19 May 2020 | Repost from Jehan Salib
So, do we really believe that the issue, in the corporate world of big public organisations & retailers, is that the Board Members, CEO, CFO and Business Teams of organisation X all agreed on a Business Plan, over X years, to rip off their employees by $X million to make their bottom line look better?!
Wesfarmers chief executive Rob Scott told media that harsh punishments should not fall on companies who experience "inadvertent administrative errors" ... "There have been some significant issues across payroll systems in the market, which in part reflects the incredible complexity of the systems that we're dealing with." ... "People make mistakes."
This still doesn't mean that those organisations are not fully responsible for their actions and for the failure to manage and continuously examine processes and controls. It just means that the public, the media and the heads of those organisations need to identify the issue and name it for what it truly is:
"Failure in Risk Management to Monitor the Efficiency & Accuracy of Processes and Controls"
I fully agree with Industrial Relations Minister Christian Porter's statement ... “I don’t think it’s intentional but it’s hopeless, it’s not good enough!”
Regardless of which organisations have been caught recently with this problem, it is not thanks to their ongoing internal examination of processes and controls that they have caught this issue now, nor is it thanks to our ingenious politicians, who seem to be catching the wave at its end. The reason that these cases are all showing up now, one after the other, is that once one case was reported, all the other organisations went frantically checking their data & controls to see if they had fallen into the same trap. It is a bit like the coronavirus checking process that countries are following these days to ensure they have not been contaminated.
The issue is the general attitude in the corporate world that, if they invest in one of the big ERP systems and employ a few highly qualified IT gurus to run these sophisticated systems, everything else will just fall into place: they’ve done their duty and all is in working order. If only it were that simple!
I’ve been working on data analysis and continuous control monitoring for the past 20 years, and have assisted organisations of all different types, shapes & sizes. Usually the point of contact for us would be the Risk Management or Internal Auditor teams who are trying to implement proper controls and checks for their organisation. Through the process of implementing those checks, the irony was that we found that the fate of the organisation is held at the least liable level of the organisation: it is all in the hands of the business teams running the daily process; all the strings start and are held at that business process level.
If we stick to Payroll departments only, for the sake of the subject at hand, Wage Theft: how much do we really think the CFOs and CEOs know about the setting up of the daily process of payroll rules, rates, allowances, etc.? Well, practically very little, if not nothing. They don’t need to either; that is why they employ payroll specialists who should have this knowledge and experience.
Payroll is one of the most complicated processes of any organisation, and the bigger the organisation, the more diverse and complex it becomes. Your average payroll specialist is usually very highly experienced and knows their role inside out, with all its complexity. But, unfortunately, because human error is a part of life which we can’t change, and because technology is moving much faster than employees can be retrained to catch up with the IT world of changes, handling large numbers of transactions and continuous rule & personnel changes can become a cumbersome task, and errors can happen. Any of these changes not captured on time or missed in the process can easily cause those millions of missed payments.
Over the years I spoke to various Payroll business teams, to explain to them why there is a need for data analysis and continuous control monitoring of the daily process & data integrity of their work. The standard response, without fail, is always … “We have the best xyz ERP system, all these controls are already in place and we utilise the built-in reports to control and catch any errors, why do we need any more testing, it will only duplicate what we are already doing and increase the workload”. Well! If only I had just $1 for every time I heard this from all types of business teams through the years, I would have been on the list of the top 500 richest people in the world. My answer now, obviously, would simply be: Why did all these big organisations with top xyz ERP systems short-pay their employees millions of dollars over the years, and it all went unnoticed?
In a simplistic summary, the four main misconceptions noted in the corporate world when it comes to Risk Management are:
The Internal Auditors and Risk Managers are looked upon as the enemy of the Business: they are there to pick on the business teams and highlight their errors. Therefore, they are provided with minimal co-operation from those business teams. They are given limited access to systems and data, which totally defeats the purpose of their role. Internal Auditors and Risk Management are there to protect the organisation from the inevitable: in a best-case scenario an unintended error or, in worst cases, fraud and theft. Their role is to apply controls and checks to catch any failing in the process, be it a human or system error, and save the organisation millions of dollars in over- or underpayments (they are both equally damaging to an organisation) in the long run.
The vast majority of internal auditors and risk managers still think they can do it all themselves. There is a general underestimation, or a misconception, of the volume of information and data gathered during the daily process of the business, especially in big organisations and retailers, which needs to be properly and regularly tested and checked to successfully ensure the needed controls are in place. The standard random check, coloured spreadsheets used month after month with manually manipulated, untraceable formulas, or the old ticking-the-boxes process don’t work anymore. Presenting executives with nice coloured charts and dashboards, and reporting the odd captured error every now and then, doesn't suffice. It is not the objective any longer; "it’s not good enough!". Controls must mean that the organisation understands and checks every single transaction being processed. This can only be achieved by correctly interpreting and understanding the data at hand, asking the right questions, and implementing the proper analysis and reports to examine these large numbers of data transactions and identify control or process failures and errors.
IT system gurus are looked upon as the Gods of the organisation, because they know all the technical stuff which we don’t know. Yes, most certainly, we can’t do without them for one second; the whole world would collapse. But they are not data or business process specialists. They have no idea whether what the business is entering or processing into the system is right or wrong; that is not their role or area of speciality.
ERP systems have no intellectual intelligence; as the saying goes, rubbish in, rubbish out. The system won't catch an incorrect rate or calculation rule entered into it. They are sophisticated and built with a high level of general controls and reports but, again, they are not specifically tailored to the needs of every organisation. Standard built-in reports are based on a general idea of use. They are usually rigid to customise, don't provide all the needed details, and their built-in parameters are not always clear. System controls are also customisable, so they can be switched on or off and can be manipulated, posing a high risk which needs to be monitored too.
DATA = MONEY. The value of an organisation's data is exactly equal in importance to, if not even more valuable than, assets and cash in bank. Proper interpretation of the information and data at hand needs specialised knowledge and skills to enable an organisation to properly manage and set up an effective risk management plan.
Sticking to our subject here of missed or incorrect Payroll Payments, intentional or unintentional, the conclusion is: without utilising the proper resources and skills for data interpretation, analysis and continuous monitoring, the risk of one small error in applying a rule, award, rate, period or calculation going unnoticed can cause, and did cause, millions of dollars to slip through the cracks over the years. Such errors won't be caught in the colourful charts & dashboards at an annual board meeting; at that level of reporting, they will just disappear in the rounding of the bottom line.
About Author - Jehan Salib
Over 18 years of experience in Data Analysis and Continuous Control Monitoring testing modules, and in Financial & Contract Compliance, backed by over 12 years of financial and management accounting experience. Extensive experience in servicing customers from various sectors, private and public, contributes to a vast knowledge and an in-depth, hands-on understanding of finance, procurement and HR data sets, processes and controls, as well as Anti Money Laundering controls and reporting.