The ROI of SOX: SOX compliance investments can boost your bottom line.


While Sarbanes-Oxley compliance costs can vary depending on a company's revenue, operational reach and ownership structure, many businesses have experienced a multifold return on investment, ranging from the introduction of new initiatives to the implementation of improved business processes.

Businesses can boost their bottom line if they approach SOX compliance as an opportunity to improve the business's management, as well as to reduce the costs of operations and internal audits.

SOX COMPLIANCE

In general, SOX compliance investments can be classified into one or more of the following:

* Information Technology--investments in infrastructure, such as networks, system management and software;

* Business Controls--investments in enterprise resource planning (ERP), supply chain management, customer relationship management, etc.; and

* Company Policy and Management--management decisions regarding the centralization or decentralization of the business's processes; mapping management accountability into processes; and improvements to corporate governance.

This article focuses on the quantification of SOX compliance benefits and the ROI of IT and business controls initiatives. In combination, these can provide controls that prevent fraud, misuse or loss of financial transaction data; enable speedy detection if and when such problems occur; and allow preventative action to be taken to limit and mitigate their effects.

IT CONTROLS

There are four basic general controls within the IT initiative, as stated by Control Objectives for Information and related Technology (COBIT):

IT planning and governance--includes information systems strategic plan; the IT risk management process; compliance and regulatory management; and IT policies, procedures and standards.

Computer systems management and operations--controls over the definition, acquisition, installation, configuration, integration and maintenance of the IT infrastructure. This includes service level management; management of third-party services; system availability; problem and incident management; and facilities management.

Program or application development and change controls--controls over the acquisition and implementation of new applications and the maintenance of existing applications. The risks are controlled through the development of, and compliance with, a system development and quality assurance methodology. The methodology provides guidelines for system design and implementation, documentation, testing, approvals, project management, etc. New releases of software fall under application maintenance and ongoing change management.

[ILLUSTRATION OMITTED]

Computer security and access controls--control activities in the design and implementation of secure passwords, internet firewalls and data encryption. Applications provide access privileges only to authorized users, as defined and approved by company management.

BUSINESS CONTROLS

Business controls ensure that the values on the financial income statement and balance sheet are accurate and reliable. These controls are provided through enterprise resource planning, supply chain management and customer relationship management applications. They also could be referred to as "application controls," where transactions are initialized, authorized, implemented, reported and validated.

For example, accounts payable or receivable are performed through transactional means and recorded in the accounting general ledger system and financial statements.

Both IT and business controls are governed by documented policies and procedures and by segregation of duty. When application controls do not follow the documented procedure, and when the same person initiates and approves the same transaction, such as entering invoice information in the system, approving the invoice, changing vendor information in the system and issuing a check for payment, this is a segregation of duty violation. As a result, the control is deemed ineffective.

IMPROVING THROUGH SOX

IT and business controls can lead to various types of business opportunities, including:

* Financial Improvements. This can be realized, for example, by implementing an ERP application that automates controls and standardizes processes. For example, the ERP software can be configured to identify and apply control rules that automate the segregation of duty rules and prevent potential violations.

* Control Improvements. This could be realized by implementing Statement on Auditing Standards (SAS) No. 70, segregation of duty, etc. For example, SAS 70, "Service Organizations," provides auditors with guidance in evaluating service organizations in the context of a financial statement audit. Service organizations that successfully complete an SAS 70 audit have been through an in-depth audit of their control activities, including controls over information technology and related processes.

There are two types of SAS 70 reports: Type I and Type II. In a Type II report, auditors provide an opinion on whether or not the controls that were tested were operating with sufficient effectiveness to provide reasonable--but not absolute--assurance that the control objectives were achieved during the period specified. These are the reports auditors seem to be accepting.

Also, segregation of duty is a control that reduces risk by separating the custody of assets from accounting personnel, separating the authorization of transactions from custody of related assets, and separating operational responsibilities from record keeping responsibilities.

* Productivity Improvements. This could be realized by implementing standard processes; centralizing processes, such as accounts payable or receivable; or aligning IT initiatives with company objectives, such as a supply chain management implementation.

SOX AND SOURCES OF ROI

SOX presents many ROI opportunities for each business segment and core process.

For example, in Exhibit 1, under "Business Enablers," if a feature like "timely, detailed reporting" is automated, say by defining the development and distribution rules for such reports in an enterprise report writer application, it will improve the reports' timeliness and transparency, as well as their delivery to the proper staff throughout the organization. Ultimately, it will lead to rapid disclosure and accelerated reporting, which will result in greater operational effectiveness.

The same logic applies when automated controls are realized by implementing an ERP application, ensuring standardization and an active control status throughout the enterprise. This also affects the enterprise model (Exhibit 1), and can reduce internal audit cost by ensuring the implementation of internal controls and procedures.

Preventative controls are the preferred status of controls. They are recognized when the controls are automated, and they will drastically reduce audit cost by reducing the sample size selected for testing and by expediting completion of the testing tasks.

THE ROI METHODOLOGY

The following methodology for quantifying the returns and the realized benefits used in the ROI calculation is based on non-traditional accounting techniques. Traditional ROI justification is an accounting method based on a discounted cash flow analysis. However, this fails to account for and quantify the intangible benefits of compliance.

Where does that leave us? SOX compliance investments in IT and automation will be justified by non-traditional accounting methods. For example, the intangible benefits can be quantified, and the ROI of SOX compliance rationalized, using a non-financial methodology such as Analytic Hierarchy Process (AHP) techniques. The following is a summary of the steps:

BUILDING THE MODEL

The proposed process to build the SOX compliance model (Exhibit 1) is based on a management workshop setting; a rule of collaboration/consensus; development of a hierarchical model; and implementation of AHP techniques.

Management Workshop Setting: A forum where the company structure is represented by the official entity of each of the operating units. The units are represented by company staff who carry the credibility, understanding and discretion to propose, support and implement the changes. These are the people who should participate in the workshop to build the SOX compliance model and carry out the ROI analysis.

Collaboration: All individuals participating in the management workshop must agree to a collaborative approach in the design, prioritization and implementation of the AHP process.

Development of Company SOX Compliance Model: The SOX compliance model is a representation of the company that describes the business, management and the interrelationships of its entities. Exhibit 1 is an example, built from six hierarchical layers: Ultimate Goal; Compliance Objectives; Critical Success Factors; Core Processes; Business Challenges; and Business Enablers.

Each layer is defined by distinct components and could include an unlimited number of attributes. The components of each layer are linked to those of the layers above and below, and the links are governed by the AHP technique. The values of impact are quantified and represented by each of the stated company "Business Enablers." All layers are linked in hierarchical form, and each element in the business model can be expressed in a quantifiable fashion by all the elements in the layer below.

Accepting the AHP Tools: The tool used in the management workshop forum is easy to use and establishes the links between the different layers of model attributes using AHP's reliable ranking/prioritization technique. More information can be downloaded at http://sigma.poligran.edu.co/politecnico/apoyo/Decisiones/curso/Interfaces.pdf.
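The article describes AHP as the technique that links the layers and ranks their attributes but does not show the arithmetic. The Python below is an added example, not the author's workshop tool or the linked PDF: it takes a workshop's pairwise judgments for three of Exhibit 1's Business Enablers (the judgment values 3, 5 and 3 are constructed), derives the priority vector by the standard normalized-column method, and computes Saaty's consistency ratio, the check a practitioner wants before a set of rankings is used to justify spend. Only the enabler names come from the article; everything else is assumed for illustration.

```python
from typing import Dict, List, Sequence, Tuple

# Saaty's random-index table for matrices of order 1..5 (standard AHP constants).
RANDOM_INDEX: Dict[int, float] = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}


def check_reciprocal(matrix: Sequence[Sequence[float]], tol: float = 1e-6) -> None:
    """A pairwise-comparison matrix must be square, have 1s on the diagonal and
    satisfy a[j][i] == 1 / a[i][j]; anything else means the judgments were
    entered inconsistently and the ranking would be meaningless."""
    n = len(matrix)
    for i in range(n):
        if len(matrix[i]) != n or abs(matrix[i][i] - 1.0) > tol:
            raise ValueError("matrix must be square with a unit diagonal")
        for j in range(n):
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > tol:
                raise ValueError(f"entries ({i},{j}) and ({j},{i}) are not reciprocal")


def ahp_priorities(matrix: Sequence[Sequence[float]]) -> Tuple[List[float], float]:
    """Return (priority weights summing to 1, consistency ratio CR).

    Weights: normalize each column to sum to 1, then average across each row.
    CR: lambda_max is estimated from (A*w)_i / w_i averaged over i; the
    consistency index CI = (lambda_max - n) / (n - 1) is divided by the random
    index for the same n. CR above 0.10 is conventionally taken to mean the
    judgments should be revisited."""
    check_reciprocal(matrix)
    n = len(matrix)
    col_sums = [sum(row[j] for row in matrix) for j in range(n)]
    weights = [sum(matrix[i][j] / col_sums[j] for j in range(n)) / n for i in range(n)]
    weighted = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(weighted[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    cr = ci / ri if ri > 0 else 0.0
    return weights, cr


def rank_attributes(names: Sequence[str], matrix: Sequence[Sequence[float]]) -> Tuple[List[Tuple[str, float]], float]:
    """Pair each attribute with its priority, highest first, and return the CR."""
    weights, cr = ahp_priorities(matrix)
    ranked = sorted(zip(names, weights), key=lambda p: p[1], reverse=True)
    return ranked, cr


# Three Business Enablers from Exhibit 1; the pairwise judgments are constructed
# (row i vs column j on Saaty's 1..9 scale): reporting is judged moderately
# more important than real-time delivery (3) and strongly more than source
# integration (5); real-time delivery moderately more than integration (3).
ENABLERS = ["Timely, detailed reporting", "Delivery in real-time", "Integrating multiple sources"]
JUDGMENTS = [
    [1.0, 3.0, 5.0],
    [1 / 3, 1.0, 3.0],
    [1 / 5, 1 / 3, 1.0],
]

if __name__ == "__main__":
    ranked, cr = rank_attributes(ENABLERS, JUDGMENTS)
    for name, weight in ranked:
        print(f"{weight:.3f}  {name}")
    print(f"consistency ratio: {cr:.3f} ({'acceptable' if cr <= 0.10 else 'revisit judgments'})")
```

With these judgments the priorities come out at roughly 0.63, 0.26 and 0.11 with a consistency ratio of about 0.03, so the workshop's ranking is internally coherent. A perfectly consistent matrix (every entry equal to w_i / w_j) gives CR of exactly zero; the same function applied to each layer of Exhibit 1, with the weights of one layer feeding the next, is what lets "each element in the business model be expressed in a quantifiable fashion by all the elements in the layer below."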

CONCLUSION

SOX 404 compliance opens the door for companies to evaluate their processes and procedures, and to measure their gap with the best practices. Doing so will help companies improve their business practices--and their bottom line.

Exhibit 1: Sarbanes-Oxley Business Model

GOAL: REDUCING MATERIAL MISSTATEMENTS, ERRORS & FRAUD

COMPLIANCE OBJECTIVES     RAPID DISCLOSURE | INTERNAL CONTROLS & PROCEDURES | ACCELERATED REPORTING | REDUCE INTERNAL AUDIT COSTS

CRITICAL SUCCESS FACTORS  SEEKING ACCURACY | SEEKING TIMELINESS | ACHIEVING QUALITY | ORGANIZATION TRANSPARENCY

CORE PROCESSES            MANAGING FINANCE & ACCOUNTING | MANAGING SUPPLY CHAIN | MANAGING RESOURCES | MANAGING INFORMATION TECHNOLOGY

BUSINESS CHALLENGES       ON-GOING CONTROL | PROCESS STANDARDIZATION | PROCEDURE AUTOMATION | STREAMLINING

BUSINESS ENABLERS         INTEGRATING MULTIPLE SOURCES | DELIVERY IN REAL-TIME | TIMELY, DETAILED REPORTING | REDESIGNING ACCOUNTABILITY


BY ROBERT PUTRUS, PE, CMC

Robert Putrus, PE, CMC is the principal of Southern California-based Robert Putrus Consulting, an information technology and risk consulting firm. You can reach him at robertputrus@therobertsglobal.com.
COPYRIGHT 2006 California Society of Certified Public Accountants
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author: Putrus, Robert
Publication: California CPA
Date: May 1, 2006
Words: 1522