Tuesday, April 17, 2007
Oversight Systems Financial Executive Survey Finds More Than Half of Shared Services Centers Fall Short of Operational Goals
ATLANTA (April, 2007): Shared service centers have yet to show their full potential for many companies according to the 2006 Oversight Systems Executive Report on Shared Service Centers. The national survey of financial executives found that more than half of respondents report their shared service centers (SSCs) are well short of achieving their operational goals. First implemented in the 1990s by many large enterprises, the SSC model allows companies to consolidate client-facing functions in an attempt to reduce costs. However, the report released today finds that 52 percent of executives report their SSC are only meeting half or fewer of their business goals. The free report is available to download at www.oversightsystems.com/survey. "Companies adopted shared service centers for the immediate cost savings, but executives are now struggling to continually improve their operations," said Patrick Taylor, CEO of Oversight Systems. "This survey shows that shared service centers must develop strategies and implement systems that support ongoing improvement."
Reflecting the recent development of most shared service centers, more than half of executives (59 percent) report that their SSCs have been in operation for less than five years. Regardless of the youth of the concept, companies are putting much stock into these centers. Most executives (85 percent) report their SSCs serve four or more business units with 40 percent reporting to serve 10 or more. Although the C-suite goals are clear, achieving them is often met with adversity.
The most prevalent challenges to ongoing SSC operations were maintaining continuous improvement (61 percent), skepticism from business units (59 percent), employee retention/turnover issues (43 percent), meeting customer service level agreements (26 percent) and threats of outsourcing business processes (13 percent).
The Real Measure of Performance When it comes to shared service centers there is no measure of performance more important than cost savings and that is the silver lining in this report. Nearly three-quarters of executives (73 percent) classify their SSC as “world class” or “average to above average.” As such it comes as no surprise that nearly the same number of respondents (71 percent) report having almost reached, reached or exceeded their cost savings expectations. In fact, the study found that 85 percent of executives were prompted to embrace the SSC model in an attempt to reduce and control operating costs. Although cost was the driving factor for implementing an SSC model it was not the only reason. Other reason included:
* Improve quality (69 percent)
* Improve their customer focus (63 percent)
* Free up resources for other purposes (49 percent) and
* Improve company focus and reduce risks (34 percent).
Goals for 2006 Beyond the central goal of reducing costs, executives do have other goals for their shared service centers. Topping the list of 2006 goals with 52 percent support is to improve on service level agreements or SLAs. Other popular goals include: re-engineer business processes (51 percent), increase transaction throughput and capacity (40 percent), expand business offerings (39 percent), and reduce aggregate error rates (35 percent). Less frequently cited goals include: increasing the percentage of one-touch transactions (30 percent), implementation of Six Sigma programs (23 percent), and automation of Sarbanes-Oxley compliance (20 percent).
Regardless of the hurdles that are faced with implementation and operations of shared service centers, 97 percent of executive point to sustainable benefits of SSCs as opposed to traditional outsourcing of business processes. When compared to outsourcing, executives say SSCs offer benefits such as:
* Improved level of service and quality (81 percent)
* Better responsiveness to customer demands (68 percent)
* Greater flexibility in adapting to evolving business needs (62 percent)
* Lower aggregate costs of operations (51 percent).
posted by Zeleon @ 1:35 PM
Philadelphia Eagle Running Back Gets Paid $3M - Twice
When most people receive an errant duplicate paycheck it means a couple thousand dollars - at most. Something that may or may not even be detected and something they may or may not report. But, when an NFL superstar gets paid twice the impact is a tad bit worse. According to an Associated Press article posted on the Fox Sport web site, titled "Eagles accidentally pay Westbrook twice," Brian Westbrook received an extra $3 million from the Philadelphia Eagles in an accounting error. The star running back intends to pay the team back after getting his roster bonus twice. However, the Eagles filed a grievance with the NFL against Westbrook because the money hasn't been repaid yet, a team spokesman said Saturday. Continuous monitoring of payroll transactions can detect potential duplicates BEFORE they leave the corporate boundaries. When you view duplicate payroll, duplicate vendor payments, unused discounts and unused credits in cummulative form, you're talking real money and real materiality.
posted by Zeleon @ 1:31 PM
Monday, April 16, 2007
Current Privileged User Monitoring Solutions Don't Leverage Lessons from the Past
I just read a ComputerWorld blog entry written by Eric Ogren regarding the need to focus "Privileged User Monitoring" on transaction and business monitoring versus the old access management model.
I could not agree with him more. If there's one thing information security professionals can tell you with confidence... it's what does not work. Things change so frequently within the IT risk domain that it's often difficult to solve a problem with certainty. But, when it comes to dealing with "trusted" users in the real world, we all know what doesn't work. What does not work is printing out long monthly list of users with "excess privileges" and expecting this to significantly reduce the risk of fraud and misuse - at least at the material levels associated with SOX and A-123. In today's world access management and provisioning is a serious manpower drain. And, when you couple this with the need to provide periodic reports identifying the issues and progress, that just adds more manpower requirements... UNLESS you shift the focus to the highest risk issues and higher impact solutions.
Printing out these monthly excess-privilege list places a huge burden on our IT and InfoSec professionals but operational realities are operational realities. Key managers still receive conflicting privileges in order to support all areas under their control. And, key managers also receive powerful privileges such as those allowing them to actually "override" existing system-based control. 99% of the time used, they're probably just doing their job and ensuring the business keeps on functioning properly. But, it's that other 1% that can result in a major failures - e.g., a privileged user modifying quarterly revenue with a simple manual journal entry to conceal a bad quarter. In this case, the user is just using an "authorized" privilege for an "unauthorized" change.
And, what about when an AP Manager creates a vendor, purchase order, invoice, and voucher as part of an ellaborate procurement fraud scheme.
Or, when a database administrator uses their root access to make modifications to a payment record just before its released through the EFT system.
All of these are real examples of high risk conditions and real-world incidents concerning trusted insider - or privileged users.
So, lets stop using the 20/80 solution model and flip things around and do the 80/20 thing. Meaning, lets stop focusing on routine user access privilege conflicts and, instead, monitor and detect the use of privileges to misuse the system or conduct fraud.
posted by Zeleon @ 5:59 PM
Thursday, April 12, 2007
Not Complying With the OFAC Can Impact Your D&O Policy
Most organizations consider OFAC compliance to be just a routine issue but the Department of Treasury means business when it comes to doing any type of business with forbidden countries, business entities, and people. And, insurance carriers are beginning to translate this into policy and payout restrictions that could have a significant impact on an unsuspecting company or individual that just happens to stumble upon a long-term OFAC violation.
The Department of Treasury is quite clear that any delays in reporting any/all dealings with OFAC entities can result in serious consequences. Is a quarterly review of the OFAC list good enough... well, you be the judge. Here's what the Department of Treasury has to say within their FAQ:
DIRECTLY FROM THE U.S. TREASURY WEB SITE:
QUESTION: At what point must an insurer check to determine whether an applicant for a policy is an SDN?
ANSWER: If you receive an application from an SDN for a policy, you are under an obligation not to issue the policy. Remember that when you are insuring someone, you are providing a service to that person. You are not allowed to provide any services to an SDN. If the SDN sends a deposit along with the application, you must block the payment. [09-10-02]
QUESTION: What should an insurer do if it discovers that a policyholder is or becomes an SDN--cancel the policy, void the policy ab initio, non-renew the policy, refuse to pay claims under the policy? Should the claim be paid under a policy issued to an SDN if the payment is to an innocent third-party (for example, the injured party in an automobile accident)?
ANSWER: The first thing an insurance company should do upon discovery of such a policy is to contact OFAC Compliance. OFAC will work with you on the specifics of the case. It is possible a license could be issued to allow the receipt of premium payments to keep the policy in force. Although it is unlikely that a payment would be licensed to an SDN, it is possible that a payment would be allowed to an innocent third party. The important thing to remember is that the policy itself is a blocked contract and all dealings with it must involve OFAC. [09-10-02]
QUESTION: How frequently is an insurer expected to scrub its databases for OFAC compliance?
ANSWER: That is up to your firm and your regulator. Remember that a critical aspect of the designation of an SDN is that the SDN's assets must be frozen immediately, before they can be removed from U.S. jurisdiction. If a firm only scrubs its database quarterly, it could be 3 months too late in freezing targeted assets. The SDN list may be updated as frequently as a few times a week or as rarely as once in six months. [09-10-02]
posted by Zeleon @ 11:13 PM
Wednesday, April 11, 2007
Katrina Fraud: FEMA and Army Corps of Engineers Ripped Off
Hurricane Katrina was truly one of the most horrific natural disasters to ever hit American soil. Thousands killed, injured, and left homeless. Unless you've experienced this type of loss first hand, it's probably meaningless to even try to fully understand the suffering these families went through.
And, during this time of emergency and national outreach to the victims, FEMA and the US Army Corps of Engineers rushed to open their wallets to the rightful victims. Billions of dollars of Federal Disaster relief funds poured into the region to help feed the hungry, put clothes on the homeless, and to shelter those without the capacity to shelter themselves. Regardless of all the stories written about either agency's preparedness levels or ability to actually respond to such a catastrophe, these agencies truly pushed the envelope of financial management and controls to put mission and operational necessity first - before bureaucracy. We applaud them for that.
But, take a look at the attached link to some of the recent stories related to the rampant fraud associated with these relief efforts. It's absolutely atrocious. And, if you want more insight, go to http://www.gao.gov/new.items/d06844t.pdf for the entire GAO report released this past summer.
What you will notice is that somewhere between $600M and $1.4B (yes, Billion) was lost just to improper payments associated with individual assistance. Think about this for a moment, $600M to $1.4B lost to just one category of risk. And, that’s not the only shocking finding. This loss represents between 10-20% of the total funds spent on individual assistance. Wow! 10-20% of all funds intended for people in need went to the lowliest types of fraudsters in the world... those that would steal from starving and homeless children so they might be able to enjoy a night at the strip club (actual case study info).
If you dig into the fraud then carried out associated with actual reconstruction and what the US Army Corps of Engineers may have been swindled out of, the cost is surely too staggering for most of us to really appreciate.
I do have one major recommendation though, in many many of the reported cases of fraud, simple continuous monitoring-based controls would have prevented the fraud.
For example: 16% of the fraud could have been prevented with a better individual assistance registration procedure. Simple monitoring-based controls that alerted FEMA of invalid social security numbers, bogus addresses, invalid registrant to address matches, and duplicative registration data amongst multiple recipients would have shut down the majority of this type of fraud.
If Oversight was in place, the impact would have been between $96M and $224M. What could FEMA have done with these funds if they had not made their way into the fraudsters hands?
posted by Zeleon @ 11:57 PM
Retired Congressman Michael Oxley blames the PCAOB for starting "all the problems" with the Sarbanes-Oxley Act
Well it seems all the pain, agony, and expense we've all experienced while implementing the requirements of "Sarbanes-Oxley" was all just a big misunderstanding. The originating law makers actually intended the process to be much easier and much more focused on a risk-based approach. Somehow, the executing agencies and audit community just misunderstood the real intent- that is according to a recently published interview with Congressman Oxley in CFO Magazine.
According to the interview with CFO Magazine, Congressman Oxley says "It was Auditing Standard No. 2 [the standard for auditing internal controls over financial reporting], promulgated by the PCAOB, that started all the problems."
He further elaborates by stating "Of the complaints you hear [about Sarbox], 99.9 percent are about 404. It was two paragraphs long, but by the time the PCAOB was done, it was 330 pages of regulations. It was far too prescriptive and [more] expensive than anyone anticipated."
Take a quick look at the attached article. It's very enlightening.
Also, you'll be pleased to note that Congressman Oxley believes the true intent of the law is only now being realized. His most encouraging quote is a resounding call for a risk based approach to risk management. For example, he is quoted by CFO Magazine stating, "the Securities and Exchange Commission proposed a risk-based assessment to better define material weakness, with more emphasis on internal audit. It adds flexibility with smaller companies. Those are common-sense proposals that I am confident will be adopted this year with a 5-0 vote, which would be a ringing endorsement of [SEC chairman Christopher] Cox's leadership and reaffirmation that the SEC and PCAOB want it to work in a more efficient manner. It will protect the investor and make regulations work to everyone's satisfaction."
Personally, I like the use of Congressman Oxley's reference to "common sense." If we were all able to define, implement, and manage our risks based on common sense and traditional ROI principals, I think we would all find it easier to embrace the true benefits of quality and compliance programs. The emphasis would shift from "what do we have to do to comply" to "what do we need to do to optimize operations and returns." Herein lies the financial controls challenge of the this decade. How do we make the shift from "a world from an auditors perspective" to "a world from an operations perspective."
posted by Zeleon @ 11:29 PM
Monday, April 09, 2007
Audit Data Warehouse
At MIS Training's Super Strategies conference in Las Vegas Oversight will present an early morning workshop (7:30 to 8:15am) on the characteristics of a robust audit data warehouse (ADW).
The audit data warehouse can provide the basis for continuous auditing (CA) and continuous monitoring (CM) solutions. There are considerable efficiencies that can be gained by leveraging a single data infrastructure for both programs. However there are a number of critical requirements that the ADW must meet to maintain the integrity for the regulatory compliance applications.
First and foremost the ADW must maintain an uncorrupted copy of the transaction data, then the subsequent analysis for CA and CM can occur without compromising compliance. In a sense the ADW is equivalent to the financial systems themselves and obviously both CA and CM can be applied to the same financial systems. The ADW is simply a mirror of the financial systems. Typically the ADW data structures follow a different organizational layout than the financial systems. Financial systems have an on-line transaction processing (OLTP) based data model. The OLTP model is designed to support a high transaction rate while the ADW is designed to support decision support queries. Ralph Kimball is often cited as one of the originators of specific data warehouse data models - see www.kimballgroup.com
See you early in the morning in Las Vegas.
posted by Patrick Taylor @ 10:51 PM