There is no magical “audit software” to make you audit-ready. First you must know your risks, adopt a framework to control them, and then actually control those risks using Microsoft Dynamics GP.
Quick question: If Deloitte or KPMG (or worse, the SEC) knocked on your door today, could you pass an audit?
“Don’t have to,” you might say. “We’re a small, private company that makes school supplies and operates in the U.S. only.” So, no SOX compliance, no FDA requirements, and you’re not subject to Foreign Corrupt Practices Act (FCPA) rules. “Generally accepted accounting principles (GAAP) are good enough for us.”
The correct answer, respectfully, is that they’re not nearly enough. There are several instances in which clean books and auditability benefit you:
• If you are considering an IPO, you’ll be required to hire an audit firm.
• Banks are more willing to offer loans to small companies who have audited financials.
• Larger companies are more willing to acquire companies that demonstrate an understanding of risk.
• Nonprofits can protect their status and donor confidence by mitigating risks (whereas fraud can quickly put an end to even the best of causes).
• A $150,000 embezzlement is a rounding error for a Fortune 500 company. An event of that size may put a small company or nonprofit out of business.
If you have Microsoft Dynamics GP installed, you’re halfway there. John Livingood, director of ERP Solutions at Protiviti Inc., a global consulting firm, told me, “Running an ERP system such as Dynamics GP enables companies to systematically enforce business and IT controls and run standard reports that can be used for manual controls. As part of an audit, an auditor might look at the completeness of these controls and the approval process for the control design. In most cases, companies will want to make sure that their business process leads are included in the control design and provide their approval.”
So with Microsoft Dynamics GP, you’ve got the tools in place to manage and control risks at your operation; but there’s more to being audit-ready. You need 1) a clear understanding of your business and its risks; 2) a framework to manage those risks; and 3) control of those risks (which is where Microsoft Dynamics GP comes in).
Know Your Company (And Its Risks)
A lot of companies have never put a framework or controls in place and ask, “Where do we start?”
We advise clients to “Know thyself as a company,” which tells you where your key risks are.
There will be obvious risks – say, from natural disasters. If you’re based in Iowa as Fastpath is, your hurricane risk is practically non-existent, but if you’re in a flood plain, that’s worth insuring against.
Then there are risks specific to your business. Heineken has inventory, and its risks include spoilage, recalls, and interruptions to the supply chain. Kentucky Fried Chicken cannot let its secret recipe get out. General Motors cannot allow a costly defect to trigger a recall.
Accounting risks affect every company, for example, in procure-to-pay. Say you buy Xboxes for everyone at the company as a reward for a great year. You risk exceeding a budget, or having someone slip in a couple of extras for their own use, or a “fat fingers” error in which someone orders 300 instead of 30. Ultimately (we’ll visit this in depth later), you want automated controls over the procure-to-pay. You want, for example, segregation of duties (SoD), so the person writing the PO cannot approve and release the PO. You want POs over a threshold amount to trigger an approval process.
Bear in mind, a $100,000 error is just a rounding error for Microsoft; it can kill a small business’s ability to meet payroll. And how often does a company recoup embezzled funds? Embezzlers tend to spend the money ASAP. Once the cash is gone, it’s either slow in coming back, or it’s just plain gone.
You will mitigate or control all these risks, but understand that you don’t have to do everything at once. Prioritize your highest risks first, and understand that some risks are inevitable and out of your control (like natural disasters). You can mitigate them, but you cannot eliminate them.
A very good resource for conducting a risk analysis is from the Federal Emergency Management Agency (FEMA), which provides all the steps of conducting a Risk Assessment (www.ready.gov/risk-assessment) and a Business Impact Analysis (BIA) (www.ready.gov/business-impact-analysis). The risk assessment asks, “What could happen?” while the BIA asks, “What are the consequences?” While FEMA’s framework includes such unlikely risks as terrorism and pandemic disease, it also covers such business process-oriented risks as supplier failure and cyber-attack.
Adopt a Framework
A framework is in essence a plan to control risks. It is not a software solution, but software controls are included in the framework.
There are a few official frameworks out there, most based upon COSO, the Committee of Sponsoring Organizations of the Treadway Commission Internal Control Framework 2013.
COSO is typically used by SOX and SEC-regulated public companies, multi-nationals and Fortune 1000 companies. SMEs are usually less bound to implement a framework; for that matter, COSO is not mandatory at any company. But lack of a framework is, as the phrase goes, “frowned upon” by the Securities and Exchange Commission (SEC).
Still, such oversight is perhaps more important for an SME – again, because smaller organizations cannot bear a loss of capital the way that a Fortune 500 can, and because any organization seeking an IPO or an acquirer must submit to an audit as part of due diligence.
COSO largely covers financial systems, while the Public Company Accounting Oversight Board (PCAOB) provides a framework that is more specifically IT-based. As PCAOB describes itself, the organization is directed by the Sarbanes-Oxley Act of 2002 to establish auditing and related professional practice standards for registered public accounting firms to follow in the preparation and issuance of audit reports.
When a company lacks in-house audit capability, execution of these frameworks falls to what we call the “inconvenient auditor,” who might be the controller or CFO at a small- to mid-sized organization.
But the gist of a framework is a plan to “patch the holes” that you identified in understanding your business and performing a risk assessment.
This brings us to automated and configurable controls.
Use Configurable Controls
Microsoft Dynamics GP includes numerous configurable controls you’ll use to put a framework in place. A few examples are:
1. Module settings
2. Workflows
3. GL posting profiles or groups
4. Tolerance limits
5. Activity tracking
6. Customized reports
As Livingood describes the setup, “As an example, most companies have at least a 2-way match control that requires vendor invoices to be cross-referenced with an approved purchase order and fall within the company’s allowable tolerance policies. So are we being billed for what we ordered, and how much we ordered? If the answer is yes, then, permit the billing. If not, then require further analysis prior to allowing the billing.”
“In order to make that happen in Microsoft Dynamics, you have to have the appropriate configuration settings to enable that systematically.”
Tolerance limits are quick-set configurations; POs below $2,500 require no approval while those above that tolerance trigger a hierarchical approval process. Very simple.
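The three procure-to-pay controls discussed so far (segregation of duties between the person who writes the PO and the person who approves it, a $2,500 approval threshold, and a 2-way match of vendor invoice against approved PO within a tolerance) can be expressed as a few plain checks. The following is an added illustration written for this article, not Dynamics GP code or a Fastpath product; the data model, the 5% match tolerance policy, and the sample PO and invoice values are constructed assumptions, while the $2,500 threshold is the figure used in the text.

```python
"""Added example: procure-to-pay control checks (SoD, approval threshold,
two-way invoice/PO match). Not Dynamics GP code; the data model, the 5%
tolerance policy and the sample documents below are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

APPROVAL_THRESHOLD = 2500.00  # POs at or above this amount need approval (figure from the article)
MATCH_TOLERANCE_PCT = 0.05    # assumed policy: an invoice line may exceed the PO line by at most 5%


@dataclass
class Line:
    item: str
    qty: int
    unit_price: float

    @property
    def amount(self) -> float:
        return self.qty * self.unit_price


@dataclass
class PurchaseOrder:
    po_number: str
    requester: str            # the person who wrote the PO
    lines: List[Line]
    approver: Optional[str] = None  # None until someone approves and releases it

    @property
    def total(self) -> float:
        return sum(line.amount for line in self.lines)


@dataclass
class Invoice:
    vendor_invoice: str
    po_number: str
    lines: List[Line]


def sod_violation(po: PurchaseOrder) -> bool:
    """Segregation of duties: whoever wrote the PO must not be the one who approved it."""
    return po.approver is not None and po.approver == po.requester


def needs_approval(po: PurchaseOrder) -> bool:
    """Tolerance limit: only POs at or above the threshold go through the approval hierarchy."""
    return po.total >= APPROVAL_THRESHOLD


def po_release_findings(po: PurchaseOrder) -> List[str]:
    """Checks to run before a PO is released to the vendor; an empty list means it may go out."""
    findings = []
    if sod_violation(po):
        findings.append(f"{po.po_number}: SoD conflict, requester {po.requester} approved their own PO")
    if needs_approval(po) and po.approver is None:
        findings.append(f"{po.po_number}: total {po.total:.2f} is at or above "
                        f"{APPROVAL_THRESHOLD:.2f} but no approval is recorded")
    return findings


def two_way_match(invoice: Invoice, po: PurchaseOrder) -> List[str]:
    """2-way match: are we billed for what we ordered, and how much we ordered?
    Each invoice line must reference an item on the PO, must not exceed the ordered
    quantity, and must stay within the amount tolerance. Findings block the billing."""
    findings = []
    ordered = {line.item: line for line in po.lines}
    for billed in invoice.lines:
        po_line = ordered.get(billed.item)
        if po_line is None:
            findings.append(f"{invoice.vendor_invoice}: item {billed.item} is not on {po.po_number}")
            continue
        if billed.qty > po_line.qty:  # the "300 instead of 30" fat-finger case
            findings.append(f"{invoice.vendor_invoice}: billed {billed.qty} x {billed.item}, ordered {po_line.qty}")
            continue
        allowed = po_line.amount * (1 + MATCH_TOLERANCE_PCT)
        if billed.amount > allowed:
            findings.append(f"{invoice.vendor_invoice}: {billed.item} billed {billed.amount:.2f}, "
                            f"allowed at most {allowed:.2f}")
    return findings


# Constructed sample documents (the Xbox reward from the article's example)
PO_OK = PurchaseOrder("PO-1001", "alice", [Line("XBOX", 30, 499.00)], approver="bob")
PO_SELF_APPROVED = PurchaseOrder("PO-1002", "alice", [Line("XBOX", 30, 499.00)], approver="alice")
PO_UNAPPROVED = PurchaseOrder("PO-1003", "alice", [Line("XBOX", 30, 499.00)])
PO_SMALL = PurchaseOrder("PO-1004", "alice", [Line("XBOX", 3, 499.00)])  # below threshold, no approval needed
INV_OK = Invoice("V-555", "PO-1001", [Line("XBOX", 30, 510.00)])          # within 5% tolerance
INV_FAT_FINGER = Invoice("V-556", "PO-1001", [Line("XBOX", 300, 499.00)])  # 300 instead of 30
INV_EXTRA_ITEM = Invoice("V-557", "PO-1001", [Line("XBOX", 30, 499.00), Line("HEADSET", 2, 89.00)])
INV_OVERPRICED = Invoice("V-558", "PO-1001", [Line("XBOX", 30, 530.00)])  # above tolerance

if __name__ == "__main__":
    for po in (PO_OK, PO_SELF_APPROVED, PO_UNAPPROVED, PO_SMALL):
        print(po.po_number, po_release_findings(po) or "release permitted")
    for inv in (INV_OK, INV_FAT_FINGER, INV_EXTRA_ITEM, INV_OVERPRICED):
        print(inv.vendor_invoice, two_way_match(inv, PO_OK) or "billing permitted")
```

The point of the structure is that each control returns findings rather than silently fixing anything: the findings are what an auditor wants to see logged, and what the business process owner signs off on when the control design is approved.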
Microsoft Dynamics GP’s Activity Tracking is not specifically in the audit trail, but it enables you to track, for example, failed login attempts. Activities like that can be charted on a configured, custom report.
There are a few simple steps to take to implement a control framework around Microsoft Dynamics configurations:
1. Set a baseline for the configuration settings and document it.
2. Include configuration changes in the company’s standard change management process.
3. If changes are approved, update the relevant documentation accordingly.
4. Do a risk assessment to determine the key configurations.
5. Set up a periodic review and sign off on key configurations.
6. Consider deploying a tracking or audit trail solution that monitors changes to key configurations.
Number 5 above is important – very important. Without it, your configurations fall victim to “set it and forget it.” You’ve created an elegant workflow; however, did someone turn off that workflow in an upgrade? Did someone included in that workflow leave the company? Have your business process rules changed?
Workflows must be periodically monitored to ensure they have never been accidentally, purposefully, or fraudulently disabled. The approval hierarchy should be reviewed to ensure accuracy after users have moved in and out of the company and positions. Finally, adding an audit trail to this configuration and setup information will help notify the business process owners of any changes and help prevent unauthorized transactions from leaving the building.
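The six steps above, and the periodic review that step 5 calls for, amount to a small, repeatable procedure: document a baseline of the key settings, fingerprint it so the sign-off refers to a specific version, and at each review compare the live settings and approval hierarchy against it. The following is an added illustration written for this article rather than Dynamics GP code or a Fastpath product; the setting names, the users, and the “after upgrade” snapshot are constructed to show a workflow silently disabled, a threshold raised outside change management, and an approver who has left the company.

```python
"""Added example: baseline key configuration settings, fingerprint the baseline
for sign-off, and detect drift at the periodic review. Not Dynamics GP code;
setting names, users and snapshots below are constructed for illustration."""
import hashlib
import json
from typing import Dict, Iterable, List, Set


def fingerprint(config: Dict[str, object]) -> str:
    """SHA-256 over the canonical JSON of the settings (step 1: set and document a baseline).
    Record this value with the sign-off so the review refers to an exact baseline version."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def config_drift(baseline: Dict[str, object], current: Dict[str, object]) -> List[str]:
    """Steps 2, 3 and 6: any difference from the documented baseline is a finding.
    Approved changes should already have updated the baseline, so nothing here is expected."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        if key not in current:
            findings.append(f"{key}: removed (baseline value {baseline[key]!r})")
        elif key not in baseline:
            findings.append(f"{key}: added outside change management (value {current[key]!r})")
        elif baseline[key] != current[key]:
            findings.append(f"{key}: changed {baseline[key]!r} -> {current[key]!r}")
    return findings


def approver_findings(approvers: Iterable[str], active_users: Set[str]) -> List[str]:
    """Review the approval hierarchy after users have moved in and out of the company."""
    return [f"approver {name} is no longer an active user" for name in approvers
            if name not in active_users]


def periodic_review(baseline: Dict[str, object], current: Dict[str, object],
                    approvers: Iterable[str], active_users: Set[str],
                    signed_off_fingerprint: str) -> List[str]:
    """Step 5: the periodic review. Confirms the baseline document is the one that was
    signed off, then reports configuration drift and stale approvers."""
    findings = []
    if fingerprint(baseline) != signed_off_fingerprint:
        findings.append("baseline document does not match the signed-off fingerprint")
    findings.extend(config_drift(baseline, current))
    findings.extend(approver_findings(approvers, active_users))
    return findings


# Constructed sample data: the baseline as documented and signed off last quarter
BASELINE = {
    "workflow.po_approval.enabled": True,
    "workflow.po_approval.threshold": 2500,
    "pm.invoice_match.tolerance_pct": 5,
    "security.activity_tracking.failed_logins": True,
}
SIGNED_OFF = fingerprint(BASELINE)

# Constructed "live" snapshot after an upgrade: the approval workflow was switched
# off and the threshold raised, neither of which went through change management
AFTER_UPGRADE = dict(BASELINE)
AFTER_UPGRADE["workflow.po_approval.enabled"] = False
AFTER_UPGRADE["workflow.po_approval.threshold"] = 10000

APPROVERS = ["bob", "carol"]        # the approval hierarchy as configured
ACTIVE_USERS = {"alice", "bob"}     # carol has left the company

if __name__ == "__main__":
    for finding in periodic_review(BASELINE, AFTER_UPGRADE, APPROVERS, ACTIVE_USERS, SIGNED_OFF):
        print("FINDING:", finding)
```

Because the baseline is compared rather than trusted, the review does not depend on a user reporting that a restriction was lifted; the diff surfaces it regardless of whether the change was accidental, an upgrade side effect, or deliberate.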
Do not expect users to tell you that a workflow has changed or been disabled, especially if the workflow lifts restrictions upon them. In Fastpath’s experience, no one ever raises a hand and says, “Please control me more.”
Add-ons and Benefits
Microsoft Dynamics, of course, has a rich ecosystem of independent software vendors (ISVs), Fastpath included, that can further automate and “turbocharge” the solution’s capabilities.
Our own Fastpath Assure, a SoD compliance tool for Microsoft Dynamics and other ERP packages, automates SoD risk analysis. It detects SoD conflicts, sensitive access, and potential policy violations for existing users. It provides access certification which automates periodic recertification of user access by supervisor, role owner, or process owner (that maintenance we described above) as well as role management to reduce SoD conflicts and improve administration efficiency by providing mechanisms for role design.
Our aim is to reduce the need for internal employees or hired third-party firms to perform SoD risk analysis, and we can show savings of up to $55,000 in labor hours per audit. A feather in our cap is GameStop, the provider of electronic games, consoles, and tablets. They took four weeks a quarter in audit preparation and reduced it to one day.
The short story is this: Configurable controls benefit any size of organization, especially smaller organizations with their thin margins and lower risk tolerance. Microsoft Dynamics GP users have elegant tools at their fingertips, and even more tools available through the Microsoft Dynamics partner channel. The goal is not simply compliance – you may fall under the compliance radar – it is also a healthier organization with more capital left over.