Reengineering Internal Controls
Designing internal control systems for reengineered processes
by Matthew Leitch, April 1996.
Why internal controls must be reengineered
Rethinking risk analysis
Rethinking control objectives
Rethinking internal controls
The role of the controls design specialist
"Reengineering is the fundamental rethinking and radical redesign of business processes
to achieve dramatic improvements in critical contemporary measures of performance,
such as cost, quality, service, and speed."
From "Reengineering the Corporation" by Michael Hammer and James Champy 1993
The case studies featured in the book from which this definition is taken propelled
Business Process Reengineering (BPR) to management theory superstardom. Offered
by most management consultants as something radically new, scorned by many
accountants as just another buzz phrase for good management, BPR has been
controversial from the beginning.
However, from the case studies it is clear that at least some organisations have made
major changes to the way they do their work, and at least some have benefited greatly
from doing so. For the foreseeable future we can expect organisations to try to learn
from the success stories and be successful themselves in achieving breakthroughs in
Hammer and Champy's main contribution was to collate successful examples and
suggest common factors. What should worry accountants and, in particular, auditors is
that the common factors identified by Hammer and Champy appear to contradict
directly the advice which auditors have been giving their clients about internal
controls for decades.
This paper highlights the apparent contradictions but then suggests how internal
control systems need to be reengineered to match reengineered processes.
BPR versus the auditors
For decades the bulk of advice given by auditors to their clients in letters to
management concerned weaknesses in internal control systems and recommended
stronger controls. The drive towards ever increasing levels of internal control and
better "corporate governance" has gathered pace in recent years after some spectacular
cases of corporate fraud.
Much of this advice is based on thinking that appears contrary to the principles of
BPR as distilled by Hammer and Champy. Some might argue that in the process of
improving internal controls most organisations have reduced their effectiveness and
The following table shows how Hammer and Champy's recurring themes in BPR
often appear to conflict with the traditional advice of auditors.
Hammer & Champy BPR principle / Traditional auditor's advice:

BPR: Several jobs are combined into one.
Auditors: Segregation of duties is needed.

BPR: Workers make decisions.
Auditors: All transactions should be authorised before they occur.

BPR: The steps in the process are performed in a natural order (i.e. not necessarily one after the other).
Auditors: It is normally assumed that work passes through a series of stages, obtaining sign offs and authorization to proceed after each stage.

BPR: Processes have multiple versions (e.g. simple version for simple cases, complex version for complex cases, with early split of cases).
Auditors: It is normally assumed that there is only one procedure for doing a job. It is usual to recommend that controls are applied to all items.

BPR: Work is performed where it makes most sense (and by the people who sensibly should do it).
Auditors: Generally discourage book keeping outside the accounts department because it tends to be done less well.

BPR: Checks and controls are reduced.
Auditors: Controls should be increased.

BPR: Reconciliation is minimized.
Auditors: Everything should be reconciled if

BPR: A case manager provides a single point of contact.
Auditors: Segregation of duties is needed.

BPR: Hybrid centralized/decentralized operations are prevalent.
Auditors: Generally prefer the supervisory control that comes from having book keeping done centrally.

BPR: Information technology is used heavily.
Auditors: Auditors do not oppose the use of information technology but have always been worried by its use, fearing computer fraud and systematic errors.
Note: The final point about use of information technology is not included in Hammer & Champy's list
of principles, but they give a whole chapter to it in their book.
Auditors' recommendations have steered organisations towards splitting work
between different people, with plenty of checks and reconciliations, and ensuring that
all items are processed with equal rigour.
BPR suggests the opposite: work should not be split up, people should be empowered
(with minimum checks and reconciliations), and different procedures can be used as
Why internal controls must be reengineered
BPR is just not compatible with conventional control methods and preferences.
BPR practitioners need methods of exerting control that do not contradict BPR, or at
least which minimise the loss of efficiency caused by adding controls to a
But before these control techniques are introduced into a reengineered process we
need to appraise the risks of the process and set appropriate control objectives.
Rethinking risk analysis
Although reengineered processes tend to have less segregation of duties and be more
reliant on computer systems (with all their associated control risks) there is a positive
side to most reengineering principles that should be considered before deciding what
controls, if any, may be needed.
The effects of BPR principles on inherent risks are suggested in the following table.
Hammer & Champy BPR principle / Effect on inherent risk:

BPR: Several jobs are combined into one.
Inherent risk: Personal accountability is increased and there are fewer opportunities for errors from misunderstandings, lost documents, etc.

BPR: Workers make decisions.
Inherent risk: This should be achieved by providing workers with more information and with programmed advice, so the chances of a bad decision by the worker are less.

BPR: The steps in the process are performed in a natural order (i.e. not necessarily one after the other).
Inherent risk: Later processing may reveal problems so the sooner it is done the better, and the faster turnaround means there is less risk of a decision being based on facts which are out of date.

BPR: Processes have multiple versions (e.g. simple version for simple cases, complex version for complex cases, with early split of cases).
Inherent risk: This will be based on risk so the most rigorous procedure will be followed for the most risky items.

BPR: Work is performed where it makes most sense (and by the people who sensibly should do it).
Inherent risk: The risk of error through miscommunication is reduced.

BPR: Checks and controls are reduced.
Inherent risk: Not applicable to inherent risk.

BPR: Reconciliation is minimized.
Inherent risk: Not applicable to inherent risk.

BPR: A case manager provides a single point of contact.
Inherent risk: Personal responsibility is enhanced and the chances of error through miscommunication

BPR: Hybrid centralized/decentralized operations are prevalent.
Inherent risk: This is usually achieved by using computer systems in ways that can extend central control outwards.

BPR: Information technology is used heavily.
Inherent risk: Computers tend to be more reliable than
Rethinking control objectives
The conventional approach to setting control objectives is based around checklists of
control objectives worded so that they require total completeness, accuracy, validity,
and so on. Risk analysis might be used to weight the importance of each objective,
exclude some objectives, or introduce more detail for others.
Bounded total cost
However, some examples of BPR reflect what could be called a bounded total cost
approach, and this may be more appropriate generally for reengineered processes.
Hammer and Champy give this example (p58):
"Consider the credit card-based purchasing process we just described. Compared to more
traditional processes, this one seems almost devoid of controls. Departments might use
their credit cards to go on wild spending sprees. People could run away to Brazil with the
spoils of their raids on office supply vendors. Or so feared the company's internal auditors.
But they were wrong because the reengineered purchasing process does have a point of
control; unauthorized purchases will be detected when the credit card tape is run against
the department's budget and when the departmental manager reviews the expenditures.
Given the credit limit on the cards, the process designers felt it was better to swallow the
limited exposure to abuse that the new process embodies in order to eliminate the
overhead cost associated with the traditional controls."
This approach has two steps:
1. The maximum exposure is limited to an acceptable amount using low cost
controls such as post hoc review or highly selective authorization.
2. The cost of the remaining exposure to loss is balanced against the cost of
preventing the loss by introducing further controls.
At the control objective setting stage all that is required is a statement of the
maximum loss limit and of the costs that should be considered in applying the limit.
Cost minimisation is done during controls design.
Rethinking internal controls
Established preferences for control techniques need to be revised. Preferred control
techniques should provide adequate control but should not slow down or add costs to
basic business processes.
Segregation of duties
Segregation of duties is described by the Auditor's Operational Guideline on Internal
Controls as "One of the prime means of control".
However, in a typical reengineered process the transaction and its recording are
initiated by a single person and carried out by an integrated computer system. As far
as possible all the activities needed to carry through a process from start to finish and
to record it are placed under the control of one individual or, if this is not possible, a
small team. An example is a line of checkouts in a supermarket.
Since segregation of duties is not available, alternative control techniques are needed.
1. The computer system
The integrated computer system is itself a powerful control. Provided the
worker is reliant on the system to carry out actions (e.g. order stocks) and
provided the system records every action correctly and its records cannot be
altered by the worker, the records will be reliable.
At a supermarket checkout the operator can only work using the electronic till.
At modern checkouts control over incorrect pricing is provided by forcing
operators to use a barcode reader or enter product codes rather than prices
while the till displays descriptions and prices of goods to the customer to be
2. Comparison between workers
Supervisory control can also be exerted by comparing the behaviour of
individual workers with that of others doing the same work.
This is more likely to be possible in a reengineered process because of the
very reorganisation that removed segregation of duties.
For example, in a process involving three activities performed one after the
other the work might originally have been performed as if by a production line,
with each worker responsible for a particular activity, but for all items (e.g. for
all customer orders).
          Activity 1   Activity 2   Activity 3
Order 1   Alan         Bob          Collette
Order 2   Alan         Bob          Collette
Order 3   Alan         Bob          Collette
After reengineering each worker performs all three activities but not for all items.
          Activity 1   Activity 2   Activity 3
Order 1   Alan         Alan         Alan
Order 2   Bob          Bob          Bob
Order 3   Collette     Collette     Collette
Provided the system can distinguish between work done by each worker and perform
analytical summaries and comparisons, the actions of each worker can be compared.
If one worker's profile is unusual it can be investigated to find the reason. This
provides protection against fraud, error, and persistent incompetence while helping to
identify successful workers.
In a supermarket the checkout operator's scope for fraud can be limited to entering
incorrect product codes by hand (instead of using barcodes) and not coding some of
the products a friend has brought to the checkout. The supervisor can look for lower
than normal values passing through the till in a particular shift, lower than usual
numbers of items, and excessive use of manual product code entry.
Since performance analyses of the kind needed are more usually provided for whole
processes rather than for individual activities there is a better chance that the software
will be able to do what is required in the reengineered process.
Authorization
According to the Auditor's Operational Standard on Internal Controls "All
transactions should require authorization or approval by an appropriate responsible
person." Traditionally, this has meant that for every transaction a person wants to
carry out or process there should be at least one signature written by a more senior
In one particularly severe case observed by the author a credit note for ?.69 required
three signatures, two by the Sales Director (but on different occasions!) before it
could be sent to the customer.
1. High level authorization with computer enforcement
Authorization can be easier and less obstructive if it is carried out at a high
level, with computer systems used to prevent actions outside those authorised.
For example, a spending plan covering dozens of purchases could be
authorised removing the need for any further authorizations. Stocking policies
could be worked out, authorised, and programmed, removing the need for
further authorizations until the policy needs to be changed.
2. Selective authorization
There is usually no need for every transaction to be authorised by a second
person before it takes place. Only items that are high risk because they are
complex, subject to fraud, or high value need be authorised beforehand.
The computer system should selectively raise these items for online
authorization and give workers the option of requesting an authorization for
other items if they want the reassurance of a second opinion.
The same technology allows data input to a computer system to be checked as
it is entered, not just to prevent input of data which must be wrong, but also to
raise a warning and request confirmation when an input is unusual, and
therefore probably wrong.
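The three authorization ideas above (a spending plan authorised once and then enforced by the system, selective pre-transaction authorization of high-risk items, and a warning rather than a rejection for unusual input) combined in one routing function, as an added Python example that is not from the paper; the budget lines, thresholds, fraud-prone categories and purchase records are constructed assumptions.

```python
"""Selective authorization for a reengineered purchasing process.

Constructed example: the spending plan, thresholds, fraud-prone categories
and purchase records below are assumptions, not taken from the paper.
"""
from dataclasses import dataclass, field

# A spending plan authorised once at a high level; purchases inside it need
# no further per-transaction signature. Keyed by (department, category).
SPENDING_PLAN = {
    ("sales", "stationery"): 2000.0,
    ("sales", "travel"): 5000.0,
    ("it", "hardware"): 15000.0,
}
HIGH_VALUE = 1000.0                                # assumed: above this, always get a second person
FRAUD_PRONE = {"gift vouchers", "cash advance"}    # assumed high-risk categories
UNUSUAL_FACTOR = 3.0                               # assumed: warn when value > 3x the usual for the line


@dataclass
class Purchase:
    dept: str
    category: str
    value: float
    typical_value: float           # what the system expects for this budget line
    second_opinion: bool = False   # worker asked for the reassurance of a second opinion


@dataclass
class Decision:
    action: str                                    # "allow", "authorise" or "reject"
    reasons: list = field(default_factory=list)    # why a second person is needed
    warnings: list = field(default_factory=list)   # unusual but possible; ask to confirm


def route_purchase(p: Purchase, spent_so_far: float) -> Decision:
    """Decide whether a purchase proceeds, is raised for authorization, or is rejected."""
    # Input that must be wrong is rejected outright.
    if p.value <= 0:
        return Decision("reject", ["value must be positive"])
    d = Decision("allow")
    # Only high-risk items are raised for authorization before they take place.
    if p.category in FRAUD_PRONE:
        d.reasons.append("fraud-prone category")
    if p.value > HIGH_VALUE:
        d.reasons.append("high value")
    budget = SPENDING_PLAN.get((p.dept, p.category))
    if budget is None:
        d.reasons.append("no authorised spending plan line")
    elif spent_so_far + p.value > budget:
        d.reasons.append("exceeds authorised budget line")
    if p.second_opinion:
        d.reasons.append("second opinion requested by worker")
    # Unusual but not impossible input gets a warning and a request to confirm.
    if p.typical_value > 0 and p.value > UNUSUAL_FACTOR * p.typical_value:
        d.warnings.append("value far above the usual for this line; please confirm")
    if d.reasons:
        d.action = "authorise"
    return d
```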
3. Enhanced post hoc review
Regardless of the policy for pre-transaction authorization all activities should
be reviewed post hoc. To be really effective this should be computer assisted.
This is an area where many organisations have weak controls, partly because
they think pre-transaction authorization makes post hoc review unnecessary.
(Whereas in fact it is the other way around.) In one case, an organisation's
purchasing procedure had so many signatures, forms, and delays built into it
that employees bypassed it altogether and telephoned their orders to suppliers
directly. No post hoc reviews were carried out so the extra purchases were not
Computer assistance could include reports and screen displays highlighting
large or unusual items, subtotalling items of the same type or initiated by the
same person, making comparisons with budgets, previous periods, and other
staff, searches for duplication, missing data, breaches of business policies,
items being more or less numerous than expected, items with values outside
the usual range, and variations in ratios and summary statistics.
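The supervisor's checks in the supermarket example earlier (lower than usual till values, fewer items, excessive manual product code entry) and the computer-assisted comparisons with other staff just listed, worked through as an added Python example that is not from the paper; the shift records, the metric list and the two standard deviation threshold are constructed assumptions.

```python
"""Post hoc comparison of checkout operators against their peers.

Constructed example: the shift records, the metrics and the flagging
threshold are assumptions for illustration, not taken from the paper.
"""
from statistics import mean, pstdev

# Constructed till records: (operator, value through till, items scanned, manual code entries)
SHIFTS = [
    ("alan", 4120.0, 1480, 12),
    ("alan", 3980.0, 1410, 9),
    ("bob", 4210.0, 1520, 15),
    ("bob", 4050.0, 1455, 11),
    ("collette", 2900.0, 1010, 58),
    ("collette", 3050.0, 1080, 61),
    ("dina", 4000.0, 1440, 10),
]
Z_LIMIT = 2.0   # assumed: flag a metric more than 2 standard deviations from the peers

# What the supervisor looks for: low value per shift, few items, heavy manual entry.
# The second element says which tail of the distribution is suspicious.
METRICS = {
    "value_per_shift": (lambda s: s[1], "low"),
    "items_per_shift": (lambda s: s[2], "low"),
    "manual_entry_rate": (lambda s: s[3] / s[2], "high"),
}


def operator_profiles(shifts):
    """Average each metric over every shift an operator worked."""
    per_op = {}
    for s in shifts:
        per_op.setdefault(s[0], []).append(s)
    return {op: {m: mean(f(s) for s in rows) for m, (f, _) in METRICS.items()}
            for op, rows in per_op.items()}


def flag_unusual(profiles, z_limit=Z_LIMIT):
    """Compare each operator with all the others (leave-one-out), so an outlier
    cannot hide itself by inflating the spread it is measured against."""
    flags = {}
    for op, prof in profiles.items():
        for m, (_, tail) in METRICS.items():
            peers = [q[m] for o, q in profiles.items() if o != op]
            if len(peers) < 2:
                continue   # not enough peers to define "normal"
            sd = pstdev(peers)
            if sd == 0:
                continue
            z = (prof[m] - mean(peers)) / sd
            if (tail == "low" and z < -z_limit) or (tail == "high" and z > z_limit):
                flags.setdefault(op, []).append(m)
    return flags


def unusual_operators(shifts=SHIFTS):
    """Operators whose profile departs from their peers, with the metrics concerned."""
    return flag_unusual(operator_profiles(shifts))


if __name__ == "__main__":
    for op, metrics in unusual_operators().items():
        print(f"investigate {op}: {', '.join(metrics)}")
```

A flag is a reason to investigate, not a finding: a low-value profile may simply be a quiet shift pattern, which is why the paper's next step is to find the reason.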
For example, sophisticated computer assisted post hoc review is used by the
regulators of LIFFE who continually analyse patterns of trading using data
downloaded from the exchange's centralised dealing system.
The more exact the computer system's expectations for transactions the more
powerful the assistance can be. Activity based modelling and forecasting can
provide very detailed expectations by relating non-financial to financial
information. Such techniques can be used to analyse actual results for items
which may represent errors or fraud.
Even if specific rules for detecting incorrect items are not known the quantity
of data freely available makes training neural networks quite feasible. The
network can identify the risk factors for itself.
4. Audit reviews
In preventing and detecting fraud, normal internal controls can be vulnerable.
They are mechanistic, predictable, and there are usually chinks in the armour
of regular checks, reviews, reconciliations, and so on. Once a weakness has
been found it can be exploited repeatedly with confidence.
If the purpose of a control is mainly to prevent or detect fraud (rather than
error) it may be more efficient to withdraw regular, predictable reviews and
substitute irregular, unpredictable reviews. These might involve picking small
points at random and following them up in depth.
From the fraudster's perspective the reviews should appear completely random
and unpredictable - and frighteningly thorough when they occur. It should not
be possible to predict what will be examined, how, or when. Potential
fraudsters should be sent a clear message: a review could look at anything, to
any depth, at any time.
Although many reviews should be triggered at random, others should be
triggered by risk factors picked up from post hoc reviews, from personal
contacts, from the personnel records, and so on. For example, complaints by
customers, book keepers who haven't taken a holiday for nine months,
employees known to be unhappy with their employer, teams with unusually
high or low performance, and managers close to performance bonus
Checking and inspections
Many of the comments regarding authorization apply equally to checks and
inspections. However, one feature of reengineered processes that deserves further
examination is the tendency to perform work in a natural order, i.e. not necessarily in a
series of stages, each of which must be finished before the next can begin.
An example is the way software development is being reengineered from waterfall
lifecycles towards Rapid Application Development. In RAD, many documents,
reviews, iterations, meetings, etc are replaced with a few intense sessions in which
end users and developers work together to create a system. Many steps and stages are
compressed into just a few and there are far fewer "sign offs" of supposedly agreed
deliverables along the way.
RAD introduces fewer control problems than might be expected. Firstly, because it is
quicker and so more likely to deliver a system that meets current requirements.
Secondly, because pushing forward with the design in certain areas (e.g. by
prototyping) can reveal errors in early design decisions. Thirdly, because design
documentation can be organised into a waterfall structure even though the thinking
was chaotic. Indeed, using a suitable computerised tool the team can attack the
problem at any point, backtracking and jumping ahead freely, but store their decisions
in a logical structure as if they had derived their design in a logical, step by step way.
The main controls required include:
- a small number of detailed quality control inspections at carefully selected
points, usually before significant expenditure is committed
- a design database to store work in a logical structure and enforce consistency
rules in real time
- participation of appropriately skilled and motivated people
Reconciliations
Global reconciliations and control totals are powerful accounting controls that usually
do not hinder business processes.
The reconciliations Hammer and Champy particularly have in mind are detailed
reconciliations between the accounting records of one enterprise and the accounting
records of another. For example, between cash on bank statements and cash in the
cash book, or between invoices expected (based on agreed prices and recorded
deliveries) and invoices actually received.
Shift the burden
The main example of reengineering affecting reconciliations in "Reengineering the
Corporation" is a poor one since the amount of reconciling was not reduced.
Ford used to reconcile invoices received to records of deliveries and agreed prices.
Now, under Ford's Evaluated Receipts Scheme (ERS), it is the supplier who is forced
to carry out the reconciliation. Ford's computers calculate the amount Ford should pay
and any difference between that and what the supplier was expecting to receive is up
to the supplier to challenge. This is reengineering but the amount of work done has
not changed, only the enterprise that has to do the work.
For organisations with less power than Ford this is not a viable option. Reconciliation
between the accounting records of trading enterprises is a valuable defence against the
errors and dishonesty of others and also uncovers one's own errors.
However, the cost of reconciliations can be reduced by Electronic Data Interchange
and automatic matching of items.
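The detailed reconciliation described above (invoices expected from recorded deliveries and agreed prices, compared with invoices actually received) as an automatic matching routine, added here as a Python example that is not from the paper; the price list, delivery records, invoices and tolerance are constructed assumptions.

```python
"""Automatic matching of invoices received against deliveries and agreed prices.

Constructed example, not from the paper: the price list, delivery records,
invoices and tolerance are assumptions for illustration.
"""
from collections import defaultdict

# Agreed unit prices per (supplier, part).
AGREED_PRICES = {("acme", "bolt"): 0.25, ("acme", "bracket"): 4.10, ("zenith", "gasket"): 1.75}
# Recorded deliveries: (delivery_ref, supplier, part, quantity received)
DELIVERIES = [
    ("d1", "acme", "bolt", 4000), ("d2", "acme", "bracket", 150),
    ("d3", "zenith", "gasket", 600), ("d4", "acme", "bolt", 1000),
]
# Invoices actually received: (invoice_ref, supplier, part, quantity, amount, delivery_ref)
INVOICES = [
    ("i1", "acme", "bolt", 4000, 1000.00, "d1"),       # agrees with delivery and price
    ("i2", "acme", "bracket", 150, 660.00, "d2"),      # price above the agreed one
    ("i3", "zenith", "gasket", 600, 1050.00, "d3"),     # agrees
    ("i4", "acme", "bolt", 1200, 300.00, "d4"),        # more than was delivered
    ("i5", "acme", "bracket", 150, 615.00, "d2"),      # second invoice for the same delivery
    ("i6", "zenith", "gasket", 50, 87.50, "d9"),       # no recorded delivery
]
TOLERANCE = 0.01   # assumed: differences below one penny are ignored


def expected_amount(supplier, part, quantity):
    """What we should pay: recorded quantity at the agreed price."""
    return round(AGREED_PRICES[(supplier, part)] * quantity, 2)


def match_invoices(invoices, deliveries):
    """Return {invoice_ref: status}; only items with a difference need human attention."""
    by_ref = {d[0]: d for d in deliveries}
    claimed = defaultdict(int)          # how many invoices have cited each delivery
    result = {}
    for ref, supplier, part, qty, amount, dref in invoices:
        delivery = by_ref.get(dref)
        if delivery is None or delivery[1] != supplier or delivery[2] != part:
            result[ref] = "no matching delivery"
            continue
        claimed[dref] += 1
        if claimed[dref] > 1:
            result[ref] = "duplicate invoice for delivery"
            continue
        if qty > delivery[3]:
            result[ref] = "quantity exceeds delivery"
            continue
        expected = expected_amount(supplier, part, qty)
        if abs(amount - expected) > TOLERANCE:
            result[ref] = f"price difference: expected {expected:.2f}, invoiced {amount:.2f}"
        else:
            result[ref] = "matched"
    return result


if __name__ == "__main__":
    for ref, status in match_invoices(INVOICES, DELIVERIES).items():
        if status != "matched":
            print(f"{ref}: {status}")
```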
Shared electronic markets such as those used for trading securities, provided they are
regarded as accurate and reliable, can provide an alternative to detailed reconciliations.
A trusted third party carries out data processing that otherwise would have to be
duplicated and reconciled between the trading parties.
Perhaps in future companies will put their products "on the market" by having them
listed on independently run Internet markets covering vast ranges of products and
services. Customers will buy the products by placing orders in the same markets. Both
parties will receive electronic statements of purchases and sales which will be
regarded as definitive and not checked in detail.
The role of the controls design specialist
A specialist in controls design, using ideas such as those presented above, can
contribute to the BPR effort in a number of ways:
- helping people overcome the fear that a new process design will fail because it
can't be controlled, or is vulnerable to abuse
- reconciling the views of creative BPR enthusiasts with the concerns of their
control oriented colleagues - overcoming the apparent conflict between
corporate governance and corporate competitiveness using imaginative control
- uncovering hidden assumptions about risks and necessary control mechanisms,
and challenging them by presenting modern alternatives. (Where control is
especially important in a process, reengineering the controls can be the first
stage in reengineering the whole process.)
- providing advice on control requirements and methods when new technology
is to be implemented, such as EDI and workflow systems
Traditional internal controls can introduce significant delays and costs to processes
that have been reengineered. Unless suitable risk analysis, control objectives, and
control techniques are used controls can be like a ball and chain around the ankle of a
process designed for speed.
BPR practitioners should ensure they have designed control into their processes to
avoid having brilliantly reengineered processes cramped by inappropriate controls
demanded by auditors. This is particularly important where controls can be built into
the software used to support the process.
Auditors should be more sensitive to the cost implications of their control
recommendations and suggest a range of controls including more sophisticated post
hoc review techniques.
References
Hammer, Michael and Champy, James, "Reengineering the Corporation", 1993.
Jones, J Christopher, "Design Methods", 1980.
Auditing Practices Committee, "Internal Controls", 1980.