Process automation enables treasury departments to improve and standardize their control procedures across the enterprise. In addition, inherent treasury system functionality eliminates the need for costly manual reconciliations, validations or other compensating controls. It also provides CFOs, treasurers and management with real-time visibility into key online metrics and reports, measuring the ongoing performance of treasury operations and enabling timely detection of potential risks for proper remediation.

After two years of Sarbanes-Oxley (SOX) implementation (larger public companies had to meet the new financial reporting and certification mandates for end-of-year financial statements filed after 15 November 2004), treasury professionals are becoming smarter about their compliance process and are looking to embed more controls into their financial systems to eliminate inefficiencies and reduce risks.

Impact of SOX on Corporate Treasury

Treasury departments of publicly traded organizations subject to the SOX Act of 2002 (see box at end) have been impacted at both business process and IT levels.

At the business process level, treasury has inherited responsibility for documenting, assessing and improving key internal controls relating to all processes affecting the accuracy and dynamics of financial reporting. Examples of treasury controls affecting financial reporting include:

• Cash management controls, e.g. bank reconciliations.
• Investments-related controls, e.g. accuracy of interests, dividend income, accruals and fair values (mark-to-market).
• Debt-related controls, e.g. accuracy and completeness of amortization and interest expense, appropriate estimation, recording and disclosure of exposures (e.g. foreign exchange risk, interest risk and operational risk).

Within the IT department, alongside treasury, the range of responsibility includes documenting, assessing and improving IT controls related to significant information systems that support the treasury process, such as spreadsheets, bank websites and treasury management systems. There are two types of IT controls - general controls and application controls.

IT general controls ensure compliance with corporate IT governance standards as they relate to treasury applications and their underlying infrastructure (operating systems, relational database management systems, communications and interfacing utilities). Examples of IT general controls affecting treasury applications include:

• Access controls, e.g. password policies (rotation and strong requirements).
• Data management controls, e.g. data backups, including onsite and offsite data storage.
• Security controls, e.g. protection of treasury data via anti-virus software, firewalls, intrusion detection systems and data encryption as well as physical server security.
• Change controls, e.g. authorization, approval and testing of system upgrades and patches.

Application controls are specific as the adequacy of user access to the application and the proper segregation of roles prevent, for example, the same person from initiating and approving a transaction. They also include automated controls that ensure the accuracy of computations and reporting.

Streamlining SOX Compliance

A survey from the Financial Executives Institute indicates that the annual cost of compliance with SOX averages $3m for publicly traded companies required to comply. For companies with revenues in excess of $5bn, the annual cost of SOX compliance averages $8m. According to AMR research, every $1bn in revenue requires $1m in compliance costs. Looking forward, AMR predicts that internal costs devoted to SOX will decrease in 2006, while technology spending will increase, and external consulting costs will hold steady.

Indeed, learning from their first two years of experience, organizations are now looking for ways to rationalize and optimize their SOX compliance process to reduce ongoing costs. Companies are also looking beyond SOX to improve business processes and cut back on transaction costs.

Embedding Controls into Treasury Systems

Automation enables treasury departments to improve the effectiveness of their internal controls and to streamline compliance efforts by eliminating highly manual and labour-intensive control procedures that are the sources of many errors, omissions or fraud risks.

Manual control procedures or semi-manual processes, such as the use of spreadsheets, also require more extensive audit efforts. Indeed, organizations relying on these manual or semi-manual controls face higher internal and external audit costs. Companies can reduce the cost of their audit and compliance process through increased process automation.

Benefits of treasury process automation from a SOX perspective are twofold. First, it provides more automated controls that replace labour-intensive processes and manual controls. Second, it improves information security and governance.

Automated Controls

Treasury systems can be used to turn many manual controls into automated controls. In the cash management area, the system will perform automated bank reconciliations and accounting entries, significantly reducing risks of errors or fraud. The system will also provide complete automation of the approval workflow for payment requests and fund transfers. Segregation of duties will be set up automatically so that no initiator of a transaction can also approve a transaction. The format will also ensure that management has approved any changes made to the access rights.

More sophisticated workflows will involve several approval levels based on different types of transactions and amount thresholds. Automated workflows will enable organizations to strengthen and harmonize their control design across the enterprise. Automated workflows will also improve the effectiveness of these controls by providing greater assurance that corporate policies are followed (i.e. that controls are operating as designed).

In the investment management space, the system will enable treasury to manage its corporate investment policy across business units and subsidiaries while ensuring that transactions performed or requested by these entities comply with the corporate investment policy. The system will also provide an automated approval workflow for investment transactions as well as automated mark-to-market functions for derivative instruments. Reconciliations will be performed automatically and the system will track interest, dividend income, accruals and investment-related amortizations. Finally, risk exposures and derivative income will be computed and tracked automatically using various methods.

On the debt management side, the system will provide similar controls, including loan register, automated bank reconciliations, approval of workflow for financial commitments, and tracking of amortization, interest expense and debt-related risk exposures.

Information Security and Governance

Treasury systems can also help treasury to meet new SOX information security and governance standards. For example, it can provide increased integration among applications and straight-through processing will limit the risk of errors or fraud while encrypting data and securing communications with banking partners.

In addition, increased automation of treasury processes enables the elimination of spreadsheets, which present many risks in the context of SOX. Errors in computations are frequent in a spreadsheet environment. Sources of errors include input mistakes, incorrect or missing formulas, and improperly linked worksheets or spreadsheets. Spreadsheet data can also easily be lost or damaged due to uncontrolled or unauthorized access.

Conclusion

Companies faced with SOX compliance requirements are now focusing on streamlining their overall compliance process and gaining better visibility and control over their treasury operations.

As part of their ongoing SOX process, treasury departments are looking for ways to leverage technology to improve controls by increasing automation and implementing best practices across the enterprise. Increasing process automation enables treasury departments to improve their operations in the two fundamental control areas that are relevant to auditors: design and operation.

Indeed, automation allows treasury teams to improve control design effectiveness by creating key controls that would be difficult or impractical to implement in a manual environment (e.g. sophisticated payment workflows, interfaced applications and data encryption).

In addition, automation enables treasury teams to improve operating control effectiveness by ensuring that the controls in place are operating as designed. For example, the system would prevent a user from processing a transaction that has not been adequately approved by other stakeholders.

In this context, treasury systems provide tools that financial professionals can use to embed the controls that are right for their organizations. The net effect of automating controls eliminates the need for labour-intensive, manual controls such as paper forms, physical signatures, or data re-entry and manual reconciliations. It also facilitates the work of auditors by providing more assurance about the accuracy and completeness of financial reporting. Simpler auditing can also be performed with fully visible audit trails as well security logs and backup logs.

Sarbanes Oxley Act

In 2002, the US Congress passed the Sarbanes Oxley Act (SOX), to improve reliability of public companies' financial information, prevent fraud, and restore investor confidence. The Act was signed into US law on 30 July 2002.

SOX mandates that companies should assess their internal controls ensuring accuracy and reliability of financial information. It covers a vast range of topics, but three sections, in particular, directly impact treasury operations: sections 302, 404 and 409.

Article by John Alarcon , CTP, CPA, General Manager North American Operations, XRT - John is a leading international authority on information technology and financial services. Throughout his career he has delivered financial IT advice to the global marketplace. Alarcon has served as senior vice president and general manager of META Group (now part of Gartner Group), an information technology firm with operations in more than 30 countries. He was also the founder of SPEX, the leading enterprise software evaluation firm that META Group acquired in 2000. He holds an advanced degree from the University of Paris Dauphine (France), a Master's of Business Administration from the University of South Florida, graduated from the Columbia University Senior Executive Program, and is a Certified Treasury Professional and Certified Public Accountant. He regularly writes to various International magazines & journals