Signs of Treasury Control Problems
Slow Monthly or Quarterly Close
Closing your books quickly and accurately is often a sign that your organization has clean and automated processes. The less automated things are, the harder they are to close quickly and accurately. And, while treasury only provides information for part of the close, if they trigger the delay, they must look at the root cause of the problem. Here are some examples:
- Manually Generated Accounting Entries. Every item that flows through a bank account will end up being part of an accounting entry. If treasury is manually creating theses entries — for all but the smallest of organizations– this represents a problem. Inefficiency and inaccuracy are the natural outcome of manual processes. The same could be said about accounting transactions that arise from debt, investment or hedge accounting activity. Automation should be fast and accurate. Manual processes are slow, inaccurate and add to the critical path in the close process and delay things.
- No Feed of Banking Data. If you haven’t set up an electronic feed of banking data into your treasury system or accounting system, everything else in the process is manual. And, all information needs to be checked or double checked for accuracy.
- Monthly or Daily Processes. Let’s start with whether your process is daily or weekly. If you’ve automated the process, it may make sense to remove the element of human error and let the system operate for you. Whether you have a manual process or an automated process that is run monthly, problems or errors may have happened throughout the month. If they are identified as they occur, they are easier to resolve when everything is fresh. If you unearth 50 errors just after the month ends and they all need to be resolved before you can close your cash books or other sub-ledger, you have impacted the close process.
There can be a variety of issues that contribute to a slow closing process. Most of them indicate an underlying efficiency challenge and probably indicate a control weakness or exposure.
Difficulty in Closing Cash Accounts
During presentations, we regularly ask participants about finding bank accounts. Most organizations find unexpected bank accounts and freely admit it. Others mention that a lot of banks fail to close bank accounts despite a letter telling them to do so—also true.
“Every bank account represents a point of exposure and a point of expense. Bank accounts thought to be closed are a particularly challenging control issue.”
Difficulty in closing cash accounts can be rectified by having a thorough process for closing accounts and rigorously following that process. That sounds too easy. Let me explain some of the steps first.
To fully close a bank account requires the following:
- Bank account is emptied of money
- Bank account is closed at the bank
- The GL Cash Account for that bank account needs to be reconciled and brought to zero
- The GL Cash Account is closed
- The Bank Account is closed on the bank account management system or tracking documents
There are a few more steps involved than you might have anticipated initially, but that doesn’t make the process complicated. The need to engage various members of the treasury and AP team as well as time factors can complicate matters, however.
Here are a few examples of common complications:
- Bank Balance. A letter is sent to the bank to close the account; there is $282 left in the account. The person trying to close the account at the bank notices this, can’t close it and asks what they are supposed to do with the money which must be removed before the account can be closed. They ask verbally inside the bank. A response will be provided in a few days. The request is forgotten and the account remains open. Summer, winter, summer, winter pass and the result is: “Why isn’t this bank account closed? We sent a letter two years ago.”
- Services Remain Open. Similarly, the bank may run into an issue because they are unable to close the account due to its active services. Questions are asked and ignored. The account remains open. Summer, winter, summer, winter…
- Unreconciled Status. Accounting was instructed to close the account, but they are waiting until the final bank reconciliation is complete. Additional transactions flow through the account without an accompanying entry. The account remains open because it is out of balance. The balance is only $42.30. It doesn’t surface on anyone’s ‘material issue’ list and remains there through the summer and winter. And, again.
This list could go on for a couple of pages. Given the fact that closing an account requires involvement of multiple people at your company and at the bank, the process of closing an account can drag on. Add to the fact that bank account management is usually delegated down in the treasury organization to the newest and most junior person, it isn’t surprising that there are control issues here. The bank account closure process need to be well defined. Follow-through must occur and be regularly reviewed by a more senior person who is held accountable.
Issues with Bank Reconciliations
I love car dealership commercials which invite everyone to come and shop, “whether you have no credit or slow credit! Come on down!” Everyone understands a ‘no credit’ situation – a college student. But, ‘slow credit’ must mean you pay really late—but it’s a nicer way of phrasing it.
“Calling something reconciled when there are groups of plug numbers entered to make book and bank match is a type of language deconstruction and dangerous.”
When an organization has ‘no bank reconciliations or slow bank reconciliations,’ it indicates a problem. The permissive attitude should be left for the car dealers, not for treasury departments. Other symptoms which should cause you to question your process include:
- No reconciliations. No formal reconciliation.
- Slow reconciliations. Delivered substantially after their due date. Completed more than 30 days after the month is over.
- Overqualified. We have three CPAs working on our bank reconciliations. Processes are so convoluted it makes reconciliation nearly impossible.
- Plug Numbers. Our accounts are ‘reconciled’ because we have plug numbers. Some even have plug categories to group the various items.
- No Formal Policy. We don’t have a formal definition of “reconciled,” so we declare things “reconciled” when they are not.
If bank reconciliations require senior finance people to do that work, there is almost certainly an underlying process problem. Perhaps Treasury has implemented a new process and decided that they didn’t need to involve accounting since they could ‘tell accounting about the new process sometime during the month of go-live since they don’t have to do reconciliations until after the month is over.” Besides being rude from a communication perspective, it also eliminates the needed input from an area that serves as a control function.
Calling something reconciled when there are groups of plug numbers entered to make book and bank match is a type of language deconstruction and dangerous. We’ve seen many examples of this, coupled with assurances that ‘there aren’t any problems; we just have to match things.’ In one situation, we easily found missing credit card deposits, too old to recover, which eventually WAS recognized as a problem.
Issues with Bank Reconciliations almost ALWAYS means that there is an underlying problem that needs to be solved. Whether it is a process problem, resource shortage, or data problem – there is a problem. If Treasury owns cash and must protect that asset, they need to make sure bank reconciliations are done properly and on time, even if someone else is charged with doing the reconciliation work.
Creative Bank Reconciliation Definitions
One summer I had the good fortune of being able to work near my father’s job and was able to commute with him. That was fun. I learned a lot from our conversations and also from some of the songs he would sing. One of his favorite made up songs for a traffic jam was “Creative Delay.” The lyrics were simple—you can join in if you like—“We’ve got a creative delay / we don’t know why / we don’t know where / but we’ve got a creative delay.” This was followed by a series of staccato “da da da,” and then like all good pop hits, he would repeat the lyrical sequence ten to twenty more times. The creative part was that we’d hit some major slow down, sit for a long time and then suddenly it would free up. Most often there would be nary a sign as to what caused the slow down. No accident. No police car ticketing some poor soul. The radio announcer would mention a slowdown or rubber necking – but might not mention what it was that everyone was trying to look at.
“We’ve got a creative delay / we don’t know why / we don’t know where / but we’ve got a creative delay.”
Sometimes it is hard to tell what people are looking at or thinking about, when they call something reconciled. We posit that the following represents some of the key elements of a reconciled account:
- All items are either:
- Matched (book to bank)
- Identified as clearing during the next period (and indicating the voucher number or clearing data)
- The two sides (book and bank):
- Are in balance
- The reconciliation shows:
- Bank and book details are included and in balance
- All cleared items noted with sufficient detail
- The date when the reconciliation was completed and reviewed
- Who did the reconciliation and who approved it
We previously mentioned some of the problems which fall under this idea of ‘creative definitions.’ Having a plug figure to make the numbers balance is nothing more than fiction if you call it reconciled. Not having any record of who did the reconciliation or clear identification of when it was reconciled and approved leaves people guessing as to whether the account was really reconciled. Or, if it was performed in a timely manner. Having a clear definition of bank reconciliations is a vital function to control your organization’s cash.
Lack of a Bank Account Policy
The above addressed creative bank reconciliation definitions—that is, saying something represented a clean reconciliation when it really didn’t. Common themes for the creative definitions are informality and carelessness.
I will now focus on the frequent lack of a policy for bank accounts. A lack means that something is missing or absent, and that is certainly the case for corporations who have no written bank account policy (i.e. a formal and adopted policy).
“… formality here will help the organization and protect the treasury practitioner. If you don’t have a bank account policy, it is time to start drafting it.”
Now, corporate resolutions often have some delegation of authority about who can open and close bank accounts (from the board, to the CFO, who then designates the Treasurer). While that may be operationally functional for a time, that doesn’t really count as a bank account policy. A bank account policy should contain certain elements to provide an adequate level of control.
Here is a short list.
- Authority to open and close accounts.
- Timeframes and processes for removing or adjusting signers when they leave the company or change job functions within the organization.
- Components about bank account closure and service discontinuation.
- Standards for visibility. For example, every operating bank account must have, at a minimum, daily balance information reporting.
- A standard for capturing bank accounts on the general ledger(s). For example: “Every bank account will have a separate GL code.”
- References made to a bank relationship policy or strategy. This may also include elements of counterparty credit quality or risk levels.
- Either incorporate the definitions and standards of bank reconciliation or refer to a specific bank reconciliation policy.
- Identify major controls and security measures that are to be incorporated. This would include controls driven by banking structure—account level controls and transaction level controls.
Too often we treasury professionals assume that there is one right way to do something and assume that everyone thinks the same way…so we can be informal. The formality here will help the organization and protect the treasury practitioner. If you don’t have a bank account policy, it is time to start drafting it.
Regular Discovery of Unknown Bank Accounts
A few months back I pulled out a suit I hadn’t worn in a while. Perhaps I had gained some weight and then lost it and now wondered if I could fit back in? No one can relate, I’m sure. Well, the jacket fit and that made me happy. I instinctively stuck my hands in the pockets and found, to my great pleasure, a $20 bill. Unexpectedly finding money that day was at least as pleasing as getting back into a favorite suit.
“Every account represents a cost and a point of exposure.”
Finding bank accounts again and again as a corporate should not bring the same reaction. Every account represents a cost and a point of exposure. Not knowing about all of them means something has broken down. It most likely indicates that:
- Your bank account inventory is incomplete
- The one-to-one ratio of bank accounts to GL cash codes isn’t in your bank account policy or the policy isn’t being followed
- Other people have been opening up bank accounts and not reporting or recording them centrally
- Your last treasury-run bank account audit was done when Ford was president
- You can’t rely on internal audit to resolve these types of items
- Those found accounts probably aren’t reconciled
- The authority to open bank accounts is too broad-based or there have been violations
With one organization we were assisting, we found an account that wasn’t connected to the overall banking structure. This account was originally set up to receive unique, low-value deposits. Recording the transactions was done on a list and not reported into the general ledger (GL). This account had nearly a quarter of a million dollars in it, as the account just kept growing over time in fits and starts. While the ‘found’ money was helpful in one way, the fact that this discovery indicated a glaring weakness was more sobering. Is it time to run an internal bank account audit?
Logs Used to Assign Blame…I Mean to Control Handoffs
My mother used to make some really great Christmas cookies (3 out of 4 types were really good…the ones that were like a fruit cake were always eaten last). She was also the most ecological person you could imagine way before it was in vogue. This means she would keep the cookie tins in the garage where it was cold as we lived in the frozen north. My brother Scott really got into the crescent cookies one year and very nearly finished off a giant tin of them. When only a few cookies were left, he showed them to me secretly and said, “Let’s eat these crescent cookies!” Wow. They looked good, and soon, we’d both consumed our two small crescent cookies, enjoying the delight of some sweets eaten in secret.
Several days later, Mom went to the garage to retrieve the giant tin of crescent cookies. She came into the house holding the tin open and exclaimed (in her ‘I’m very disappointed voice’) “WHO ATE THE COOKIES?” Quick as lightning Scott confessed, “Craig and I did.” It seems to me that I should have eaten more than TWO little cookies for the amount of blame I shared in the incident. My brother, the clever one, ensured he would have the ability to share the blame for his 98% fault.
“Fill this in to show when you dropped off the wire form…and oh, yeah, plug in all of this information and have someone in our group initial receipt.”
Segueing back to treasury topics, we see the blame game being played with ‘logs’ instead of cookie tins. Logs happen between areas when there 1) are manual processes and 2) there has been a breakdown of the process in the past. When automation isn’t put in place to remove the points of exposure and failure caused by handoffs, someone either looks to fix the process manually or they look to protect themselves (they aren’t going to get in trouble for two crescent cookies being consumed). Thus, logs are created. “Fill this in to show when you dropped off the wire form…and oh, yeah, plug in all of this information and have someone in our group initial receipt.”
When we see logs, it is fun to determine if it is useful or meant to assign blame. Either way, a log usually represents an opportunity for a better process or automation. When I find someone offering me a cookie, I often think about how good those cookies were and how I won’t fall for that kind of trick again.
Employees Who Think Only about Their Function
“am a rock. I am an island” – Simon & Garfunkel
That may be a familiar song to most of you. Perhaps the phrase “…and a rock feels no pain” is the theme song for one of your friends.
We find that when employees take the ‘disconnected’ route, that is an indication of a serious issue. In finance, there is almost always someone upstream and downstream in every processes. To understand their part in the system, a person must understand more about the entire process. If they don’t, they will run into situations they may not expect and will not have sufficient information to make decisions. This will make them less likely to identify fraud or other control issues and it renders them incapable of optimizing the entire process, since optimizing one part of the process sub-optimizes the whole (Deming).
As you build out your team, intentionally hire people who think globally. They need to be intellectually curious and eager to find out what lies up and downstream from their function, why this matters, and how it impacts their team. They involve others when making process changes even if their initial thoughts are, “They don’t need to know that; they won’t need to do reconciliation until after this month closes.”
Treasury Staff That Thinks Accounting Handles all Sarbanes-Oxley Compliance Issues
Sarbox (or SOX) has been out for more than a decade. It seems we don’t have to focus on this as much as we did in the early days of the law and regulation demands.
Two of the most important sections of SOX for treasury are:
- Section 302 – Disclosure Controls. Disclosure controls are distinct from internal controls over financial reporting. Basically, and I do mean basically, the issue is that the organization must affirm that the controls they have in place will ensure that material information (or issues) will be detected by these controls. Are your controls adequate? For treasury, it is common that audit teams assign the most junior people to audit treasury. And, they very rarely know anything about treasury or how to approach it. They look at the past year’s work papers and try to replicate it. Treasury professional, you know this is not adequate. You know that your team is responsible for identifying the proper controls (along with information and systems necessary to accomplish this). You can’t rely on Accounting, or internal audit to show you the six page chart that has detective and preventative controls marked in their special coding and believe that is enough.
- Section 404 – Assessment of Internal Control. This is no mere affirmation that the controls are in place. It directs management and the external auditor to report just how adequate the company’s internal controls on financial reporting are. This requires the adoption of an internal control framework and evaluating/assessing various controls and fraud risks. These would include:
- Fraud Risk Assessment. Treasury can and should get help for treasury related activities.
- Evaluate Controls. The ability of management to override controls is a serious concern for treasury due to the magnitude of transactions and finality of some payment types (wire transfers). Given that over 70% of firms were subject to man-in-the-email/imposter fraud attempts and 10% of those attempts were successful (8% of entire population) this is not an area to gloss over.*
- Bank Account Management. What processes are in place to ensure that bank accounts scheduled to close are actually closed on the book and at the bank? What is the timeframe for this? When a signer leaves the organization how soon are they locked out of systems that allow them to execute funds transfers and trades? How quickly are they removed from the bank documentation?
Treasury has a unique role in an organization as they are heavily focused on preventative controls. Internal and external auditors, though they usually have a minimal understanding of treasury, are of no help or use if your goal is to find control gaps and close them. Treasury needs to take a leadership role in systematically and regularly examining the assessment and evaluation with people who know how treasury works. Making the extra effort to ensure they are well-controlled is one way that treasury protects the organization. Treasury cannot abdicate this duty and leave it all to accounting.
*2016 Strategic Treasurer & Bottomline Technologies Global Treasury Fraud & Controls Survey
A Treasury with a Poor Reputation within the Organization
Treasury can have a poor reputation within the organization for several reasons. Perhaps they view themselves as a vendor and not a partner with their business colleagues. They’ll take an order for services or secure the needed capital, but that is the extent of their interactions. They mainly just want to track the markets and deal with the bankers since they understand what treasury is all about.
Treasury can and should provide analytical, strategic and operational advice and support to help other business areas succeed.
So, how could a poor reputation indicate potential control problems within Treasury? Let me give a few examples that could indicate a poor reputation and why that may contribute to control issues:
- Failure to Engage. If treasury isn’t out and about, there are two issues. First, no one knows what they are doing or why it is important. Second, they don’t know what is going on within the business. Both of these impact their awareness of company operations and issues and their ability to influence what the company does to prepare. Not knowing company plans makes it difficult for treasury to ensure that the balance sheet and services are aligned to the organizational need.
- Failure to Communicate. Treasury groups tend to be small and sometimes insular. Nearly all business processes cut across departments – which means one area impacts others downstream. If treasury pushes changes through without connecting other areas to determine the impact — and ensure the necessary planning and changes are managed — problems erupt. Accounting is screaming since they don’t have the information needed to post or perform reconciliation activities. This leads to a poor view of treasury and this insular view can lead to process problems and control issues in other areas.
We could go on with the issues that lead to a poor reputation that also contribute to control challenges, but hopefully you get the point. “I’m from treasury. We’d like to help. What are your challenges?” may seem like a completely foreign language to some. However, treasury can and should provide analytical, strategic and operational advice and support to help other business areas succeed. Success should include elements of strategy, finance, efficiency and controls. A benefit of a better reputation is that others will invite you to the table earlier in the game where you can better influence the process and outcome.
Codes, Passwords and/or Access Fobs Stored in the ‘Open’
A key hidden under a flower pot or welcome mat on the front porch may be convenient when you lock yourself out or need to let someone in. While this does not allow everyone immediate access to the house without knowledge of the hiding spot, choosing such a common spot leaves you open to intruders. It might be safer and better to use a realtor lock to avoid the unexpected house guest. Being careful with access is important for homes as well as for treasury system access.
If everyone knows it, or if anyone can easily find it, it isn’t much of a protection.
Traveling to several customer sites each year, we have the privilege of talking with many interesting people. And, we are often embedded within treasury groups off and on throughout a project. This allow us to observe things first hand from organizations. Treasury groups are often thinly staffed, and there are limited numbers of people who can back up wire transfer personnel, cash positioning activities, etc. Given these staffing levels, the backup for a particular function usually gets to perform those duties only once a quarter or so — maybe less. This makes it difficult to memorize all of the process steps and logons, whether they use a TMS or Excel plus bank portals. A common result is that the processes are documented…often with the passwords noted to help the substitute complete the task without getting locked out. If the password isn’t there, you can look for the ubiquitous yellow sticky note with the passwords on it: 1) under the keyboard 2) in the drawer 3) affixed to the monitor for all to see. 4) In the steno pad (why is that the favorite step by step recording location?).
If everyone knows it, or if anyone can easily find it, it isn’t much of a protection. These represent signs of control problems. And, yes, you really do want to make it tougher to find that information. Especially given that only 42%* of organizations perform background checks on temporary employees in finance and treasury.
*Strategic Treasurer & Bottomline Technologies Global Treasury Fraud & Controls Survey.
Finding Fraudulent ACH Items AFTER the Right of Return Has Passed
Some old jokes can teach us something related to treasury. Remember the one where the comedian says, “What is the most important thing about humor?” And, the mark starts to answer, “I don’t know–What is….” “TIMING!” the comedian responds. As with humor, timing is important for many aspects of treasury, including fraud prevention and detection.
Prevention. If you can stop certain types of fraud from hitting your bank account – or having them automatically be returned–that is a good thing. Prevention is quite desirable and pleasing but we live in a world where everything can’t be prevented. This brings us to detection.
When fraudulent ACH items have hit the organization’s bank account, a timely response is of the essence.
Detection. Timing is important. If an alarm goes off three days after a break in, the only benefit is that you have confirmation that a break-in occurred. If an alarm goes off immediately, then action can begin to stop or minimize the loss. For treasury settings, the alarm means good visibility, account and transaction level controls and rapid response (i.e. automated reconciliation with immediate follow up).
When fraudulent ACH items have hit the organization’s bank account, a timely response is of the essence. Trying to return these items after the return window has elapsed means you are depending upon the kindness and cooperation of multiple bankers. It is much better to depend upon the rules that provide you with the right to return rather than on your relationship with a banker who has no vested interested in your financial well-being. Treasury controls are about effectiveness and efficiency. This includes speed.
Craig Jeffery formed Strategic Treasurer in 2004 to provide corporate, educational, and government entities direct access to comprehensive and current assistance with their treasury and financial process needs. His 25+ years of financial and treasury experience as a practitioner, banker and as a consultant have uniquely qualified him to help organizations craft realistic goals and achieve significant benefits quickly. He is responsible for overall relationship management and ensuring total client satisfaction on all projects