9
December 1992 Computer Audit Update Quality of the system documentation reviewed. -- Overall security level of the system. Recommendations (these will, of course, vary from system to system) and suggested im- provements / alterations. Appendices. - - Structured test results. -- Attack testing results. -- Problem classification. -- Problem descriptions. The final report is the formal output of the test process. However, it is essential that the documents produced during the test process are up to date and complete at the end of the testing. This allows errors to be recreated and verified, if required. When security testing has been completed and the final report delivered, follow up action will be required to correct the problems identified during testing. A later article in this series entitled 'The Follow Up Process' details the objectives, process and common issues associated with a follow up programme and gives hints and examples of how an effective follow up may be achieved. Bernard Robertson is a principal consultant in the Security Consulting Practice of PA Consulting Group. He has extensive experience in performing a range of security testing programmes for public and financial sector clients. Bernard is a regular speaker on IT security issues and holds degrees in Economics and Business Administration. David Pullen is a senior consultant within the same Security Consulting Practice. Over the last five years he has conducted several security testing projects, including one lasting two years with a team of 15 security testing. David is a physics graduate and has produced security testing educational material. PRACTICE MANAGEMENT SYSTEMS & PRACTICE PRODUCTIVITY John Oates This article considers the use of IT for practice productivity and management in small and medium-sized firms. Why should it be done? The answer to this question is -- inevitability. Although this may seem to be a rather strange reason, it is necessary to consider the following: There are 87 million micros in the world (well that was last month!), consider the inevita- bility of it. Many clients will be starting to expect it. Competitors are doing it more and more. It will become much harder to manually pro- cess increasing volumes of data cost-effec- tively. It is necessary for the firm concerned to identify why the route is going to be tollowed (or rather for the majority of firms, to justify going further down the route). The benefits should become apparent as the elements of this article are further discussed. In order for the process to work, and work well, it is essential that the company identifies a 'champion', an individual who is going to drive the project forward, in the face of the obstacles that will inevitably arise. This 'champion' needs to be highly placed within the practice, not necessarily at partner level, but there needs to be a partner committed to it. If the correct people are put in place at the initial stages, this should go a long way towards ensuring the success of the project. Any project like this needs to be driven. If the firm does not support it then it should not be embarked upon. In other words, do it right, or don't do it at all! @1992 Elsevier Science Publishers Ltd 7

Practice management systems & practice productivity

Embed Size (px)

Citation preview

Page 1: Practice management systems & practice productivity

December 1992 Computer Audit Update

Qual i ty of the sys tem documenta t ion reviewed.

- - Overall security level of the system.

Recommendations (these will, of course, vary from system to system) and suggested im- provements / alterations.

• Appendices.

- - Structured test results.

- - Attack testing results.

- - Problem classification.

- - Problem descriptions.

The final report is the formal output of the test process. However, it is essential that the documents produced during the test process are up to date and complete at the end of the testing. This allows errors to be recreated and verified, if required.

When security testing has been completed and the final report delivered, follow up action will be required to correct the problems identified during testing. A later article in this series entitled 'The Follow Up Process' details the objectives, process and common issues associated with a fol low up programme and gives hints and examples of how an effective follow up may be achieved.

Bernard Robertson is a principal consultant in the Security Consult ing Practice of PA Consulting Group. He has extensive experience in per forming a range of secur i ty testing programmes for public and financial sector clients. Bernard is a regular speaker on IT security issues and holds degrees in Economics and Business Administration. David Pullen is a senior consultant within the same Security Consulting Practice. Over the last five years he has conducted several security testing projects, including one lasting two years with a team of 15 security testing. David is a physics graduate and has produced security testing educat ional material.

PRACTICE MANAGEMENT SYSTEMS & PRACTICE PRODUCTIVITY

John Oates

This article considers the use of IT for practice productivity and management in small and medium-sized firms. Why should it be done? The answer to this question is - - inevitability. Although this may seem to be a rather strange reason, it is necessary to consider the following:

There are 87 million micros in the world (well that was last month!), consider the inevita- bility of it.

• Many clients will be starting to expect it.

• Competitors are doing it more and more.

It will become much harder to manually pro- cess increasing volumes of data cost-effec- tively.

It is necessary for the firm concerned to identify why the route is going to be tollowed (or rather for the majority of firms, to justify going further down the route). The benefits should become apparent as the elements of this article are further discussed.

In order for the process to work, and work well, it is essential that the company identifies a 'champion', an individual who is going to drive the project forward, in the face of the obstacles that will inevitably arise. This 'champion' needs to be highly placed within the practice, not necessarily at partner level, but there needs to be a partner committed to it. If the correct people are put in place at the initial stages, this should go a long way towards ensuring the success of the project. Any project like this needs to be driven. If the firm does not support it then it should not be embarked upon. In other words, do it right, or don't do it at all!

@1992 Elsevier Science Publishers Ltd 7

Page 2: Practice management systems & practice productivity

Computer Audit Update December 1992

S Y S T E M S P R O D U C T I O N

Accounts production

Process

This is the ability to produce completed accounts, both those required for statutory purposes, and extra information required for management purposes.

For statutory purposes, this could include company accounts, possibly modified accounts if appropriate, including where appropriate all the notes required to the accounts proper ly referenced, the Directors' Report and Audit Report, and similar certificates as required for Sole Traders and Partnerships.

For management purposes this could include the detailed Profit & Loss Account, and also quite regularly monthly or quarterly management accounting figures, including variance analysis, and links to an ability to graph trends, etc.

Information can be input from the client's summary records - - if they are in a sufficiently acceptable state - - from summaries produced of those records, or alternatively by personally inputting all the detail. It may also be possible to link the data direct from the client's accounting package, where computerized, direct to the accounts preparation package, though this should only be attempted by the brave or foolhardy!

Advantages

• Cuts out secretary time and calling over time.

• Can be used produce lead schedules.

Amendments (final journals) can be very quickly effected, and revised accounts produced.

• Can also calculate many of the standard ac- counting ratios for analysis.

Encourages standardization within the prac- tice, making it easier for other staff to step in as necessary.

• Encourages quality standards.

• Notable efficiencies from the second year onwards.

Disadvantages

Setting up time of the package, though for all except the bigger firms the standard layouts that come with the package will likely be acceptable.

Loss of sight of double entry. It is particularly important that those operating these systems also understand well the manual systems that they are replacing. This means that when the output looks a bit strange, the operator is likely to pick this up; in other words knowledge of the process is required for effective review.

• New trainees should not be put on such sys- tems without basic double-entry knowledge.

There is a danger of loss of audit trail on the audit/account file if this is not managed properly. Schedules should still be printed out and filed.

Jobs going through for the first time are no faster than preparing the accounts manually, and may actually be slower as staff familiarize themselves with the approach.

• Transfer of client data can be time-consuming and complex for the inexperienced.

Example packages

Auditman II (CSM), Finax Gold, Ibis, Iris, Solution 6, Tudor.

8 @1992 Elsevier Science Publishers Ltd

Page 3: Practice management systems & practice productivity

December 1992 Computer Audit Update

Tax computations, schedules, letters

Process

Primarily for personal tax in the smaller practices; Corporation Tax packages are also available. Beware! There is a danger for practitioners to assume that the system will carry out all the necessary procedures, and for it to be implemented, and yet for the reporting aspects and the control of the processes to be neglected. There are two sides to this process:

1. Tax computations & returns

All client standing data is loaded into the system, such as name, address, dependents, allowances, earning types and due dates, and the system then produces the rest as required, e.g.:

• Facsimile tax returns.

Letters, such as requests for information, and schedules of figures from previous years for update.

2. Management of tax portfofio

The associated diary system must be implemented, and should not be treated as optional. The diary system:

Prompts in advance of dates becoming due, so that elections, deadlines, etc. are not inad- vertently missed.

It allows for a management overview. It is a very good way of ensuring that the tax case load is up to date.

Advantages

70% of the documentation can be generated automatically (if the system is set up cor- rectly).

• Easier management overview.

• Easier and more controlled compliance.

• Professional and consistent output.

• Much less likely to miss election deadlines.

Throughput increased for more complex cases. However, the simpler case will still be quicker manually, but if the system is not also used for these it makes the management aspects more difficult.

Disadvantages

• It can take longer for smaller computations.

Needs to be multi-user if more than one fee earner involved (there is a danger that if the system is a single-user, then those staff who have to wait to use the system will revert to manual, even when cases have been pre- viously loaded on).

Example packages

Pertax, Taxpoint, Taxman II(CSM)

Insolvency letters, reports & standard forms

Process

The loading on of standard data in respect of liquidations, receiverships, and other variations of this type of work. Includes loading on lists of creditors, and inputting all accounting data as it arises. Beware! As with tax systems, there is a danger for practitioners to assume that the system will carry out all the necessary procedures, and for it to be implemented, and yet for the reporting aspects and the control of the processes to be neglected. There are two sides to this process:

1. Input of data, and production of letters, reports, etc.

All case standing data is loaded into the system, such as name, address, insolvency

©1992 Elsevier Science Publishers Ltd 9

Page 4: Practice management systems & practice productivity

Computer Audit Update December 1992

practitioner, dates, creditors, debtors (possibly), and the system then produces the rest as required to, e.g.:

• Facsimile receipts and payments accounts.

• Letters (letters to creditors, (ex-)employees, requests for information).

• Other standard returns in facsimile form.

2. Management of your case workload

The associated Diary System (as with tax systems) must be implemented, and should not be treated as optional.

Advantages

• 90% of the documentation can be generated automatically (if the system is set up cor- rectly).

• Easier management overview.

• Easier and more controlled output.

• Much less likely to inadvertently miss dead- lines.

• Throughput vastly increased.

Disadvantages

Can take longer to implement effectively (es- pecially as insolvency practitioners are al- ways by nature very busy, even when they are not!).

• Needs to be multi-user if more than one fee earner involved.

Example packages

IPS from Turnkey Solutions, Solution 6.

Management accounting, business planning and analysis

Process

This can range from producing accounts for clients on a monthly / quarterly basis, and providing commentaries on these, through to illustrating these graphically possibly through the use of spreadsheet software, to the provision of other 'bureau' types of services such as payroll, and purchases, sales and nominal ledgers.

Spreadsheets and similar software may also be used to produce cash flows and financial forecasts for clients, and are part icularly appropriate for 'what if?' scenarios for client business planning.

Bureau management accounting

Advantages:

• Maintain very close contact and involvement with clients and their businesses.

• Steady flow of work, easy to plan for.

• Tends to generate other 'special' assign- ments.

Disadvantages:

• Needs planning well since working to tight deadlines.

• Work can bunch at particular times of the month.

Other bureau services

Advantages: as above.

Disadvantages

Apart from 'confidential' payroll services, for all but the smallest clients they would probably be better advised to run their own systems due to the

10 ©1992 Elsevier Science Publishers Ltd

Page 5: Practice management systems & practice productivity

December 1992 Computer Audit Update

low set up costs involved these days, with, where appropriate, the practice taking the monthly or quarterly figures, and providing a financial commentary.

Cash flows, financial forecasts, 'what if?' analysis, etc.

Advantages:

Once basic models set up, very quick and easy to amend for each new circumstance arising.

Output can be made to look very professional using some of the presentation facilities now available within spreadsheets and with laser printers.

Disadvantages:

Spreadsheets can be very personal to the user and are often poorly documented, mak- ing it difficult for others to use correctly.

Without care, formulae may be overridden giving incorrect results. Careful review re- quired.

Example packages

Accounts and payroll: most of the readily available accounting packages can be used, though links into accounts preparation software can be helpful. For example Finax has its own accounts modules, as does Auditman II, and Auditman can also receive input from Pegasus and other packages outputting files in Pegasus format such as the Bonus payroll package from Intex. For those clients where there are no sales or purchase ledger requirements, it will likely be simpler to use the accounts production package so long as management accounting layouts (variances, ratios, etc.) are available.

Spreadsheets : there are very many spreadsheet packages available, both as such, and also within the integrated packages such as Framework and Symphony. The more well

known ones tend to cost more, and users buy them in the knowledge that there are a large number of other users of the software and that training is readily available. There are less well known packages that in many respects are just as good as the others, and which are often much cheaper, but do not come with the advantages of a wide user base noted above.

Audit control & automation

Process

This is an area where many of the larger firms have invested much time and effort, quite logically since it is in auditing their types of client that the greater efficiencies are likely to be made. There are a variety of concepts involved here: audit planning, production of lead schedules, computation of important ratios from the balance sheet and profit & loss account, audit programme production and other working papers.

This heading also covers statistical and other forms of sampling, and other methods of item selection for audit testing. This includes audit interrogation packages, often running on the client's system to select output, or else running on that system to extract base data which is then processed fur ther on the audi tor 's own equipment.

This is a very complex technical area, and very much a subject in its own right. Indeed, many courses and seminars are run covering these subjects. For the smaller and medium-sized practitioners, the costs involved in setting up these procedures effectively, not just in financial costs, but also in the time involvement of professionals, the expense of their training and the continuing maintenance and update of the procedures, licence fees, etc., usually meansthat it is just not cost-effective to approach their auditing this way. This can be further justified given the other approaches available, and that these will be working perfectly effectively on the vast majority of their client base.

For many small and medium sized firms, the production of lead schedules, and trial balance ratio and variance analysis can be carried out

©1992 Elsevier Science Publishers Ltd 11

Page 6: Practice management systems & practice productivity

Computer Audit Update December 1992

using accounts preparation software. Although less sophisticated, there are great advantages in commonal i ty of training, and little further investment required, apart from setting up the required layouts, though these will usually be available from the package supplier.

Advantages

• Improved efficiency.

• Better and consistent audit control.

• Improved analysis.

• Efficient and easy tailoring of audit pro- grammes.

Disadvantages

• Danger of over-complicating.

• Staff have to be trained specifically and con- sistently.

• May only apply effectively to a small propor- tion of the client base.

• Software little used to date apart from by the 'big' firms

Example packages

FAST, Audit 2000 (on pre-release).

SYSTEMS CONTROL

Time recording & practice management

Process

These systems may be run as separate packages, i.e. time recording, sales ledger, purchase ledger, nominal ledger, or as an integrated practice management system. These latter systems have been in the process of development for quite a number of years now,

becoming viable as the power of smaller computers has dramatically increased, and prices have plummeted.

In terms of running our own businesses, since we spend most of our time advising others how to run their businesses better, there is little doubt that we know how to run ours better. The biggest difficulty that most of us have is that we become distracted with fee-earning client work, and just do not get around to running our practices properly! For the bigger practices, therefore, it may well be worth employing a practice manager to run the operation on a day-to-day basis, who will not suffer from conflicts of priorities through client commitments. For those who believe this is not an option, freeing up partner or other senior staff time may be an option, though whether this actually works in practice will be very much up to the person concerned. It may also be that the skills of that senior person might be better employed in a fee earning capacity. There are a number of areas that need to be considered:

Debtors

• Debtor days.

• Split by partner~department~office.

• Aged analysis of debts.

• 'Notional' interest charges by department, etc.

Work-in-progress (WIP)

• WlP days.

• Split as for debtors.

• Aged analysis of WIP based upon when time went into WlP.

• 'Notional'interest charges.

12 ©1992 Elsevier Science Publishers Ltd

Page 7: Practice management systems & practice productivity

December 1992 Computer Audit Update

Departmental efficiency

Providing an analysis by department, allows those taking an overview of the business to take an informed view of the contributions being made by the separate parts of the practice to the overall continuing profitability of that practice.

It is important, however, that this overall view is taken. There will be many cases where an operation appears on this basis to be providing either more or less to the overall practice than it actually is. It may be that a section appears very profitable, but that another section is in effect feeding it work and standing the related non-chargeable time. This, of course, works the other way round for the section feeding the work through. Thus, it is the overview that is important, and the detail is a useful way at arriving at that overview. Partner/manager effectiveness can also be considered.

Fee eamer utilization statistics

Normally deriving directly from the time recording input, and analysed between: chargeable; non-chargeable - - non controllable (e.g. holidays, sickness) and controllable (e.g. training, no work available, research).

The non-chargeab le e lement needs controlling carefully. At the same time fee recoveries need to be watched to ensure that non-chargeable time is not just being put down as chargeable, and having a detrimental effect on recovery rates.

Financial accounting and control

Leading on from the above and based on agreed budgets, monitoring billings and related recovery rates and overheads relative to budget. We all know about the importance of timely production of management information at least on a monthly basis, monitoring of the cash position, drawings and so onl Discussing this is not the purpose of this article, rather identifying that the software in use or being selected should have the facilities to produce all of this information with relative ease, and that an internal personnel organization is set up in such a way that this information is provided when required.

Assignment planning & monitoring

There are a few systems around to assist with this. Many of those in use are based on project planning software. It is also quite common to, in effect, replicate the wall-chart through the spreadsheet or word-processing software in use anyway. Some practice management systems also have a facility for assignment planning.

The benefits are plain to see, basically flexibility. The main disadvantage is the lack of visibility, since the most up-to-date version resides within the computer system. However, such systems are normally closely controlled by a single individual through whom ready access can be obtained.

Personnel~staff~exam data

The payroll package in use may well have an associated personnel system, which can be used for the above. Some of the newly-developed practice management systems also have the facility to hold this information, with suitable security protection, in association with staff details held for time recording purposes.

SYSTEMS PROFESSIONALISM

Built-in standards / quality control / training

All of the above are very important aspects for any practice. Even more important is the unders tand ing that implement ing these standards is expensive, and it is very important therefore that it is done in such a way that a good and fast return is obtained on what may be a substantial investment.

In particular, it is easy to cut out the costs relating to training. Don't! So long as the training is well structured, the time and expense invested will repay itself very quickly. There may also be a temptation to cut costs by sending one person on a training course, and then getting that person to train the others. This however, rarely works, but rather delays the effective implementation of the project. The firm's 'champion' will need to be particularly firm on this.

@1992 Elsevier Science Publishers Ltd 13

Page 8: Practice management systems & practice productivity

Computer Audit Update December 1992

Presentation of output / general image

You may take the view that your clients will not be particularly interested in the method of presentation, but that it is the content that counts. A market ing profess ional would tell you differently! Also consider who else sees the reports and other documents that are produced for the outside world. Bank managers, solicitors, and others who refer work to you? And of course probably your best source of referred work is your own client base. So long as they do not perceive they are being charged in excess of reasonable amounts, they too should be impressed.

Most modern w o r d - p r o c e s s i n g and spreadsheet software will produce very well presented output through the use of laser printers. Again, proper training, probably update training, will be required for the users of these packages, packages that probably already exist within the practice.

Adherence to deadlines: reference was made to this under the tax and insolvency systems headings. The audit planning systems assist to a lesser extent in this respect, and also, having an internal financial system running smoothly is just as important in deadline terms.

SYSTEMS COMMUNICATION

Internal

Management information - - timely, accurate, available, personal productivity

Much has been discussed under the above heading already. The information needs to be available to all those requiring it, preferably with no disruption to others. This is one of the areas where networks and multi-user microcomputers really come into their own.

For instance, in many of our offices now, most staff have their own screen which is on the network. When raising fee notes, they can gain immediate access in 'read-only mode' to: the outstanding WlP, fee notes already made, outstanding fee notes, staff productivity, and so on. This ready availability of the information

speeds up the m a n a g e m e n t p rocess considerably, and also in our experience means that it is now more likely to be carried out.

Electronic mail / networking

Electronic mail, in simple terms, is the ability to send memos, notes, etc. directly between users instantly, and for the senders to be able to see that they have been read. This does not sound very exciting. However, for staff who are regularly in the office, we find that this is an extremely efficient means of fast, effective communications. Having started from a position of scepticism, we decided to trial the concept in our Glasgow and Manchester offices, and are now in the process of expanding this as equipment permits, and including inter-location communication.

There was initially a concern over lack of audit trail. This seems to have evaporated, since users, senders or recipients, can print out the information at any stage. There was also a concern over lack of security, but this now appears to be no more of a risk than crossed lines, or inter-location mail going missing.

Firmwide consistent data structures

Clearly compatibility of software throughout the firm provides benefits not only through being able to utilize single sets of training resource and standards, but also for the useful interchange of data where appropriate. This can include internal accounting information, and information about the client base and other contacts. Actually getting it implemented comes back again to the need for the 'champion' to make it happen.

External

Selective client mailing

Selective marketing of services is one of the most effective means of promotion for practices. In our case, in most offices we use a separate system based upon the word-process ing package used, though plans are in place to move towards integrating this with the practice management system. This should allow us to

14 @1992 Elsevier Science Publishers Ltd

Page 9: Practice management systems & practice productivity

December 1992 Computer Audit Update

refine the process, and improve the results with the same amount of effort.

External databases

There are quite a number of external databases available for interrogation from a company's PC-based systems, most of which are charged for on a usage basis. Types of service provided include:

• Company searches, in varying levels of detail.

• Searches on individuals, businesses and companies for credit worthiness.

• Grants advice (also available locally on PCs).

Information databases, e.g. BT Prestel ser- vice for travel reservations and other informa- tion on sectional interests.

• Home banking (not strictly a database as such, or necessarily restricted to the home).

Conclusion

• If you are going to do it (do you have any option?), then do it right!

• Identify the 'champion', and the support that person will receive.

• Set priorities, probably starting with the areas of greatest initial impact.

• Identify the support infrastructure.

• Pick up priorities a bit at a time.

• Do not be too proud to ask for help.

For smaller practices, consider the option of grant-aided consultancy assistance, possibly under the DTI's Enterprise Initiative in the UK, which can cover between one-half and two-thirds of the consultancy costs.

If you have not really taken computing seriously up until now, then you had better start! In the efficient accountancy practice of the future virtually every employee of the practice will have regular and routine access to a computer-based system. Start planning now!

NEWS

Dutch police report increase in computer crime

The Dutch police's computer crime squad based in the Hague, has reported a doubling in the number of cases it has to handle. The squad has recorded 67 cases in the first nine months of 1992, compared with 33 in the same period of 1991. Frans van Gulik, officer in command of the Hague squad, commented that open systems and networking were increasing the opportunities open to criminals. Additionally, the increase in 'telecommuting' (working from home) looks set to add another major problem to security. In one case, the police were alerted when a manager noted someone logged into his company's computer using his own user identification. Police went to the manager's home to find someone had broken in and used the manager's portable PC to hack into the system. Gulik says that many companies are unaware of the dangers. "Ever more people are working from home on their laptop or palmtop. There the physical security is much less than in an office. What is more, control is lost."

In another instance, a gang hacked into a customs computer and accessed the files giving details of the customs 'profiling' programs. The profiles are used to automatically assess whether a customs declaration is likely to be fraudulent or not. The profile looks for factors which point to fraud. The gang was then able to make fraudulent declarations by avoiding details likely to be picked out by the profiling programs.

Paul Gannon

©1992 Elsevier Science Publishers Ltd 15