
  • Laresa McIntyre, CMA, MBA
    Senior Finance Executive ~
    Change Catalyst ~
    Highly-Adaptable Leader


Safeguarding Financial Resources: Issues in HR

As finance & accounting professionals, one of our primary roles is to safeguard the financial resources of the company for which we work.  This is accomplished through the controls we have within finance & accounting processes, and the analysis we do to identify anomalies in financial results.  Safeguarding financial resources also means understanding the potential risks that exist within the company’s operations that would have a financial impact, and mitigating those risks where possible.  It is important for a good financial leader to have a grasp of the entire company’s workings in every department for this very reason.  Human resources is one area that needs to be on the radar screen when understanding potential risks.  Even in this day and age of automation, salaries & wages still comprise a large expenditure for the majority of businesses.

The U.S. Department of Labor has lately been taking a more active role in investigating companies with potential violations in employment practices.  The DOL has been increasing the number of investigators on staff to support these efforts.  It is imperative for companies to ensure they are in compliance with labor laws to avoid hefty fines or lawsuits.  Although there are a multitude of laws surrounding labor practices, I would like to address two areas in particular in today’s post:  classification of employees as exempt or non-exempt and proper timekeeping.

Exempt vs. Non-Exempt Employees

Just to make sure we’re on the same page, because I know people who get this mixed up, exempt employees are not paid overtime.  The determination of exempt vs. non-exempt lies in how an employee performs their job.  It is NOT dependent on their title so don’t think every person you call a “manager” is automatically an exempt employee.  This is why there should be a written job description for every position and modified job descriptions for each individual in a particular position if there are significant differences from the base position.  Exempt employees usually have autonomy in determining how their job is done and work whatever hours are necessary to accomplish the deliverables of their position.  These are usually employees that are paid a salary and have managerial, administrative or supervisory roles, or are professionals.  However, sometimes there can be a gray area in classifying employees.  Whenever there is a doubt about which way a position should be classified, seek the advice of an employment law attorney.  It may cost a little but it will help you decide what side of the line to walk on and determine what risks you are taking.

Timekeeping

Disputes over time paid, especially if an employee is contesting their exempt status, can be a huge headache for a business.  This is why having good timekeeping systems and procedures is essential.  When these cases are brought to the DOL or the courts, the assumption is the employee is right.  After all, who would know better how many hours they worked than the employee themselves?  These are usually civil cases so there is no “presumption of innocence” — it is based upon the preponderance of evidence.  This simply means that if the evidence was stacked up side-by-side, what side does it favor?  Any ambiguity will usually favor the weaker party, in this case the employee, because it is accepted that the company had greater control to write and implement the terms of employment.  Because of this, a lax timekeeping system will sink you every time.  When considering your timekeeping, there are many situations you need to consider, like “buddy punching” and how missed punches are handled.  Another consideration is cost — not every business will be able to afford the gold standard of a biometric system.  The important thing is to have a system and to make it the best system it can be to mitigate risk.

Now some of you might be saying these are issues for the Human Resources department to handle and I agree the legwork to ensure these issues are addressed lies with them.  However, if the company’s practices are found to violate legislation, and it faces large fines and payouts because of it, I can guarantee senior management will call both HR and Finance onto the carpet for an explanation.  After all, we’re supposed to be safeguarding the financial resources of the company.  And whether we like it or not, if we turn a blind eye to what is happening around us and stay strictly focused on “getting the books right” and reporting the numbers, we aren’t doing the job we were hired to do.  If you do nothing else, at least ask the questions to make sure the issues are being looked at and addressed.

Don’t Risk Your Data — Assess It

Disgruntled employees, hackers, incompetent personnel and competitors engaged in corporate espionage are all concerns for a business.  Even more concerning is what they can do to your data.  Theft, corruption, errors or complete data loss are reason enough to possibly lose some sleep at night.  This is why every business must be cognizant of the potential risks to their information.  This doesn’t just refer to financial data but also key information needed to continue being a viable entity.  Customer lists, proprietary information about products or services, and contracts that give the business a competitive advantage all fall within this group.  In order to ensure that data is safe, an information security risk assessment should be conducted at least on an annual basis.

Even before a risk assessment is conducted, the business will need to determine a set of baseline standards related to data security that it should meet.  These standards will look at things like access rights, password protocols, physical controls over equipment, policies and procedures for the business and many other items.  Once these standards are set, then the risk assessment should look at the following areas:

  • What information sources does the business have and what information comes from those sources?
  • How sensitive is each data source? Does it contain information that if breached would become a legal issue (like credit card information or employee data)?  Is it commercially important to the business?  Or is it just “run of the mill” information that if disclosed would not cause any harm?
  • What would be the business impact if the data source was compromised, lost or stolen?
  • What is the level of threat and degree of vulnerability to each data source from internal attacks, external attacks, system malfunctions, process changes or regulatory requirements?
  • What is the likelihood of an incident in each of these areas occurring?
  • What are the specific risks in each of these areas that can be identified?

On the surface, this might seem a daunting task but if you assess the top four or five data sources for the business, this will usually flush out most of the major issues.

This process is usually driven by the Internal Audit department but if your company doesn’t have one, the responsibility of ensuring the assessment is done may fall to the finance & accounting department.  However, this doesn’t mean you should be the only ones involved in the assessment.  Getting input from all functional areas of the company is important.  Also, this isn’t and shouldn’t be an exercise conducted by the IT department alone.  Although our friends in IT are usually on top of what’s happening in the business from a data perspective, this assessment is more than just making sure password protocols and firewalls are in place.  The assessment speaks to the entire business process and should be treated as such.

There is also another very good reason to involve others.  It is important to get consensus from within the business about what data is most vital to ongoing operations.  Everyone thinks their information is important but in the big picture, some data sources will be head and shoulders above the rest.  These are the data sources that need to be examined with a critical eye and it makes the process easier when everyone has agreed to this.

As the risk assessment is completed, it will highlight areas of concern and a list of things to be done to improve data security will result.  Some of these things will be IT-related but the list may also include efforts by the HR department to write up policies and update employee handbooks, or require department managers to educate their employees about new procedures.  By considering the analysis on data sensitivity, business impact, threat and vulnerability, and likelihood, this list can be prioritized to drive the work to the biggest issues first.  The end result is hopefully more secure data and a few less sleepless nights.