Exception Management Explained: Mastering the ‘Last Mile’ of Compliance and Risk Monitoring
By John Verver, CA, CISA, CMC, Vice President, Services & Product Strategy – ACL Services Ltd

Source: Protiviti's KnowledgeLeader

Hours, days or weeks? Those are the options that confronted senior internal auditors, compliance executives and their operational colleagues as they evaluated how long it should take for business process owners to respond to potential internal controls violations. Compliance and risk issues were being identified by the company’s continuous auditing and monitoring technology, but the follow-up processes were not automated.

The enterprise, a global Fortune 100 organization, naturally opted for the swiftest response.
In addition to increasing efficiency, the company wanted to make its issue-resolution process less cumbersome for business process owners to conduct. These requirements drove the company to implement an exception management application from ACL Services that automated the process of sending and following up on exceptions, with the goal of making it easier for everyone to ensure compliance with their internal controls.

Although the exception management implementation was focused on a technology solution, much of the software’s true value lies in the risk-management behaviors it encourages among process owners and in the trust in compliance processes it helps generate throughout the company. The organization achieved these outcomes by tailoring the software to its own business processes and to the responsibilities, or “roles,” within those processes. The customization did not take long.

“This kind of technology makes managing large volumes of exceptions much easier,” reports ACL Services Senior Consultant Sandeep Brar, who was part of the exception management implementation team. “Our role as consultants is to quickly learn a company’s unique business rules and then adjust the analytic testing to support those parameters.”
 
The Need for Decision Support
The growing need for “exception management” capabilities among organizations of all sizes stems from a steady flow of new regulatory compliance and risk management requirements in recent years. These requirements force process owners to incorporate more rigorous compliance and risk-monitoring into their activities.

This need, combined with the evolution of business analysis requirements, has given rise to continuous auditing and continuous monitoring, particularly at companies committed to getting the most valuable bang for their internal audit buck. Rather than dedicate precious internal audit resources to monitoring internal controls within operational areas, leading companies have invested in continuous monitoring applications that enable process owners to take responsibility for monitoring and managing their own internal controls while internal audit and/or compliance teams provide higher-level guidance and oversight. These applications rely on complex analytics to pump out potential compliance and risk issues, or “exceptions,” to process owners.

Using these internal analytics to make better compliance and risk management decisions makes sense in an era where “high performance business processes are among the last remaining points of differentiation,” according to Thomas Davenport and Jeanne Harris, the co-authors of “Competing on Analytics: The New Science of Winning” (Harvard Business School Press, 2007). “Good decisions usually have systematically assembled data and analysis behind them,” Davenport and Harris explain in the same chapter of the book.

While continuous auditing and monitoring tools provide “systematically assembled data and analysis,” it remains up to process owners to take action and make decisions in response to the exceptions that they receive.

In practice, however, the decision-making and related actions occur slowly and ineffectively for a variety of reasons, including the following:

  1. Deaf Ears – Messages requesting action on an internal control issue languish in e-mail inboxes and on voice mail systems;
  2. Burnout – Process owners grow weary of repeated requests to address exceptions – even as they are in the process of resolving them; and
  3. Erroneous Exceptions – Communication breakdowns between internal audit teams and their operational partners result in the identification of too many “false positives” – exceptions that should not be classified as exceptions at all.

“There are examples out there where an exception notification was sent to the e-mail inbox of a person who had been fired,” notes ACL Services Project Manager Patrick Fanous. “And because there was no escalation process in place, that notification and the reminders to follow up languished for months.”
 
From Days to Hours
While this was not the case at the Fortune 100 company mentioned above, the organization recognized that it needed to reduce the time required to resolve an exception.

“Their existing process for dealing with exceptions was highly manual – it involved a lot of back-and-forth through e-mails, phone calls and spreadsheets. They wanted to reduce the amount of human intervention required to resolve an issue while increasing visibility into the resolution process,” reports Fanous.

The company already had in place ACL technology that identifies exceptions that occur with transaction-intensive business processes, and it chose to implement ACL’s exception management application (AX Exception). “They were interested in finding the right tool to help them communicate and follow up on exceptions more effectively, efficiently and easily,” Fanous explains.

Fanous, Brar and ACL Senior Systems Analyst Adam Lai collaborated over the course of five days with the company’s internal audit manager, vice president of control management and four business process owners.

The objective of the collaboration was to customize the software to support the company’s business processes and GRC culture as effectively as possible. The project team’s work included the following:

  1. Map Current Business Processes – “First we defined the business processes and the workflow steps within each process,” Brar explains. “Our objective in this step was to understand how the company executed a process, why certain steps and responsibilities were important and why certain things were not important.”
  2. Identify Risk and Control Points – Once the current business process was identified, the team identified the various risks that existed within the process, including those for fraud, error, abuse and regulatory non-compliance. The team then confirmed the controls that needed to be in place to mitigate the various risks, identifying those that were the most critical controls.
  3. Establish Roles and Responsibilities – Once the business processes were defined and refined, and the risks and controls confirmed, the project team addressed questions related to responsibility:
    1. When an exception arises, who needs to be notified?
    2. What actions can that individual take in response to the exception alert?
    3. What is an acceptable time frame for response and resolution?
    4. What are the criteria and processes for escalation?
    5. Is there a need to confirm that the resolution action has occurred?

Answers to these questions enabled the project team to create a role for each business process manager with monitoring responsibility; each role typically contains two or three possible actions that managers select from when an exception alert appears in their Web-based interface. In the post-Sarbanes-Oxley world, where the expectation of accountability for risk management in each business process area is much greater, it makes sense that operational partners want this level of detailed information delivered directly to their desks every day.

“These workshops really stimulate the exchange of information among internal audit, compliance and process owners,” Brar notes. “In addition, it’s valuable to get this group together in one room because they often discover new process improvement opportunities – by eliminating unnecessary steps and/or by figuring out how to reduce the number of false positives.”

In this case, the compliance and internal audit teams also decided that they should not have the ability to change any of the information about exceptions within the solution. Doing so, they reasoned, reinforced the oversight nature of their role and underscored the fact that the operations function truly owns responsibility for managing its own exceptions.

The brief but intensely collaborative customization process ultimately produced a more effective and efficient exception management process: a business process owner who receives an exception alert is prompted to choose from a small, specific slate of concrete actions. That is a welcome change from contending with an e-mail or phone call that resembles an open-ended essay question: Something may be wrong! How should we respond? Who should respond?

Thanks to the organization-specific escalation process that the software supports, the right individuals are notified if and when business process managers fail to take action in a timely fashion. Process owners with defined monitoring responsibilities check their exception management interface every morning and can respond in a matter of hours – not weeks – when an exception alert appears.   
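The role and escalation questions in the workshop list above (who is notified, which actions they may take, the response window, the escalation criteria, and confirmation of resolution) and the timed escalation described in the preceding paragraph are shown here as an added example. It is illustration code written for this page, not ACL’s software: the accounts-payable role chain, the user directory, the action names and the 24/48-hour windows are all assumptions. It models each role as a short slate of permitted actions, starts a response clock when an exception is assigned, escalates overdue or misdirected exceptions up the chain, leaves acknowledged exceptions out of reminder nagging, and gives the internal audit role no write actions at all.

```python
"""Toy exception-management workflow: each role gets a short slate of
actions, every assigned exception carries a response deadline, overdue
exceptions escalate up a defined chain, and the oversight role can read
the history but never change it. Constructed illustration, not ACL code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Role:
    actions: frozenset            # the 2-3 actions a holder may take; empty = read-only
    sla: Optional[timedelta]      # response window; None = no clock
    escalate_to: Optional[str]    # role that inherits an overdue exception


# Hypothetical role chain for an accounts-payable process (assumed, not from the article).
ROLES = {
    "ap_clerk":       Role(frozenset({"acknowledge", "resolve", "false_positive"}), timedelta(hours=24), "ap_manager"),
    "ap_manager":     Role(frozenset({"acknowledge", "resolve", "false_positive"}), timedelta(hours=48), "controller"),
    "controller":     Role(frozenset({"resolve", "false_positive"}), None, None),
    "internal_audit": Role(frozenset(), None, None),   # oversight only: no write actions
}
# Hypothetical directory: user -> (role, still employed?).  "eve" has left the company.
USERS = {"alice": ("ap_clerk", True), "eve": ("ap_clerk", False),
         "bob": ("ap_manager", True), "carol": ("controller", True), "dan": ("internal_audit", True)}
ROLE_OWNER = {"ap_manager": "bob", "controller": "carol"}   # who receives escalations
TERMINAL = {"resolved", "false_positive", "breached"}


@dataclass
class ControlException:
    ident: str
    description: str
    assignee: str
    role: str
    due: Optional[datetime]
    status: str = "open"          # open -> acknowledged -> resolved | false_positive
    history: list = field(default_factory=list)   # (when, what, note) audit trail


def _assign(exc, user, now):
    """Route the exception to a user and start that role's response clock."""
    role_name = USERS[user][0]
    exc.assignee, exc.role, exc.status = user, role_name, "open"
    sla = ROLES[role_name].sla
    exc.due = now + sla if sla else None


def escalate(exc, now, reason):
    """Hand the exception to the next role in the chain, or mark it breached at the top."""
    nxt = ROLES[exc.role].escalate_to
    if nxt is None:
        exc.status = "breached"
        exc.history.append((now, "breached", reason))
        return
    _assign(exc, ROLE_OWNER[nxt], now)
    exc.history.append((now, f"escalated to {exc.assignee}", reason))


def open_exception(ident, description, assignee, now):
    exc = ControlException(ident, description, assignee, USERS[assignee][0], None)
    _assign(exc, assignee, now)
    exc.history.append((now, "opened", f"notified {assignee}"))
    if not USERS[assignee][1]:   # "deaf ears": recipient is gone, escalate immediately
        escalate(exc, now, "assignee inactive")
    return exc


def act(exc, user, action, now, note=""):
    """Apply one of the assignee's permitted actions; anyone else (including the
    read-only oversight role, or a user who is not the assignee) is refused."""
    role_name, active = USERS[user]
    if not active or user != exc.assignee or action not in ROLES[role_name].actions:
        raise PermissionError(f"{user} may not '{action}' on {exc.ident}")
    if exc.status in TERMINAL:
        raise ValueError(f"{exc.ident} is already {exc.status}")
    if action == "acknowledge":
        exc.status = "acknowledged"          # silences reminders; the clock keeps running
    else:
        if not note:
            raise ValueError("resolution needs an explanation for the audit trail")
        exc.status = "resolved" if action == "resolve" else "false_positive"
    exc.history.append((now, action, note))


def needs_reminder(exceptions, now):
    """Nag only untouched, not-yet-overdue exceptions ("burnout": acknowledged ones are left alone)."""
    return [e.ident for e in exceptions if e.status == "open" and e.due and now < e.due]


def escalate_overdue(exceptions, now):
    """Daily sweep: anything past its deadline moves up the chain. Returns the ids moved."""
    moved = []
    for e in exceptions:
        if e.status not in TERMINAL and e.due and now > e.due:
            escalate(e, now, f"no resolution by {e.due:%Y-%m-%d %H:%M}")
            moved.append(e.ident)
    return moved


def demo():
    """Constructed scenario: one exception to an active clerk, one to a departed one."""
    t0 = datetime(2012, 1, 9, 8, 0)
    h = lambda n: t0 + timedelta(hours=n)
    x1 = open_exception("X1", "duplicate vendor invoice", "alice", t0)
    x2 = open_exception("X2", "PO approved above limit", "eve", t0)   # eve has left: goes to bob at once
    refused = []
    for user in ("dan", "bob"):             # oversight role / not the assignee
        try:
            act(x1, user, "resolve", h(1), "nope")
        except PermissionError:
            refused.append(user)
    act(x1, "alice", "acknowledge", h(1))
    reminders = needs_reminder([x1, x2], h(2))      # only X2 (untouched) is nagged
    esc1 = escalate_overdue([x1, x2], h(30))        # alice acknowledged but never resolved
    act(x1, "bob", "resolve", h(31), "credit memo issued")
    esc2 = escalate_overdue([x1, x2], h(100))       # bob sat on X2 past his 48h window
    esc3 = escalate_overdue([x1, x2], h(200))       # controller has no clock: nothing moves
    return {"x2_first_move": x2.history[1][1], "refused": refused, "reminders": reminders,
            "esc1": esc1, "x1_status": x1.status, "esc2": esc2, "x2_role": x2.role,
            "x2_due": x2.due, "esc3": esc3}
```

Two design choices mirror the article: the compliance and audit role has an empty action set, so the code refuses any change from it rather than relying on convention, and a notification to a user who no longer exists never sits in an inbox because `open_exception` escalates it on the spot.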

“What it boils down to,” Fanous adds, “is that the exception management process takes place how and when it’s designed to.” That’s because business process owners trust the compliance and risk management information on their screens, and they behave accordingly.

Most importantly, exception management has made the company’s continuous monitoring plans a reality, increasing team efficiency and reducing the negative impact of exceptions on the business. The company has since expanded this monitoring across multiple business areas, including master data, system configuration, and transactions.

“Harnessing technology for effective exception management is really where organizations need to be going,” says Fanous. “It’s the best way to find problem areas within a process and to get corrective action where it’s needed, both to the transactions and to the processes themselves. You just cannot do this without technology.”


© 2012 Protiviti Inc. All Rights Reserved.