A number of years ago I was working in the audit department of a major American multi-national.
Every year the department was responsible for auditing the expense accounts of the senior management of the organisation (Chairman of the Board, COO, CEO, CIO etc). This was known as The Corporate Compliance Audit.
I was assigned to this audit one year. It's a really fun piece of work because - apart from getting to go down to the airport and audit the accounts and usage of the corporate jet - I got to go and check the CEO's expense accounts.
Unsurprisingly (to me anyway, knowing the man and having worked for him for a number of years) the CEO was squeaky clean in his expenses. He even remembered to pay for the costs of taking his wife to Europe for a meeting on the corporate jet.
But as you went lower in the organisation this wasn't always the case.
One example in particular stood out to me. It involved an individual (who we'll call 'Eric' - names have been changed to protect the guilty). Eric was the head of a corporate information department and had linkages with a large number of external bodies to get that information.
One day he had invited representatives of these external bodies to a local restaurant for a meal. He had also invited a couple of members of his own department including his secretary - who we'll call 'Cindy'.
Over the course of the meal the attendees had spent almost $4000 on alcohol including 30 bottles of wine, numerous spirits and a round of after-dinner brandies at $98 a shot. The alcohol alone accounted for 48% of the total.
I rang the restaurant to see if the amount being claimed was right. They remembered the party and confirmed the approximate amount of the bill.
We checked the corporate policy regarding 'entertainment' and - whilst the amounts appeared to be excessive - nothing seemed to be out of compliance with the policy. However the policy did state clearly that the person submitting the bill had to write the names of the attendees on the back of the receipt. I checked the back of the receipt and found about nine names on it. When I did the math it appeared that the attendees had spent almost $1000 each on a meal. This seemed a bit excessive so further inquiries were made.
The story that came back to us was that there were 'considerably more' than nine attendees but for ‘security purposes’ the full names and numbers of the attendees could not be divulged.
Anyway, my next stop was to actually find out who had approved such a large entertainment bill. This is where the story got interesting (and where the link to process would eventually come in).
The policy stated that all expenses have to receive review and approval from a manager or above. We went to Eric's manager and he claimed never to have seen the invoice and would certainly have questioned it. After all if one of the attendees had driven off after drinking their share of $4000 of alcohol, had an accident and blamed the company for providing the booze we could have been in serious trouble.
So who approved the invoice?
Checking back through the paper trail it appeared that in actual fact it was Cindy who had paid for the meal (using the corporate credit card), made an expenses claim using the appropriate process and Eric - her manager - had approved it.
So what's wrong with this picture?
Well, in essence you have a duo who were gaming the system (although probably not maliciously). They stuck by the letter of the corporate policy, annotated the attendees (to a point), submitted a claim through the appropriate channels, had it approved as per the policy and voila! one HUGE night out on the company.
Leaving aside the moral questions of such a large bill for such a small number of people (it eventually turned out to be about $400 per head), what was wrong with the process?
One small thing.
In auditing there is a term known as 'segregation of duties'. It is a concept which means that different people have responsibility for different parts of any process involving money. That's why - in a well designed finance process - one person cannot create a supplier, set up the payment details, raise and approve an invoice and write a cheque. Using segregation of duties you need at least two people involved. That way it is harder to create a 'fake' vendor, a 'fake' invoice and a real payment.
By adding the corporate policy statement saying "all expenses have to receive review and approval from a manager or above" the company had attempted to implement the segregation of duties standard but had failed in one small, but key, matter.
They had failed to state that the approver cannot be a part of the event itself. In reality, because Eric was at the restaurant and had partaken of the meal and the alcohol, by getting Cindy to pay he was effectively approving his own meal. This completely removes the 'segregation of duties' part of the policy.
That's why the small thing makes a difference.
How did we close this loophole? Easy. The policy was changed to say 'senior person present must pay'. That way there can be no-one at the table who would be in the position to approve the meal they had just eaten (or alcohol they had just drunk). It would have to be elevated to someone higher who wasn't there. The submitter would then have to pass the red face test and justify the attendees, the cost per person and the overall bill. In times of plenty this is relatively easy. But once belts start to be tightened it becomes a lot harder.
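The gap and the fix can be written as two approval checks and run against the claim from the story. This is an added example, not part of the original post: the org chart, the name 'Dana' for Eric's manager, the guest names and the reading of 'senior person present' as 'nobody from the submitter's own management chain was at the table' are all assumptions.

```python
from dataclasses import dataclass

# Constructed org chart: employee -> direct manager (None = top of the chain).
# 'Dana' is a hypothetical name; the post does not name Eric's manager.
MANAGER_OF = {"Cindy": "Eric", "Eric": "Dana", "Dana": None}

@dataclass(frozen=True)
class Claim:
    submitter: str
    approver: str
    attendees: frozenset  # everyone at the table, staff and external guests

def chain_above(employee):
    """Management chain above an employee, nearest manager first."""
    chain, boss = [], MANAGER_OF.get(employee)
    while boss is not None:
        chain.append(boss)
        boss = MANAGER_OF.get(boss)
    return chain

def original_policy(claim):
    """'Review and approval from a manager or above' and nothing more."""
    if claim.approver not in chain_above(claim.submitter):
        return ["approver is not a manager or above of the submitter"]
    return []

def revised_policy(claim):
    """Original rule, plus: approver was not at the event, senior person pays."""
    findings = original_policy(claim)
    if claim.approver in claim.attendees:
        findings.append("approver attended the event being claimed")
    seniors = sorted(a for a in claim.attendees if a in chain_above(claim.submitter))
    if seniors:
        findings.append("submitter is not the senior person present: " + ", ".join(seniors))
    return findings

# Constructed sample claims; the guest names are placeholders.
TABLE = frozenset({"Cindy", "Eric", "Guest A", "Guest B"})
AS_FILED = Claim(submitter="Cindy", approver="Eric", attendees=TABLE)
AS_REQUIRED = Claim(submitter="Eric", approver="Dana", attendees=TABLE)

if __name__ == "__main__":
    print("original policy, as filed:   ", original_policy(AS_FILED))
    print("revised policy, as filed:    ", revised_policy(AS_FILED))
    print("revised policy, senior pays: ", revised_policy(AS_REQUIRED))
```

The claim as filed passes the original check with no findings, which is exactly the loophole; under the revised check it fails on both counts, and only the version where Eric submits and someone who was not at the table approves comes back clean.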
So what is the process implication of this?
Next time you are looking through your own process, consider whether something simple and straightforward such as this would improve the flow of the process with a minimal overhead for the participants.
All information is Copyright (C) G Comerford