*Understand fraud risks through business partners:
Assess the manner in which work is performed by vendors, outsourced agencies and other third parties doing business for and on behalf of the company.
*Review results of the fraud risk assessment undertaken:
Periodically review the results of the fraud risk assessment with the audit committee, and challenge the findings of the assessment for aspects such as management override of controls.


Friday, May 22, 2020

Why Management Accountants Can Play Important Role for application of Six Sigma in Industry

The nature of business has changed dramatically since the late 1980s when the United States’ lead in productivity was subjected to increasingly direct foreign competition from Asian and European industries. The American response to these challenges has been twofold. First, industries in the United States have moved production of less-complex standardized goods to foreign plants or, in many cases, ceded such low-profit manufacturing to developing nations. The net effect of such actions has been an unprecedented increase in the size of the service sector and a concentration on high-value-added manufactured products.
Currently, the service sector, defined as private nongoods-producing industries, accounts for approximately 70% of total economic activity in the United States. Services can include warehousing, transportation, distribution, and sale (rather than production) of a good, or they may involve the provision of a service such as medical care or the preparation and serving of restaurant meals. Second, American industries have found that they must maintain a sustained focus on quality in the production of goods and services in order to be globally competitive.
The American Society for Quality Control defines quality as “the total features and characteristics of a product or a service made or performed according to specifications to satisfy customers at the time of purchase and during use.”1
These two continuing trends—the rise of the service sector and the increased focus on quality—challenge the traditional role of the cost accountant, who historically was trained to track and cost out mass-produced standardized items. In addition to expertise on production and costing methods, today’s successful management accountant must have in-depth understanding of service quality. To ensure maximum productivity, profitability, and quality of complex tangible goods and intangible services, companies are using the sophisticated Six Sigma business management strategy. Much has been written about the Six Sigma methodology and its contribution to improving business processes. For example, Michael L. George discusses how to select projects that can be improved to deliver the maximum value with the least effort.2
Jay Arthur focuses on methods to dramatically improve speed and quality in manufacturing as well as service organizations.3
Unfortunately, most authors fail to discuss the crucial role that management accountants and accounting consultants can play in the successful adoption and use of Six Sigma methods. These require a team effort utilizing experts from a variety of disciplines, and we believe that management accountants, with their expertise in problem solving, should be key players on any Six Sigma team. To demonstrate these possibilities, this article will consider how management accountants can become involved in the five phases of the Six Sigma process as applied to service industries in particular. To aid in understanding how management accountants might contribute to a Six Sigma team, we will first discuss how service providers can use Six Sigma methods to improve their operations. As a case study, we will present research on the potential use of such techniques to improve the U.S. Army supply warehouse system.
We will then consider how management accountants can become involved in the five phases of the Six Sigma process in the service industry as either team leaders or key team players. 

BACKGROUND ON THE U.S. ARMY SUPPLY SYSTEM AND SIX SIGMA:
The current missions in Iraq, Afghanistan, and Kosovo, as well as other humanitarian logistics operations in which the U.S. military has an increasing role, require highly efficient distribution, warehousing, and business processes. To maximize the readiness of tactical units, Supply Support Activities (i.e., the activities of direct support supply units, missile support elements, and maintenance support units) must be highly effective, ever reducing customer wait times and improving quality.
The goal of Lean Thinking is to increase efficiency within an organization by eliminating defects and minimizing variation in every product, process, and transaction. Examples of defects in a warehouse include delivering a part in 15 days when a customer is promised receipt in 10 days or an inventory accuracy of 94% when the goal is 97%. Variation can be applied to any activity that can be measured, such as delivery times, weights, inventory counts, performance scores, etc. 
Processes with more variation are typically not as efficient as processes with less variation. One of the primary methods for instituting Lean Thinking is the utilization of Six Sigma methodology. 

Sigma (σ) is the Greek symbol used to represent the standard deviation for a set of measured data. If data are represented as a bell curve distribution, then distances from the midpoint of the distribution can be measured in terms of Sigma. Sigma levels are used to describe how well the variation in a process meets the customer’s requirements.
What the customer wants is used as the standard mean, and not meeting the customer’s needs is described as a defect. Sigma is therefore defined as the standard deviation of a process in statistical control. The quantitative goal of the Lean Six Sigma program is to obtain six times the standard deviation between the mean process and the closest tolerance limit. Implementation of Six Sigma creates a process capable of producing only 3.4 defects per million opportunities. The Department of Defense warehousing operations offer an excellent case for assessing the potential use of Lean Six Sigma methodology.

IMPROVING ARMY WAREHOUSING OPERATIONS WITH LEAN SIX SIGMA:

Selecting the Project. The first step in effective application of a Lean Six Sigma process is selecting projects that can be improved to deliver the best value with the least effort. There are two basic methods for project selection, both of which have benefits and drawbacks. The first method is the top-down approach, which uses input primarily from top management who view failure as gaps between strategic initiatives and actual performance. This method ensures commitment from upper-level management but may not provide enough detail about defects and their underlying causes to clearly determine the need for Lean Six Sigma methods. In contrast, the bottom-up method involves soliciting ideas from both upper management and lower levels in an organization. Ideas gleaned from this method are screened and grouped in order to identify opportunities for specific Lean Six Sigma projects.
An advantage of the bottom-up method is that a larger group is allowed to participate, which provides a variety of project ideas. The drawback of this method is that some project suggestions might not be supported by data or be compatible with strategic goals. Regardless of the method used to generate ideas, all potential projects should undergo goal-congruence evaluation and cost/benefit analysis. Projects must be congruent with the mission, strategic goals, and objectives of the organization, and the financial and nonfinancial benefits must outweigh costs of the project. 
Potential projects not meeting these criteria should be eliminated. The remaining projects are possible candidates that should be researched further by the Lean Six Sigma team. In the case of DoD supply chain management, the most crucial link is local warehouse operations. The U.S. Army personnel who are most knowledgeable about warehousing operations are its Quartermaster Supply Technicians, the warrant officers who manage Army warehouses. These U.S. Army Quartermasters have extensive knowledge about the causes, effects, mitigation, and remediation of errors in warehouse operations. Therefore, the most efficient approach to pinpointing problem areas and opportunities for specific projects in military warehouse operations is the bottom-up methodology. We have used a survey of U.S. Army Quartermasters as the basis for identifying problems in the warehouses and the probable causes of those problems.5 According to these managers, customer complaints concerning local warehouse management were the primary problem. Once a significant problem has been pinpointed, that process must be improved.
In Lean Six Sigma, the DMAIC model is the recommended approach. It is a five-stage methodology that consists of “Defining, Measuring, Analyzing, Improving, and Controlling” a project. In the next section we explain how each stage might be applied to improving customer satisfaction for a hypothetical U.S. Army warehouse.

THE IMPORTANT ROLE OF MANAGEMENT ACCOUNTANTS:

The intent of this study is to demonstrate how management accountants can and should be team members or team leaders in each step and phase of a Lean Six Sigma project. To this end, we will examine the crucial role management accountants can play in the project-selection step and the five phases of the DMAIC process, referencing the hypothetical Army warehouse operation. Selecting the Project. Project selection is the most important step because all other actions are dependent on which problems and opportunities are addressed.
Management accountants are particularly suited to either direct this phase of the Six Sigma process or provide crucial support as team members. In the Army warehouse case, we used a bottom-up approach to problem definition. This approach is almost identical to the consultative manner in which management accountants develop participative budgets for their yearly operational budgets and plans. In bottom-up participative budgeting, management accountants use the input of lower- and middle-management employees to derive estimates for their master budgets. 
Management accountants know that, while this approach is time-consuming, it enhances employee motivation, communicates goals and performance levels to the employees, and ensures that employees understand and accept corporate goals. Most management accountants have extensive experience soliciting information from employees at all levels, developing plans from that information, and providing feedback about variances from actual versus expected performance. Management accountants working with managers and company engineers are therefore ideal candidates for directing a bottom-up Six Sigma survey study.
In some cases, it may be more appropriate to use a top-down approach to project selection, especially when there are time constraints or the problems to be addressed are highly complex and require expert knowledge. In these situations, a top-down approach to problem definition may be the best course of action. The top-down method can effectively identify processes with unacceptable performance variation and develop projects to improve those processes. Statistical analysis also can be used to identify processes with unacceptable variation. Then a cost/benefit analysis may be performed to determine the potential net benefits of improving that process. 
This analysis requires comparing the profitability generated by relevant business segments, products, and customers within that process with the costs of meeting the needs of the customers. Customer needs can be evaluated with reference to surveys, warranty information, and other satisfaction indicators. Once net benefits of improving a process are determined, a process analysis can help develop specific projects for improving that process. 
Again, management accountants have experience in this type of information solicitation based on previous interaction with managers and executives regarding strategic issues such as capital project evaluation, plant acquisitions and divestments, segment performance, value stream analysis, and product life-cycle profitability. 

In summary, experienced management accountants have the expertise and knowledge of their company required to direct the all-important problem-defining phase of a Six Sigma project. As noted earlier, the Army warehouse project involved customer complaints about timely delivery of supplies. In this case, management accountants would have been highly qualified to interpret the results of Quartermaster surveys, for example, to determine the best project.
