Internal auditors are used to walking fine lines, but championing a “continuous controls monitoring” program requires extra balancing skill. That’s because designing controls, such as those aimed at preventing financial fraud, is typically defined as an activity performed by company management or business units. And under internal auditing standards, internal audit departments must be independent from management.
But that doesn’t mean internal auditors can’t have any role in CCM, an automated process of examining 100% of transactions that are subject to any particular control being tested. “We can’t help [management] design controls or tell them that a control is the right one to have in place, but we can help them monitor it,” says Mary Ann Tourney, director of internal audit for Talecris Biotherapeutics, a $1.4 billion provider of injectionable medical treatments. “We don’t troubleshoot what goes wrong; we send them a note saying, here’s what came out of testing, can you please explain it?”
Tourney has been providing a lot of that help, using off-the-shelf tools from ACL Services, one of the largest vendors of audit, finance, and compliance technology. The Talecris CCM program — the subject of a recent case study by the Center for Continuous Auditing at Rutgers University Business School — was launched in 2007 as the company got going on an effort to do an initial public offering. The need for strong internal controls is heightened at public companies, of course, because of the Sarbanes-Oxley requirement that external auditors attest to the soundness of the controls.
The IPO finally happened just over a month ago, on October 1, four and a half years after the company was founded when private investors purchased the plasma business of Bayer Biological Products, a unit of Bayer Health Care. By then Talecris had implemented five of ACL’s six CCM modules: Purchase to Payment, Purchasing Card, Travel and Entertainment, General Ledger, and Payroll. Installation of the final module, Order to Pay (for monitoring controls over receivables), was at press time slated to be completed soon.
It was Tourney, who was familiar with ACL from prior jobs, who selected the technology for continuous auditing and also recommended it to management for continuous controls monitoring. Those two processes observe essentially the same data sets; the difference between “monitoring” and “auditing” is subtle and lies mostly in who has ownership of the process and its purpose, she notes.
In the former case, management designs controls in order to fulfill a fiduciary and regulatory obligation and win an attestation to the effectiveness of the controls from its external auditors. Internal audit departments, meanwhile, conduct their audits to actually root out fraud and error in high-risk transactional areas. “Our technology tool is powerful enough to kill the two birds with one stone,” says Tourney. “But we control the program in internal audit so the parameters of the tests don’t get changed without our knowledge.”
All Together Now
Miklos Vasarhelyi, a Rutgers professor and co-author of the case study, says he became interested in the Talecris program because he wanted to see how a CCM program worked using prepackaged software tools. The school’s Center for Continuous Auditing had previously written code tailored for continuous auditing and monitoring programs at specific companies it worked with, including Siemens Financial Services, HCA Corp., and MetLife.
But as Vasarhelyi observed the program in action, he also became very interested in what he saw as a high degree of end-user involvement in the software implementation. It’s not surprising, he says, that an internal audit department would drive the use of tools to improve auditing and controls monitoring. But at Talecris, people from organizations across the company displayed an “impressive” level of ownership over the application. “I don’t know if that was just Talecris, or whether any company might do that, but I want to study it further,” the professor says.
Tourney says the results of the business units’ close involvement in the program have been “a greater focus by management on controls, an increase in dialogue on controls, and internal audit being treated more as a business partner and less as a police force.”
Both those and other benefits of the program are either purely qualitative or their impact on the bottom line cannot be quantified, according to both Tourney and Vasarhelyi. Those benefits include, for example, elimination of 88,000 inactive vendors from the company’s vendor database, new limits on the use of procurement cards, and recording with purchase orders $12 million worth of purchases that previously had not been recorded as such.
“My difficulty in giving [bottom-line] numbers is that there were so many moving parts,” says Tourney. “There were a lot of people, not just internal audit, working on a lot of projects concurrently.” She also declines to say how much Talecris has spent on the software.
For his part, Vasarhelyi says that what can be expected to result from a continuous monitoring or auditing program is “basically a lot of quality improvement that will eventually make for better client service and give you more reliable numbers and fewer errors. But those things are very difficult to quantify, and I find it a bit flaky to try to do too much quantification.”
He notes disapprovingly that a couple of the internal audit departments Rutgers has worked with reacted to new efficiencies provided by continuous auditing or monitoring programs by getting rid of a few auditors. The staff savings are a pittance compared with substantial operational improvements, he says, and anyway, “the moment you audit deeper, more audit issues will come up.”
Tourney says Talecris has actually added internal audit staff to address the company’s growth and prepare for going public, but that the increase would have been far greater were it not for the continuous monitoring program.
One of the biggest issues for Tourney was that the company had two operating divisions with very different cultures for which different CCM processes were required. Talecris Biotherapeutics, the entity acquired from Bayer in 2005, had a long-established system of using purchase orders and was running the SAP enterprise resource planning system. The goal there was to “keep the thumb on the pulse” and tighten things up.
For Talecris Biotherapeutics, the internal audit department used its technology tool to spot, for example, payments not made according to the terms of purchase orders, the use of purchasing and T&E cards for unauthorized purposes, vendors in the database without all required fields populated, and instances of failure to receive the proper invoice credit for the return of defective supplies. Automating these processes “raised visibility,” says Tourney. “Before we started the project, a lot of these things were paper trails.”
The other operating unit, Talecris Plasma Resources, consists of facilities that collect the plasma Talecris Biotherapeutics uses to produce its injectionable treatments. It was purchased in late 2006, when it was still “very young,” Tourney says. It had no ERP system and generally did not document its procurement of supplies with purchase orders. Further, it handled large amounts of cash used to pay plasma donors — as much as $2 million per week — which created significant fraud potential. Adding to the difficulty factor: the number of donor facilities has grown from just a handful three years ago to 69 today.
An important aspect of the procurement problem was that there was no structured process for recording where supplies were sent after being received at the loading dock. And because there were no purchase orders, there could be no “three-way match” between shipment packing lists, invoices, and what was authorized to be purchased. “They literally just paid whatever the invoice said without knowing if a different price had been negotiated, which left them vulnerable to dishonesty by vendors,” says Tourney.
These issues were cured by putting the plasma collection division on SAP — which was not accomplished until mid-2008 — and creating new documentation procedures. Then ACL was ready to begin monitoring the receiving process. The technology also detects purchases for which there are no purchase orders and tracks the reasons given for not using one. As a result, the number of purchases without purchase orders has dropped from 80% to 40% of the total.
Controls addressing the risk of fraud pertaining to the cash distributed to donors required a different approach. Talecris implemented procedures whereby third parties deposit cash into ATMs at the collection centers that dispense cash to donors. Thus, the employees never touch the cash. Then the company installed a donor-management system that allows headquarters to track incoming donors and allows the CCM system to monitor cash controls.
Taken together, the results of Talecris’s implementation of continuous controls monitoring were impressive, according to the Rutgers case study. “Talecris has seen enormous benefits as a result of this project,” the report said.