Hard-Boiled Compliance

NOTE: This originally appeared on this date at Quest Software's ToadWorld, on the expert blog "John Weathington's Quest for Compliance". The link to the actual ToadWorld article is at the bottom.

There’s a big trend in the industry today around control convergence. In a nutshell, control convergence is an attempt to reduce the number of controls in a system, while still keeping things effectively under control.  If you’ve been following me so far, you have a lot of tools for modeling the different kinds of controls that you might find in your company. So in this article, I wanted to walk you through an example that will not only help cement in some of the concepts discussed previously, but also give you a solid foundation for properly supporting a control convergence effort, from a data systems standpoint.

Meet XYZ Healthcare Company

In our example the global finance manager at XYZ Healthcare Company needs to control their accounts receivable process. Strategically, they need to reduce the accounts receivable collection period from 95 days to less than 45 days. This affects the collection process, in which they can receive payments by either check or credit card.

The old process was to just send an invoice, and wait for the customer to pay sending standard letters at the 30, 60, and 90 day late marks. After some brainstorming, XYZ Healthcare revised its collection policy to look something like this.

• Once the payment term has expired, collectors shall call the customer on a regular basis until payment arrangements have been made.
• For customers who wish to pay by credit card, payments shall be processed immediately over the phone.
• For customers who wish to pay by check, sales reps shall make a customer site visit within 2 days of the agreed payment arrangement, to collect the check.

Organic Compliance Growth

Shortly thereafter, PCI compliance became a concern, so to control the risk that sensitive credit card information will fall into the wrong hands they added the following policy points:

• No credit card data will be recorded in the computer systems by the collectors. The collector records all necessary payment information on a special form, which is then passed to a credit card terminal operator for processing.
• Once credit card payments are confirmed in the credit card terminal, credit card forms shall be passed to a supervisor, who shall shred the forms.

Then, the HIPPA ( privacy ) police came along, and noticed that to validate the customer on the phone the collectors were using customer files which contained sensitive data that could be mishandled. So, to control the risk that personal customer data (i.e. social security numbers) will fall into the wrong hands, the following policy point was added:

• At the beginning of each day, the collector shall receive a list of all the customers they will be collecting on, with sensitive customer data for validation. At the end of each day, the collector shall surrender the collection list to the supervisor, who shall shred the collection sheet.

Finally, in the last SOX audit this process was tagged again for control remediation. So, to control the risk that inexperienced collectors will record inaccurate receipts, the following policy points were added:

• The credit card receipts recorded by the collectors shall be reconciled to the amounts processed by the credit card processor.
• The check receipts recorded by the collectors shall be reconciled to the checks collected by the sales reps and further reconciled to the amounts deposited by the supervisor.

And, to control the risk that fraud will occur with checks that are received, the following policy point was added:

• A separation of duties shall be enforced, such that the person collecting the checks is not the same person depositing the checks.

Control Convergence Team to the Rescue

At this point XYZ Healthcare has installed 6 different controls on the same process to cover 4 different compliance concerns ( of course, this is an simplified example – in the real world there could be hundreds of controls around this process at this point). This is okay, but the ongoing cost of compliance is directly related to the number of controls that need to be tested, so they chartered a project team to converge controls, and you’ve been recruited to support the effort from a data systems standpoint.

Converging Controls: Step 1 – Build a Testing Harness

The team will be anxious at this point to jump straight into building a solution. It’s a natural human tendency. You may even see some areas where you could immediately improve their situation by leveraging technology. You and your team must resist this urge, and first fortify your process with a testing system.

Determine the metrics that are important to this process; both from a strategic and compliance perspective. Here what I came up with:

• Collection Period –after all, this is the strategic metric that we’re trying to reduce
• Collection Forms Not Shredded – PCI control violation
• Customer Collection Lists Not Shredded – HIPPA control violation
• Failed Reconciliations – SOX control violation
• Separation of Duties Violations – SOX control violation
• Number of Controls – Your team is making progress if this number is going down

First and foremost, you need to build a data system that will collect and store this data. Then, baseline your current process to see where you are today. If you don’t baseline today, you won’t know if you’re improving anything.

Converging Controls: Step 2 – Make Sure You Can Undo

You need to build a safety net before the innovation process happens. If your “improvement” effort actually causes you to go backwards ( based on your collected metrics ), then you need to make sure you can at least get back to where you were before. From a data systems point of view, think seriously about such issues as a version control system, and a configuration management system. Do a brainstorm – if you had to get back to the old version, how would you do it? From a policy and process point of view, help your business users by building a repository where this can all be stored, with strong change data capture architecture in place.

Converging Controls: Step 3 – Make an Improvement

Now, and only now, start thinking about ways to converge the controls. Here are the ideas I came up with:

• Create a combined credit card / personal information form for processing which can be shredded all at once.
• Automate the reconciliation pieces. This not only reduces the number of controls to test ( two reconciliations can be tested as one reconciliation process ), but it increases reliability and reduces personnel workload.
• Install a policy that only supervisors can deposit checks. Since supervisors cannot be sales reps and vice versa, there is a built in separation of duties control. Now create a daily supervisor assessment form which records amounts deposited, and forms shredded. Between the automated reconciliation and this daily practice, only one control test should be needed that ensures that the assessment process is being executed properly.

Converging Controls: Step 4 – Test the Improvement

Now before you declare victory, gather your metrics again using the testing harness you created in step 1. We know for sure that control points have been reduced from 6 to 3. That’s a pretty good start! But, what happened to the other metrics? Did any control violations increase? If so, you need to undo ( Step 2 ), and try again ( Step 3 ). And what about the collection period? Did it actually increase as a result of your “improvement?” If so, back to the drawing board!

Let’s hope however that your efforts were not in vain. Even if everything else stayed the same, the fact that your controls are cut it half is a reason to declare victory. And if you’re seeing even lower control violations and a shorter collection period – pop open the champagne, you did real good!

...read the article on ToadWorld