Ep. 82: Ben Jackson - Do Your Company's Internal Controls Mitigate the Risk of AI?

Ben Jackson, MBA, CSOE, is a John Maxwell Certified Coach and serves as an accounting consultant for business and leadership development. He has extensive industry experience in technical accounting, system implementation, and various business processes. In this episode of Count Me In, Ben talks about internal controls and the new policies and procedures that need to be implemented in order to mitigate the risks of emerging technologies, like AI and RPA. Now, with the added risk of remote work, internal controls are more crucial than ever. And, in this conversation, Ben explains how to overcome some of these new risks and obstacles to ensure your company's communication remains open and compliant.
Contact Ben Jackson: https://www.linkedin.com/in/bmgjmba/

FULL EPISODE TRANSCRIPT
Mitch: (00:00)
 Welcome back for episode 82 of Count Me In. I'm your host, Mitch Roshong, and I'm here to bring you another conversation about all things affecting the accounting and finance world. Today's guest is Ben Jackson. Ben is a Certified Coach, Speaker, teacher, and trainer, and he's also the managing partner of Ben Stu LLC, a business and leadership consulting company. Ben joined Adam to talk about the importance of internal controls, and having the proper policies in place to manage the emergence of AI and RPA in the accounting world. He addresses some of the risks presented, particularly with the recent remote work environment and how to overcome additional challenges when looking to lead the finance and accounting function. Let's go ahead and listen to their conversation now.

Adam: (00:58)
So with the advancements of technology, such as AI and RPA across the accounting space, can you discuss your thoughts on internal controls and the new policies and procedures that should be implemented because of these new technologies?

Ben: (01:13)
Well, you know, with the new technology that's going on, I don't really think that the internal controls really need to change. What I think they need is they need to be updated. See one of the things that we talk about with internal controls is who's responsible. When you have AI and you have, you know, the automatic accounting processes that are working, you need to establish who is that responsible person to make sure that they're working in the best way. So once you establish that responsibility, then you have to go back to where the next step is segregation of duties. Somebody is responsible to make sure that it's working the way it's supposed to work, as in the program. So whoever's that programmer needs to validate it. That the program is executing as expected, and then you need to add in the controller or the accountant who needs to come in and make sure that before you post an action, an action that it's reviewed. So you're really adding a couple extra steps to ensure, but you changed what goes on. So I think that you need to add some testing procedures to make sure that'd be for execution that it's there, and then also as you let these things automatically run, you need to have some spot checks and audits internally that bring forth those changes and then you'll know whether or not something is wrong.

Adam: (02:51)
So that makes sense. So you're saying that you don't need to change anything. It just needs to be maybe brought into the new age of what's happening around us. Cause internal controls aren't going to change, but we need to make sure that people, the right people are in place to make sure that the they're responsible for doing their duties in essence

Ben: (03:10)
Correct. You know, one of the things that happens is, you know, when you think about the top six things that happen with internal controls, you know, the first two are really talking about establishing the responsibility, and then segregation of duties. The next thing becomes documenting the procedure. That is a very important thing with internal controls is having a documented procedures. When you have those procedures documented, it makes it easy for somebody to take on a role. For example, if you have change in, people. People changes always make things difficult. Well, if I have AI and you know, automatic processing running, then I need to give the new person who goes and sits in those seats, what really happens and what they need to check for. So if I don't give them what the documented process is, then they're sort of stuck and they don't know that something's automated running in the background, and then they don't know how to fix it, how to look at it, if there's a problem, and who do they go and talk to. So that becomes very important, you know,  in the next step. So, you know, when you talk about AI and you talk about automated processing and letting things just run, you know, we've already established who was responsible, between a tech person and an accountant, to make sure that those two roles are responsible. We've segregated who's really responsible for whatever, and then we have that next thing, which is a documented procedures. One of the things that I like to do when I look at internal controls is to create a RACI. Who's responsible, who's accountable, who's consulted and who's informed. So that actually helps with internal controls because then you know exactly who you need to go to if something is wrong or when you noticed, things during an audit, you can go, okay, you should know who, who entered the, program for the automatic entries. Now, the problem with AI is AI is always thinking, and because it's always thinking you sort of control the parameters, that it looks at, and that control will always be a consistent review. And again, it doesn't change the fact that the internal control is there. It changes what the internal control should be.

Adam: (06:12)
Definitely. So do you have some examples maybe you can give of, maybe updating internal controls, or some of the things you've been talking about, some specific examples that you could share?

Ben: (06:24)
For updating internal controls, I recently consulted with an organization who didn't have a lot of internal controls. And, during the process, I noticed that there were open system users that had the ability to do some things that they shouldn't be doing. So we put in plan in a place where we actually created a table for what the internal control could be or should be based on their current platform. So in doing so, what you do is you sorta look at their current processes and then you assign someone in the finance group to monitor what's really going on. Because the system, the company is a small company. So a lot of people wear many hats. So locking down the system is not a great idea. The better idea is saying, okay, I know what my parameters are. How do I validate that everybody is doing things correctly? So when you do notice an error, we you bring it up to the CFO and the management team and make some decisions on what do we need to change in a process and how do we correct some things so that consistency is improved. One of the things that you do with these controls as you're growing your company, you want to make sure that they're in place so that everybody knows the rules and that it's not risked, there's no risk to the company. So in implementing this, we also identify what the potential risk is. If somebody doesn't catch it, and that becomes important for the stockholders, and when I say stockholders or the stakeholders, it's who we have to report to, because it could be on any scale of company, who you're giving these reports to. They have to know that they could be confident in the data, and that accounting is really looking at what's transactionally happening, whether through systemic processes or manual processes.

Adam: (09:05)
You mentioned that there are always risks involved with any internal control, knowing that the main risk is what if the internal control fails? Are there some pitfalls that people can look out for as they're looking to maybe update their internal controls or looking to make them more holistic?

Ben: (09:23)
Are there things that people can do to mitigate risk? Of course. One of the things that I suggest is having a quarterly review, and sort of keeping the scorecard from the review to see how many errors were caught, what were the risks? So it's like doing a risk assessment, and in doing the risk assessment and you sit there and you say, okay, did this control work? You know, how many, how many purchase orders do I have to look at? How many sales invoices would I have to look at? Do I look at bank reconciliations to ensure that cash is being recorded accurately and timely? These are some of the things that you want to make sure. So when you write down the risk, you want to be as specific and as broad as possible so that people know what to look for. And if you do a biannual review, that can be a bigger scope, where you bring in some key stakeholders. So for example, quarterly, you would review with the CFO and the controller, here are the things that happen that we caught. And then, you know, mid year and end of year, you would have a review with your management team, where you bring in your operations and your sales managers, and you sit down and say, okay, here's what we found over the quarter, and then what you hope is that by the time you get to the end of the year, a lot of those risks have been eliminated. So that this way you become comfortable with the process. Now, if you're an established company that has already had internal controls, what you tend to do is you would tend to always want to look again, and see and make sure that things are not changing and that your risks are not there. There might be new risks. So we talked about earlier, AI and automated entries, right? So since AI is constantly thinking, the risk becomes exponentially greater, because what you want to do is you want to control how that AI is thinking and what those parameters become, so there's risk in that. So, because there's an additional risk with that level, that control probably is reviewed a lot more than something else. So I would liken it to cycle count inventories, where there are controls that you look at more frequently, where, because the turns happen a lot in inventory. So those are like AI items. And so we would have a controls and those controls would be things that deal with day to day inventory postings. If they're an AI, you know, thought processes, we would think about looking at those and saying, okay, what do we need to look at in this program? What did we give the program, the ability to think, and do we need to look at those on a monthly basis? So those would be reviewed, and that would be where that control would be set. If we think about something that doesn't happen that often, and you know, that would be something like a full physical inventory. So whatever controls you would set up in place for full physical inventory, your internal controls would happen to align the same. And as you're looking at that, you're saying, okay, you know, did these controls work? And then what you want to do is you want to sit there and say for inventory, I created a list of procedures to reduce shrinkage, and in those procedures to reduce shrinkage, did they work when I did the physical inventory, because then you're looking at the variance. So if you start ed with a 10% variance, and now you're down to a 5% variance, you know, that something worked in your controls, and if 5% is your standard, then you feel good. You feel comfortable. If you want to get it down a little bit lower, then you say, okay, now we got to look at what some of those challenges were during the course of the period. And during that course of the period, you then would say, okay, here's risk, and you know, risk is sorta like a survey. You have a plus or minus error ratio, and in that you sit there and you make your determination of how deep down the rabbit hole do you go. One of the terms that some people say is the juice worth, the squeeze? And what that means is how close to perfect do I want to get? And is if 5% is close enough, let's see what happens the next time, or do I really have to do deep dives when that 5% and leave some other things on the table? Cause there could be other risk that I'm not going to pay attention to, to get this better.

Adam: (15:23)
You know, shifting gears a little bit because of COVID-19, a lot of companies are moving to work from home. I have been working from home and for the foreseeable future, they will be working from home or some sort of hybrid office home setup. What are the added risks and obstacles that companies face, especially the accounting team faces as everybody's in a different location?

Ben: (15:44)
Well, there's pros and cons to it. One of the biggest cons is communication, because you're remote having meetings is now a virtual thing and you probably have more meetings. So it makes doing a couple of things a little bit harder. As I currently work remotely, it's closing the books becomes difficult, because where you were in the office and you had a question, you can immediately go to somebody and ask that question. Now it's an IM, it's a phone call, it's an email, and you're waiting. And so timeliness becomes hard. So now you have something that you had a tighter timeline on that okay, you know, I'm waiting for somebody to respond and it depends on where they are. So it becomes a little bit more challenging. The other thing that becomes challenging is, as I said timeliness is there. So what is my timeframe? So where I could check something in an office full of people quickly, and be able to get my timelines down and have things sent out, and be able to hold meetings quickly. Now you don't have that luxury. And a lot of people are getting pulled in different directions. So your internal controls don't suffer, they become more time sensitive and communication sensitive. One of the other things that I see with COVID is  it does create better focus. So there's a pros and cons to the communication and timeliness. The con is I can't get a quick response. The pro becomes I can focus, because I don't have a lot of people in my face. So it's like that double edged sword where you think about it, and when you're in the office, you get what we call drive-bys where somebody needs something and they just pop in, and you're like in the middle of doing something and you're sitting there like, Oh man, like you just wrecked my concentration. So one of the things I've said to somebody is when somebody interrupts you, it's a least a half hour of disconnecting, which gets you unfocused. So if you take up five minutes of my time, there's another 20 minutes, to 25 minutes that I have to use to get refocused, because I could have been in the middle of something and in a thought process, and now I gotta go find it. And so what do most people do? They get up, they walk around to clear their head because this conversation just distracted them. Right? So, but working from home, you find that you can be a little bit more focused. Now we're going to flip the script a little bit with that. It depends on if you have small kids or not. Small kids could be challenging depending on what your house is like. So the focus could be a little bit different. The focus does become, I know when I need to work and I know what I need to do. So, you know, when you have to do those things you plan your time accordingly. What could also be a challenge when we go back to time is when does something get done? We talked about the family and having, you know, small kids at home. Well, if I have to take care of them for a period of time, then I'm not focused on my work, and so something that might be expected to be done by 10, 11 o'clock in the morning, sort of takes a back seat because you're coming on later, you're showing up later. So those types of things that happen from home need to be in place. As it relates to the internal controls, it's again, not really an impact to it because we already know who's doing what.

Adam: (20:42)
So what are some ways to overcome that time issue? Because as you mentioned, time takes a different route. Like if you have small kids, you need to take care of them, you need to feed them, you need to do different things or whatever your home situation is. How do you try to overcome that timeliness? Do the internal controls change as far as like when the things need to get done or is it like, Hey, it doesn't have to be done by 5:000 PM, you can finish it by 11:00 PM after the kids are in bed, you know, how do you overcome that challenge?

Ben: (21:10)
While communication is a bad thing, but communication becomes a good thing, right? So the way that I would proceed is during close process, that's when you would probably have a daily meeting, to talk about what needs to happen for the day. And it's basically like a check in, and if something needs to get done by after five o'clock, you've made the team aware and everybody sort of understands that impact. So if you're constant communication with your team, and you have a check-in daily check-in during the close, those types of things are mitigated. And those aren't really part of internal controls, but those become things that we put into place to ensure accuracy of reporting. So if I have a deadline and I understand the deadline, so in a company that I worked for, the deadline was three days. If it was in this situation where the deadlines in three days, when we had our close meeting, I would say, okay, we're going to have a daily check in to see where everybody is and know that our deadline is still three days. So who has to work later and who has to work earlier to make those changes and live up to the commitment we have to hold people accountable, and so in the control, we need to accurately state the finances. If there's something that comes up, we then have to know who who's the backup to the person who can't do it. So it's putting things into place before COVID that are still going to  be there. So if you had backups before, you're going to have backups  now , and once you have a documented procedure, it's easier for somebody to take on that, that role and at least follow the procedure, right? A lot of what you also do is you do cross training. So this way, you know, if something goes south, you have a documented procedure and somebody else can pick up the slack for that. Because if you think about it, anything could happen to somebody. So you need to have those controls in place to say the, what if scenario, somebody got sick? What if somebody went on vacation and there was a problem, you know? who could troubleshoot and who could do these things? So that's why key to 90% of everything is going to be document, document, document.

Closing: (24:13)
This has been Count Me In, IMA's podcast, providing you with the latest perspectives of thought leaders from the accounting and finance profession. If you like what you heard, and you'd like to be counted in for more relevant accounting and finance education, visit IMA's website at www.imanet.org.

Creators and Guests

Adam Larson
Producer
Adam Larson
Producer and co-host of the Count Me In podcast
©Copyright 2019-2024 Institute of Management Accountants. All rights reserved.