New Survey — Bridging the Gap Between Finance and Procurement

My colleague Bernie Donachie wrote earlier this week about high-performance procurement, focusing on some top performer characteristics that emerged from our procurement survey prior to its release. The full report is now out, and, top performers notwithstanding, it shows that there are divergent perspectives across stakeholders when it comes to the value generated by the procurement function.

The key takeaway from the results of Protiviti’s 2017 Procurement Survey is clear: Procurement functions need to focus on how they drive value and how they quantify and communicate their performance. In what is arguably the most notable finding in the survey, close to half of finance leaders say 20 percent or less of procurement savings drop to the bottom line. Just one in five finance leaders say their procurement functions effectively manage both direct and indirect costs. Overall, only a small percentage of bottom lines actually realize the savings that procurement functions have achieved. These and other issues identified in the study need to change.


In our report, we share key findings from the survey, examine the perceptual gap between finance and procurement regarding procurement’s objectives and value, identify traits commonly displayed by leading procurement functions, and present some action items for procurement and finance leaders to consider as they seek to get on the same page while increasing the value that the procurement function delivers to the bottom line.

Visit, where you can download a complimentary copy of our report.


High Performance Procurement: Getting More Savings to the Bottom Line, Faster

By Bernie Donachie, Managing Director
Supply Chain




Only a low percentage of chief procurement officers and chief finance officers feel that they have “very effective” sourcing, according to the most recent research we conducted among 400 procurement and finance professionals. Effective sourcing equates to 10 percent or more in savings year over year. Unfortunately, finance executives say only a small fraction of those potential savings ever make it to the bottom line, according to our survey. Operational variables — overspending, changing needs, and buying from unauthorized suppliers — were among the primary causes for suboptimal savings, along with invalid savings assumptions, unrealistic savings projections, and a failure to effectively track realized savings.

Our full survey results will be released later this month, and there are definitely positive and encouraging findings — but they are not the majority. I thought it would be instructive here to examine the responses of self-reported top performers in the three areas below to see what traits they had in common — specifically, how they analyze spending patterns, align with other business functions, and establish an effective savings governance program.

Spend Analysis

Over two-thirds of our top performers consider their spend analysis to be robust and routine. These professionals do not consider analysis as an afterthought; rather, it is baked into their budgets, planning and strategy from the beginning.

Our data suggests that, as companies perform more robust analysis, their ability to minimize financial leakage greatly increases. The categories benefiting most from this trend are duplicate payments, unrealized credits, and paying non-contracted prices.

Notably, over half are using a third-party spend analysis tool, rather than in-house assessments. Clearly, they’ve decided it’s an expenditure that’s worth making, and find, or expect, it to help them drill down into spend data to drive insight, identify savings opportunities, and support budgeting and future planning efforts.

Organizational Design and Relationship

Most of our top respondents have centralized finance and procurement departments. They describe the relationship between procurement and finance as “collaborative decision making.” This relationship is crucial for visibility and understanding of the savings that the procurement team is generating.

Savings Methodology and Tracking

Given the strong relationship between the two functions, it makes sense that almost all of our top respondents feel that their finance and procurement teams are aligned on cost saving initiatives. For this to be the case, initiatives must be clearly conveyed, strategized and executed. Over two-thirds of these respondents felt that the savings from procurement are properly tracked and well understood.

For the most part, the answers of the top performers paint a picture of confidence and solid understanding of the need for strong connection between procurement and finance. For those not yet there, I have the following recommendations:

  • Start with spend analysis. A formal, robust spend analysis is perhaps the most essential building block of procurement success.
  • Consider investing in third-party spend analysis tools.
  • Track and measure savings. Top procurement functions quantify the value they generate, as well as how effectively they document and communicate that value to the rest of the organization.
  • Ensure that negotiated savings make it through to the bottom line. Ultimately, procurement’s objectives should include making the organization more profitable, driving competitive advantage and exerting a positive impact on the bottom line.
  • Understand the value of cross-functional collaboration. Establish a consistent, enterprisewide view of spending and value to help enable sustainable savings.
  • Align with finance. All organizations should assess the extent to which a gap is evident between the two functions and identify ways to close it as quickly as possible.

Our report, complete with full statistics, methodology, and participation by title, will be released later this month. To be notified of the release, click here.

A Sea Change Is Coming – Transitioning to FASB’s New Lease Accounting Standard


By Chris Wright and Charles Soranno,
Managing Directors, Internal Audit and Financial Advisory



On the heels of the Financial Accounting Standards Board’s (FASB) new revenue recognition standard, which becomes effective for calendar-year public companies beginning January 1, 2018, the accounting and internal audit world is gearing up for another significant accounting and financial reporting change beginning one year later (on the first day of the first quarter), January 1, 2019 – the new lease accounting rules.

We presented on this topic last month at The IIA’s 2017 Gaming & Hospitality Conference in Las Vegas. Judging by the attendance at our discussion panel, many gaming and hospitality organizations are acutely concerned about making the transition to the new rule and are turning to their internal audit departments for strategic advice.

In scope for that industry are leases of real estate, hotels and casinos, and of course, the ever-changing casino floor electronic gaming equipment itself – if leased. However, for all industries, the new lease accounting standard represents a sea change in lease accounting for lessees, affecting all companies and organizations – whether public, private or not-for-profit – that lease assets such as real estate; airplanes; ships; and construction, office or manufacturing equipment. For lessors, accounting for leases is substantially the same as in the past.

The new standard will require lessees to recognize a lease liability and a right-of-use asset for all leases, except for short-term leases, as follows:

  • “Lease liability” is the lessee’s obligation to make lease payments arising from a lease, measured on a discounted basis.
  • A “right-of-use asset” is an asset that represents the lessee’s right to use, or control the use of, a specified asset during the lease term.

With regard to income statement recognition for lessees, the FASB retained a dual model, requiring leases to be classified as either operating or finance. Operating leases will result in straight-line expense recognition, while finance leases will result in a front-loaded expense pattern. Classification will be based on “consumption” of the asset, meaning that leases of property (i.e., real estate), which are typically not consumed, will follow straight-line amortization, and leases of non-property (e.g., office equipment), which are typically consumed, will follow an expense pattern similar to current capital leases.

Of note, the International Accounting Standards Board (IASB) retained only a single model – all leases treated as a financing.

While the new standard represents a big change, the bright side is that many companies might be able to comply using their existing processes and systems, provided their current lease inventory is appropriately inventoried, housed and cataloged.

That said, during our panel we stressed that lessees should nonetheless ensure that their policies, personnel, processes and reporting systems will be effective in generating the data and information needed to account for their leases in accordance with the new standard.  A few key points we addressed at the conference:

  • Determine the reliability of your lease inventory: Lessees should determine that all leases across the organization are identified on a timely basis and aggregated to create a complete and accurate lease inventory. Lessees should be able to update that inventory dynamically.
  • Assess systems and data scalability: If leases are managed through spreadsheets and databases at many locations across the organization, companies should consider selecting and implementing a suitable technology solution to simplify the lease data gathering process, store and update the required data, generate the required accounting, and support the required disclosures.
  • Watch out for embedded leases: If companies enter into arrangements that grant the right to use property, plant or equipment, that arrangement may very well contain a lease. Common situations are assets embedded in service arrangements or included in a bundle of goods or services. Don’t forget to account for those in your lease inventory!
  • Revisit your financing obligations: Lessees should review current debt agreements now to ensure the initial recording of new lease liabilities upon standard adoption would not be considered “new debt,” thus triggering unwanted debt covenant violations in areas such as debt/equity and debt coverage ratios, as well as working capital amounts and ratios, whether subject to covenants or not. Have that conversation with your bank now!
  • Understand what is new in the business: All organizations should assess whether technological or other changes are expected to take place in the business that will affect the nature of the lease instruments deployed to obtain access to needed assets to operate casinos, hotels or electronic gaming equipment.
  • Understand the new disclosures: Finance and internal audit executives will want to understand the financial reporting and expanded disclosures under the new standard and how they may require modification to existing systems and processes. The disclosures required of lessees and lessors include, among other things, the nature of the leased assets, management’s significant assumptions and estimates over lease amortization period and method, and a debt maturities summary.

In closing, the FASB’s new leasing standard is finally a reality. Financial management and internal audit teams need to familiarize themselves with the new standard and become educated as to its impact on the reporting of financial position, statement of earnings and cash flow, and all required disclosures.

Getting the transition process started early will enable management to develop an efficient and timely plan, as well as involve internal auditors early and enable them to have a voice at the table and offer strategic guidance to ensure orderly controls transition and project management monitoring. An early start will provide sufficient lead time to enhance processes, upgrade support systems and prepare stakeholders for the coming change.

NIST Seeks Comments on Cybersecurity Framework Draft

By Andrew Retrum, Managing Director, Technology Consulting, Cybersecurity

and Randy Armknecht, Director, Technology Consulting, Cybersecurity


Last month, the National Institute of Standards and Technology (NIST) published a discussion draft of revisions to the NIST Cybersecurity Framework (CSF Version 1.1). The draft, though still subject to change, provides new details on NIST’s recommendations for cyber supply chain risk management (SCRM), clarifies key terms, and introduces cybersecurity measurement metrics. Although this is a voluntary framework, the Financial Industry Regulatory Authority (FINRA) and others require organizations under their jurisdiction to adopt and declare a framework, and the NIST CSF is one of the most commonly used.

Here are some of the highlights from the NIST draft:

  • The NIST CSF, which currently has 22 control categories, will add another one, SCRM, in the “Identify” domain, and eight subcategories — five for SCRM, and three in the “Protect” category. In addition, five existing controls have been clarified.
  • SCRM is now a critical consideration in the NIST CSF, in recognition of the fact that many organizations are outsourcing key business processes to, or sharing sensitive data with, third parties. The federal Office of the Comptroller of the Currency and other agencies have drafted regulations, titled Enhanced Cyber Risk Management Standards, addressing this “external dependency management.”
  • A new section, Section 4, has been added. Called “Measuring and Demonstrating Cybersecurity,” the new section contains suggestions on how to measure and demonstrate the efficacy of cybersecurity. The framework recommends a close relationship between cybersecurity and business objectives. Metrics are separated into four categories: practices, process, management and technical. Measurements should align with business objectives and should demonstrate a cause-and-effect relationship. NIST recommends that organizations should tailor the measures and metrics to their own level of maturity. The new Section 4 does not, however, offer concrete examples of what specific cybersecurity metrics should be included in a control dashboard.

We think these revisions will help the NIST CSF align more closely with regulatory and industry priorities, such as identity and access management, SCRM vendor risk management, metrics and cybersecurity threat intelligence. Considering these are the same areas that often come up as areas of concern for Protiviti during field engagements, we think the changes are necessary and appropriate.

Click here for our flash report on this topic.

2017 Perceived as Riskier by Top Executives, Survey Results Say

Political and economic instability, cyberattacks and disruptive change have global executives and board members on high alert for the year ahead, according to research from Protiviti and North Carolina State University’s ERM Initiative. The report, Executive Perspectives on Top Risks for 2017, and an executive summary are available for download on the Protiviti website.

Concerns about the global economy topped the list for the first time in the five years we’ve been doing the study, surpassing regulatory concerns, which fell to number two. Tech risks followed, with cyber-risk, identity and privacy remaining in the top five.

I had the opportunity to discuss the results — along with Mark Beasley, the Deloitte Professor of Enterprise Risk Management at North Carolina State, and my colleague Pat Scott, executive vice president, global industry and client programs at Protiviti — in a December 15 webinar, and wanted to share some of the highlights.

We surveyed 735 executives and directors at companies around the world, representing a cross-section of industries, and asked them to prioritize 30 risks on a scale of 1 to 10, with 10 being the highest level of concern. Risks were grouped into three categories: macroeconomic, strategic and operational.

The overall risk scores were higher than last year in every category, a sign that executives perceive 2017 as more risky than 2016. Despite that, few organizations plan to invest additional time or resources in risk identification and management — which could reflect either resource constraints, or satisfaction with current resource commitments and prior year investments in risk management capabilities.

From a regional perspective, respondents from companies in the Asia-Pacific region were the most concerned, followed by European companies. Although U.S. executives registered no change from the prior year (i.e., their perception of 2016 risk levels), volatility in global markets and currencies may create significant challenges here as well as abroad.

The next twelve months will be interesting on the regulatory front as a populist wave sweeps across major world economies, affecting everything from healthcare and immigration to trade in many sectors, with implications for many companies, not just the highly regulated ones.

Concern for cyber-threats has been rising over the years, and continues to increase, particularly in the areas of privacy and identity management, as new technology offerings expand faster than the security protections companies have in place.

For other top risks, I refer you to the report.

One parting thought: Just as concerns varied by region, industry and company size, they also varied by the respondent’s role within an organization. This is significant in that I think there is a tendency for companies to assume, internally, that everyone is on the same page when it comes to risk priorities and perception. That’s simply not the case. Therefore, the risk assessment process needs to be inclusive to encourage participation of multiple stakeholders and perspectives.

I think the bottom line is that 2017 is going to be a fun ride that’s not for the timid. So fasten your seat belts!

Jim DeLoach

Money 20/20, Day 3: Get the View From the Inside With Today’s Podcasts

Blockchain, globalization, digitization, cybersecurity, fintech, new customer demands, and more. Money 20/20, the largest global financial industry event focused on payments and financial services innovation for connected commerce at the intersection of mobile, retail, marketing services, data and technology, takes place Oct. 23-26. Once again, Protiviti is proud to be an exhibitor sponsor and speaker at the event.
We will be posting daily dispatches from the event’s sessions, starting Sunday, here and on Twitter. Subscribe and follow us for current commentary, insights and reactions from industry experts as the event unfolds.


Ed Page, Managing Director, Technology Consulting for Financial Services, on IT Trends (6:08 minutes)


Nirav Shah, Director, Risk and Compliance, on Regulating Fintech (3:03 minutes)


Nirav Shah, Director, Risk and Compliance, on Good vs. Bad Innovation (4:46 minutes)


Robert Ferguson, Senior Manager, Business Performance Improvement, on Customer Stickiness (3:21 minutes)


Regtech: The Fintech Innovation at the Heart of Compliance Transformation



By Vishal Ranjane, Managing Director
Risk and Compliance



Recently, my colleague Jason Goldberg wrote about balancing the competitive need for technology-enabled customer experiences in payments, banking and wealth management with security and privacy controls. Customer-facing technology, as the most publicly visible example of financial technology (fintech), has received a lot of media attention. Nevertheless, it’s only half of the fintech picture.

Behind the scenes, financial institutions are beginning to adopt a subset of fintech, known as regulatory technology, or “regtech.” (Protiviti’s recently introduced automated Risk Index tool is an example of such a regtech solution applied to management information and reporting.)

Like fintech, regtech applies the same nimble, scalable, mobile-friendly solutions and rapid, low-cost cloud deployment to improve risk management, transaction monitoring, regulatory compliance, reporting, data storage and analytics. Unlike fintech, however, regtech does not compete with traditional banking for the same customers; rather, it offers new ways of solving old problems by offering speed, security and agility in complying with regulatory requirements. As such, financial institutions have good reasons to look forward to implementing the technology.

Regtech has the potential to replace many of the traditional manual and paper-based solutions. Traditional solutions tend to be inflexible, disconnected and hard to update. Traditional solutions also tend to be resource-intensive, tying up both capital and IT capacity.

Regtech enables controls such as employee surveillance and transaction monitoring, on-demand reporting and full population data analytics. It makes conducting risk assessments faster, and provides a better audit trail.

Applied to anti-money laundering (AML) and counter-terrorist financing (CTF) compliance, a regtech real-time transaction monitoring solution can bridge communication gaps by consolidating and analyzing data from disparate systems. Applied to know-your-customer (KYC) processes, regtech can be used to create a secure central data repository with reference data utilities to protect personally identifiable information. The technology also can monitor financial services regulations in every country and region within an institution’s footprint, and report back to internal audit.

[Listen to Vishal discuss faster KYC onboarding revealed at Money 20/20]

In short, the opportunities for regtech in compliance automation, AML and management reporting are many and exciting. Financial institutions historically have struggled to comply with new regulations, in part because the compliance processes were rigid and not easily changed. As regtech matures, risk and compliance functions are likely to see increased operational excellence. Underlying data will become more reliable, enabling better decisions; adoption of new controls and compliance procedures will get faster and easier; and senior management will be able to manage risk more effectively.

One important caveat: Regtech relies heavily on third-party providers of cloud-based technology solutions, but this does not mean that these parties assume the risk of the institution. While the IT burden of implementation and maintenance of the new technology may be reduced, there is a new and growing responsibility for institutions to vet and monitor vendors to ensure that the providers’ policies, values and procedures align with those of the organization — especially when it comes to privacy and cybersecurity.

Also, while automation can improve processes, it is critical for financial institutions to review all risk and compliance procedures during project planning to avoid accelerating bad or obsolete processes, and to verify data integrity to ensure that reports are accurate and reliable.

Regtech is a good example of what the U.S. Office of the Comptroller of the Currency meant when it talked about the need for “responsible innovation.” As the financial services industry undergoes a fundamental and disruptive digital transformation, financial institutions are going to need technology-enabled risk management and compliance tools to ensure that they can manage at the speed of risk.

This is an exciting trend and we’ll keep you posted as things develop.