Controls in Corporate Performance Management

Drive value in Corporate Performance Management with business controls

Wikipedia defines control objectives at the organisational level as: "objectives that relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations".

We know that Corporate Performance Management is about faster and more accurate reporting. We know that CPM relates to the successful execution of strategy linking strategic goals to performance measures. We also know that CPM relates to external stakeholders and accountability bringing compliancy into the game. Hence, controls are an important part of effective Corporate Performance Management!

This blog is about setting up flexible process and application controls in Close, Consolidate and Reporting projects. Flexible in the way that your process and application controls can grow with new requirements and application developments. Findings are based on our real-time experiences as CPM consultants with numerous multinationals over the years. It shows how incorporating the right controls help organisations to improve data integrity, shorten the close cycle and streamline compliance.

Here are some of the key lessons we’ve learned along the way:

1. Start thinking about data integrity from the start

Corporate Performance Management should be about analyzing data for added value and not validating data. Reliable data is the critical success factor for any CPM application. The design of the application should harvest data integrity from the start by categorizing all data input in unique classifications.

Collect data input from source systems in a unique data source. Build in automated or manual controls to validate this input with the source systems. Classify specifications and adjustments in the application in unique data sources. Set up the application to append data and never overwrite data. Build in comment fields to know not only who and when a user made an adjustment, but also why!
A logical audit trail of data enrichments will reduce the amount of time organisations spend trying to identify whether or not their data is reliable.

2. Not only describe, but realize segregation of duties

Segregation of duties is an important requirement of many control frameworks. It is important to distinguish the responsibilities forthcoming from system and functional maintenance of CPM applications from the end users, mostly being employees from Finance departments. The segregation from the IT function (system administrators) is in most organisations not an issue. Issues mostly occur in separating the functional adminstration of the application from the Finance function. This is to be explained firstly by the fact that mostly Finance employees are involved during the implementation of the application, as owners of the business case. After Go-Live these employees are most qualified to fulfill the administrator function while having their Finance responsibilities. Secondly convenience and flexibility has a big part in it. If an incident or change request occurs it is the functional administrator with a Finance background who can most easily combine knowledge of the functional requirement with the application parameters.

Realize from the start that implementing a CPM application requires a unique administrator function. Involve this person(s) from the start in the development of the application and make sure that no conflict of interest can occur along the way. Realize that the administration of a CPM application is not something to do aside, but is an integral part of effective Corporate Performance Management.

3. Set up and manage application- and process controls

Table 3.1 presents an overview of some best - practice application- and process controls in Close, Consolidate and Reporting implementations. Please contact CPMview for more information.



Table 3.1: Application- and Process controls

4. Describe and manage the Change Management Process

In order to ensure the continuous and reliable operation of the CPM application after Go-Live, maintenance processes must be defined and implemented prior to the transition to the business. These processes, combined with appropriate training, must enable organisations to seamlessly take over the responsibility for the maintenance and support of the CPM application and configuration. Moreover, these processes must enable organisations to comply with the accountants’ compliancy and control demands regarding the segregation of duties and management of application changes.

Describe the change management process taking into account change-, incidents-, security-, service level- and configuration management.

5. Think about effective administration

Keep an administration of Request for Changes, Maintenance Orders and Application Users. Make sure that these forms are timely approved by the owner of the application or the Change Advisory Board and enclosed by supporting documentation.

6. Authorize and document duties and responsibilities

Make sure to describe and document all functions and responsibilities regarding the CPM application.

7. Set up an Audit trail

Initiate activity and data audit in your CPM application to record transactions or communications related to a person, period, account or entity.

8. Manage your IT environment

Set up your server park to include a development server, test server, acceptance server and production server. Make sure that decent back up and fallback scenarios are in place. Provide single global web based login capabilities taking into account adequate authorization and security controls.

That "being in control" is not always easy to accomplish is demonstrated in this week’s pick from YouTube. Enjoy and please be sure to give your comments on this blog!