If auditors are coming to look at your company's financials, have staff practice talking about your systems and processes before they meet with the auditors, so the details are fresh in mind, a risk management consultant said in a CFO Leadership Council webinar Tuesday.
Nancy Wu, head of sales and support for SkyStem, a provider of account reconciliation and financial close applications, said finance staff, no matter how familiar they are with your systems, can leave out important details when they first sit down with auditors, and auditors can interpret that as a red flag.
Even if your staff know what they plan to say, they should practice ahead of time, Wu said; that initial interview is “part of the audit that auditors look at carefully.”
Finance staff should not treat the initial interview as a formality, she said, because if auditors sense staff are unprepared or unfamiliar with your processes, it can make them think the system isn't being closely monitored for risks or has lax security protections.
Risks broader than finance
Staff members need to be aware of risks beyond those based on poorly designed or monitored finance systems, Wu said.
She divided risk into two categories: environment and process. Environment risks are external to a company, such as competition, capital availability and regulations. Process risks are internal and include financials, IT systems, operations and human resources, among others.
She cited industry data indicating that top risks this year include the ability to compete with new, "born-digital" competitors that have entered their field and threaten to take market share. Finding talent also ranks as a top risk.
Because of the nature of talent, it's hard to put in place a system to attract and retain top people, but there are controls a company can design to minimize brain drain, Wu said.
Companies can institute mentoring, create an environment that fosters camaraderie, recognize good work by staff, and publicize the positive environment of the company. "This sounds fluffy and all over the place, but these things actually are not, because they're all tied to that same risk about talent," she said.
Wu provided a workflow chart for managing risk that starts with identifying what the risks are, then moves to designing and executing controls, assessing the controls' effectiveness, and tracking whether risks are actually mitigated.
She defined controls broadly, starting with the tone coming out of the C-suite, how well your company's code of conduct is followed, how often you reconcile your finances, whether you have finance duties properly segregated (not having the same person manage accounts payable and accounts receivable, for example), and how robust your internal audit function is, among others.
Companies can increase controls by moving operations from premise-based software to a cloud platform. Your data would be cordoned off from your operations and protected by the host company, which you can count on to specialize in data security and management and to constantly upgrade its system to stay ahead of threats.
Automation is another way to reduce risk, because by having robotic process automation and other types of software take care of manual tasks, you reduce the likelihood of human error.
The last stage of any risk management system is the external audit, because third-party auditors can validate how well you're keeping your systems safe.
When auditors come in, they're always on duty. That's why Wu recommends that staff practice before being interviewed by them. If a staff member forgets to mention a security detail you have, auditors could assume you don't have the protection in place.
And if staff meet with auditors outside of work — for dinner or drinks — they should try to remember the auditors might be off duty but "their auditor ears are still on," Wu said. "They haven't been shut off."