As regulations continue to evolve in jurisdictions around the world, corporate boards and senior managers are paying very close attention to compliance efforts enterprise-wide. Organizations are reviewing procedures across business units and geographic boundaries to improve visibility into their regulatory compliance and mitigate compliance risks. In this process, though, treasury departments often get short shrift.
Deloitte recently published a book titled “Enterprise Compliance: The Risk Intelligent Approach.” Treasury & Risk sat down to discuss the book, and treasury’s role in enterprise compliance, with two of the firm’s thought leaders: Robert Biskup, director of forensic and dispute services, and Melissa Cameron, a Deloitte principal who specializes in treasury. Biskup previously served as the chief compliance officer for a Fortune 10 company, and Cameron served previously as a corporate treasurer and a wholesale banker. Both see the treasury function as a key, and often neglected, player in corporate compliance efforts.
T&R: More than a decade after the Sarbanes-Oxley Act brought regulatory compliance to the forefront for corporate boards and management, how well are most businesses doing in the area of compliance?
Robert Biskup: The past 15 years have been a very dynamic period of development in corporate compliance programs. In the pre-SOX [Sarbanes-Oxley] era, companies that weren’t in highly regulated industries, such as defense or financial services, commonly had compliance programs that consisted of a vision statement and little else. I think of that as the first generation of corporate compliance programs. Then, post-SOX, a lot of corporations started doing a good job of enhancing their vision statements; publishing robust codes of conduct; expanding their policies and procedures; and enacting everything that SOX specifically called for, including whistle-blower and incident-management programs. But despite these proactive aspects of compliance, some of the back-end aspects—around assurance, auditing, monitoring, things of that nature—were lagging. I think what we are seeing now is the unfolding of the third generation of corporate compliance programs. Companies have spent 15 years in an incubation period, filled with trial and error and experimentation. Now they have a better understanding of what the effective elements of a compliance program ought to look like.
T&R: What does an effective compliance program look like?
RB: Well, we could spend the better part of the day on that subject, but at a high level, we at Deloitte see an effective program as structured in three broad layers. The first layer, which we call the ‘environmental layer,’ requires an in-depth understanding of the company’s industry, geography, and emerging risk trends within the sector and locations where the company does business. The second layer we call the ‘evaluation layer.’ It includes a deep and rich analysis of risks and incorporation of enabling technologies like analytics into program and risk evaluation. And finally there is the ‘execution layer,’ which consists of the tools, standards, and business processes involved in the program’s execution. [For more, see the sidebar “Key Considerations in Designing a Corporate Compliance Program,” below.]
T&R: How does the treasury function fit into the broader corporate model for compliance?
RB: Compliance is critical to treasury, and having a compliance-oriented mindset in the leadership of the treasury organization is especially critical. Like the bank robber Willie Sutton said when asked why he robbed banks: “Because that’s where the money is.” Companies have to have a compliance focus in treasury.
Melissa Cameron: It’s interesting. When I go out and meet with companies, I generally find that their compliance programs have evolved quite substantially over the last 10 to 15 years, as Rob described—but I often feel that the treasury organization is the poor cousin in finance. Most of the companies I work with have annual revenues between $1 billion and $50 billion. They might have a few hundred people in the finance organization, but rarely do we see more than 10 people sitting in treasury. Treasury departments are now handling a very substantial portion of the balance sheet. They’re managing the liquidity of the company, dealing with business units in many countries around the world. Yet there are very few people in the organization, and the compliance infrastructure may be underinvested in, relative to other areas.
T&R: What kinds of control structures do you usually see, and where are the weaknesses?
MC: We often see a very high reliance on dual control—for example, in initiating and transmitting a wire transfer—which means that if two people decide to collude, they’ll break through just about every treasury control the company has. We also tend to see much less reliance on segregation of duties between a front office and a back office in treasury. Companies may be lacking independence around accounting and reconciliation, compared with the initiation and execution of trades. And accounting teams may not fully recognize the role they can play in detecting breaks in controls. If they’re reconciling bank accounts on a monthly or quarterly basis, that’s a big window of opportunity for someone who wishes to commit fraud before it might be detected.
Treasury departments do have much better technology in place than they had, say, 5 or 10 years ago. Still, most treasury departments face limitations, in large part because they just don’t have enough people in the department. Folks end up with more systems entitlements, or permissions, than they should have. Often they have access to both front-office and back-office functions because they’re backing each other up. The internal auditors might see a nice SOX process on a piece of paper, but the controls are actually pretty easily broken.
T&R: What should companies do to tighten up treasury controls?
MC: When we’re working with clients to implement treasury systems, we spend a lot of time taking them through case studies of what we’ve seen go wrong from a fraud perspective. Internal auditors need to start thinking like a crook and looking at what could go wrong, how to break the treasury controls. They can really get on top of this by proactively considering toxic combinations of duties within treasury organizations and then mapping those to the ways in which systems are entitled, including the trading portals for foreign exchange and investments, the treasury workstations, confirmation platforms, and all the other treasury systems. What are the process flows, and where are the manual breaks in automated processes that might allow someone to do something like change routing instructions for a payment?
T&R: What are some of the first steps that the average company should take to start improving compliance processes in treasury?
MC: One obvious step is to start doing quarterly reviews of system entitlements in all the company’s treasury and banking platforms. That doesn’t require new technology, just added vigilance. Organizations may want to create detective controls, as well. For example, if a systems administrator adds new users into treasury systems, an automated report might be sent to the treasurer, controller, or CFO. This would enable the manager to determine, “Did Joe Blogs really join the organization, or is Joe Blogs a fictitious person that was created by a systems administrator to get around dual controls?”
Companies should also pay special attention to whether they transact with their counterparties through any basis other than standard settlement instructions. If they choose to transact on a basis that allows routing to be developed and executed on any trade, then they have a higher risk profile than companies that use standard settlement instructions with their financial counterparties. Businesses that are doing that need to have additional reviews, and they need to set up templates for those kinds of wiring instructions.
T&R: Are the types of reviews you’re describing the domain of the audit team, or should someone within treasury be keeping an eye on these things on an ongoing basis?
MC: Both are very feasible. The treasury function might verify that Joe Blogs did join the organization. Then the internal auditors might want to take a sampling of transactions to make sure, for example, that the entitlements were set up correctly and that they don’t create a toxic combination of entitlements in any treasury system.
RB: If companies can also include some advanced anomaly detection and analytics within their internal audit protocols, those kinds of things can help reduce risk and strengthen overall compliance. It certainly starts with general ledger and financial transaction testing, but increasingly we’re also seeing the unstructured data universe being blended into the mix. There are some important correlations and anomalies and, as Melissa said, toxic combinations that can be uncovered through the use of techniques such as predictive analytics, where algorithms may look for X and Y as possible predictive combinations of Z.
T&R: Would this type of data analytics be something a company runs to receive alerts on an ongoing basis, or is it a process that a company should undertake to see whether there are any warning signs at a particular moment in time?
RB: Typically, we see a combination of both. For known schemes and anomalies, companies are going to engage in ongoing monitoring that focuses on what they know. There are steady-state programs that can be run on an ongoing basis to throw flags when possible anomalies occur. These are similar to the systems banks run in the anti-money laundering context, which detect in real time, as transactions are being processed, whether they have a suspicious element to them. However, in addition to the known world, there is the unknown world. That’s where the audit testing and the predictive analytics can be usefully employed.
T&R: Is training another element of improving controls? Are there other people within finance who should be educated about red flags that might come across their desk in one form or another that could alert them to a problem in treasury?
MC: Companies may want to give finance and treasury staff direction on what types of things to look for. If the treasury department is involved in accounts payable, for example, staff can look for duplicate payments, or they can pay close attention if a vendor changes the routing instructions. This is a pretty common fraud scenario: Someone creates a fictitious vendor and then makes a payment to them, and the money’s gone. Treasury can also start to be more vigilant around any small transactions on the bank statement that aren’t explained when they’re doing reconciliations. Many skimming schemes are established by people who know that if the amount is under, say, $100, no one’s going to investigate it because it’s not worth their time. Taking out just under $100 every day adds up over years and years.
Treasury managers need to run a tight ship and have a skeptical mindset, rather than just a compliance mindset. They need to think, ‘We push out so much money, and it’s so easy for us to push out. What are the things that could really go wrong? Do we have the right number of people? Do we have the right segregation of duties? Do we have the right reviews, and are we making people take vacations? Are we doing everything we can to uncover fraud?’
Control mechanisms that are very well-established in the banking industry are oftentimes not in place in multinational corporations. Perhaps they should be, even if it costs a little more for the company to have this type of infrastructure in place. Because, frankly, treasuries may be dealing with billions of dollars, and it doesn’t take a lot of extra budget to add a couple people to the treasury department to improve the robustness of the controls environment.
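Two of the controls Cameron describes in the interview lend themselves to a small script: mapping “toxic combinations” of duties onto the entitlements a person actually holds across treasury systems, and the detective control that checks whether a newly created system user (“Joe Blogs”) really exists on the HR roster. The Python below is an added example written for this page; it is not code from the interview, from Treasury & Risk, or from Deloitte. The entitlement export, the toxic-pair policy, the admin audit log lines and the HR roster are all constructed assumptions, and the field names are hypothetical.

```python
"""Added example (not from the interview or from Deloitte): two treasury
controls as code over an entitlement export and an admin audit log.
(1) flag 'toxic combinations' of duties held by one person across systems;
(2) reconcile user.create events against the HR roster.
Field names, the toxic-pair policy and all data are constructed assumptions."""

from collections import defaultdict

# Constructed sample: one row per (user, system, entitlement), as a treasury
# workstation, bank portal, FX portal and confirmation platform might export.
ENTITLEMENTS = [
    ("asmith", "treasury_ws",      "payment_initiate"),
    ("asmith", "bank_portal",      "payment_release"),   # initiates AND releases
    ("bjones", "treasury_ws",      "payment_initiate"),
    ("cwong",  "bank_portal",      "payment_release"),
    ("cwong",  "gl",               "bank_reconcile"),    # reconciles own releases
    ("dlee",   "fx_portal",        "trade_execute"),
    ("dlee",   "confirm_platform", "trade_confirm"),     # confirms own trades
    ("sysadm", "treasury_ws",      "user_admin"),
    ("sysadm", "treasury_ws",      "payment_initiate"),  # admin who can move money
    ("jblogs", "bank_portal",      "payment_release"),
]

# Duties one individual should never hold together (assumed policy).
TOXIC_PAIRS = [
    ("payment_initiate", "payment_release"),   # defeats dual control alone
    ("payment_release",  "bank_reconcile"),    # can bury own outflows in recon
    ("trade_execute",    "trade_confirm"),     # front office confirming itself
    ("user_admin",       "payment_initiate"),  # can mint an approver to collude with
    ("user_admin",       "payment_release"),
]


def toxic_combinations(entitlements, toxic_pairs=TOXIC_PAIRS):
    """Return {user: [(duty_a, duty_b), ...]} for every user holding both
    sides of a toxic pair.  Duties are pooled across systems on purpose:
    the risk is the person, not any single platform's role model."""
    duties = defaultdict(set)
    for user, _system, duty in entitlements:
        duties[user].add(duty)
    findings = {}
    for user, held in duties.items():
        hits = [p for p in toxic_pairs if p[0] in held and p[1] in held]
        if hits:
            findings[user] = hits
    return findings


# Constructed admin audit log from the treasury workstation (hypothetical format).
ADMIN_LOG = """\
2024-03-04T09:12:01Z actor=sysadm action=user.create target=bjones
2024-03-05T17:48:33Z actor=sysadm action=user.create target=jblogs
2024-03-05T17:49:10Z actor=sysadm action=role.grant target=jblogs role=payment_release
2024-03-06T08:00:00Z actor=sysadm action=user.disable target=olduser
"""

# Constructed HR roster; note that jblogs is not on it.
HR_ROSTER = {"asmith", "bjones", "cwong", "dlee", "sysadm", "olduser"}


def parse_admin_log(text):
    """Parse 'timestamp key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        event = {"ts": ts}
        for kv in kvs:
            key, _, value = kv.partition("=")
            event[key] = value
        events.append(event)
    return events


def unrostered_new_users(log_text, roster):
    """Detective control: user.create events whose target is not on the HR
    roster.  Returns (timestamp, actor, new_user) tuples for the report the
    treasurer or controller would receive."""
    return [
        (e["ts"], e["actor"], e["target"])
        for e in parse_admin_log(log_text)
        if e.get("action") == "user.create" and e.get("target") not in roster
    ]


if __name__ == "__main__":
    for user, pairs in sorted(toxic_combinations(ENTITLEMENTS).items()):
        print(f"TOXIC  {user}: {pairs}")
    for ts, actor, target in unrostered_new_users(ADMIN_LOG, HR_ROSTER):
        print(f"NEWUSER {ts} {actor} created {target!r}, not on HR roster")
```

Run against the constructed data it flags asmith (initiate plus release, the collusion-free bypass of dual control), cwong (release plus reconciliation), dlee (execute plus confirm) and sysadm (user admin plus initiate), and reports that jblogs was created by sysadm without an HR record. In practice the entitlement rows would come from a quarterly export of each platform and the roster from HR; sending the result to the treasurer or controller is left to whatever alerting the organization already has.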