I was talking to a finance manager in a non-telco industry the other day and the conversation turned to my life at Telstra in revenue assurance. He seemed very interested in the subject matter and, for someone new to this discipline, he asked very insightful questions about how things could go wrong and what could be put in place to prevent revenue leakage.
Finally, he asked me where the name “revenue assurance” came from in the first place because, he argued, the work I’d just described to him was rarely focussed on revenue. Nothing, he said, is revenue until it is in the financial systems, and yet much of the work I described focussed upstream around OSS and BSS – far away from the financials. This, he argued, is perhaps billing or charging related but not revenue. Next he asked me if I had provided “Assurance” in any of the work I had done. He spoke about what “assurance” means to him, which is a definition that I am more accustomed to now with my current organisation. For finance managers, “assurance” has a more specific meaning associated with the accounting and audit profession and provision of an independent opinion. RA’s more hands-on role and the methodologies I’d described didn’t align to his experience of what constituted assurance and working with auditors.
Why this post? Much is discussed within telcos about taking RA to other industries. However, before we do, let’s consider carefully the language we use, as the terms “revenue” and “assurance” when put together already have a clear definition to many people, and it will probably be quite different to what we understand it to mean.
When the Finance Manager said that ‘assurance’ refers to the accounting and audit profession, this is because he experienced similar checking activities from his internal audit department or external auditor. When auditors come in to do their job, they provide reasonable assurance which is based on the evidence and analysis that they had during their fieldwork. Besides evaluating control effectiveness, the internal auditor highlights risks that could possibly impact the company.
I think what RA can do differently from the job scope of the auditor above is operations. We know that RA is a proactive function. It detects and highlights leakages immediately, which auditors are not doing proactively. RA becomes a continuous independent monitoring function for the company.
From a management perspective, is this function critical? Well, it really depends on management’s understanding of their internal control. If management are not so sure or not confident, then RA would be the best choice to deploy.
My suggestion is, if RA wanted to ‘export’ RA to other industries, try to use the COSO Internal Control framework to do the assessment of the targeted industry. Then, we would be very clear about what we want to do when exporting the idea of RA to them.
Mike and Fairuz,
It’s a highly interesting discussion. This is why I really like the suggestion of Fairuz to look to a broader, industry wide definition of RA.
I found an excellent PDF at the top of my Google search of the COSO Internal Control framework.
Thank you for these insights.
I’m not convinced that citing COSO is entirely helpful. Here’s why.
Why is there a COSO, with its internal controls framework? Let’s apply the 5 Whys technique… Why number 1 = better internal controls. Unfortunately, too many people stop there, as if that’s an answer in itself. But if you stop to wonder why you want better internal controls, it stops being so obvious that you really want them. Better internal controls over paperclip usage? Better internal controls over not being burned to death due to a preventable fire? Better internal controls so our companies don’t hire idiots? Better internal controls over how I do my job? Better internal controls over how you do your job? Better internal controls over how Internal Audit do their job? Better internal controls over how the CEO does his job? Better internal controls over how well the COSO framework was interpreted and implemented in practice? In summary, what exactly needs to be controlled better, and why does it need to be better controlled? The 5 Whys can quickly lead us in all sorts of directions, if we give ourselves free rein, working backwards from COSO to the assumption of an underlying purpose. Combine that with the COSO grid and you end up with an enormous number of permutations of why and how you need ‘better internal controls’.
But historically, the 5th why used to be very clear, very straightforward and very well-defined. COSO was formed because there was a specific problem that needed addressing: the implementation of internal controls designed to prevent fraudulent financial reporting. Not controls to do this-and-that or such-and-such or whatever-we-fancy. Controls to prevent fraudulent financial reporting. Full stop. Period. That’s difficult enough, so let’s stop there. They had good reason to implement better controls. It was to stop bribery. And companies going bust and leaving shareholders and employees ripped off. And political corruption. In other words, it was controls to stop really really bad and illegal stuff. The kind of bad stuff that hurts the basic functioning of a free capitalist market. So not control over paperclip usage, then.
But the private companies who run COSO didn’t stop there. Not entirely surprisingly, they’ve kept adding and adding to what COSO is meant to do. Perhaps that’s because they sell consulting. I might think that, though not everyone says that. Perhaps they’re just nice cuddly people who love us all, and they express that love by wanting better internal controls. Over everything. More importantly, I’d argue that by allowing the scope to balloon outwards, COSO has lost its focus and no longer satisfies its core goals. For example, you may have noticed that quite a few businesses have suffered from fraudulent financial reporting, in the period since COSO was first set up, and COSO adoption hasn’t seemingly turned the tide on that specific problem. In fact, COSO was so useless, that some American politicians had to pass laws which said ‘we should do something about this fraudulent financial reporting!’. Unfortunately, they didn’t know what to do, so the law ended up being interpreted as the ‘comply with COSO law’. And we’ve had quite a few problems with fraudulent financial reporting since, so the lawmakers just shrugged their shoulders and went away, after that. (Or they might as well have, for all the good they do.)
So, I’m not keen on the idea that COSO is a leading example of how to define a financial assurance goal, and then work out how to pursue that goal. Rather the opposite, I’d say.
The proposal to use COSO is because COSO provides broad guidance for us to assess the internal control of the company to which we want to export ‘RA’.
Yes, COSO became popular especially after the Enron scandal, where fraudulent financial reporting was the main reason behind it. However, I wasn’t aware that COSO has lost its focus recently.
My initial idea is because COSO provides the view from strategic, operations, reporting and compliance. The whole objective here is how we approach the non-telco company when we want to export RA. We know that the value chain of telco is different from others. For example, in the airline industry, postal services or construction, how do we implement RA where there is no CDR generated?
My view is to understand the company and identify the high-risk area by identifying the control effectiveness that supports the business objectives.
@ Fairuz, the history of COSO extends well before Enron and the scandals in the 00’s. COSO dates back to the mid 1980’s, and its mission was to address fraudulent financial reporting back then. By the time of Enron etc, it had already lost focus.
Whilst I agree with the rest of what you say, I find the COSO internal controls framework is a burdensome and bureaucratic approach that mostly distracts people from what you’re talking about – supporting the business’ objectives.
Also, I wonder if there’s some confusion, as you mention risk, whilst we were talking about the internal control framework. The COSO Enterprise Risk Management framework is different to the COSO internal control framework. The internal control framework doesn’t helpfully support any and all types of company objective – it evidences a clear bias towards financial reporting, which reflects its historical origin. To my mind, the development of the subsequent and separate ERM framework was meant to address this issue of the generalizability of COSO’s work to that point, but the result is even further confusion about how following COSO’s models might support the objectives of a business.