Shift from pre to post

There are no subsidiary control patterns to this one in this book.

54 Shift from pre to post

Example: Organizations that empower their people to make more decisions for themselves often remove requirements for authorization of actions before they take place but can compensate to some extent by reviewing actions afterwards, effectively authorizing them post hoc.

SHIFT FROM PRE TO POST-authorization is relevant to any situation where authorizations are required, even when completely eliminating pre-event authorization is not possible.

™™™

Sometimes authorization is just as effective, and much more convenient, after the event.

A very traditional internal control in organizations is for actions (e.g. purchases, bids, sales contracts) to be authorized by someone before another person carries them out. This is a control mechanism that is often needed and can be very useful.

However, it does have some drawbacks and there are re nements that should always be considered when authorization is being designed.

The drawbacks relate to speed and rigour. Many years ago when I was a trainee auditor I performed an audit at a glass factory in the north of England which had the least ef cient internal controls I have ever seen. Two of its worst designed controls illustrate, in extreme, the problems of pre-authorizations.

Delays are illustrated by the case of credit notes. From time to time customers would dispute an invoice and usually refused to pay until correction was made.

The glass factory had a clear procedure for issuing credit notes to correct bills and this required signatures from some senior people in the company in a speci c order, sometimes more than once. Unfortunately, these people worked at different premises in the same city. A draft credit note would collect a signature, be driven to another of ce, collect another signature, go back to the  rst of ce for a third signature and so on. I estimated that credit notes travelled more than 300 miles before they could be sent to a customer.

In addition, because senior people were involved, they often took some days each to get round to giving their signatures. All this time the much larger bill the customer should have paid was unpaid. Very often the credit note amounts were tiny, though the procedure applied to all credit notes regardless of value.

Clearly this was a stupid procedure but even in less extreme cases pre-authorization tends to introduce delays and when speed is important even small delays may be crucial.

The second example illustrates the potential problem of incompleteness. The glass factory had an elaborate purchasing procedure with many forms and stages that involved the usual, ultra-cautious pre-authorization signatures.

In fact the procedure was so slow that people began to bypass it. They made a purchase and then, usually, put the paperwork through the system to obtain permission to do something that in fact they had already done. Nobody reviewed purchases that came through to see if there were items that had not been pre-authorized.

To illustrate a third potential problem with pre-authorization here is an example from an entirely different business. The problem is lack of rigour and the example comes from an insurance broking  rm in London. The  nance director of the broker was determined to overcome internal control problems with accounting that had led to long delays in  nalizing the annual accounts in previous years. One of his ideas was to insist that all journal vouchers were presented to him, with supporting documentation, for his authorization before the journal was posted.

It is true that journals are important. They include adjustments and corrections, occasionally of high value, as well as many routine inputs of data to the accounting system.

The problem was that scores of journals were created every day and he did not have time to study each one rigorously without causing delays.

This control idea, like others he had introduced, did not solve their accounting problems and the board of directors, fed up with his slowness, sacked him.

So, although pre-authorization has the advantage of preventing some badly chosen actions from being taken it usually introduces delays and on its own is not a complete or rigorous control mechanism.

One way to address these weaknesses is to shift the emphasis from pre-authorization to post-hoc pre-authorization.

In the general case there is a stream of decisions to be taken each of which has some kind of value or size. There is a person who can take those decisions provided the value is not above their personal authorization limit. If it is, then the decision has to be passed on to someone else more senior within the hierarchy of the organization, or at least independent of the  rst person. That second person either takes the decision or con rms the decision made by the  rst person.

Shifting the emphasis towards post-hoc control involves:

raising the authorization limit of the  rst person so that they are empowered to

•

make decisions alone more often;

providing them with the option of raising a decision to a higher level even if

•

it is within their maximum authorization limit (e.g. because the decision is a dif cult one or might link to other decisions);

adding a rigorous post-hoc review that examines every decision once it has

•

been taken and acted on; and

making it clear that the post-hoc review is important and mistaken or dishonest

•

decisions will be taken very seriously.

In this approach the  rst person cannot simply  ll in forms and mindlessly pass them on for someone else to worry about. The person has to use his or her own intelligence and learn the job properly.

For the deterrent effect to be fully effective it is important that computer systems and/or paper records reliably record who did what.

In summary, this shift of focus reduces costs and delays, and helps people learn to make decisions competently themselves. Therefore:

Look for ways to shift the emphasis from authorizations before events take place to authorizations afterwards.

™™™

The authorizations might be easier with COMPUTER SUPPORTED AUTHORIZATIONS, perhaps using DISCREPANCY SEARCHING and/or ANOMALY SEARCHING to highlight potential problems.