Working In Uncertainty
Reengineering internal controls for efficiency
First published April 1996.
‘Reengineering is the fundamental rethinking and radical redesign of business processes to achieve dramatic improvements in critical contemporary measures of performance, such as cost, quality, service, and speed.’
From ‘Reengineering the Corporation’ by Michael Hammer and James Champy 1993
The case studies featured in the book from which this definition is taken propelled Business Process Reengineering (BPR) to management theory superstardom. Offered by most management consultants as something radically new, scorned by many accountants as just another buzz phrase for good management, BPR has been controversial from the beginning.
However, from the case studies it is clear that at least some organisations have made major changes to the way they do their work, and at least some have benefited greatly from doing so. For the foreseeable future we can expect organisations to try to learn from the success stories and be successful themselves in achieving breakthroughs in performance.
Hammer and Champy's main contribution was to collate successful examples and suggest common factors. What should worry accountants and, in particular, auditors is that the common factors identified by Hammer and Champy appear to contradict directly the advice which auditors have been giving their clients about internal controls for decades.
This paper highlights the apparent contradictions but then suggests how internal control systems need to be reengineered to match reengineered processes.
BPR versus the auditors
For decades the bulk of advice given by auditors to their clients in letters to management concerned weaknesses in internal control systems and recommended stronger controls. The drive towards ever increasing levels of internal control and better ‘corporate governance’ has gathered pace in recent years after some spectacular cases of corporate fraud.
Much of this advice is based on thinking that appears contrary to the principles of BPR as distilled by Hammer and Champy. Some might argue that in the process of improving internal controls most organisations have reduced their effectiveness and efficiency.
The following table shows how Hammer and Champy's recurring themes in BPR often appear to conflict with the traditional advice of auditors.
Note: The final point about use of information technology is not included in Hammer & Champy's list of principles, but they give a whole chapter to it in their book.
Auditors' recommendations have steered organisations towards splitting work between different people, with plenty of checks and reconciliations, and ensuring that all items are processed with equal rigour.
BPR suggests the opposite: work should not be split up, people should be empowered (with minimum checks and reconciliations), and different procedures can be used as alternatives.
Why internal controls must be reengineered
BPR is just not compatible with conventional control methods and preferences.
BPR practitioners need methods of exerting control that do not contradict BPR, or at least which minimise the loss of efficiency caused by adding controls to a reengineered process.
But before these control techniques are introduced into a reengineered process we need to appraise the risks of the process and set appropriate control objectives.
Rethinking risk analysis
Although reengineered processes tend to have less segregation of duties and be more reliant on computer systems (with all their associated control risks), there is a positive side to most reengineering principles that should be considered before deciding what controls, if any, may be needed.
The effects of BPR principles on inherent risks are suggested in the following table.
Rethinking control objectives
The conventional approach to setting control objectives is based around checklists of control objectives worded so that they require total completeness, accuracy, validity, and so on. Risk analysis might be used to weight the importance of each objective, exclude some objectives, or introduce more detail for others.
Bounded total cost
However, some examples of BPR reflect what could be called a bounded total cost approach, and this may be more appropriate generally for reengineered processes.
Hammer and Champy give this example (p58):
‘Consider the credit card-based purchasing process we just described. Compared to more traditional processes, this one seems almost devoid of controls. Departments might use their credit cards to go on wild spending sprees. People could run away to Brazil with the spoils of their raids on office supply vendors. Or so feared the company's internal auditors. But they were wrong because the reengineered purchasing process does have a point of control; unauthorized purchases will be detected when the credit card tape is run against the department's budget and when the departmental manager reviews the expenditures. Given the credit limit on the cards, the process designers felt it was better to swallow the limited exposure to abuse that the new process embodies in order to eliminate the overhead cost associated with the traditional controls.’
This approach has two steps:
At the control objective setting stage all that is required is a statement of the maximum loss limit and of the costs that should be considered in applying the limit.
Cost minimisation is done during controls design.
Rethinking internal controls
Established preferences for control techniques need to be revised. Preferred control techniques should provide adequate control but should not slow down or add costs to basic business processes.
Segregation of duties
Segregation of duties is described by the Auditor's Operational Guideline on Internal Controls as ‘One of the prime means of control’.
However, in a typical reengineered process the transaction and its recording are initiated by a single person and carried out by an integrated computer system. As far as possible all the activities needed to carry through a process from start to finish and to record it are placed under the control of one individual or, if this is not possible, a small team. An example is a line of checkouts in a supermarket.
Since segregation of duties is not available, alternative control techniques are needed.
After reengineering each worker performs all three activities but not for all items.
Provided the system can distinguish between work done by each worker and perform analytical summaries and comparisons, the actions of each worker can be compared. If one worker's profile is unusual it can be investigated to find the reason. This provides protection against fraud, error, and persistent incompetence while helping to identify successful workers.
In a supermarket the checkout operator's scope for fraud can be limited to entering incorrect product codes by hand (instead of using barcodes) and not coding some of the products a friend has brought to the checkout. The supervisor can look for lower than normal values passing through the till in a particular shift, lower than usual numbers of items, and excessive use of manual product code entry.
Since performance analyses of the kind needed are more usually provided for whole processes than for individual activities, there is a better chance that the software will be able to do what is required in the reengineered process.
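The per-worker comparison described above can be sketched in code. This is an added example, not part of the original paper: the shift figures are constructed, and the modified z-score (median and MAD) with a 3.5 threshold is an assumed choice of outlier test applied to the three indicators named for the supermarket case.

```python
from statistics import median

# Constructed sample: one row per checkout operator for comparable shifts.
# (operator, total till value in pounds, items scanned, manually keyed items)
SHIFTS = [
    ("op_a", 4210.50, 1820, 36),
    ("op_b", 4388.10, 1905, 41),
    ("op_c", 4102.75, 1788, 33),
    ("op_d", 4295.00, 1861, 39),
    ("op_e", 3105.20, 1410, 212),  # constructed outlier
    ("op_f", 4350.40, 1877, 35),
]

def robust_z(values):
    """Modified z-scores based on median and MAD, so that one outlier
    does not distort the baseline it is measured against."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return [0.0 for _ in values]
    return [0.6745 * (v - med) / mad for v in values]

def unusual_profiles(shifts, threshold=3.5):
    """Return {operator: [reasons]} for profiles the supervisor should review."""
    names = [s[0] for s in shifts]
    value_z = robust_z([s[1] for s in shifts])
    items_z = robust_z([s[2] for s in shifts])
    manual_z = robust_z([s[3] / s[2] for s in shifts])  # share of manual entries
    flagged = {}
    for name, vz, iz, mz in zip(names, value_z, items_z, manual_z):
        reasons = []
        if vz < -threshold:
            reasons.append("low till value")
        if iz < -threshold:
            reasons.append("low item count")
        if mz > threshold:
            reasons.append("high manual code entry")
        if reasons:
            flagged[name] = reasons
    return flagged

if __name__ == "__main__":
    for operator, reasons in unusual_profiles(SHIFTS).items():
        print(operator, "->", ", ".join(reasons))
```

A flagged profile is a prompt for investigation, not a finding: a short shift or a faulty scanner produces the same pattern as miscoding.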
According to the Auditor's Operational Standard on Internal Controls ‘All transactions should require authorization or approval by an appropriate responsible person.’ Traditionally, this has meant that for every transaction a person wants to carry out or process there should be at least one signature written by a more senior person beforehand.
In one particularly severe case observed by the author a credit note for £5.69 required three signatures, two by the Sales Director (but on different occasions!) before it could be sent to the customer.
Checking and inspections
Many of the comments regarding authorization apply equally to checks and inspections. However, one feature of reengineered processes that deserves further examination is the tendency to perform work in a natural order i.e. not necessarily in a series of stages, each of which must be finished before the next can begin.
An example is the way software development is being reengineered from waterfall lifecycles towards Rapid Application Development. In RAD, many documents, reviews, iterations, meetings, etc are replaced with a few intense sessions in which end users and developers work together to create a system. Many steps and stages are compressed into just a few and there are far fewer ‘sign offs’ of supposedly agreed deliverables along the way.
RAD introduces fewer control problems than might be expected, for three reasons. Firstly, it is quicker and so more likely to deliver a system that meets current requirements. Secondly, pushing forward with the design in certain areas (e.g. by prototyping) can reveal errors in early design decisions. Thirdly, design documentation can be organised into a waterfall structure even though the thinking was chaotic. Indeed, using a suitable computerised tool the team can attack the problem at any point, backtracking and jumping ahead freely, but store their decisions in a logical structure as if they had derived their design in a logical, step by step way.
The main controls required include:
Global reconciliations and control totals are powerful accounting controls that usually do not hinder business processes.
The reconciliations Hammer and Champy particularly have in mind are detailed reconciliations between the accounting records of one enterprise and the accounting records of another. For example, between cash on bank statements and cash in the cash book, or between invoices expected (based on agreed prices and recorded deliveries) and invoices actually received.
Shift the burden
The main example of reengineering affecting reconciliations in ‘Reengineering the Corporation’ is a poor one since the amount of reconciling was not reduced.
Ford used to reconcile invoices received to records of deliveries and agreed prices. Now, under Ford's Evaluated Receipts Scheme (ERS), it is the supplier who is forced to carry out the reconciliation. Ford's computers calculate the amount Ford should pay and any difference between that and what the supplier was expecting to receive is up to the supplier to challenge. This is reengineering but the amount of work done has not changed, only the enterprise that has to do the work.
For organisations with less power than Ford this is not a viable option. Reconciliation between the accounting records of trading enterprises is a valuable defence against the errors and dishonesty of others and also uncovers one's own errors.
However, the cost of reconciliations can be reduced by Electronic Data Interchange and automatic matching of items.
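Automatic matching of the kind mentioned above, applied to the earlier example of invoices expected (agreed prices and recorded deliveries) against invoices received, might look like the following. This is an added example, not part of the original paper; the delivery references, prices, amounts and the zero tolerance are all constructed assumptions.

```python
from decimal import Decimal

# Constructed sample data: agreed prices per product, recorded deliveries,
# and invoices received from the supplier (delivery reference, amount).
AGREED_PRICES = {"WIDGET": Decimal("2.50"), "BRACKET": Decimal("0.80")}
DELIVERIES = [
    ("DN-1001", "WIDGET", 400),
    ("DN-1002", "BRACKET", 1000),
    ("DN-1003", "WIDGET", 120),
    ("DN-1004", "BRACKET", 250),
]
INVOICES = [
    ("DN-1001", Decimal("1000.00")),
    ("DN-1002", Decimal("850.00")),  # constructed: billed above agreed price
    ("DN-1003", Decimal("300.00")),
    ("DN-1003", Decimal("300.00")),  # constructed: same delivery billed twice
    ("DN-1099", Decimal("75.00")),   # constructed: no recorded delivery
]

def expected_invoices(deliveries, prices):
    """Amount the buyer expects to be billed for each recorded delivery."""
    return {ref: prices[product] * qty for ref, product, qty in deliveries}

def reconcile(deliveries, prices, invoices, tolerance=Decimal("0.00")):
    """Match invoices to expected amounts and return only the exceptions,
    so that staff time is spent on differences rather than on every item."""
    expected = expected_invoices(deliveries, prices)
    seen, exceptions = set(), []
    for ref, amount in invoices:
        if ref not in expected:
            exceptions.append((ref, "no recorded delivery"))
        elif ref in seen:
            exceptions.append((ref, "duplicate invoice"))
        elif abs(amount - expected[ref]) > tolerance:
            exceptions.append((ref, f"amount differs by {amount - expected[ref]}"))
        seen.add(ref)
    for ref in expected:
        if ref not in seen:
            exceptions.append((ref, "delivered but not yet invoiced"))
    return exceptions

if __name__ == "__main__":
    for ref, reason in reconcile(DELIVERIES, AGREED_PRICES, INVOICES):
        print(ref, "->", reason)
```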
Shared electronic markets such as those used for trading securities, provided they are regarded as accurate and reliable, can provide an alternative to detailed reconciliations. A trusted third party carries out data processing that otherwise would have to be duplicated and reconciled between the trading parties.
Perhaps in future companies will put their products ‘on the market’ by having them listed on independently run Internet markets covering vast ranges of products and services. Customers will buy the products by placing orders in the same markets. Both parties will receive electronic statements of purchases and sales which will be regarded as definitive and not checked in detail.
The role of the controls design specialist
A specialist in controls design, using ideas such as those presented above, can contribute to the BPR effort in a number of ways:
Traditional internal controls can introduce significant delays and costs to processes that have been reengineered. Unless suitable risk analysis, control objectives, and control techniques are used, controls can be like a ball and chain around the ankle of a process designed for speed.
BPR practitioners should ensure they have designed control into their processes to avoid having brilliantly reengineered processes cramped by inappropriate controls demanded by auditors. This is particularly important where controls can be built into the software used to support the process.
Auditors should be more sensitive to the cost implications of their control recommendations and suggest a range of controls including more sophisticated post hoc review techniques.
‘Reengineering the Corporation’ by Michael Hammer and James Champy 1993.
‘Design Methods’ by J Christopher Jones 1980.
‘Internal Controls’ issued by the Auditing Practices Committee 1980.
Words © 1996.