Copyright 1996 CAUSE. From CAUSE/EFFECT Volume 19, Number 2, Summer 1996, pp. 38-44. Permission to copy or disseminate all or part of this material is granted provided that the copies are not made or distributed for commercial advantage, the CAUSE copyright and its date appear, and notice is given that copying is by permission of CAUSE, the association for managing and using information resources in higher education. To disseminate otherwise, or to republish, requires written permission. For further information, contact Julia Rudy at CAUSE, 4840 Pearl East Circle, Suite 302E, Boulder, CO 80301 USA; 303-939-0308; e-mail: [email protected]

Reengineering Beyond the Illusion of Control

by Elazar Harel and Greg Partipilo

UCLA has recently implemented an innovative computing system based on radical post-audit and distributed security concepts. Rather than automating standard manual processes, the University decided to eliminate all pre-approval processes and decentralize access controls. The implementation has resulted in significant cost savings, faster turnarounds, dramatic cultural changes, and improved employee productivity.

The administrative processes of the University of California, Los Angeles, have recently been transformed through the implementation of innovative computing systems based on radical, new post-audit and distributed security concepts. Like many other large public universities, UCLA has a long history of relying on bureaucratic and inefficient administrative processes. The recent State of California and University of California budget crises provided University administrators with an incentive and a mandate to reengineer, automate, and dramatically reduce costs.

Rather than implementing the standard industry method of automating/replicating manual processes, UCLA decided to take a risky leap toward eliminating all pre-approval processes and distributing access controls to the operating department level. We have found that valuable time and a significant amount of money were consumed by manual, or even electronic, approval processes that were historically justified by administrators for control reasons. These reasons have turned out to be an "illusion of control," costing the University much more than the savings they were supposed to produce. For example, due to the large volume of transactions it has become impossible to verify or check paper signatures. Similarly, traditional automated approval processes turned out to be almost as clumsy and time consuming as the old manual methods.

In this new process, people who key in transactions, such as purchase orders or personnel actions, are now empowered to fully perform their duties and are accountable for the quality and correctness of the data. Electronic mail messages containing a comprehensive view of the completed transactions are automatically sent out to the people assigned the responsibility for reviewing those actions. The key difference is that these reviews are done after the fact, with the reviewers assuming the responsibility for taking appropriate actions when and if necessary. Electronic logs of the accountability structure and of all actions are kept online in a relational database and are available to authorized users through a variety of search engines. These logs have proven to be an electronic paradise for auditors and other administrators who have always longed for access to such useful information.

Background: The culture

Over the past few years, the University of California has been facing difficult challenges, which have seriously threatened its financial, social, and economical stability. Financial support from the State of California to the University has continuously declined, while competition among higher education institutions (for students, private gifts, contracts, and grants) has become fiercer. The successful unprecedented growth period of the '70s and '80s has finally come to an end, and UCLA, being one of the largest UC campuses, was not spared the consequences.

UCLA is a large enterprise measured by any economical terms. Its annual budget is about $1.8 billion, with over 20,000 employees, 35,000 students, a large teaching hospital, and numerous colleges and professional schools. This Los Angeles campus is located in Westwood Village, spreading across 411 acres with over 150 buildings and structures.

Like many other universities, UCLA has developed over the years an "impressive" cumbersome bureaucracy. Many rules and regulations were piled on, based on complicated University, government, and state regulations. The number of paper forms increased exponentially over time; that necessitated, of course, a larger number of paper shufflers, more rules, and more forms. Eventually, many University faculty and administrators became involved in a spiraling paper-signing and -chasing ritual that complicated basic processes and increased the cost of doing business. It was not uncommon to see paper forms with fifteen (or more) signatures, and business transactions that took several weeks to complete.

The culture that evolved as a result of these processes was quite interesting. From a traditional audit perspective this seemed to be a well-controlled and accountable process. After all, so many of the involved parties signed the forms.

From a personal perspective, there seemed to be almost no accountability or risk involved, since so many people signed the papers. One of the authors still recalls his first days as a University director, when one of the campus executives told him, "There's nothing to worry about; someone will catch your mistakes or save you just in time."

Such a culture is obviously very dangerous and expensive, and encourages mediocrity. It also promotes the public view of a bloated, inefficient, government-supported bureaucracy that keeps wasting taxpayer money. Based on our experience and on discussions with numerous colleagues, we believe that this kind of a culture was, and still is, quite common in many other large universities and even in large Fortune 500 companies.

As the financial belt started tightening, it became obvious that something had to be done. The University had to cut costs and streamline its processes. It also quickly became apparent that in order to be successful, information technology needed to be a key ingredient of the prescribed medication.

Concepts: How radical can we be?

Thus, a few years ago, UCLA embarked on a process aimed at a fundamental restructuring of its administrative processes. The University's chancellor unveiled a campuswide blueprint titled, "Transforming Administration at UCLA," which called for dramatic cultural and organizational campus changes. Key concepts included a shift to personal empowerment and accountability, elimination of bureaucracy, and creation of appropriate incentives to facilitate these changes.1

This was naturally easier said than done. Cultural transformation usually takes a long time and requires an extensive top executive commitment. The process, however, had begun, and first steps were taken to communicate the challenges and issues.

Meanwhile, several of us started thinking about the potential steps that could be initiated. Many of the issues at hand were quite obvious. However, it was not clear how to remedy the situation and how to truly transform the organization. As we started to review what other universities and companies were doing, we quickly found out that the term "computerizing" was far from synonymous with "streamlining." We saw numerous instances of taking a bad manual process and merely automating it, resulting in a computer system that did not save money or streamline the process. In a typical example, the computerized form still requires numerous, now electronic, signatures, and the process elapsed time is still long (sometimes even longer than manual processes).

Interestingly enough, while these institutions were moving progressively forward in their efforts to allow distributed processing of transactions, they tended towards caution and conservatism when it came to proposing any significant modifications to the associated security access and transaction authorization controls. Basically, their design efforts tended to electronically replicate the long-standing manual processes.

As a result, those institutions that had implemented online transaction processing were not experiencing anticipated reductions in overall processing time. This appeared to be due to three primary factors:

  1. System access needed to prepare online transactions, while being requested electronically, was still being reviewed and approved centrally.
  2. The transaction authorization process remained basically the same, with electronic pre-approvals replacing manual signatures.
  3. Since it was now "easy" to add individuals, routing paths, and new approval criteria, the number of electronic signatures often increased, further prolonging the desired purchasing, hiring, or other financial outcome.

After reading Hammer's now famous "Don't Automate, Obliterate" article2 and capitalizing on the experiences gained by others, we decided that it was time to challenge these long-standing and well-accepted system access and transaction authorization policies and procedures. As a first step, the project team identified the core reasons behind the current internal control practices: the central offices reviewing and granting access to systems were only doing this because they alone had the system tools to do so. The resulting time delays were unfortunate, since requests were seldom denied as these central areas had no way of knowing the qualifications and capabilities of the departmental staff. This resulted in an "illusion of control" atmosphere, which had very little basis in reality.

The key reasons that the pre-authorization of transaction documents had been put in place were for department managers to (1) ensure that only authorized personnel were preparing transactions, (2) ensure the accuracy of recorded information, (3) confirm the adequacy of available funding, (4) verify compliance with special funding restrictions, and (5) monitor overall departmental activity. However, as the volume of transactions increased over time, this control became less and less effective. Better ways were needed to meet these objectives.

With these findings, the project team then determined that UCLA's paperless processing scenario could shorten overall processing times and provide fully automated controls using a combination of new technical tools and revised processing flows supported by modified policies and procedures. The specific recommendations presented and adopted by UCLA management included:

Figure 1: Post-audit process

Preparers granted acccess by local DSAs now finalize transactions
before any significant reviews and audit take place.

post-audit process chart

These concepts turned out to be truly revolutionary. The idea that purchase orders or personnel actions can be initiated and finalized at the same time and by the same person (see Figure 1) was very difficult for many people to digest. This meant that staff would need to be empowered, trained, and trusted to do their job, while those who used to sign the forms would have to become accustomed to acting or reacting after the fact. It also gave the word accountability a whole new and very real meaning. Figures 2a, 2b, and 2c respectively present a graphic comparison between the old manual process, its electronic replication (as implemented in many places), and the reengineered post-audit approach developed and implemented at UCLA.

Figure 2a: The old manual process

Numerous and often "pro-forma" reviews delayed personnel actions
and other business processes unnecessarily.

the old manual process

Figure 2b: Electronic replication of the manual process

Electronic signatures do not eliminate unnecessary
signature checkpoints

electronic replication of the manual process

Figure 2c: Reengineered post-audit process

Under the post-audit process, a combination of online data
entry editing and a limited transaction review allow speedup
of doing business without sacrificing audit control principles.

reengineered post-audit process

Gaining acceptance: The consultation phase

It was in the consultation phase that we began the legitimization process of these concepts. First, we tried to make sure that we were not totally naive or irrational. The core project group, which comprised financial managers, internal auditors, and technologists, discussed the issues over and over again, assessing different alternatives and solutions to the potential problems.

When we were truly convinced that the ideas were good and feasible, we began the second and most difficult task-communicating the concepts to the campus community, conveying the risks and benefits, and ensuring proper support throughout the implementation.

Several key factors contributed to the success of this process:

System design

Both ASAP and DACSS were designed as core infrastructure systems. They underline and interface with all other administrative computing systems which are a combination of purchased and home-grown applications (e.g., purchasing, payroll, billing, and financial journals.) All system data are stored in a relational database (DB2) and are available online to authorized users through predefined screens or via ad hoc SQL queries.

The new paperless processing scenario at UCLA begins with local departments defining their accountability structure, which delineates the personnel responsible for processing and reviewing transactions. This step first involves selecting a Department Security Administrator (DSA). In conjunction with the chief administrative/financial officer, this person helps identify those who will be entering and updating data (preparers) and those responsible for reviewing these transactions (reviewers) foreach specific online application. To ensure the integrity of the "check-and-balance" control mechanism, the preparer and reviewer must be different individuals. This accountability structure is then entered directly into DACSS by each DSA; it is the "glue" that holds the entire system together.

The post-audit process is performed through two main avenues:

Figure 3: Screen shot recipients

The completed transaction is sent via e-mail to the official reviewers.
Preparers have the option to add comments an add e-mail or fax
recipients to the e-mail distribution list.

screen shot recipients

Benefits and lessons learned: It was worth it!

The implementation of the post-audit and distributed access controls at UCLA has been extremely successful. Almost all financial and payroll transactions are now executed under the new paradigm by several thousand users in almost 300 departments. A recent audit conducted by the University external auditors concluded:
Our review found no major control weaknesses which would significantly impact either the University's MIS general control or the DACSS/ASAP control environment ... . With respect to the DACSS and ASAP systems and the process for preparing and reviewing online financial transactions, we believe the University is well ahead of its peers in its use of information technology to automate this process.

Processes that in the past took two to six weeks (or more) to complete and that traversed numerous approval desks are now being completed in a matter of seconds. Transactions that previously required four or more signatures are now typically reviewed by only one or two people in a post-audit mode.

The number of transaction errors has been reduced dramatically, primarily due to the increased awareness of personal accountability and to the edit controls that were added to the various application systems (e.g., verification of account numbers, ensuring sufficient funds, etc.) For example, one of our departments reported a decrease of monthly errors from 500 to 5! This, of course, significantly reduced the manual labor required to detect, correct, and explain the mistakes. Needless to say, customer satisfaction was also positively affected.

The systems allow for the delegation of financial management from central authorities to operating units. Thus, instead of routing paper forms all over campus for approvals before a transaction can occur, teams of preparers and reviewers in the operating units can conduct transactions online. Because of online processing, paper filing for purchases, personnel, and financial transactions have been reduced by 80-90 percent, resulting in staff time savings and regained office space.

Without top management and auditors' commitment to the concepts, it would have been practically impossible to challenge the long-standing (and traditional) security and approval practices. Also, the prototyping approach was mandatory to effectively show the skeptics how the new controls are much more effective than the old. Without such early demonstrative proof, it is likely that the fear of "loss of control" would have persevered, causing designers to "automate" in the old way. As can be seen from Figure 4, the number of transactions generated by the purchasing, payroll, and transfer of fund systems has significantly increased over the course of the implementation process (migration from the old to the new process), thus indicating the success and the users' "faith" in the post-audit review philosophy.

Figure 4

The steady growth in number of online transactions shows that
departments have moved away from the old manual process and have
faith in the post-audit system.

screen shot recipients

Training of users and executives proved to be one of the most important factors affecting the success of the implementation. The internal audit department, in coordination with other units, developed a comprehensive training session that addressed critical issues such as the changes in responsibilities, the accountability structure, and the use of the systems.

Although it is quite difficult to estimate the total cost savings realized by the implementation of the post-audit methodology, it is clear that the savings were substantial. An unofficial quick and very conservative calculation shows that if a total of only five minutes of staff time were saved for each transaction, the campus has realized an ongoing annual saving of at least 30,000 staff hours or about $600,000 (number of transactions X the time saved per transaction X average salary) due to the post-audit process. These savings are realized in reduction of personnel or a shift of resources to other activities. Significant additional savings were also realized with the elimination of outside form data entry (more than $300,000 per year) and the decentralization of access controls (at least $100,000 per year).

It is important to acknowledge the benefits of selecting electronic mail as the mechanism for delivering the notifications to the reviewers. Our goal was to build a process that would facilitate a quick delivery of the notifications without inconveniencing the reviewers, who typically are busy managers. Electronic mail was found to be the obvious choice-most people were already using it and there was no need for system training on how to use it. Additionally, this practically assured that reviews are performed in a timely manner, since most people check their electronic mailboxes at least once a day. The use of electronic mail also involves some calculated risk, since it is not possible to verify that the review actually occurred (reviewer may not have read the message or message may have not been delivered). We addressed these issues by: (1) issuing a campus policy that requires reviewers to check their electronic mail within two working days of the transaction, and (2) implementing an automated process that alerts the help desk on the occasional occurrence of undelivered e-mail.

An important shift in roles of central offices has resulted from the implementation of the post-audit process. These offices, which used to process transactions and play the "police" role, are now engaged in broader corporate activities that include policy setting, departmental support, training, and education.

Although it may be difficult to believe, there were only a few problems or disadvantages resulting from the implementation of these concepts and systems. The biggest challenge was addressing the skeptics who did not think that such an approach is workable. The other was accepting the risk (and the associated accountability issues) that some of the reviewers might not perform their duties as defined by the policies. Our experience so far, two years after the initial implementation, indicates that the process is working remarkably well and that the campus community (4,000 users in over 300 departments) has made no overtures to return to the classic pre-approval process.

The single, key factor that made this complex implementation successful is not the technology, but rather the unprecedented cooperative relationships between campus administrators, internal auditors, and the administrative computing department. This unique partnership was required in order to convince the University community that such changes are valuable, achievable, and sensible.


The issues presented in this article can have significant implications for other institutions that face similar problems. We believe that challenging the traditional approval and access control processes can be valuable for many organizations, not only throughout the higher education community, but also across a large range of private and public industries. Following are a few general guidelines that are based on our experience:

Summary and conclusions

The conceptualization and implementation of post-audit principles and new distributed security practices at UCLA can have far-reaching implications to institutions in numerous education and business sectors. This article describes a complicated process that resulted in a fundamental cultural change and significant cost savings using information technology tools.

To the best of our knowledge, UCLA was the pioneer in the implementation of the post-audit philosophy, and the University of California is probably still the only institution that has implemented this approach on a large-scale production environment. This concept has proven to be successful and has practically become a cultural "way of life" within just a few years.

We hope that the reader is able to identify with at least some of the cultural and transformation challenges presented here. We believe that comparable "illusion of control" situations can be found in practically every business. Post-audit and distributed access control solutions may be applicable to many of them.

Our journey toward a transformed University administration still has a long way to go. It is clear that information technology will play an even greater role in this challenging process. We hope to be able to continually introduce innovative and extraordinary solutions.


1 Charles E. Young, "Transforming Administration at UCLA-A Vision and Strategies for Sustaining Excellence in the 21st Century," unpublished internal document, September 1991.

Back to the text

2 Michael Hammer, "Reengineering Work: Don't Automate, Obliterate," Harvard Business Review, July-August 1990, 104-112.

Back to the text

This article was a winner of the 1995 Society for Information Management (SIM) Paper Award Competition, honoring outstanding work in the field of information systems and technology. More information about the project described in this article is available at

Elazar Harel ([email protected]) is currently Director of Administrative Information Systems at UCLA with overall responsibility for campuswide administrative computing. Over the past few years, he has been responsible for leading numerous technology-based processes geared toward a fundamental transformation of the UCLA administration. Additionally, Dr. Harel teaches at the Anderson School of Management at UCLA and is a member of several international organizations including the Society for Information Management (SIM) and CAUSE.

Greg Partipilo ([email protected]) is a Special Project Manager in Administrative Information Systems at UCLA. He has over twenty-five years experience in a wide variety of application areas, including not only all varieties of financial systems, but also such diverse areas as telecommunications, community safety, and storehouse operations. He is very experienced in most system implementation life cycle stages and techniques, and is also a documentation and training specialist who has been responsible for much of the training, user documentation, and development of online help facilities in support of many reengineered business practices on campus. the table of contents

[Comments] [Search] [Home]