As regulations continue to evolve in jurisdictions around the world, corporate boards and senior managers are paying very close attention to compliance efforts enterprise-wide. Organizations are reviewing procedures across business units and geographic boundaries to improve visibility into their regulatory compliance and mitigate compliance risks. In this process, though, treasury departments often get short shrift.
Deloitte recently published a book titled “Enterprise Compliance: The Risk Intelligent Approach.” Treasury & Risk sat down to discuss the book, and treasury’s role in enterprise compliance, with two of the firm’s thought leaders: Robert Biskup, director of forensic and dispute services, and Melissa Cameron, a Deloitte principal who specializes in treasury. Biskup previously served as the chief compliance officer for a Fortune 10 company, and Cameron served previously as a corporate treasurer and a wholesale banker. Both see the treasury function as a key, and often neglected, player in corporate compliance efforts.
T&R: What kinds of control structures do you usually see, and where are the weaknesses?
MC: We often see a very high reliance on dual control—for example, in initiating and transmitting a wire transfer—which means that if two people decide to collude, they’ll break through just about every treasury control the company has. We also tend to see much less reliance on segregation of duties between a front office and a back office in treasury. Companies may be lacking independence around accounting and reconciliation, compared with the initiation and execution of trades. And accounting teams may not fully recognize the role they can play in detecting breaks in controls. If they’re reconciling bank accounts on a monthly or quarterly basis, that’s a big window of opportunity for someone who wishes to commit fraud before it might be detected.
T&R: Would this type of data analytics be something a company runs to receive alerts on an ongoing basis, or is it a process that a company should undertake to see whether there are any warning signs at a particular moment in time?
RB: Typically, we see a combination of both. For known schemes and anomalies, companies are going to engage in ongoing monitoring that focuses on what they know. There are steady-state programs that can be run on an ongoing basis to throw flags when possible anomalies occur. These are similar to the systems banks run in the anti-money laundering context, which detect in real time, as transactions are being processed, whether they have a suspicious element to them. However, in addition to the known world, there is the unknown world. That’s where the audit testing and the predictive analytics can be usefully employed.