For the organizations seeking to improve the management of enterprise spend risk, a best practice for connecting the three lines of defense has emerged – an integrated risk strategy.
Traditionally, the three lines of defense tasked with risk mitigation – finance operations, compliance and internal audit – operated in siloes, with little connection or interaction. And, in most organizations, the assessment of spend risk is initiated when expense reports and invoices are submitted for payment. A processor reviews this information and almost always approves unless a clerical error is identified.
The Three Lines of Defense – Historically
The first line of defense often focuses on administrative reviews: Is this report accurate? Are receipts attached? Are expenses coded correctly, as lodging and meal expenses? It's low-level findings, and low-level risk identified and triaged today.
Compliance teams typically conduct ad hoc fact-finding missions six to 12 months later, reviewing a small sample of all reports in search of fraud, waste and misuse. Their time is primarily spent looking for infractions, not remediating issues.
Internal audit teams – the third line of defense – should take the most severe findings from compliance and utilize them to eliminate bad actors. But, the reality is that internal audit usually discovers the bad actors in an organization through channels other than expense processing or compliance audits. More often, internal audit teams investigate and find fraud, waste and misuse only after the red flags are raised elsewhere in an organization.
An integrated risk strategy changes that. It creates a more offensive-minded approach. A more tangible process to mitigate risk.
Single View of Risk. 100% Transaction Insights.
With Oversight, each team shares a single view of risk across the organization. The spend management platform monitors 100% of transactions in the business and across departments, utilizing AI-powered tools to identify abnormal payments, errors in reporting, coding, fraud, misuse and waste, all automatically.
Spend violations are flagged, scored and evaluated by processors, who direct flagged findings above a certain risk threshold to compliance and internal audit teams so that all risk is managed and mitigated in real-time, not months later.
The Elevated Three Lines of Defense
The three risk defense teams then develop methodologies that divide the findings among the appropriate groups. It's a fundamental change to how risk is found, managed and triaged.
With a unified view in place, all three lines of defense share the same levels of forensic analysis capabilities:
- Operations teams triage findings easily, ultimately spending less time on policy compliance and more time affecting spend optimization.
- Compliance teams take action more quickly on egregious violations and continue conducting samples to ensure the process is working effectively.
- Internal audit teams take on major fraud and oversee the process with a holistic view.
By integrating the three lines of defense, risk management in the organization becomes an AI-powered real-time effort. This effort results in fewer departmental siloes, a more significant cultural shift towards compliance, reduced lag in the identification of fraud, misuse and waste, and more team-based, high-value compliance work.
