As the business world adopts a 24/7 timeframe, more companies are instituting controls that operate continuously. Talecris Biotherapeutics, a North Carolina-based maker of medical treatments, put in place a system that lets both business heads and the audit group keep tabs on controls.
The effort began as Talecris prepared to go public, a change that "meant that we needed to be able to focus everyone on controls," says Mary Ann Tourney, the company's senior director of internal audit. Given the audit department's size, automating testing of controls "would allow us time, with a small staff, to accomplish over 100 audit tests every week automatically, look at the results and engage the business process owners in looking at their own controls," Tourney says.
Talecris has two units: Talecris Biotherapeutics, which uses blood plasma to make treatments, and Talecris Plasma Resources, a chain of plasma collection centers.
Tourney started with the purchase-to-pay area because it presented the greatest risk of fraud. Using technology from ACL, a Vancouver-based provider of business assurance technology, Talecris automated its monitoring of purchasing cards, implemented controls on its vendor list and eliminated many inactive vendors. It also tightened its policies on returned goods, and used ACL tests to track expense usage.
The plasma collection centers did most of their business in cash, giving rise to frequent errors and fraud. Talecris implemented SAP's Supplier Relationship Management to better track transactions with plasma donors. To limit the use of cash, it put ATMs in each center to disburse payments to donors, and it used business intelligence technology to track the ATMs' cash flow. The audit group devised its own module to monitor the centers' payments and assess their risks.
Miklos Vasarhelyi, a professor at Rutgers University Graduate School of Business in Newark, N.J., argues that the increasing use of automation, especially the adoption of enterprise resource planning systems (ERPs), makes continuous controls a necessity. "In the old days, you could control by looking at what people are doing," he says. "Now, things are being done by ERPs, and ERPs cannot be directly observed."
Vasarhelyi, who wrote a paper on the Talecris implementation, says the work "seems to have been extremely useful," and cites in particular the level of participation. Tourney credits the project's success in part to its focus on partnering with the businesses, rather than policing them. "You get buy-in from the business process owners on how this helps them," she says.