Creating Best-in-Class Risk Management in the Digital Age


CadencyDirect® on the Now Platform® Automatically Exposes Information and Updates GRC Teams for Critical Journal Entry Controls

Cynthia Cooper is a name most corporate accountants today know quite well, though certainly not 20 years ago. Back then, Cynthia Cooper was simply the head of an internal audit department for one of the telecom giants of the day. However, that changed after Cynthia Cooper and her team discovered various signs of financial fraud – from shifting expense categories to flat-out false categorization of capital expenses. When the same personnel who enabled the fraud told her to drop it, Cynthia Cooper blew the whistle to the SEC instead.


The telecom giant was, of course, WorldCom. Starting from the $3.9 billion that Cooper’s team uncovered, the resulting SEC investigation found $11 billion in overstated assets, at that time the largest case of corporate accounting fraud in history. This led to the SEC charging WorldCom with civil fraud, eventually reaching a $2.25 billion settlement.

Several executives and the CEO were indicted on charges of securities fraud, conspiracy, and filing false documents with regulators. WorldCom filed for Chapter 11 bankruptcy, and what remained of the once-mighty corporation was eventually purchased by Verizon in 2006. This would also propel Cynthia Cooper to the ranks of Sherron Watkins, of Enron, and others in accounting fame. Named one of Time Magazine’s Persons of the Year in 2002, Cynthia Cooper became a beacon of responsible accountancy.

I’m not a hero. I’m just doing my job. – Cynthia Cooper

Cooper’s brave actions, and those of many others, in the wake of increasing accountancy fraud in the early 2000s (Enron, WorldCom, Tyco International, and more) were the tipping point in the creation of the Sarbanes-Oxley Act (SOX), which has guided financial controls for the last two decades. Among its many provisions, SOX compliance requirements set the standard for auditor independence and financial disclosures.

Lessons Learned – Managing Journal Entry Risk through Testing

Twenty years and multiple massive financial reforms later, one might ask the question: how did Cooper’s team discover and validate the issue in the first place? One of the biggest red flags was the discovery of a round $500 million debit to a PP&E account, which set off a chain of audit and exploration that would eventually lay the fraud bare. But this initial discovery would not have been made without the use of digital consolidation tools, which were not as common 20 years ago as they are today.

Gene Morse was a key member of Cynthia Cooper’s team, and the person who initially discovered the red flag debit. But how? Morse was an auditor with a knack and fondness for technology, which he realized he’d need to use to dive into problem identification and patterns. Years after the WorldCom scandal, Morse laid out his story to the Journal of Accountancy – but even more importantly, what today’s accountants and auditors can learn from it. Ultimately, Morse says, it’s about information access.

Morse had to fight to get access to the information across the enterprise, on both sides of the transaction, and was forced to use home-grown tools and late nights running massive queries: all intensive manual efforts, prone to manual error, and requiring intense time commitments to see through.

Information is power. It’s ridiculous for the auditor … to not have complete access to the raw data. – Gene Morse

While praising the benefits of technology used in his discovery, Morse also voiced the desire for stronger computer-assisted audit tools (CAATs) to take the effort and error out of the audit process. From his perspective, discovering high-risk Journal Entries and patterns is a challenge, one that digital tools can alleviate. In the end – it comes down to testing.

The governance for fraud examination in financial statements, outlined in SAS no. 99, stresses the importance of complete understanding and testing of journal entries and adjustments, as this is a principal shelter for financial fraud. SAS no. 99 was followed by AICPA Practice Alert 2003-02, which delved deeply into how best to implement these guidelines. But more importantly, this practice alert provided actual tests to be completed and a specific encouragement of the use of computer-assisted audit tools (CAATs) to improve test effectiveness.

Richard B. Lanza and Scott Gilbert note the need for journal entry testing and data analysis based on SAS no. 99 and AICPA Practice Alert 2003-02. Such testing should also consider three primary things:

  • The top-side journal entry is the most susceptible to fraud by management override.
  • The most frequent types of management fraud involve fictitious or premature revenue recognition.
  • Automated testing cannot replace a skilled auditor or fraud examiner knowledgeable of SOX compliance requirements. But what it can do well is direct the auditor to focus his or her energies on the highest-risk journal entries culled from the full data, rather than a random sample.
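The triage idea in the last bullet, as an added example rather than logic taken from CadencyDirect or from the Practice Alert: every entry in the population is checked against simple risk rules (top-side posting, a round amount like the $500 million PP&E debit, an amount above a per-category threshold) and only flagged entries are queued for an auditor, highest risk first. The field names, thresholds, round-amount unit and sample ledger are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed per-category risk thresholds (illustrative values, not from the page).
THRESHOLDS = {"PP&E": Decimal("1000000"), "Travel": Decimal("25000"),
              "Revenue": Decimal("500000")}
ROUND_UNIT = Decimal("100000")  # assumption: exact multiples of this count as "round"

@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    category: str
    amount: Decimal
    top_side: bool  # manual adjustment posted above the subledgers

def risk_flags(entry):
    """Return the names of every risk rule this entry trips."""
    flags = []
    if entry.top_side:
        flags.append("top_side")
    if entry.amount >= ROUND_UNIT and entry.amount % ROUND_UNIT == 0:
        flags.append("round_amount")
    limit = THRESHOLDS.get(entry.category)
    if limit is None:
        flags.append("unknown_category")  # no threshold configured: surface it
    elif entry.amount > limit:
        flags.append("over_threshold")
    return flags

def review_queue(entries):
    """Test the full population (no sampling); flagged entries, riskiest first."""
    flagged = [(e, risk_flags(e)) for e in entries]
    flagged = [(e, f) for e, f in flagged if f]
    return sorted(flagged, key=lambda pair: (-len(pair[1]), -pair[0].amount))

# Constructed sample ledger.
LEDGER = [
    JournalEntry("JE-1001", "Travel", Decimal("1840.12"), False),
    JournalEntry("JE-1002", "PP&E", Decimal("500000000"), True),
    JournalEntry("JE-1003", "Revenue", Decimal("742310.55"), True),
    JournalEntry("JE-1004", "Travel", Decimal("30000.00"), False),
    JournalEntry("JE-1005", "PP&E", Decimal("86412.90"), False),
]

if __name__ == "__main__":
    for entry, flags in review_queue(LEDGER):
        print(entry.entry_id, entry.category, entry.amount, ",".join(flags))
```

The rules only rank entries for attention; the decision on each flagged entry stays with the reviewer.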


Identifying Risk – Making Journal Entry Testing Efficient and Accurate

While it’s true that auditors and fraud examiners could use manual means to review the general ledger, this generally proves quite ineffective given the breadth of the ledger and the limitations of manual analysis – as Gene Morse might well attest. This is not to say that manual review has no place, because a person’s judgment when reviewing entries is still very valuable; but relying heavily on manual means is simply not the most effective approach.

As highlighted in Practice Alert 2003-02, “Journal Entries and other adjustments oftentimes exist only in electronic form, which requires extraction of the desired data for any quality analysis. In an IT environment, it may be necessary for the auditor to employ CAATs … to identify the journal entries and other adjustments to be tested.” In other words, automated and digital tools are at their best when identifying and calling out potentially risky transactions and journals – and then relying on the practiced eye of the auditor to review them.

Focusing the auditor’s time where it needs to be – instead of “everywhere all at once” – is where digital tools in the Financial Close process shine. Such automation leads to faster and more accurate Financial Reports, which are critical to a business’s success and risk management. Automate what you can, and use the same automation capability that is streamlining your overall Financial Close to also focus and highlight those areas of risk that require manual scrutiny.

With SOX compliance requirements at the forefront of most major companies’ auditing concerns, the reporting and accountability incumbent on the Office of Finance is greater than ever. Declan Tyrrell of Oracle notes the criticality of automation in the close, but also the intensive time the Office of Finance continues to spend simply managing data and getting it out for reporting. Ultimately, this means that the same impartially managed (and auditable) automated system of controls that helps ensure accurate reports also ensures the right testing is occurring when it needs to.

So, we know we need to automate. And we know that various digital tools can serve as CAATs to help focus on top-side journals and entries with unusual risk patterns. Reports are a must. But does that testing need to continue to rely on the reports first? Does the consolidation of complex financial close data for the Risk and Compliance teams need to wait until the end of the period? Or could Gene Morse and the rest of Cynthia Cooper’s team have discovered risky journals the moment they posted?


Real-Time Risk Identification – Automatic Risk Analysis and Audit at the Source

CadencyDirect® by Trintech, available on the ServiceNow® platform, leverages the power of ServiceNow® to link the Journal Entry process to the broader enterprise. Teams like Governance, Risk, and Compliance (GRC) can make use of automated workflows based on the creation or posting of high-risk journal entries the moment they happen, not when the period-end reporting is complete.

Journal Entries processed by Office of Finance users in CadencyDirect’s system of SMART Automation with Risk-Intelligent RPA can directly trigger GRC workflows within ServiceNow. For example, a top-side Journal Entry has just posted, with a dollar amount well above the risk threshold for the expense category. As the Office of Finance works through that Journal Entry and any corresponding Close Tasks, ServiceNow immediately registers the specific Journal Entry in real-time, and automatically creates a workflow notification to GRC to begin manual review of the top-side entry from the practiced eye of the risk specialist.

Within the Now Platform®, CadencyDirect allows risk managers and SOX compliance SMEs in the enterprise to configure their own test parameters for Journal Entries, which can be modified or adjusted ad hoc to accommodate new directives or evolving practices. Without risking the system of controls, or waiting on period-end reports, GRC teams can configure instant notification of risky transactions with the full details of the Journal Entry securely transmitted to them via the Now Platform®.

Driving best-practice processes for managing your financial risk on a standardized platform, one shared with every other department in the enterprise that uses ServiceNow® for workflows, reduces training time and consolidates GRC efforts across both financial and non-financial concerns.

As the only native Built on Now® app for the financial close, CadencyDirect enables ServiceNow® customers to leverage the same process management capabilities they’ve come to trust in the industry leader for workflow. With CadencyDirect on the Now Platform®, your company can achieve the increased efficiency, reduced cost, and reduced risk of a true enterprise-level automated financial close solution.

To learn more about CadencyDirect — whether you are a current ServiceNow® user focusing on finance function transformation or are just beginning your digital transformation journey — download the solution brief.

Written by: Christopher Witt, Director of Product Management for CadencyDirect