Technology & compliance: looking at the big picture of Sarbanes-Oxley.

Welcome to the age of compliance, governance and risk management, initiated by the demands placed on publicly traded companies, and in many cases private firms, to comply with the Sarbanes-Oxley Act.

[ILLUSTRATION OMITTED]

For most companies, initial compliance has focused on Sec. 404, which places responsibility on management "for establishing and maintaining an adequate internal control structure and procedures for financial reporting." The tools companies use vary from Excel spreadsheets to Word documents to specific SOX compliance tools that are too numerous to list. The cost of these specialized compliance tools can range from $1,500 to more than $100,000. The majority of the technology, regardless of cost, has a static, point-in-time compliance focus for a given reporting cycle.

Most companies have concentrated on documentation requirements and accuracy to meet initial compliance. To this end, any and all of the compliance tools have some value. However, some company management teams believe the costs incurred for SOX compliance have been excessive, and considerably greater than the benefits received. This conclusion can be attributed partially to a nearsighted focus on SOX implementations employed by many of these management teams, which--per published polls and interviews conducted for this article--still seem to hold the view that internal controls and related governance activities are little more than a necessary evil. Further, there has been little confidence placed in technological solutions leading the charge.

A recent CFO Research Services study titled "The Convergence of Compliance and Performance Management" states: "Compliance efforts may well strengthen business processes, but the cost of such initiatives--both in dollars and in managerial attention--makes some senior finance executives very reluctant to endorse compliance as a source of performance improvement. One senior finance executive among our interviewees worries that regulatory compliance may actually hurt his company's performance, due to its high costs. 'Overall, compliance probably does help us manage performance,' he says. 'But it may also hurt our financial results, because the costs of compliance are so high.'"

In the article "Unintended Consequences" in the January/February 2005 issue of CEO Magazine, several CEOs voiced complaints about SOX, including:

* Time CEOs spend on compliance issues that should instead be focused on customers and company strategy;
* Board members' fear of serving; and
* Board members' apprehension to approve strategic risk-taking.

In the article, several of those surveyed indicate that, when possible, some smaller companies that are able to privatize will do so to get out from under SOX.

FOCUS ON THE FRAMEWORK

What seems to be missed by many as they tackle SOX compliance is that the Treadway Commission's framework treats compliance as a process, as opposed to a set of independent compliance tasks unrelated to the rest of the organization's functions. In this spirit, setting compliance-focused goals, defining associated risks, and developing and implementing documented, tested controls to address those risks should be part of an entity's strategic planning process. This incorporates SOX into the overall strategic planning process that many businesses have employed for years.

[FIGURE 1 OMITTED]

The primary difference is that, rather than focusing only on revenue, profits and cost controls, today's focus is broadened to include controlling financial reporting and fraud prevention; risk assessment as it applies to efficiency and effectiveness in the use of an entity's assets; and appropriate documentation of, and visibility over, the associated internal controls by upper management. The outcome is transparency to all stakeholders that is systematically incorporated as part of the overall strategic planning and business operations process.

SOX TECH SUPPORT

Within this context, technology support for SOX is in line with the issues of strategy and operations management. This area has been a software hotbed for several years. Companies have been evaluating and purchasing software solutions, including ERP (enterprise resource planning) systems; data warehouses and data marts; analytical tools; budgeting and planning applications; OLAP (online analytical processing); and reporting tools and applications, among others, to better manage internal operations as they relate to strategic goals and stakeholder/shareholder wealth maximization. Within the focus of compliance and governance, four approaches have emerged, around which several software applications, tools and platforms have been built:

* Generic applications that enhance controls;
* Documentation management and workflow;
* Data mining, file retrieval, pattern recognition and business intelligence; and
* Business performance management and real-time compliance.
To date, all but one of the approaches have addressed SOX compliance, particularly as it relates to Sec. 404, with "single pass," static, compliance-focused solutions. The result is that key management can sign the financial statements knowing that they are in compliance as stated in the financial reports, i.e., all business processes are documented, communicated and secure; financial reports are free from material misstatements and fraud; and internal controls are in place and operating as designed to ensure these claims. The shortcoming is that each year the same process is repeated for the next fiscal period, much like the initial compliance exercise, because ongoing compliance is neither scheduled nor treated as a continuous process. This creates gaps in visibility into the status of internal controls, and makes it harder to meet Sec. 409 notification requirements regarding "significant" events that affect the entity's value within a set number of days of occurrence.

To meet these requirements, providers within each of the four classes of software have developed solutions based on their core competencies. To cover requirements outside their core competencies, they customize existing applications. For example, document management specialists provide excellent documentation support, but are considerably less proficient at providing risk assessment and business process mapping capabilities. Data warehousing and ERP solutions provide high visibility of financial reporting and transaction controls, but are weak in delivering process flow tracking.
To address process flow mapping and documentation management needs, they require third-party add-on utilities. Several business intelligence and reporting tools address aspects of the previous two unimpressively, by importing information from various sources to present a static picture in time, but are short on process management. Moreover, ongoing compliance is not addressed.

Companies would be wise to consider business performance management and real-time, compliance-based solutions as an approach to satisfying SOX compliance requirements on an ongoing basis. Solutions implemented with this approach address compliance by employing a framework with a strategic focus that defines goals; identifies associated risks; institutes controls to manage the risks; and monitors performance using ongoing, regularly scheduled reviews. Such solutions use a business process platform to combine process flows with benchmarking, and compliance-focused scorecards are juxtaposed with strategic planning scorecards and strategy maps to create the most complete documented approach. They track and schedule processes with historical comparisons and employ performance alerts driven by integrated benchmarking. They are driven by a scorecard framework integrated with process-engineering flowcharts that are linked to supporting documentation. Company management teams then employ dashboards and portals to oversee the process. This approach adds value by tying the controls and documentation requirements under SOX to process efficiency improvements that can have a direct positive impact on the bottom line.
Operating inefficiencies are often the first findings spotted by an internal control review, even if the controls themselves are free of material weaknesses or lesser deficiencies under SOX. A process of ongoing evaluation is critical here. Tracking and scheduling processes with historical tracking and appropriate documentation attachments--enhanced with alerts driven by integrated benchmarking and scorecarding--reduces the effort; increases the visibility of an operation's efficiency and effectiveness; and ultimately improves the cost/benefit factor of compliance.

CASE STUDY

In January 2005, we interviewed a large defense contractor and a closely held cement manufacturer regarding SOX compliance. For both companies, relying on technology was important, but their outcomes were considerably different.

The defense contractor used a SOX specialty solution whose core competency was document management. The solution met the company's needs from a documentation standpoint, but other aspects dealing with ongoing monitoring of compliance and performance did not receive the same high marks. The company indicated that its initial compliance process was very challenging in light of the large government contract base that is part of its business, and that its costs were considerable in both dollars and staff time.

The experience at the closely held cement manufacturer was much different. Though a closely held company not required to conform under SOX, it chose to do so as part of its internal control structure. Instead of using a SOX specialty solution, the company used generic tools that enhance controls--spreadsheets, word processing documents, etc.
It discovered early that its current systems were virtually in compliance with the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework. To meet SOX requirements, the company only needed to make a few changes to its board's structure and create a couple of committees. It also needed to make minor enhancements to its documentation. The company already had the primary goal/risk assessment/internal controls framework in place as part of its operations. The company's entire compliance effort took less than six months and added only minor costs in dollars and staff time.

MOVING FORWARD

Technology will continue to play a big role in SOX compliance, and solutions will evolve toward an approach that uses collaborative platforms combining business process flows with portal-based scorecard/benchmarking analysis as they relate to compliance and business performance. Management's challenge is to recognize that the usefulness of solutions from a cost-benefit standpoint is only part of the game. The goal is not just to be SOX compliant, but to add value through improved visibility of operational process flows, enabling process improvements that ultimately lead to more efficient and effective operations. Future solutions will likely provide support through improved enterprise risk management, i.e., better assessment and application of entity resources and capital, with better controls and higher visibility of their performance. This may become the first step in a "continuous assurance" auditing process--ongoing auditing that enables external auditors to objectively monitor company operations throughout the year.
The result will be greater transparency to the various entity stakeholders and more complete and timely management information support to achieve the entity's goals.

BY WILLIAM BRAUN, CPA AND RICK E. NORRIS, CPA

William Braun, CPA, MBA, MIM and Rick E. Norris, JD, CPA are principals with Los Angeles-based Decision Point Solutions LLC, which designs and implements compliance monitoring solutions. You can reach them at wbraun@decisionpoint.la and rnorris@decisionpoint.la.