Cash Management 101

6:15 AM


Cash management is a need common to both large and small businesses alike. In its simplest terms, cash management is the assurance that today's receivables plus today's account balances exceed today's payables. Failure to practice this business management process guarantees bankruptcy.

Every large organization has a cash management group, sometimes called the treasury. This group's function includes management of such items as investments and borrowing in addition to the organization's daily cash flow. In small to medium businesses (SMBs), usually the chief financial officer (CFO), president, or owner performs the task of cash management.

Regardless of a company's size, the important thing is that cash management is practiced on a regular basis—at least weekly—and with sufficient attention to detail. In difficult times, when liquidity is "tight," it should be performed at least daily.

Crucial to an organization's successful cash management are the deals it makes with its financial institutions for short-term placements and for borrowing funds. Unlike in other countries, in the United States a bank account that is credited with deposits does not begin to earn deposit interest until three business days have passed. Furthermore, an American business account specifically may not be overdrawn, which makes cash management the most important activity in a business's financial management.

For all companies—and in particular, publicly traded companies—the major financial statements are the income statement, the balance sheet, and the statement of cash flows. An organization's CFO, accountant, or proprietor will likely share this snapshot of financial performance with lenders, equity investors, the company directors, and key stakeholders.

Surprisingly, most SMBs and large organizations find spreadsheets a useful tool for cash management. The cash management facilities serve as the basis for entries on the spreadsheet. The spreadsheet is easy to manipulate and allows for what-if scenarios and forecasting. Yet cash management for many companies is a mix of financial software and spreadsheets, with the majority of decisions based on spreadsheet manipulations.

Cash Management Operations

Effective cash management requires having a firm handle on the following two areas:

1. Cash inflows

* Daily morning and afternoon deposits from the Automated Clearing House (ACH)—where morning deposits are received from local banks and afternoon deposits are received from banks located more than two time zones away—electronic data interchange (EDI) transfers, e-mail notifications, etc.
* Forecasted deposits for the day, generated from cash management software. These are based on reliable deposits taken from sales invoice dates plus credit days allowed (e.g., net 30, 2 percent net 10, etc.).
* Checks received in the mail.
* Over-the-counter cash receipts.
* Credit card receipts.
* Forecasted deposits based on disputed invoices (i.e., invoices where credit notes may have to be issued) or the "poor payer" category of customers, generated from cash management software.
* Investment income.

2. Cash outflows

* "Must pay" accounts (e.g., payroll).
* Commissions; local, state, and federal liabilities (e.g., taxes, social security, etc.).
* Payment to liability accounts (e.g., insurance, mortgages, leases, employee travel expenses).
* Valuable suppliers that provide payment discounts for early payment.
* Suppliers whose limits within agreements can be stretched (e.g., net 30 days).
* All bank account balances.
* Loan payments due.
* Interest payments or term deposits due.

The Price of Cash Mismanagement

When cash flow is tight, cash management helps a company decide who must be paid and whose payment can be skipped for a given week. Mismanagement of cash inflows and outflows will cause a company to face a liquidity crunch. A liquidity crunch forces a company to borrow money at a disadvantage, meaning a company that is in dire need of short-term cash will pay more interest on a loan or line of credit than it would have had it used better cash management techniques.

Poor decisions and practices by a company's financial managers can have disastrous effects on the business too. Following are examples of poor decisions and practices:

* Transferring too much of the business's liquid assets into the acquisition of fixed assets, such as machinery or real estate. Monthly commitments must be properly managed by obtaining long-term financing for such large capital investments.
* Failing to budget properly. To avoid this problem, construct a spreadsheet with columns that represent weeks or months, and with rows that represent inflows or outflows. Lay out, by month, the known inflows and outflows. Toward the bottom of the sheet, place the less-certain inflows and outflows. Each period's column total (closing balance) should be brought forward to the next column as an opening balance.
* Failing to make use of a business line of credit (LOC), or exceeding the LOC limit, resulting in refinancing with factorers. Factorers are organizations that provide funds to a business, using the business's inventory as collateral. A factorer can be a vendor's representative as well, selling on commission. Factorers can also provide cash based on a business's future confirmed receivables. Their rates for lending money are usually higher than bank rates.
* Failing to manage business risks (e.g., making poor client choices, overextending credit to poor payers, under- or overestimating product sales, etc.).
* Failing to keep personal money out of the company. It is essential to separate personal and business dealings. Obtain business credit cards and keep detailed track of business expenditures for shared assets (e.g., vehicles, travel, entertainment, etc.).
* Failing to go after nonpayment or late payment accounts.
* Failing to pay attention to inventory or inventory turns. Inventory turns is a measure of the number of times inventory, excluding safety stock, is sold over in a period. In general, the more turns, the lower the cost of warehousing and insuring stock, and the less capital is tied up in it.
* In cash shortage periods, failing to defer some invoices for payment in a later financial period. (Become a 90-day payer with some suppliers, but it is not recommended to do this with the same supplier over and over again.)
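The budgeting sheet described in the list above (periods as columns, known rows above the less-certain ones, each closing balance carried forward as the next opening balance) worked through as an added Python example; this is not the article's own material, every figure and the weekly layout are constructed, and the "conservative" scenario that ignores the uncertain inflows is an assumption added here to show why the less-certain rows are kept separate.

```python
"""Rolling cash-flow schedule laid out the way the article's spreadsheet is.

Added example (not from the original post). Columns are periods, rows are
inflow/outflow lines, known rows sit above the less-certain ones, and each
period's closing balance is carried forward as the next opening balance.
All figures below are constructed.
"""

PERIODS = ["Week 1", "Week 2", "Week 3", "Week 4"]
OPENING_BALANCE = 5_000.0

# Known (reliable) rows: amounts per period, in the same order as PERIODS.
KNOWN_INFLOWS = {
    "ACH / EDI receipts": [15_000, 12_000, 14_000, 13_000],
    "Credit card receipts": [3_000, 3_000, 3_000, 3_000],
}
KNOWN_OUTFLOWS = {
    "Payroll (must pay)": [0, 25_000, 0, 25_000],
    "Tax liabilities": [0, 0, 8_000, 0],
    "Loan payment": [2_500, 0, 0, 0],
}
# Less-certain rows, kept toward the bottom of the sheet.
UNCERTAIN_INFLOWS = {
    "Disputed invoices / poor payers": [0, 6_000, 0, 2_000],
}
UNCERTAIN_OUTFLOWS = {
    "Suppliers that can be stretched": [6_000, 0, 6_000, 0],
}


def column_total(rows, index):
    """Sum one period's column across a block of rows."""
    return sum(amounts[index] for amounts in rows.values())


def closing_balances(scenario="expected"):
    """Closing balance per period, carrying each one forward as the next opening.

    scenario="expected"     counts every row.
    scenario="conservative" drops the uncertain inflows but keeps every outflow,
                            which is the view to use when liquidity is tight.
    """
    if scenario not in ("expected", "conservative"):
        raise ValueError("scenario must be 'expected' or 'conservative'")
    balances = []
    opening = OPENING_BALANCE
    for i in range(len(PERIODS)):
        inflow = column_total(KNOWN_INFLOWS, i)
        outflow = column_total(KNOWN_OUTFLOWS, i) + column_total(UNCERTAIN_OUTFLOWS, i)
        if scenario == "expected":
            inflow += column_total(UNCERTAIN_INFLOWS, i)
        closing = opening + inflow - outflow
        balances.append(round(closing, 2))
        opening = closing  # brought forward to the next column
    return balances


def first_shortfall(scenario="expected"):
    """First period whose closing balance goes negative, or None.

    On an account that may not be overdrawn, this is the week payments bounce,
    so it marks where borrowing or deferring a stretchable supplier is needed.
    """
    for period, balance in zip(PERIODS, closing_balances(scenario)):
        if balance < 0:
            return period
    return None


if __name__ == "__main__":
    for scenario in ("expected", "conservative"):
        print(scenario, closing_balances(scenario),
              "shortfall:", first_shortfall(scenario))
```

With these figures the expected view never dips below zero, while the conservative view goes negative in the last week, which is exactly the gap the separate rows are meant to expose.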

The Web is a direct vehicle to a wealth of information on cash management. One highly recommended source is the Internet-based tutorial from the Hancock Bank: Cash Flow Management. Another is an article from the Business Development Bank of Canada: Techniques for Better Cash Flow Management. The Treasury Management Association of Canada (TMAC) offers onsite and Internet-based full-day training courses on cash management. Its web page contains the topics covered in the course and bullets the areas you should follow as standard cash management business practices.

A Helpful Tool: Enterprise Resource Planning (ERP)–based Cash Management

Every ERP system offers some elementary accounting functions. To get started in cash management, a few basic sets of reports that every ERP and accounting system provides include the following: open sales orders, aged analysis, open and closed purchase orders, shipping reports, inventory evaluations, fixed assets, and general ledger statements.

Bring this information together with other financial information to the ubiquitous spreadsheet program. Produce a cash-flow analysis schedule. Look at all areas of your business practices and get a good feel for where to make improvements. Go after areas that will yield the most results from being improved. Find out how much businesses similar to yours spend in these areas. Ask your accountancy firm for advice. Look at business process optimization to determine if there is too much paper-handling and if there are inefficient workflow processes.

Cash management is an analytical process performed by humans, using industry knowledge, gut feelings, and knowledge of the levels of risk. Computer applications that feed business decisions do not think and do not have knowledge. Rather, they apply the kind of logic needed, for example, to compare .001 to .0001. They cannot do what the human brain can do, and that is think. Humans make the final business decisions, not machines.

Some ERP applications have better financial capabilities than others; they have financials which include analytical applications that go beyond the simple accounts receivable (A/R) and accounts payable (A/P) tools. They perform the intelligent, automated merging of the items listed above. They also allow the following items to be entered, to create a big picture of an organization's situation:

* a cash balance report, which shows bank balances, incoming and outgoing cash, and dollar fluctuations
* bank web sites, to spot-check morning or afternoon incoming cash status before authorizing purchase invoice payments
* a cash diary, to identify cash inflows and outflows by absolute certainty transactions (e.g., investments, expenses)
* payroll reports
* business intelligence (BI) triggers and alerts
* ACH receipts and bank files
* budgets

Some vendors to consider for an ERP application to help you handle your cash management processes include Agresso, Flexi, SAP, and Lawson. These vendors are known for their focus on financial ERP systems and cash management.

zen

Project-oriented versus Generic GL-oriented ERP/Accounting Systems

6:12 AM


The unique business needs of project-oriented organizations, when addressed by large ERP vendors that offer general-purpose enterprise software, require heavy customization in order to work. On the other hand, when project-oriented organizations turn to small off-the-shelf project-management solutions, these solutions are soon outgrown by the user company. These organizations are looking for systems to support the project manager, who is responsible for sharing and tracking the revenue, expense, and profitability of a project. Most enterprise-wide business systems sold by software vendors are general purpose in design and, without significant tweaking, do not address many of the unique requirements of businesses engaged primarily in providing products and services under project-specific contracts and engagements.

Project-oriented organizations have many project-specific business and accounting requirements including the need to track costs and profitability on a project-by-project basis, to provide timely project information to managers and customers, and to submit accurate and detailed bills/invoices, often in compliance with complex industry-specific and regulatory requirements. Yet, traditional generic GL-oriented accounting systems have not been designed with project phases, work breakdowns or detailed time capturing in mind, and thus, they can merely report how much has been spent or collected, but not why a certain project is losing or winning money.

Not many enterprise products will support the following project-based processes: job costing, managing the subcontractor, financial reporting, managing the workforce, processing time and expense, winning new business, purchasing goods and services, managing the project, and building to order. If these high-level processes sound too ordinary, digging a level deeper reveals their true intricacy and attention to detail, such as employee time, billing rates, budgeting, collections, or project proposals, which are supported by only a few vendors.

For example, the job costing process can be broken down into the following steps: set up the project work breakdown structure (WBS), pay suppliers, pay employees, accrue purchase orders, allocate indirect costs, calculate estimated time to completion, calculate contract ceilings, compute revenue, bill the customer, and report the project status. The time and expense cycle would have the following steps: create project, create project workforce, enter timesheets by project, enter labor adjustments, enter travel expenses, apply project business rules, approve time and expenses, pay expenses and payroll, bill expenses and payroll, recognize revenue, and produce project status reports (PSRs), which are used for period reporting on a project/task/phase level and can be regarded as the financial statement for the project.

The managing-the-project process would feature the following detailed steps: create opportunity plan, establish detailed scope of services, create project plan with work breakdown structure (WBS), establish task schedules, search and add resources to plan, establish budget at resource level, add consultant and expenses to project plan, add direct costs for plan, establish profit performance, save baseline budget, monitor time and expense costs, monitor schedule projected profit and revenue, and submit the project deliverables and closeout project. A build-to-order process would involve ERP materials management functionality through support for the following steps: customer demand, bills of materials (BOM)/routings, engineering change notice (ECN), materials requirement planning (MRP), capacity planning, purchase requisition/order, receiving and quality assurance, fill inventory, issue manufacturing orders, final subassembly and finished goods, customer delivery, billing, revenue recognition, and PSR.

Dealing with Government Contracts

Furthermore, many project-oriented organizations provide products and services under government contracts, and project accounting for these organizations often requires the use of sophisticated methodologies for allocating and computing project costs and revenues. There are many different types of contracts governments use and within each of those there are dozens or more variations, whereby each variation will drive its own type of billings, revenue recognition and requirements for reporting back to the government customer.

The US government requires its contractors to collect and allocate costs in certain ways; for example, according to the Defense Contract Audit Agency (DCAA) rules, labor costs must be recorded daily. Also, a contractor is required to keep track of several contracts simultaneously, meeting the rules for different types of contracts and being consistent in accounting for a number of indirect costs. According to the Small Business Administration Pro-NET sourcing service database, there are tens of thousands of small and minority-owned companies that are doing business with the federal government. With the new emphasis on improving homeland security and expanding anti-terrorism operations around the world, many of these firms will likely experience significantly greater demand for their services and grow rapidly over the next several years.

Expanding Market

Additionally, service business application software systems are expanding as a result of a number of economic trends. Service organizations traditionally have utilized project accounting more than manufacturing firms due to the need to customize services for each client and to properly allocate the associated revenues and costs. Therefore, as the shift from a manufacturing-based economy to a service-based economy continues, the market for project-oriented organizations is expanding. Furthermore, the trend towards outsourcing an increasing range of activities broadens the market for project-oriented organizations as both customers and vendors need to track the costs associated with their projects.

Finally, many organizations with significant internal development activities can benefit from the use of project accounting systems to closely monitor progress and costs. Also, although somewhat conversely, more progressive firms may even try to boost their marketing, advertising, and PR expenditures in order to gain more project contracts during the market contraction, where for example, a proposal automation capability can come in handy. While project management and resource planning software applications help service organizations deliver within a budget, in the long term, these organizations need to win a new stream of projects or customers, which involves pre-sales customer relationship management (CRM), marketing and proposal management, and post-sales elements like travel and expense (T&E) management.

As the number and type of project-oriented and professional service organizations increases, such businesses are demanding increasingly sophisticated tools to address their core information and accounting needs, including project accounting, employee time collection, project budgeting, project reporting, CRM, sales force automation (SFA), and proposal generation. At the same time, these organizations are recognizing that because most aspects of their businesses revolve around their customer project relationships, they can achieve efficiencies in a number of project accounting and core back-office business functions. These accounting and business functions such as general ledger, accounts payable, accounts receivable, materials management, and human resources, are supported through the use of software applications designed to address the special needs of project-oriented organizations. Like other businesses, project-oriented and professional services organizations are also demanding solutions that allow them to combine their business software applications into a single integrated, enterprise-wide system.

Time is of the essence for any business that bills for its services rather than sells a physical product, but the concept can be particularly tricky for design/construction firms that may need billing at different rates depending on, for example, project phase, task, client type, or escalation clause. At the same time, the industry is quite fragmented, with legions of specialist contractors, and it also has a long tradition of technophobia.


Throw Away Your Financial Statements: Managing by Metrics

6:07 AM


Accounting systems have always had two primary goals: track information in detail and generate financial and operational reports. Until recently it has not been technologically possible to do anything else except process information, create invoices, pay invoices, pay employees, track costs, and generate financial statements at the end of the month. That's fine, but the problem is that financial reports are sometimes generated forty-five or more days after a fiscal period begins, and the information they present must, out of necessity, start at the highest, most general level. If the results are below or even above expectations, additional reports may need to be generated and studied in an attempt to determine what went wrong or right. In addition, the factors contributing to poor financial results may have started their downward trend at the beginning of the fiscal period and will therefore still be creating problems forty-five or more days later. I use the word "later" because the drill-down analysis will require several days if not weeks to complete once the financial statements have been published.

This style of after-the-fact management may have been the only way to conduct business in the past, but technological and more specifically, reporting advances now make it possible to identify these problem areas as they develop.

Management by Metrics

Technology can currently support the concept of digital dashboards that display information in a graphical format, at whatever level of detail may be required. Rather than starting with the highest level of information analysis and presentation (which is what the standard financial statements provide), users can "flip" their priorities: identify the critical key performance indicators (KPIs), track these values on whatever time frame is best suited, isolate those KPIs that require attention, take steps to improve them, and then track the results to confirm that the steps taken have had the desired effect.

The key to this proactive management style is that if the correct set of KPIs is identified, closely monitored, and effectively managed, the financial statements will take care of themselves. In essence, management by metrics eliminates the need to publish financial statements and their underlying operational analysis reports. Managers no longer have to wait for periodic reports and then invest additional time trying to determine what went wrong (or right).

Naturally there is one significant proviso. While the concept of management by metrics will improve efficiency and effectiveness, it will do so only if the correct set of KPIs is identified, responsibility assigned to the correct set of managers, and managers react quickly to an ever-changing set of business imperatives.

To some extent it has always been possible to identify and publish KPIs. Most accounting systems support some form of report writer that allows users to extract the information required and publish it in report format. In addition, most products support some form of export whereby information can be moved to a spreadsheet and KPI graphs can be created.

The advantage of a digital dashboard is that users do not have to rely on static reports that display a single value, or even that value over x number of weeks or months. Presenting graphical information in a spreadsheet is almost the same as a digital dashboard, but with a dashboard users do not have to export/import the information or flip from one spreadsheet to another to view multiple KPIs.

Putting Management by Metrics into Practice

Digital dashboards present constantly refreshed information to users and only the information of interest to that user is presented. Unfortunately most accounting software vendors have not yet taken the concept to its most effective potential so we cannot really cite specific systems as examples. I suspect or hope that vendors or resellers will develop their systems further or begin to really understand what Management by Metrics is all about.

While everyone accepts the fact that a picture (in this case a graph or other visual display) "is worth a thousand words," most examples of digital dashboards I have seen depict a bar chart or possibly a pie chart of the top ten customers. My question is quite simple: is knowing who your top ten customers are (and even their revenue) going to mean anything? Is this information going to help you determine that you are on or off course? Is the information going to induce you to take some form of action? A graphical presentation of your top ten customers does not support any form of action and, therefore, is useless as a KPI.

If a KPI is to be an effective management tool, it must lead to some form of action. If inventory turns is 3.2 and that is unacceptable to the person responsible for managing inventory levels, then that person will take some form of action to increase inventory turns. If the value is acceptable, the person responsible will see this instantly and move on to a review of other KPIs. Each business must therefore define those KPIs that are applicable to their industry or unique to their organization. Of equal importance they should assign specific responsibility for managing these KPIs to individuals.

There is no doubt that if KPIs are to become the powerful management tool everyone assumes they can be, users must spend a significant amount of time determining which KPIs are important to their organization and who should be responsible for their management. This design process must be thorough and it will generate design and implementation costs. The ROI, however, should be significant both in terms of reduced time analyzing results as well as productivity gains as potential problems are identified and addressed earlier than is possible with static reports.

Employ Time-phased KPIs

A single value does not tell a story. It is a static picture taken at a single instant in time. Financial statements fall into this same category. They are no more than a snapshot of a firm or one of its business units taken at a specific point in time. Since business conditions constantly change, single-frame snapshots tell us nothing.

Let's return for a moment to the example of inventory turns. If 3.2 turns is acceptable, a second question has not been answered: In which direction is inventory turns headed? If the value last month was 3.4 and this month was 3.2, then what's important is the trend, not the absolute value. If 3.0 represents an unacceptable value for inventory turns, then the trend appears to be heading downward and the inventory manager may want to analyze the situation in more depth and start to take action before inventory turns becomes unacceptable. This then becomes pro-active management, not reactive management and that's exactly the management style you want to practice.

Utilize Straight-line Graphs

Rather than looking at this month's value for inventory turns and then flipping back to another report that shows last month's value, inventory turns should be displayed in a single view that clearly shows not just the values, but the trend. Line graphs are the best vehicle to handle this time-phased analysis.

In some instances, specific KPIs may vary wildly from month to month and therefore obscure the actual trend. In this case, users may want to use some form of averaging, such as a six-month smoothed average. By using a running average based on several time periods, the volatility is dampened and the trend exposed.

Smoothing does tend to reduce volatility, but it has a hidden flaw that must be taken into consideration. The smoothed average can hide the fact that the most recent time periods are more negative than past periods' values. In this case users must be ready to react more quickly. Some averaging equations allow users to give more weight to current values and this may be preferable to equations that give the same weight to all period values.
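The two smoothing approaches just described, as an added Python illustration that is not part of the original post: a six-month equal-weight running average beside a linearly weighted one (weights 1 through 6, newest month heaviest), run over constructed monthly inventory-turns figures, with a check that flags the hidden flaw where the most recent months sit below the smoothed figure. The series, the window, the weights and the 3.0 floor (taken from the post's own example) are all assumptions.

```python
"""Smoothing a time-phased KPI: simple versus weighted running averages.

Added example (not from the original post). The monthly inventory-turns figures
below are constructed, and the six-month window and linear 1..N weights are
assumptions chosen to illustrate the smoothing flaw the text describes.
"""

# Constructed sample: twelve months of inventory turns, drifting down lately.
INVENTORY_TURNS = [3.4, 3.6, 3.3, 3.7, 3.5, 3.6, 3.4, 3.5, 3.6, 3.2, 3.1, 3.0]
UNACCEPTABLE_TURNS = 3.0  # the floor used in the post's own example


def simple_moving_average(values, window=6):
    """Equal-weight running average; one value per full window, oldest first."""
    if window < 1 or window > len(values):
        raise ValueError("window must be between 1 and len(values)")
    return [round(sum(values[i - window + 1:i + 1]) / window, 3)
            for i in range(window - 1, len(values))]


def weighted_moving_average(values, window=6):
    """Running average with linear weights 1..window, newest period heaviest."""
    if window < 1 or window > len(values):
        raise ValueError("window must be between 1 and len(values)")
    weights = list(range(1, window + 1))
    total = sum(weights)
    out = []
    for i in range(window - 1, len(values)):
        chunk = values[i - window + 1:i + 1]
        out.append(round(sum(v * w for v, w in zip(chunk, weights)) / total, 3))
    return out


def trend(series):
    """'down', 'up' or 'flat', judged from the last two points of a series."""
    if len(series) < 2:
        return "flat"
    if series[-1] < series[-2]:
        return "down"
    if series[-1] > series[-2]:
        return "up"
    return "flat"


def kpi_status(values, window=6, recent=3, floor=UNACCEPTABLE_TURNS):
    """Compare the latest raw value, the smoothed values and the recent mean.

    masked_decline is True when the mean of the most recent `recent` periods is
    below the equal-weight average: the smoothed figure is hiding a drop the
    manager should already be reacting to.
    """
    sma = simple_moving_average(values, window)
    wma = weighted_moving_average(values, window)
    recent_mean = round(sum(values[-recent:]) / recent, 3)
    return {
        "latest": values[-1],
        "sma": sma[-1],
        "wma": wma[-1],
        "sma_trend": trend(sma),
        "recent_mean": recent_mean,
        "masked_decline": recent_mean < sma[-1],
        "at_or_below_floor": values[-1] <= floor,
    }


if __name__ == "__main__":
    for key, value in kpi_status(INVENTORY_TURNS).items():
        print(f"{key:>18}: {value}")
```

On this series the equal-weight average still reads 3.3 while the raw value has already reached the 3.0 floor; the weighted average (about 3.21) and the recent-mean check both surface the drop earlier.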

Straight-line graphs are more useful than other types of graphs but users need to determine which technique will give them the best possible view of their operations. Again this takes time and study, but if you are going to utilize graphical KPIs, you must be prepared to do it correctly.

Now that users have identified which KPIs should be utilized and have created time-phased line graphs to display this information, one last step should be taken. Returning again to the example of inventory turns: given that inventory turns is 3.2 and above some predetermined acceptable value, users should now further strengthen this KPI display by adding a second line to indicate the target value. Now the inventory manager can see not only where inventory turns was last month, where it has been, and by extrapolation where it appears to be going, but also how that value compares against the targets that have been set.

These target values perform essentially the same function as budgets. Managers now have something against which they can compare their actual results. Users can and should consider establishing different values for each time period to reflect expected improvement. While the target for January may be 3.4, the target for December could be 3.6 to reflect the fact that upper-level management expects inventory turns to improve. Alternately, the values could rise and fall depending on seasonal or other expected fluctuations. Business is slow during the first and last quarters, thus leading to an expected reduction in inventory turns. However, orders increase during the second and third quarters, and therefore inventory turns should increase as well.


Three Ways ERP Can Help Manage Risk and Prevent Fraud

6:04 AM


Business is all about taking risks. But intelligent managers know how to manage risks, thus preventing accidental losses as well as other operational, financial, and strategic risks—including fraud.

To manage business risks by using technology, we must first understand and prioritize the risks a specific business faces, and then understand how IT can help that business. Then we can come to understand how those risks intersect with the IT systems a business might already have in place.

One risk within your business may stem from operating in an e-commerce environment. In that case, you want to know how IT is supporting the Web portal. Do people simply view a catalog, or do they order online and log back into your system later to view their order status? How does that portal tie in with your back-end systems and business data?

Or maybe you have multiple business units, several running on a top-tier enterprise resource planning (ERP) system like IFS Applications. But a Mexican unit is still running a homegrown application, passing its data to you in spreadsheets modified to reflect currency exchange. The manual processes involved in this data transfer and data alteration represent a business risk that could be mitigated by the built-in security features of an ERP system.

So, while technology might be designed to assist in risk management, that technology must still be configured and used intelligently to deliver this business benefit.

Indeed, intelligent use of an ERP system can not only help ensure compliance with legal requirements and accounting rules, but it can also help prevent fraud. An ERP application and its user permissions settings can prevent theft. Aggressive and intelligent use of an ERP system's safeguards can save time during auditing. Properly configuring an ERP application can help protect your company from fraud and costly corporate mistakes in a number of ways. Following are three practical approaches a business can take to protect its assets through its ERP system.

1. Use a top-down approach to identify risks.

Business risk management requires a top-down approach. Senior management often focuses its efforts on creating competitive advantages and might not see one in spending extra money on compliance. But even companies not immediately affected by regulations like the US Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 can benefit from applying some of the principles required for compliance to their business. Efforts to comply with basic data security and risk prevention guidelines can even further reduce the risk of financial loss through administrative mistakes or fraud. The specific steps necessary to ensure compliance with these guidelines will differ from one company or business model to the next, but any company needs to pay attention to such basics as good financial statements, data security, privacy, and housing of key information—and how that information affects things like ensuring accurate financial reporting.

Part of this top-down approach involves identifying what information is key to your business. For a manufacturer, this data might consist of accounting, payroll, and health insurance information, plus things like physical plant assets and inventory. In contrast, a professional services environment is much simpler, with key information consisting of things like customer service and payroll data, with the only other real assets consisting of phones and perhaps leased office space.

Of course, this information comes from the heart of a business: its key business processes, or the mechanisms by which resources flow in and out of the company. When these processes differ, they present different risks. A company selling a small number of high-value products (industrial equipment, for instance) to a small number of customers faces a very different risk profile than a company selling hundreds of thousands of items to a large number of customers.

A company serving a smaller number of customers with very high-value products needs to make sure that only authorized people are able to set up new customers in its accounting systems. Likewise, the company must be careful to ensure that payment terms, credit limits, and other controls are set up properly.

However, the customer creation process will not be a critical control point for a company with a higher volume of customers and lower value per sale. It is important to understand your business flow and transaction volumes and the implications for relationships with your trading partners. An ERP system can be an excellent tool for formalizing processes for setting up new customers, and perhaps more importantly for setting up supplier relationships in your systems.

Surprisingly, many companies with powerful ERP packages in place circumvent those controls by using Microsoft Excel more than they say they do. Unmonitored use of Excel and other tools outside of an enterprise application may be of special concern during and after mergers and acquisitions. In a merger situation, a company must determine the maturity of the acquired company's IT tools and processes, and how best to integrate them into the existing systems. But at least during an interim period, the primary means of transferring information from the systems of the acquired company to its new parent may be unsecured spreadsheets.

Even without the challenges of mergers and acquisitions, a business might use outside tools like Hyperion as part of its reporting routines. Any time that tools outside an enterprise application are used, you need to ask how your data transfer methods can ensure completeness and accuracy in your business processes as data flows between two or three—or maybe more—separate and distinct systems. Using ad hoc tools like Excel—tools without a lot of built-in controls—means it's harder to guarantee data integrity. Taking measures to reduce alterations to your data outside of the ERP system makes a huge difference not only in preventing incorrect or fraudulent activity, but in streamlining your processes before an audit.

2. Harness the general user controls in your application.

Even when a company keeps 80 percent of its information in a top-tier ERP system and minimizes risks resulting from the use of ad hoc tools, it may not be familiar with the capabilities of its ERP system and how that system can be configured for risk management. Often, these capabilities are overlooked during implementation because risk management was not a main deliverable in the project proposal—and of course the company isn't anticipating an audit or attempted fraud. Because risk management can take a backseat to other deliverables, it's important for project managers and consultants to act as advocates and encourage people to consider three main risk management areas during ERP planning and implementation:

i) Prevent mistakes and fraud through role-based security. This is an ERP feature not everyone understands. You must ensure the right people are assigned to the right activities and prevented from engaging in the wrong activities. Generally, this requires a separation of powers, as you don't want to allow one person to complete every activity within a business cycle—whether that cycle is orders-to-cash or purchase-to-pay. For instance, if a single person can create a supplier, create a purchase order for that supplier, purchase the product, and cut and send a check, how do you ensure that person's cousin doesn't suddenly become a supplier? If that person also has access to inventory records, he or she could make an adjustment to inventory to hide the fact that a product from his or her imaginary supplier was never received. Physical inventory would never catch it, but the company would have paid for the imaginary product, and before the discrepancy is detected, the perpetrator could have inventory-adjusted it out. Some enterprise applications simplify identification and elimination of role-based security risks (see figure 1).

Figure 1. Segregation of duties analysis (provided by IFS North America).

Even some companies that attempt to segregate all the necessary functions to deliver role-based security still employ a financial clerk. This clerk can perform a number of tasks for accounts receivable, accounts payable, general ledger, and inventory adjustments. This violates a number of rules of financial segregation, despite the fact that the company is using a major ERP system designed to deliver financial segregation and role-based security, and in some cases separates those duties in other positions.

Correctly segregating duties to manage risk requires analysis of a company's key business cycles to identify which administrative roles need to be separate and distinct. This is not as simple as it sounds: in a small or midsized department, three people may have different roles in the company, but they are also each other's back-up. As each employee goes on vacation or takes sick leave, others assume the absent employee's duties, often with help from a system administrator. When the employee returns to the office, often there is not a process in place to remove the system permissions. Without diligent attention to assigning and managing these user permissions, before long, role-based security disintegrates.

Role-based security must be built into an application, defined and configured during implementation—and then maintained.
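The segregation-of-duties analysis described above, and the stale vacation back-up grants that erode it, as an added example that is not part of the original article or of any IFS product: the privilege names, users and expiry dates are constructed sample data, and the toxic combinations follow the purchase-to-pay scenario in the text.

```python
# Segregation-of-duties check over constructed role assignments.
# Expiry dates are ISO strings so they compare correctly as text.

# Privilege sets one person must never hold together. The first two mirror the
# text's example: invent a supplier, pay it, then adjust inventory to hide it.
TOXIC_COMBINATIONS = {
    "purchase-to-pay": {"create_supplier", "create_purchase_order", "release_payment"},
    "inventory-cover-up": {"release_payment", "adjust_inventory"},
    "order-to-cash": {"create_customer", "set_credit_limit", "post_cash_receipt"},
}

# Constructed sample grants: (user, privilege, expiry). None means permanent;
# a dated grant is a vacation back-up that should have been removed.
GRANTS = [
    ("alice", "create_supplier", None),
    ("alice", "create_purchase_order", None),
    ("bob", "release_payment", None),
    ("bob", "adjust_inventory", None),
    ("carol", "create_customer", None),
    ("carol", "set_credit_limit", None),
    ("alice", "release_payment", "2024-03-15"),  # back-up for bob, never revoked
]

def privileges_by_user(grants):
    """Group every grant still present per user. Expiry is deliberately not
    enforced here: the system keeps the grant until someone removes it."""
    held = {}
    for user, privilege, _expires in grants:
        held.setdefault(user, set()).add(privilege)
    return held

def find_sod_violations(grants):
    """Return {user: [rule, ...]} for each user holding a complete toxic set.
    Holding only part of a set (carol) is not a violation."""
    violations = {}
    for user, privileges in sorted(privileges_by_user(grants).items()):
        hits = [rule for rule, combo in TOXIC_COMBINATIONS.items() if combo <= privileges]
        if hits:
            violations[user] = hits
    return violations

def find_stale_grants(grants, today):
    """Back-up grants whose expiry has passed but that are still in place."""
    return [g for g in grants if g[2] is not None and g[2] < today]

def revoke_stale(grants, today):
    """Return the grant list after the cleanup a returning employee should trigger."""
    stale = set(find_stale_grants(grants, today))
    return [g for g in grants if g not in stale]
```

Run the violation check before and after `revoke_stale` to see how one forgotten back-up grant turns a clean purchase-to-pay cycle into a single-person cycle.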

ii) Implement detective as well as preventive controls. Sometimes a company's administrative staff is too small to segregate roles with enough granularity to truly benefit from role-based security; or, it may operate in too complex a manner to make role-based security practical. But even when good preventive controls such as role-based security are in place, it is critical that a company can monitor employees' access to its business systems, and track what they do with that access.

Let's say that according to your role-based security schema, an individual can create customers in the system, but normally does not set up a whole customer record, leaving some of the work for others. It makes sense to monitor this individual on a monthly basis to track that key activity (see figure 2). Another way detective controls can be useful is if double approval of checks is required. The system may have to be altered when the president, for instance, is out of the office. But when the president returns, he or she can review a log to see what checks were cut in his or her absence.

Figure 2. Activity and event tracking (provided by IFS North America).

Detective controls can also be used to ensure that preventive role segregation controls are not being circumvented. You can do this by checking to see who is changing people's access in the system. Reviewing audit logs of permission changes is one way to maintain good segregation of duties.

Some activities, however, require timelier tracking and validation than permitted by reviewing log files. Fortunately, some ERP systems proactively send messages when specific events occur (see figure 3). For instance, perhaps your chief financial officer (CFO) wants to be automatically notified when anyone writes a check for over $10,000.00.

Figure 3. Functional area conflicts (provided by IFS North America).

The general awareness that the ERP system can create these alerts may serve to prevent some large-scale fraud. But there are cases when an employee knows of a limit and engages in fraudulent transactions under that limit. So, in addition to established limits that alert you to checks over $10,000.00, you could also create a control that notifies you if two or more transactions for over $9,000.00 or $8,000.00 occur in a defined period of time (for example, in 14 hours). Tracking an accumulation of minor events is a smart thing to do, as those minor events can combine to make a major one. But you may want to avoid broadcasting these incremental controls, or they could be rendered ineffective.
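The two notification rules just described (a single check over $10,000.00, and two or more checks over $9,000.00 within 14 hours), as an added example that is not part of the original article or of any ERP event engine: the check register below is constructed sample data, and the rule is evaluated as each check is issued, the way an event engine would see it.

```python
from datetime import datetime, timedelta

# Limits taken from the text: any check over $10,000 alerts on its own, and
# two or more checks over $9,000 within 14 hours alert as a cluster.
SINGLE_LIMIT = 10_000.00
CLUSTER_LIMIT = 9_000.00
CLUSTER_COUNT = 2
CLUSTER_WINDOW = timedelta(hours=14)

# Constructed sample check register: (check_no, issued_at, payee, amount).
CHECKS = [
    ("1001", "2024-05-06T09:05:00", "Acme Supply", 4_200.00),
    ("1002", "2024-05-06T09:40:00", "Northwind Parts", 9_450.00),
    ("1003", "2024-05-06T10:15:00", "Acme Supply", 12_000.00),
    ("1004", "2024-05-06T16:30:00", "Northwind Parts", 9_300.00),
    ("1005", "2024-05-08T08:00:00", "Contoso Freight", 9_900.00),
    ("1006", "2024-05-08T23:00:00", "Contoso Freight", 9_600.00),  # 15h after 1005
]

def single_check_alerts(checks):
    """Check numbers above SINGLE_LIMIT: the control everyone in the office knows about."""
    return [no for no, _ts, _payee, amount in checks if amount > SINGLE_LIMIT]

def cluster_alerts(checks):
    """Evaluate each check as it is issued: if it and the earlier checks above
    CLUSTER_LIMIT inside the trailing window reach CLUSTER_COUNT, alert.
    Returns (triggering check, all check numbers in that window)."""
    seen = []    # (issued_at, check_no) for checks above CLUSTER_LIMIT, in order
    alerts = []
    for no, ts, _payee, amount in sorted(checks, key=lambda c: c[1]):
        if amount <= CLUSTER_LIMIT:
            continue
        issued = datetime.fromisoformat(ts)
        seen.append((issued, no))
        window = tuple(n for t, n in seen if issued - t <= CLUSTER_WINDOW)
        if len(window) >= CLUSTER_COUNT:
            alerts.append((no, window))
    return alerts

def evaluate_register(checks):
    """Both controls in one pass, shaped like a notification payload."""
    return {"over_limit": single_check_alerts(checks), "clusters": cluster_alerts(checks)}
```

Check 1006 shows the boundary: it is above the cluster limit but lands 15 hours after 1005, so the incremental rule stays quiet while checks 1002 through 1004 trigger it twice within one morning.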

iii) Manage IT-driven risks. Apart from managing regular users, an ERP system should offer preventive and detective controls to prevent system administrators, database administrators, and programmers from making mistakes or engaging in conduct that could present financial risk to the company.

As is the case in identifying risk on the business-administrative side, managing risk on the IT side of an ERP package starts with an analysis of where business risk and IT intersect. This involves determining how the application's architecture supports the IT side. Situations should be avoided where a single person has access to the source code of the ERP application and the database it runs on. In such cases, an IT manager or system administrator can do more damage than a simple user of the system, and moreover may have the skill to conceal any illicit behavior during an audit. So it's important to use the ERP application's multitiered environment to segregate roles on the IT side, ensuring the database is secured on a separate server from the source code of the application.

Only the database administrator should have access to the database server, and someone else—like the ERP manager—should have access to the source code or the system itself. This ensures that the database administrator can change the raw data in the database, but not the application's source code; and that the ERP manager can change the source code of the application, but not the underlying data it's running on.

IT preventive and detective controls need to be closely intertwined. For instance, log files can track changes to tables made by the database administrator. But many times a database administrator is only given entry access, and can therefore enter but not change data in the application's underlying tables. If a database administrator is particularly astute, however, he or she could get into the log files that track changes to that database and alter them to hide various database transactions. That's why it's important to consider using an ERP application's capacity to track when a database administrator is logged onto the server, and to keep that information on yet another server to which the database administrator doesn't have access permissions (see figure 4). Consequently, in the event that there are unexplained inventory changes or other anomalies, you can compare the timing of those events with the administrator's activity in the system.

Figure 4. Table showing log-in times (provided by IFS North America).

Some ERP systems have migration utilities—a development environment that allows technical staff to identify new segments of code and move them into a quality assurance (QA) environment for testing. After testing, the code goes into a staging area or even directly into production. In order to allow rapid recovery, in case that new code does not perform as anticipated within the application, there is also typically a quick back-out capability that returns the system to its previous state.

It is important to consider an application's capabilities in tracking the activities of employees involved in change management and in moving code from a development environment to a live one. A system administrator could maliciously change the application's source code or even create a program that changes the source code by using a migration tool (built into many enterprise applications) to hide a piece of code that executes functions a single time. This may result in the one-time transfer of $100,000.00 to a specific bank account. After performing its function, the code could be programmed to expunge the resulting log file—and finding the exact cause of that anomalous transaction is impossible without reviewing millions of individual lines of code.

There are two ways to deal with these risks from both preventive and detective standpoints. Detective controls include good cataloging to track the production environment, and who enters what code into production. Preventive controls involve, again, segregation of roles. A programmer's access would be limited, for instance, to the QA environment, while the ability to move code into production would be reserved for a system administrator. Once duties are segregated logically, it is a simple matter of determining how the ERP application can facilitate that separation of duties.

3. Enjoy the efficiencies that come with automated risk management.

The old axiom is that people will work harder to keep someone from stealing $10.00 from them than they will work to make that $10.00 to begin with. And while risk management is primarily about preventing loss, there is a real upside to automating processes that prevent costly mistakes and fraud. Implementing automated risk management practices within your ERP environment can help you document risk management and compliance activities. This can deliver efficiencies that you will appreciate during an audit, or anytime you need to document the safeguards built into your business systems.

Many ERP preventive and detective functions are automation tools that expedite the compliance and documentation processes a business may face. Once an ERP event engine (like IFS Applications) is configured to test for various exceptions and send notifications when they occur, you can document and use that exception reporting system to your advantage during an audit. To pass an audit, controls must be baselined, which means testing the controls and saving the test information so you can show your auditor that credit limits have not changed—and if they had, you would have been notified. Moreover, your ERP application should allow you to keep audit logs of every transaction in the system, providing additional documentation and detective controls.

zen