Narrator: This is the ERP Advisor. Today’s episode: Internal Control Over Financial Reporting with ERP.
Juliette Welch: Hi, everyone. Thank you for joining us for today's call, Internal Control Over Financial Reporting with ERP. Shawn Windle is our speaker for today. Shawn is the Founder and Managing Principal of ERP Advisors Group based in Denver, Colorado. Our guest joining us today is Espen Jensen, Principal Consultant at ERP Advisors Group. Thank you guys for joining us, I appreciate you taking the time.
Shawn Windle: Absolutely.
Espen Jensen: Yeah, thank you.
Juliette: Okay well Shawn we will jump right in with you if you’re ready to go.
Shawn: Let’s do it.
Juliette: So, in the recent weeks, we've been covering a variety of different topics. So why are we talking today about ERP and internal control?
Shawn: What we’re seeing right now is that there is actually some demand in the marketplace for understanding internal controls around ERP which is great. So, our Digital Marketing Manager who is behind the camera, Shaun, said that we need to put some material together for this because people are asking about it. And we want to make sure that we can get experts — between Espen and myself we have a ton of experience, especially Espen on the practical side. So, that’s one reason that we’re talking about this.
But the real reason, when you look at ERP — and then we will bridge specifically into internal controls because it’s sort of like “why is ERP Advisors Group looking at internal controls?” because there’s other firms — lots of people I worked with at a firm that I’m sure will come up in this discussion, Andersen, went off and they just focused on internal controls work with some of these other firms out there. But, if you look at the reason ERP is in place, the ultimate reason especially from a CFO/CPA perspective is to create financial statements — to take all these transactions from across the entire business, from inventory on the balance sheet to operating expenses, everything, even leases — there’s new lease accounting requirements we were just looking at for a client — all of that accounting shows up in the financial statements for a public company, then that goes to the public who then decides if they want to invest in that company or not. That’s how it should work.
Shawn: And how do you know that those financial statements are correct?
So, like if you're working with your son and you're teaching him about financial responsibility, you have to decide, do you put your money into this company or that company? Well look at the financial statements. But what if they're wrong? What if they're materially incorrect or there's mistakes that go into creating those financial statements? That's what internal controls prevent.
And remember, most of those financial statements come out of the ERPs or other financial systems that we advise clients on. So that's sort of the bridge into the discussion today.
Juliette: So Espen, can you provide some background on the Sarbanes Oxley Act and how it led to what we are familiar with today in terms of internal controls?
Espen: Do you remember the Telecom bust back in the year 2000/2001?
Espen: Well in the aftermath of that Telecom bust, we had some big financial scandals, and some of the companies — Enron you had some items that were placed off balance sheet and they played with US generally accepted accounting rules to achieve that. Then you had another player in the market, Tyco, who had some — let’s call it misappropriated assets — one of those being a toga party. And then another one was WorldCom, and what they did was essentially reported less in expenses than what US GAAP told them to, so they capitalized more, meaning their balance sheet or their assets increased but the margins looked better.
So that was the background for a — let's call it an upheaval and some new legislation that happened in 2002 and there were two individuals in Congress, Michael Oxley, a representative from Ohio, and then Paul Sarbanes, a Senator from Maryland got together and wrote some legislation.
And so, if you combine the two names Sarbanes and Oxley, then you get “sox” so SOX for short, the SOX act of 2002.
And so there's three major sections in this legislation; it's a very lengthy legislation. The section 302 talks about the financial statement needs to fairly present the financial situation of the company. And the corporate officers need to sign off on those financial statements, and if there is any — let's say the financial statements are false — then the corporate officers can get jail time.
Juliette: They’re held responsible for that.
Shawn: Did you know that? They can go to jail.
Juliette: I did not know that. So, they are verifying that those numbers are correct?
Espen: Yeah. And then another section is 802 that has to do with destruction and falsification of records and needing to keep them for a lengthy period of time — or a certain period of time I should say. And what type of communication I need to store and so forth.
And then you have section 404 which deals with internal control which is today's topic. And so, on the internal control side, you have management and auditors that need to establish internal controls and reporting methods to ensure the adequacy of those controls. So that's a little bit of a background on the — if you picture certified public accountant, you'll have two tracks typically for the CPA tax and then audited financial statements is typically the two tracks that you have. So, the audited financial statements, the CPA on that assignment would be the auditor and the auditor — the company that hires the auditor, they want to get an unqualified opinion, meaning the auditor is not pointing out any issues with the financial statements and that they’re giving a fair presentation of the company's financial condition.
So, the auditor is going into — they have the responsibility to understand the industry of the business and the business and also the competitive environment of this business.
So, they have industry knowledge and business knowledge and then with that, they can better assess the risk associated with this particular company. And also they need to go in and do some testing and analysis of internal controls to determine its effectiveness and so one of those things would be limits on employee authorizations, protection, and preservation of assets.
And then one key item is segregation of duties. So what does this boil down to? Well, financial statements are to be prepared according to US GAAP. And they need to be signed off by corporate officers.
Shawn: Yeah, it's a big deal.
Juliette: Better held responsible.
Shawn: Yeah, for sure. I mean, I can tell you, back in the day — with a firm I used to work with that no longer exists that was a big four, that had 70,000 employees at it — that's exactly what Espen's talking about. I worked under a partner, whose picture showed up in the Wall Street Journal when all of these congressional hearings were happening, he happened to be a partner over Telco and energy in the southwest region of the United States, which was WorldCom and Enron and Qwest and yeah, this stuff is real. Like these are problems, these are responsibilities that our clients have every day. So, I think it's great to get that background.
Juliette: So, turning this to ERP which we are well versed in, what role does ERP play in following these generally accepted accounting principles? Can you speak to that?
Shawn: Yeah. When we talk about ERP like we have a lot, we talk about it as a conceptual framework. And for all of our clients. We always say, here's your business application ecosystem. And you might have a recent client — Espen and I are working on, and they have all these point of sales that all lead into accounts receivable, then lead into a general ledger, and then we have financial statements.
So, when we say what role does ERP have, we have to dig down below the surface to say it's specific modules. So, if you have a general ledger, which is an aggregator of all this summary data across the organization or transactional data and then it summarizes it, and then you push a button, hopefully — very few companies push a button and they export it out to Excel and they usually do a little manipulation, but not bad manipulation — we're not into that business. But the financial statements are generated from the ERP or the financial application. So, you've got to make sure then when you're working and selecting ERPs that just — I mean, segregation of duties has to be built into the application. When you're looking at the ERPs that are going to be doing financial reporting, which most are, you've got to ask the question have you had clients that have gone live — or pardon me — have gone public on your software? “Well, you know, I don't have that requirement because I'm not going to go public, anytime soon.” Well, you don't know. And maybe you get bought by somebody who looks at your financial statements because they're going to uphold the same kinds of inventory controls requirements on your financials even if you don't go public.
So, if you have an app that companies have taken to public — that they've run on — that's a good indicator. And you want to see that.
So, the financials app, the financial reporting apps — I think we're going to talk a little bit more about that in another discussion about specific financial reporting apps — but the key thing is that if you are talking to an ERP vendor and you want to use it for financial reporting, then you better bring up internal controls and Sarbanes Oxley Compliance. And I think most of the people listening to our call will think to ask that question, but just make sure to ask it for sure because if they say — because frankly we have a client that's a smaller manufacturer lab company and they're really focused on the operational side around their new ERP, not necessarily on the financial side, it's not as critical. So, is it vital that the internal controls are built into that app? No, but if they want to get bought, if they want to go public, if they want some major liquidity event in the future where someone's going to give them a big check, they're going to expect those internal controls to be in place. So, there you go.
Juliette: To be prepared for it.
Shawn: That's right. You got it. You're like the Sage of ERP over there.
Juliette: So Espen, to give a practical example, can you provide a real world idea or example to help illustrate the proper implementation of internal controls?
Espen: Well, first I want to mention that internal control is geared toward achievement of objectives in operations reporting and compliance. So, that's the goal of internal control.
But according to conventional wisdom about 5% of revenue among companies in America is lost due to fraud and so it could be a big number. Maybe with more and more transactions going electronic maybe that is being reduced, but it's a big number.
There are basically three lines of defense and so picture the process owner or the supervisor as one defense. Another being other department owners or departments like financial planning and analysis type function where you're monitoring activity. And then the third one being an internal audit type function. So, those are three lines of defense.
One of my favorite activities is skiing, so about 20 years ago I got into mogul skiing or bump skiing and so that keeps me motivated even today to get up early in the morning to work out and get ready for the ski season. And so, what I did was one summer worked part time at a ski area at the ticket office. And it's one of the ski areas in Colorado, and so I worked at the ticket office in the summer and — picture people coming in at the ticket office. The things that you can do there would be going mountain biking, so you get a lift ticket to go up and down, up and down, up and down, and then you ride down on obstacle courses and then you go up on the lift again. Or you can bring your family, the small kids — you can do roller coasters and a bunch of different activities. So, you walk into the ticket office, and you buy your tickets, and you can pay with cash, check, or charge. So, the ticket office attendant would collect the appropriate payment — let's say it's cash — and you put that in the cash register and accumulate it over the day. And then at the end of the day, you need to settle that cash register. And so, either take it off as a tenant — I would gather up the information, total things, and then I would place all these items, pending the credit card receipts, the cash and the report into an envelope and then separately another colleague would run the report and then that would be brought to the supervisor who would check the two against each other. So, you can see that there's three different individuals involved, so you have segregation of duties.
So, one way to reduce the risk of internal control would be to no longer accept cash, so maybe that works in the coronavirus era and maybe in the aftermath of that, but it could be lost revenue for the business. So that's a consideration to make, but at the same time, it would lower the risk of assets being stolen or disappearing. So taking that another step to having incoming invoices to the business go through an ERP system where all the approvals are electronic, even the vendor setup is within the system with an auditable record, then you can make sure that multiple individuals are involved in setting up the vendor records so that you don't pay invalid vendors and also have each transaction having multiple approvals with thresholds for amounts and also cost centers and projects and — also maybe Joe has a bunch of vendors that he's responsible for so you can set up by vendor and have an auditable record of the transactions. So that would help internal control as well — doing it electronically.
Juliette: Other sets of eyes just help keep people honest.
Shawn: Yeah. And Espen you have great practical experience from summers at ski resorts but also the organizations that you’ve worked in. It’s great.
Juliette: Yeah, so thank you guys, that’s a lot of great information. I know we just touched on this today and I’m sure it’s a lot deeper than that, but thanks for your time.
Juliette: And Espen thanks for being our guest this morning.
Espen: Thank you, Juliette.
Narrator: ERP Advisors Group is one of the country's top independent enterprise software consulting firms. Advising mid to large sized businesses on selecting and implementing business applications including ERP, CRM, HCM, business intelligence, and other enterprise applications which equate to millions of dollars in software deals each year across many industries.
This has been The ERP Advisor.