Episode 343
How to Identify Gaps in Your Treasury Operations: Assessments 101
In this episode of the Treasury Update Podcast, Jonathan sits down with Paul Galloway to talk about the role of assessments in treasury and finance. Paul covers the importance of evaluating your systems, people, and processes and discusses how to use the results to make better decisions.
If you have more questions or need guidance on assessments, feel free to contact us.
0:00 intro
0:18 Types of assessments
12:05 Importance of assessments
17:29 Best times to implement
21:44 Practical implementation
26:19 Key action items
28:57 Have questions?
Host:
Jon Jeffery,
Strategic Treasurer


Speaker:
Paul Galloway,
Strategic Treasurer


Episode Transcription - Episode #343 - How to Identify Gaps in Your Treasury Operations: Assessments 101
Announcer 00:05
Welcome to the Treasury Update Podcast, presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune in.
Jonathan Jeffery 00:18
Welcome to the Treasury Update Podcast. I’m Jonathan, media production specialist here at Strategic Treasurer. And today we’ll be discussing the role of assessments in treasury and finance. Joining me today is Paul Galloway. Paul, welcome back to the podcast.
Paul Galloway 00:31
Hey, thanks, Jon. It’s always a pleasure to have these conversations with you.
Jonathan Jeffery 00:36
What type of assessments do you typically complete?
Paul Galloway 00:38
Yeah, it’s a great question, Jon. I’m going to break it up into kind of four broad categories. It’s driven by the client in general, and so it can be something that’s very narrow and specific in nature, or it can be much broader. It just depends on what the client’s needs are, but the typical areas we hit would be bank structure fees and bank account management will come in. We’ll take a look at what the current structure is, who their partners are, how important those relationships are to them. A lot of these banking partners not only provide banking services, but they’ll provide lines of credit. They may be people to help finance things, so maybe issuing senior debt or something else along the way. Letters of credit, these banking partners can be really important to them, and so part of bank structure is to understand, are they optimized in terms of services, the way that the accounts are set up, whether it’s collections accounts, controlled disbursement accounts, concentration accounts. How does all that work, and the types of services that they have in place? Do they have the services that they need, especially when it comes to payment security? Whether it’s pause pay, positive pay, match pay, whether they’re utilizing filters, things that help them protect the payments in process, or at presentation to ensure that they’re not going places they shouldn’t go. Also, their bank fees, banks are contractually obligated to charge at the rates that are agreed upon in the contract with the client. Clients a lot of times are using Excel files to manage their bank fees. They do that against what the contract says. They don’t necessarily have a view of what’s going on in the industry, that’s hard to get that information. It’s very difficult to keep this up and manage it. It takes hours to do it, so it takes time away from other activities in treasury when they’re doing that, or systems that can help them. 
They can automate it, they can get visibility to benchmarking, which will help them ensure not only are they being charged the proper fees per the agreement contractual obligation. How do they compare to the industry? Are they being overcharged in areas? Do they need to renegotiate their bank fees? And when it comes to bank account management, there’s a lot of bank documents that go into opening accounts and relationships with banks, multiple different kinds of documents that have to be completed. Not only that, there’s information that companies have to share with their banks, part of KYC. It’s ongoing, it gets updated over time, as well as corporate resolutions or bank resolutions, so you have authorized signers, you have authorized administrators, people who can do things to make changes to the accounts, approve payments, so there’s a lot that goes into it. We come in, we’ll look at the bank structure, fees, and bank account management holistically, another area we spend a lot of time doing assessments on is the technology stack from a treasury perspective, and so this would be, you know, do they currently, how do they manage cash, how’s it managed, what kinds of systems are placed to effectuate payments to do reconciliations to provide visibility, so that you can optimize your cash. Are they using a TMS, maybe an aggregator? Maybe it could be used under ERP, which is their accounting system. Some accounting systems have some basic cash management tools available to them, but you can go from something that is light TMS light to something that’s more like a Cadillac. It’s got all the bells and whistles, it provides a lot of capabilities, just depends on what works for the client, and then you got to look at. It in totality, do they have payable systems? We’re talking about admin systems, so these are both on to the tech stack. 
You have your ERP, you have admin systems, perhaps something for receivables, something for payables, got your TMS, you got ERP, and how do all those interact? Some organizations will take information stored in a data lake. It can be used for analytics, it can be used for reporting, be used for forecasting. Some of these more sophisticated treasury management systems now have advanced forecasting tools, and they’re using latest technology, machine learning, artificial intelligence, so when we look at tech stack, we look at how everything currently functions, where there’s gaps in automation, where there’s opportunities to automate, perhaps reduce hours spent on manual tasks, also will help the organization reduce the risk of a financial loss due to payment fraud. If you’re not doing certain things, not utilizing your tools properly, you could be exposed in today’s environment. What used to work doesn’t necessarily mean it’s working today. Could be gaps, you want to get to leading practices, you got to start using some of the technology out there. Not all organizations are going to be perhaps sophisticated enough or large enough to warrant a full TMS, so these more TMS light providers out there fill the gap form, or an aggregator, so the technology stack can be really important to companies. I talked about payment security briefly. This is really something that’s heated up quite a bit for us in terms of going out and doing assessments. It’s really important in today’s environment, because the fraudsters have become the criminals, have become more sophisticated. They’re utilizing machine learning and artificial intelligence against companies, whether it’s creating deep fakes, such as the one they have in Hong Kong, where they had a phishing email that led to a Zoom call. They thought they were talking to their senior managers, the CFO. It looked like them, it sounded like them. 
The mannerisms were like them, was 100% but was enough to fool the treasury team into sending out 25 and a half million dollars to 15 different banks. That happened about a year ago. That’s pretty scary, and AI has gotten way more sophisticated. It’s continuing to evolve, and it’s getting better. It’s getting harder for people to detect what’s real and what’s not real. So organizations really need these assessments today, and so when we go in, we’re looking at systems, people, processes, and wanting to understand the payment flows. Who has access? Who has control? What kind of blocks are in place? What prevents a payment from going out that shouldn’t go out? How do they respond to a potential fraud? Are they fast in doing that? What kinds of systems are in place to help protect the treasurer of the organization? Can somebody come in from the outside and get it? Can somebody from the inside penetrate a system and use it for something to steal money from the company? So it’s holistically looking at what that payment security is. We also are looking at training. Are they doing training? Have they got something that’s done on a regular basis? Are they doing something intermittently as new frauds are perpetrated on companies and it’s portrayed in the media, are they taking the steps to protect themselves and make sure that their people are educated. Anybody that touches the payment, anybody in the company that touches the payment along the way needs to be educated. And the last piece is around penetration testing. When we say penetration testing, a lot of people say, well, our IT team, they do, they do penetration tests, it’s really cyber security they’re focused on, which is good, you got to do that, that’s needed. What we’re talking about is payment specific penetration testing, and somebody come in from the outside, get into a financial system that effectuates a payment, take control of it, and actually get one to initiate. 
Can they get a hold of a payment, change the instructions, and allow it to go out? So that’s from the outside. Then there’s from the inside. Where we’ll come in on the inside will be allowed inside the systems, we’ll try to get into systems that we shouldn’t be able to get into, and see if we can effectuate payment, so that inside-outside piece comes into play. When you’re looking at penetration test, this will help organizations figure out they got any gaps and shore it up, so payment security is really important in terms of priority for organizations today. The last piece that we’ll do, and this typically is part of a more broader treasury assessment, and a broader treasury assessment will incorporate the bank account management stuff I talked about earlier, the bank structure fees, the technology stack, but the other component to that, this broader assessment is looking at policies, processes, and procedures. A lot of times we find organizations have gaps along the way, sometimes things aren’t documented, it could be policies, it could be procedures, could be processes. A lot of time, though, you have companies say, well, you know, we get our auditors that are asking and requesting information and making sure we’ve documented stuff. A lot of that is geared towards SOX compliance from an accounting perspective, it doesn’t really get into the payment side of things, and how those controls are set up. What are the policies for cash management, bank account management, all these things that are tied to Treasury, and so we’ll come in, we’ll look at that, and that you know, there’s one other P to that. So, there’s 3 P’s: policies, processes, procedures. The other one is around people. We’ll also look at what people are doing. Do they have dual controls? Do they have segregation of duties? What are the things that they have in place that should be in place that aren’t? Those are the four broad areas that we typically do from an assessment standpoint.
Jonathan Jeffery 12:05
Okay, yeah, that’s a pretty wide range of things to look at. Do you want to go into the importance of completing an assessment?
Paul Galloway 12:13
The glaring one is around gaps. Are there gaps that are in their processes, procedures, their systems, the way that they do things, the things that their people do or aren’t doing. Are there gaps there that could lead to a potential loss to the organization? And it could be people trying to steal money, it could be people that should be taking certain steps in a process, and they’re bypassing steps because it’s quicker to do it if they bypass it, but might not necessarily be safe or correct, and so it’s trying to find gaps in those areas, and including systems. So, when you think about systems, or the areas they’re doing manual processes, anything that’s done manually, either through spreadsheets or communication that’s being completed manually, that effectuates transactions. Are they taking the right steps to mitigate risks? There are things that you can automate, and sometimes there’s some things you just can’t automate as part of the process. We look to automate as much as we possibly can with organizations. We look for that one is efficient, but two systems have tight controls on them, and so that’s why that automation is important. Obviously, it leads to efficiencies. However, you got to understand what are the compensating controls that they have in place. We want organizations to be effectuating their treasury functions with standards of good corporate conduct. You don’t have to be the best at everything; you just need to make sure you’re at that level where you have the right controls in place, so that you’re mitigating the majority of the risks that’s out there. You might not be able to mitigate everything, and it might not be cost-effective to mitigate everything. So, there’s certain risks that could be in place that the controls, for the most part, take care of it, and what you do have in place mitigates the probability of having, you know, a financial loss. 
So, gaps are really, you know, the big important piece of the assessments, closing them, recognizing what they are, making recommendations to close them. The other piece is keeping current and up to date on what leading practices are, because what you do today isn’t going to be good enough tomorrow, and the day after that, and I’m being, you know, kind of a little facetious here, but the day after that it’s absolutely not good. You got to close the gap. Why? Because technology and the way we do things is advancing at a fast pace, is going to continue to do that. We know that criminals are becoming more sophisticated, they’re looking for new opportunities to poke holes in the processes, procedures, systems, controls that organizations have in place. They’re always going to continue to do that, so what works today might not necessarily work tomorrow or the day after that. So you need to be up to date what’s going on out there and ensuring that you’re deploying those leading practices, because if you’re not, you’re putting yourself or exposing your organization to a financial loss. As a treasurer, I like to sleep good at night, so I want to make sure I’m doing everything I can. That’s the job of the treasurer and the treasurer’s team that he has in place. The other thing I talked about earlier is the ability to gain efficiencies through automation. Anytime you have those manual processes and spreadsheets, it’s opportunity for somebody to change something that shouldn’t be changed, or somebody to make a mistake. They transpose numbers, they add numbers, they do things that you know is, you know, face it, human beings, we make mistakes. You make a mistake when it’s a manual process, potentially. Doesn’t mean you always do, but it happens. I’ve done it, and that’s what happens when you’re dealing with manual processes. 
When you have checks and balances in place through an automated system, it leads to less errors, less chance of errors when you lock things down, and you don’t have to worry about the error potentially getting there, but gaining those efficiencies through automation allows the treasury team to focus on other things that are important to the organization. The other piece is the going through the automation and utilizing systems, your tech stack, it will allow you to gather data, synthesize data, and provide visibility and reporting on it. You know, these assessments, I think, overall really shore up some gaps for organizations. It’s really important that you know if they’re not doing it themselves, that they bring somebody from the outside in, so that they can get something going, and look at these key areas that I’ve talked about so far.
Jonathan Jeffery 17:30
Now, you may have a bunch of people that say we review these every year internally. What are the optimal times for them to have someone come in and complete an assessment?
Paul Galloway 17:40
Yeah, that’s a great question. What we see often in this, this happens in different organizations, different levels, different capacities. You know, something that could trigger an assessment is you have a change in leadership, you’re a new CFO, new treasurer, perhaps they’re looking to change things up, the organizations that come into, they’ve got systems that have been in place for a long time, perhaps bank relationships that an RFP hasn’t been done on, and it’s opportunity for them to change things up. That’s an appropriate time to execute an assessment. It could be very specific, there’s bank structure, technology, or very broad, where you incorporate those policies, procedures, processes, people. It just depends on where they feel that the gaps are. So that tends to be a good opportunity for organizations to do assessments at the point you have new leadership come in. The other area is upgrades around systems. I kind of talked about that in my prior statement, but when it comes to upgrades, it may be that you’re doing an upgrade on a system that’s in the stack, but it’s not a TMS. Maybe it’s your ERP. We tend to see when organizations are looking at changing their ERP opens the door to also look down the stack or up the stack and figure out where gaps might be, or an opportunity may try to do that themselves. They may bring somebody in, like Strategic Treasurer, to help them with that tech stack assessment. That tends to be a good opportunity along the way to do an assessment, anytime you’re going to upgrade a system. Another area that we tend to find leads to assessments is something’s happened within, you know, the organization, there’s an event that occurred, and sometimes there’s change in leadership, other times it could be that there was fraud perpetrated. Somebody gained access to a system. Maybe nothing got sent out the door, but somebody gained access to the system, tried to effectuate a transaction. 
Maybe it’s internally, maybe it’s externally, but at the point that an event happens that tends to be an area where we’ll see companies approach us on doing an assessment. It just depends on what’s occurred. The other piece is around organizational growth, because certain systems are appropriate for certain sizes of companies. Some organizations may be fast growing, perhaps not big enough yet to warrant a TMS or a TMS light. Maybe an aggregator or treasury aggregator would work for them. Maybe they’re just curious as to what they should be doing. They want a road map, just sort of looking out five years and saying, wow, our organization could double, triple, quadruple over the next five years? Do we have the right systems, processes, and people in place to keep up with this? It’s a good time to do an assessment if you’re a growing company and figure that out. Last year we did this for a growing company, they were right in that position where they were sophisticated enough and growing fast enough that they needed something, but they didn’t need a TMS today. They could really benefit from a treasury aggregator. It will give them one connection to all their banks, two, it will give them visibility, three, they’ll be able to do cash management within the treasury system, and some basic reporting, so it gives us some visibility. The great thing about doing that, if you’re a growing company, is that with an aggregator you can easily connect to a TMS, any TMS provider that is out there, so it’s a great step for growing into something more sophisticated down the road.
Jonathan Jeffery 21:46
And from a practical standpoint, how do you complete an assessment?
Paul Galloway 21:50
When it comes to completing assessments, you know, there’s kind of some different phases along the way. We typically start with a documentation request, and when we do these documentation requests, we emphasize, and sometimes have to emphasize more than once to the client, just provide us what you have. We don’t want them creating anything, we don’t want it to be onerous on them. If there’s gaps in documentation along the way, that’s something that will be reflected in the assessment. They’ll come out in the assessment if there’s a recommendation to be made on filling a gap with documentation. A lot of times, that’s we tend to see that’s around policies, procedures, processes. Perhaps that tends to be where the biggest gap in documentation is it’s also the way that we draw schematics in terms of bank structure and tech structure and the flow and how things work. A lot of companies don’t do it to the level we do, some companies do, some don’t, but the way that we do it is also focused on treasury itself, so it’s tied back to treasury, so, so we tend to, you know, help build some documentation along the way, as well as part of the assessment, so we get documentation, we review documentation along the way, we set up interviews with key people within the various areas in the organization tied to whether it’s treasury, whether it’s payables or receivables, or accounting, or it, we talk to various people within the organizations tied to what the assessment is supposed to be about, we ask, you know, we spend a lot of time asking questions. We also spend time documenting what we’re receiving back during those sessions. Sometimes we’re having follow-up sessions to work on diagrams or validating that what we understood was true and correct. And once we’ve completed those interviews and reviewed that documentation, we’ll write up our findings. So, what we typically do is, you know, we’ll have an executive summary up front. 
We may have a slide that also – in this is pretty common – we have a slide that is a summary of key observations and recommendations, these are the things that would be high priority that we feel that the organization should act on. It’s not everything, it is a summary. And then we’ll have slides that will follow, although I have diagrams that we, you know, either it’s bank structure or tech structure or something else, and then slides that will show observations and recommendations, and sometimes companies like to have us prioritize. We’ve been doing that more often with our assessments, is with those recommendations, especially around the key recommendations, will help prioritize those, so that the company can take action on what we’re recommending. That tends to help support additional work on our end will come in and help them effectuate some of these particular recommendations along the way and so assessments tend to lead to additional work that needs to be completed, and we’re looking out for the best interest of the organization. If they do an assessment and they don’t act on the recommendations, then the assessment really is of no value in the end. You do an assessment because you intend to act on something, they intend to act on recommendations, and so sometimes what you see with organizations, whether we’re doing payment security or bank structure or technology, we’re also doing additional work to help them effectuate those changes, and you know, I think it’s really important for organizations to have people that are experts in Treasury that have done this with other organizations multiple times. It’s not the first time that we’ve done it. We’ve done this quite often. We know what we’re doing, and we can help companies be really efficient in executing on the recommendations and getting things in place that need to be in place.
Jonathan Jeffery 26:21
Okay, and now the assessment is complete. What are some of the key action items?
Paul Galloway 26:26
Yeah, I kind of alluded to this earlier. The key is, is that organizations have to take action, whether it’s internally or with a third party, they need to take action. If they don’t take any action, then they’re not going to get the value out of the recommendations that were made. Sometimes organizations take a little bit longer to act on the recommendations. Sometimes they act quite quickly. It just depends on the company and where they’re at in terms of priority. Sometimes they’re dealing with competing priorities within the organization, and they might not get the budget to do what they want to do right away, but you know, we’ll find that they come back to us at a later time if, if they deem that it’s necessary, and they’re at a point where they can do it, you know, we keep the relationship open, we make sure that they’re getting the things done that they need to do. The other piece is that you get these recommendations, you get this assessment with observations and recommendations. We feel it’s really important that they’re communicating this with key stakeholders within the organization, so when Treasury goes through this kind of assessment, they need to make sure they’re providing visibility to people within the company. It’s useful, helpful information, especially when senior managers are looking to make decisions, or you’re trying to prioritize recommendations with budget. It’s pretty common within organizations that there’s competing priorities, so making sure that they’re sharing this information will help ensure that at least they’re getting heard and gives them the opportunity to be in the pipeline from a priority standpoint and execute on recommendations. The other piece is that you know sometimes they need support from the third party. 
I tend to find that a lot of organizations, even with people that have, you know, years of treasury experience, or some things that they know for sure they’re good at it, and there’s areas that they’re not aware of, that’s where a third party who has steep, deep treasury experience can come in and provide, you know, fill in those gaps in those areas. So, I think it’s good to partner up with somebody that can really come alongside you and help you as you execute, you know, on those recommendations.
Jonathan Jeffery 28:59
Cool. And if this triggered any questions for any of our listeners, what should they do?
Paul Galloway 29:04
Reach out to us. I think we can. We’ve got a link that we typically provide with these podcasts. We’re more than happy to have a conversation. Maybe it leads to something else, maybe it doesn’t, but our door is always open to having a conversation and finding out, what are your needs? What are the things that are keeping you up at night? What are your pain points? We can help you think through those. We’re more than happy to have conversation around that. So don’t hesitate to reach out to us.
Announcer 29:42
You’ve reached the end of another episode of The Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn, just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasurer.com.
Related Resources
Leading Practices in Treasury ebook
In this ebook, both new and experienced treasury professionals will find practical, focused recommendations and considerations to help hone their skills. With fine-tuned leading practices for bank relationship management, bank account architecture, forecasting, compliance, managing unknown risks, and more, this guide offers tried and true approaches that will help you and your organization thrive.






