Professional Documents
Culture Documents
1002 Reducing Risk
1002 Reducing Risk
1
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for
a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
2
“Concerns over financial statement accuracy cause stock price to plummet”
“Credit ratings drop following restatement of earnings”
“CFO and Controller ousted in wake of financial misstatement fiasco”
While these example headlines are certain to grab the contribute to aggravating or mitigating financial reporting
attention of any finance executive, given the increasing risk for their organizations and determine what changes can
responsibilities of today’s finance executive, how many be implemented to reduce that risk.
have set aside time to fully understand the state of
financial reporting risk at their organizations? Financial Financial reporting can be grouped into three major
reporting risk can be pervasive anywhere in an organization components:
and can arise from an event or condition, external and • A variety of people responsible for extracting,
internal factors, and decisions and choices made by many assembling, aggregating, and analyzing data
within the company. Financial reporting risk may also arise • The processes and timelines by which this data is
from inaction. obtained and reported
• The systems that crunch the financial information and
Today’s CFO faces a heightened level of risk due to: distill it into meaningful form
3
How closely do skills align with responsibilities?
People and organization considerations Recruiting, training, and mentoring people with financial
Mini case study — I analysis and financial reporting responsibilities are critical
tasks. Organizations are dynamic entities in which
Business issue: employees transfer, get promoted, resign, or otherwise
A multi-state electric and gas utility experienced serious issues within its financial change their functional behavior. In addition, businesses
reporting unit. While no major restatements were needed, almost one third of the experience ongoing change in their processes, strategies,
senior staff were eligible for retirement. The hiring process was cumbersome and and direction. Are the right people performing in the right
time consuming. Limited career opportunities and a stressful work environment led roles? Is there ongoing training or refresher coursework
to an attrition rate approaching 30-40 percent. to help assure that your financial control professionals are
abreast of current regulatory and accounting requirements,
Organizational response and result not to mention up-to-date with current leading practices
At the advice of Deloitte consultants, the utility realigned the corporate accounting to meet those requirements? Finally, do these individuals
structure under a “steward,” “strategist,” and “operator” model. They initiated know the business and how it operates with a depth of
a portfolio of talent programs including flexible working arrangements, career understanding to raise the right questions in the face of
paths, a 360-degree feedback program, rewards and recognition, a learning and potential “red flags”? Financial reporting acuity involves
on-boarding curriculum, workplace planning tools, and critical job documentation. a great deal more than regulatory knowledge and an
academic understanding of generally accepted practices.
Rebuilding the unit in this manner improved performance dramatically while
maintaining existing staffing levels. Do you have enough people?
Are there too few doing too much? The financial reporting
side of the organization is in competition for resources with
How clearly are roles defined? the very profit centers about which it is reporting. As a
Disability insurance carriers, in working with employers to result, overworked, under-appreciated personnel may make
develop return-to-work programs, have long known that mistakes or not complete essential activities. In this same
many organizations are lax in their ability to provide job vein, formalized career paths, mentoring, rewards, and
descriptions. In the financial close and reporting process, recruiting strategies for finance should be an integral part of
poorly defined roles are typically a major red flag. There the overall people-management function of the enterprise.
may be gaps in roles and responsibilities leading to failures
to obtain, process, or analyze information. If there are What is the state of intra-organizational communication?
overlapping roles, conflicting information may arise. An The CFO defines the manner and tone, even the integrity of
aggressive and ongoing review and analysis of roles and intra-organizational communication about financial controls
procedures may identify and rectify areas of overlap and and reporting. Are there regular top-down communications
conflict. from the CFO or an executive of sufficient seniority about
the importance of financial control-related activities and
their critical role in preserving both the brand and the
public perception of the company? How well do senior
management, the board and its committees understand
the financial reporting processes of the company beyond
that which affects them directly? The CFO is typically in
a position to educate those at the highest level of the
organization about how controls over financial reporting
risk can facilitate or derail broader corporate strategy; and
be certain that this knowledge is disseminated throughout
the enterprise.
4
Communication of controls applies horizontally across In the past, financial reporting “fixes” could be cobbled
those departments or units responsible for the data to be together manually. But with rapidly evolving accounting
aggregated, analyzed, and reported. Because key business and financial reporting requirements, such ad hoc or
processes traverse departments, and business units’ point solutions may no longer work. As one financial sage
key control activities should be applied consistently and suggested around reporting regulations, “The books are
effectively across the process to facilitate the timeliness and getting thicker, the pile’s getting higher, and the text is
integrity of business results, internal training should provide getting smaller.”
an integrated view of how controls need to be performed
so overall financial expectations are realized. A review of policy and processes may yield surprising
results.
Finally, within the unit (hopefully singular) responsible
for communicating financials, how well controlled and To what degree are processes automated?
managed is the communication of financial information? At the time a reporting period closes, the clock begins
Is there a structured approach that contributes to financial ticking on a variety of time-critical tasks that must be
information being complete and accurate such as calendar executed accurately and efficiently. Automatic triggers,
milestones against which activity can be checked? Are reminders, escalations, and status reports that are
there checks against processes including closing, reviewing, generated for management in an organized, planned
classifying, and analyzing? Most importantly, is there a process may be indicators of the health of the financial
specifically identified person ultimately responsible for reporting process.
final approval?
Are standards in place across the enterprise?
When was morale last surveyed? Mergers, acquisitions, global reach, and demands
Because clear roles, responsibilities, skill, and for information both internally and externally make
communication are critical to financial reporting controls, implementation of a standardized approach to financial
answers to the questions above will be a fairly accurate reporting extremely difficult. At the same time, widely
bellwether to the state of morale within the financial dispersed centers of activity can be very difficult to bring
reporting area. Absent commitment, motivation, and under the umbrella of a centralized financial reporting
engagement, a few “close enough” journal entries can operation. Absent such standardization, however, risks
add up to “not close enough” and lead to a misstatement may be magnified exponentially in attempting to shoehorn
and disastrous result. If, however, employees are engaged, variant approaches to accounting, reconciling, analyzing,
understand the role they play in the organization, and feel and reporting.
appreciated for the responsibilities they have assumed,
reporting accuracy, timeliness, and auditability can soar. How many chefs are stirring the pot?
A number of issues may arise in financial reporting
Process and policy considerations when everything is filtered through many layers, hands,
Organizations have never before faced the complexity of committees, and approvers as they work their way up
current business models or the global reach of business the organizational ladder. The process is slowed;
operations and extended relationships. Functions routinely accountability is diluted; and communication between
handled within the organization are increasingly outsourced parties may become muddied and prone to error. Shared
to third parties around the world, whether call centers responsibility conceptually is attractive. It can also be
or payroll administrators. Mergers and acquisitions bring a synonym for responsibility denied with an attendant
disparate systems, approaches, and cultures together. And failure of effective governance. Roles at every stage from
it is the CFO who is typically expected to reconcile the aggregation to analysis, reporting, and approval should
issues as they pertain to reporting the financial results of typically be spelled out clearly. Many of these risks can be
the organization. ameliorated by creating a strong, centralized management
of financial reporting.
5
Information systems — the software and hardware
Process and policy considerations that may frustrate people and processes at every site
Mini case study — II struggling to produce financial reports leading to
chaos, misstatements, restatements, and regulatory
Business issue: non-compliance.
A large financial services firm was struggling to provide timely and controlled
financial reports. A close process that could last up to two weeks was not Both of those statements have probably resonated with
only painful, but led to numerous adjustments and corrections needing to be almost every CFO at one time or another.
posted during the “locked-down” days of the close. Finance was simply not
communicating with other parts of the organization. Hardware and software are, in and of themselves, neutral
and inert. In the environment in which businesses function
Organizational response and result today, they may be critical tools that may assure the people
A “Close Czar” was appointed to instill project management discipline during the and process components of financial reporting function
close period. Closing efforts were spread throughout the month. Non-key activities seamlessly and synchronously — or not.
such as reserve and subscription accounting were moved to the middle of the
month. Routine, planned, and standardized processes were instituted. The result A CFO, while rarely an IT or systems expert, needs to be
was a close process reduced to 6-7 days with greater transparency to financial confident that accounting functions and controls operate as
information available across the organization. Time was made available for more intended and that employees know how to use the system
value-added activities with a dramatic improvement in accuracy, morale, and, as it has been designed so results are as expected or errors
and performance. are identified in a timely fashion. Questions for a CFO to ask
are not as simple as some of those raised above for people
and process components. But there are similarities.
Where are the benchmarks, performance measures, Manual or automated? Complicated or intuitive? Manual
and documentation? controls or automated control?
Milestones, benchmarks, audit trails, and performance These are some of the exact questions asked of people
measures are not only critical to reducing risks associated and processes. This is because it is information systems
with financial reporting; they may be the best way to get a that may request, acquire, aggregate, digest, reconcile,
handle on where greater attention and diligence is needed. and report the numbers over which the CFO is attempting
Documentation is a given. The quality of documentation to exert control.
is more than regulatory compliance however; it is a tool
from which critical data can be derived and organizational If information is manually inserted into a system there may
decisions, and change, effected. The CFO typically plays a be risk. If numbers from disparate, incompatible operating
key role in determining what should be documented, and systems or applications need to be recombined into another
how automated processes can be installed to facilitate — there may be risk. Versioning issues arise. Questions
accuracy and completeness. may arise concerning accuracy. Even the objectivity of data
may come into question if it passes through too many
Systems and information considerations layers or hands.
Information systems — the software and hardware
that globally unite people and processes for financial If moving from manual to automated processes, what
reporting to a common end — accurate, timely, and controls are in place to monitor the transition, while new or
compliant disclosure. changed systems are installed?
6
Leading practices
We have discussed ways in which an organization and Systems and information considerations
particularly a CFO can assess financial reporting risk related Mini case study — III
to the people, processes, and systems of finance. Isolating
the people, processes, and systems in discussions of Business issue:
financial controls and reporting is something of an artificial A global specialty chemical manufacturer with over $6 billion in revenues
construct because they must typically work in seamless operated in more than 100 locations in 25 countries. It experienced a complex
tandem to a common end. However, within each, leading and extended close, consolidation, and reporting process with multiple systemic
practices can be identified that will go a long way to “hand-offs” resulting in a lack of controls across the organization. One insider
assuring an idealized end point; and it may be convenient reported that SOX results were “lukewarm” at best.
to address them individually.
Organizational response and result
People and organization Older, disparate legacy systems were replaced with a global package for legal
A risk-aversive CFO would probably hope to find the consolidation, financial/SEC reporting, and management reporting. This resulted
following in place organizationally: in increased workflow controls with an improved audit trail and security.
• Accountability and responsibility for financial reporting Standardizing reporting structures and reports improved data reliability and
functions is clearly defined, assigned, and executed by accuracy while substantially shortening the close cycle.
all constituencies
• A finance employee retention strategy is clearly defined to
meet business demands and match employee goals
• Employee skills and capabilities are continuously Process and policy
developed through training programs and redeployment • Processes are automated and centralized to reduce
• The company is branded as a career destination for errors and costs
finance professionals • Well documented and enforced policies and procedures
• People are hired based on their potential to achieve reduce issues of non-compliance and help finance
results, not just technical skills and previous experience execute complex transactions
• Performance management programs are designed to • SEC reporting rules, policies, and procedures are easily
effectively measure the performance of finance staff accessible to the preparers and reviewers of reports
• Key individuals from outside finance and accounting are • Pre-close reconciliations and adjustments are performed
involved in a disclosure and governance committee consistently in a standardized fashion
• A baseline of financial literacy is instilled throughout • A Close Manager approaches monthly reporting with a
the organization “project” mentality, leading planning sessions before each
close, using a full suite of project management tools and
disciplines during the close, and conducting post-mortem
review sessions after each close to discuss specific issues
that arose and develop action plans to reduce their
likelihood of recurring
• Reconciliation and analysis of balance sheet accounts is
rapid and reliant on integrated, automated information
• Risk policies consistent with the organization’s risk
tolerance are understood, managed, and updated as
necessary
7
In addition to a loss of investor confidence evidenced by an
Financial reporting risk trends
associated share price decline, an organization may face a
drop in credit ratings, and management changes may be
effected. One study has suggested restatements can destroy
# of companies issuing restatements
8
Financial close and reporting process maturity model
Stage 1 Stage 2 Stage 3 Stage 4
• Key processes in the • The key processes are informally • Processes are defined and • The core processes are defined,
organization are not defined and inconsistently defined integrated but errors are not communicated, and assigned
Organization
and are inadequate to effectively and integrated across the traceable to an owner owners across the business
carry out close activities organization • Activities are relatively • Activities are centralized and
• Business units and Corporate • Communication and centralized with strong cost effective, with a high
function independently coordination is limited between coordination between business synergy between different
business units due to dispersed units business units
geographic locations
• Finance staff acts as data • Finance staff has broad skills but • Finance staff is adequately • Staff is continuously trained,
Talent
gathers, not data analyzers requires cross functional training trained and work is evenly focuses on data analysis and
• Finance roles and responsibilities • Finance employees are distributed to address the needs proactively manages key
are not differentiated recognized by their skill sets of close and reporting activities business decisions
• Policies and processes are not • Policies and processes for • Policies and processes for • Policies and processes are
Policy and
process
well developed, informal, and preparing financial information preparing financial information integrated, automated and
ineffective are defined, but inconsistently are integrated but are not accurate
executed completely automated
• Systems and data architecture • Systems and data architecture • Reconciliation and financial • Systems are well integrated,
customizable, automated and
Systems
are not integrated and use common platforms, analysis processes are executed
automated reducing manual entry and quickly and rely upon integrated accessible through finance
adjustments and automated information portals, with on demand access
to assess performance metrics
Begin by interviewing associates and colleagues to learn Finally, develop a future state design based on the
their concerns and use this information to define a vision assessment. While this idealized future state will evolve
and target people, process, and system improvements that over time, it describes the desired characteristics of people,
may reduce financial reporting risk. process and system components of financial reporting and
• Identify, assess, and prioritize inherent and specific risk typically incorporates:
areas for your organization • A pro-forma reporting calendar describing future
• Diagram key elements of financial reporting processes, financial reporting processes and roles
highlighting handoffs, approval trails, etc. • Talent management programs to be developed
• Learn where there are gaps and overlaps • Recommended new monthly financial reporting
• Conduct interviews, workshops, and focus groups with procedures
participants whether producer, reviewer, analyst, or • Organization, process and system changes required
recipient of financial data • System enhancements and organizational improvements
• Keep an eye out for, and document “quick wins” that reduce financial reporting risk
or “low-hanging fruit” where significant risk or cost • Change management and conflict resolution processes
reductions could be achieved to be used during implementation
• Vehicles to monitor performance against objectives
• Performance measures to continually monitor the
effectiveness and efficiency of the changes effected
9
The bottom line Perhaps the most important point is that progress and
Reduction of risk in financial reporting can be similar to results may need to be analyzed, assessed, reconfigured,
many other business processes. It should be undertaken and adjusted continuously.
systematically and with clear goals that are frequently
“reality-tested” to assure processes are up-to-date and The true bottom line lies with the CFO. For the CFO is
appropriate. The entire process needs to be broken down ultimately responsible for the quality and timeliness of an
into its smallest manageable components. At the same organization’s financial reporting process. The CFO holds a
time, affected employees — from finance and information critical position — interfacing among the CEO, the board of
technologies to human resources, sales, and operations directors, investors, and regulators with respect to
should be “joined at the hip.” financial reporting information and compliance. The
CFO should champion improvement in the people, process,
Business needs drive technology solutions. This is a and system components of finance to reduce financial
message that is sometimes lost in the relentless, sometimes reporting risk while improving the effectiveness and
overwhelming emergence of technological solutions to efficiency of the financial reporting process. And the CFO
problems real and imagined. will do this for a very good reason — the CFO’s job may
very well be on the line.
10
Contacts
Bill Ribaudo
Managing Partner, Finance Operations & Controls Transformation
Deloitte & Touche LLP
617-437-3290
wribaudo@deloitte.com
John Gimpert
Partner and National Leader, Finance Transformation
Deloitte & Touche LLP
312-486-2591
jgimpert@deloitte.com
Rick Borelli
Principal and National Leader, Controls Testing
Deloitte & Touche LLP
212-436-4285
rborelli@deloitte.com
#1013
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial,
investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should
it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your
business, you should consult a qualified professional advisor.
In addition, this publication contains the results of a survey conducted by Deloitte. The information obtained during the survey was taken “as is” and
was not validated or confirmed by Deloitte.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.