As regulations continue to evolve in jurisdictions around the world, corporate boards and senior managers are paying very close attention to compliance efforts enterprise-wide. Organizations are reviewing procedures across business units and geographic boundaries to improve visibility into their regulatory compliance and mitigate compliance risks. In this process, though, treasury departments often get short shrift.

Deloitte recently published a book titled “Enterprise Compliance: The Risk Intelligent Approach.” Treasury & Risk sat down to discuss the book, and treasury's role in enterprise compliance, with two of the firm's thought leaders: Robert Biskup, director of forensic and dispute services, and Melissa Cameron, a Deloitte principal who specializes in treasury. Biskup previously served as the chief compliance officer for a Fortune 10 company, and Cameron served previously as a corporate treasurer and a wholesale banker. Both see the treasury function as a key, and often neglected, player in corporate compliance efforts.

T&R: More than a decade after the Sarbanes-Oxley Act brought regulatory compliance to the forefront for corporate boards and management, how well are most businesses doing in the area of compliance?

Robert Biskup: The past 15 years have been a very dynamic period of development in corporate compliance programs. In the pre-SOX [Sarbanes-Oxley] era, companies that weren't in highly regulated industries, such as defense or financial services, commonly had compliance programs that consisted of a vision statement and little else. I think of that as the first generation of corporate compliance programs. Then, post-SOX, a lot of corporations started doing a good job of enhancing their vision statements; publishing robust codes of conduct; expanding their policies and procedures; and enacting everything that SOX specifically called for, including whistle-blower and incident-management programs. But despite these proactive aspects of compliance, some of the back-end aspects—around assurance, auditing, monitoring, things of that nature—were lagging. I think what we are seeing now is the unfolding of the third generation of corporate compliance programs. Companies have spent 15 years in an incubation period, filled with trial and error and experimentation. Now they have a better understanding of what the effective elements of a compliance program ought to look like.

T&R: What does an effective compliance program look like?

RB: Well, we could spend the better part of the day on that subject, but at a high level, we at Deloitte see an effective program as structured in three broad layers. The first layer, which we call the 'environmental layer,' requires an in-depth understanding of the company's industry, geography, and emerging risk trends within the sector and locations where the company does business. The second layer we call the 'evaluation layer.' It includes a deep and rich analysis of risks and incorporation of enabling technologies like analytics into program and risk evaluation. And finally is the 'execution layer,' which consists of the tools, standards, and business processes involved in the program's execution. [For more, see the sidebar “Key Considerations in Designing a Corporate Compliance Program,” below.]

T&R: How does the treasury function fit into the broader corporate model for compliance?

RB: Compliance is critical to treasury, and having a compliance-oriented mindset in the leadership of the treasury organization is especially critical. Like the bank robber Willie Sutton said when asked why he robbed banks: “Because that's where the money is.” Companies have to have a compliance focus in treasury.

Melissa Cameron: It's interesting. When I go out and meet with companies, I generally find that their compliance programs have evolved quite substantially over the last 10 to 15 years, as Rob described—but I often feel that the treasury organization is the poor cousin in finance. Most of the companies I work with have annual revenues between $1 billion and $50 billion. They might have a few hundred people in the finance organization, but rarely do we see more than 10 people sitting in treasury. Treasury departments are now handling a very substantial portion of the balance sheet. They're managing the liquidity of the company, dealing with business units in many countries around the world. Yet there are very few people in the organization, and the compliance infrastructure may be underinvested in relative to other areas.

[Sidebar 1]

T&R: What kinds of control structures do you usually see, and where are the weaknesses?

MC: We often see a very high reliance on dual control—for example, in initiating and transmitting a wire transfer—which means that if two people decide to collude, they'll break through just about every treasury control the company has. We also tend to see much less reliance on segregation of duties between a front office and a back office in treasury. Companies may be lacking independence around accounting and reconciliation, compared with the initiation and execution of trades. And accounting teams may not fully recognize the role they can play in detecting breaks in controls. If they're reconciling bank accounts on a monthly or quarterly basis, that's a big window of opportunity for someone who wishes to commit fraud before it might be detected.

Treasury departments do have much better technology in place than they had, say, 5 or 10 years ago. Still, most treasury departments face limitations, in large part because they just don't have enough people in the department. Folks end up with more systems entitlements, or permissions, than they should have. Often they have access to both front-office and back-office functions because they're backing each other up. The internal auditors might see a nice SOX process on a piece of paper, but the controls are actually pretty easily broken.

T&R: What should companies do to tighten up treasury controls?

MC: When we're working with clients to implement treasury systems, we spend a lot of time taking them through case studies of what we've seen go wrong from a fraud perspective. Internal auditors need to start thinking like a crook and looking at what could go wrong, how to break the treasury controls. They can really get on top of this by proactively considering toxic combinations of duties within treasury organizations and then mapping those to the ways in which systems are entitled, including the trading portals for foreign exchange and investments, the treasury workstations, confirmation platforms, and all the other treasury systems. What are the process flows, and where are the manual breaks in automated processes that might allow someone to do something like change routing instructions for a payment?

T&R: What are some of the first steps that the average company should take to start improving compliance processes in treasury?

MC: One obvious step is to start doing quarterly reviews of system entitlements in all the company's treasury and banking platforms. That doesn't require new technology, just added vigilance. Organizations may want to create detective controls, as well. For example, if a systems administrator adds new users into treasury systems, an automated report might be sent to the treasurer, controller, or CFO. This would enable the manager to determine, “Did Joe Blogs really join the organization, or is Joe Blogs a fictitious person that was created by a systems administrator to get around dual controls?”

Companies should also pay special attention to whether they transact with their counterparties through any basis other than standard settlement instructions. If they choose to transact on a basis that allows routing to be developed and executed on any trade, then they have a higher risk profile than companies that use standard settlement instructions with their financial counterparties. Businesses that are doing that need to have additional reviews, and they need to set up templates for those kinds of wiring instructions.

T&R: Are the types of reviews you're describing the domain of the audit team, or should someone within treasury be keeping an eye on these things on an ongoing basis?

MC: Both are very feasible. The treasury function might verify that Joe Blogs did join the organization. Then the internal auditors might want to take a sampling of transactions to make sure, for example, that the entitlements were set up correctly and that they don't create a toxic combination of entitlements in any treasury system.

RB: If companies can also include some advanced anomaly detection and analytics within their internal audit protocols, those kinds of things can help reduce risk and strengthen overall compliance. It certainly starts with general ledger and financial transaction testing, but increasingly we're also seeing the unstructured data universe being blended into the mix. There are some important correlations and anomalies and, as Melissa said, toxic combinations that can be uncovered through the use of techniques such as predictive analytics, where algorithms may look for X and Y as possible predictive combinations of Z.

[Sidebar 2]

T&R: Would this type of data analytics be something a company runs to receive alerts on an ongoing basis, or is it a process that a company should undertake to see whether there are any warning signs at a particular moment in time?

RB: Typically, we see a combination of both. For known schemes and anomalies, companies are going to engage in ongoing monitoring that focuses on what they know. There are steady-state programs that can be run on an ongoing basis to throw flags when possible anomalies occur. These are similar to the systems banks run in the anti-money laundering context, which detect in real time, as transactions are being processed, whether they have a suspicious element to them. However, in addition to the known world, there is the unknown world. That's where the audit testing and the predictive analytics can be usefully employed.

T&R: Is training another element of improving controls? Are there other people within finance who should be educated about red flags that might come across their desk in one form or another that could alert them to a problem in treasury?

MC: Companies may want to give finance and treasury staff direction on what types of things to look for. If the treasury department is involved in accounts payable, for example, staff can look for duplicate payments, or they can pay close attention if a vendor changes the routing instructions. This is a pretty common fraud scenario: Someone creates a fictitious vendor and then makes a payment to them, and the money's gone. Treasury can also start to be more vigilant around any small transactions on the bank statement that aren't explained when they're doing reconciliations. Many skimming schemes are established by people that know that if the amount is under, say, $100, no one's going to investigate it because it's not worth their time. Taking out just under $100 every day adds up over years and years.

Treasury managers need to run a tight ship and have a skeptical mindset, rather than just a compliance mindset. They need to think, 'We push out so much money, and it's so easy for us to push out. What are the things that could really go wrong? Do we have the right number of people? Do we have the right segregation of duties? Do we have the right reviews, and are we making people take vacations? Are we doing everything we can to uncover fraud?'

Control mechanisms that are very well-established in the banking industry are oftentimes not in place in multinational corporations. Perhaps they should be, even if it costs a little more for the company to have this type of infrastructure in place. Because, frankly, treasuries may be dealing with billions of dollars, and it doesn't take a lot of extra budget to add a couple people to the treasury department to improve the robustness of the controls environment.

[Sidebar 3]
