
Tuesday, September 28, 2004

Crunch Time

My life has become a series of peaks and valleys, with madness surrounding quarter-end. I guess this may be the final determinant that puts me fully in the camp of "accountant", a title I've long argued against.

Though I still don't think of myself in these terms, it's much easier to explain to friends and family alike that I am an accountant, instead of a process engineer, a business analyst, or a controls consultant. Hmm, they think: I've never encountered one of those before. Poor boy must be making up titles while he looks for a banking or accounting job!

SOX is full of crunchy, crunchy goodness. First, there was the mad dash to scope the project, followed by the mad dash to document the project, followed by the mad dash to document the project, followed by the mad dash to document the project, followed by ... remediation, and (hopefully, someday) testing.

This work begs that organizations get consistent about how they look at their critical financial processes and practices, which is good. Painful, frustrating, but healthy. Do we uniformly have segregation of duties around all our journal entry processes? Do we consistently require management review before entries are posted? Is our monthly performance variance analysis sufficiently robust to tell us if strange things are showing up in our P&L?

What do we do when the unexpected strikes, or rather, what are our exception handling practices?

Good work, all of it. But for today, I've got a 9/30 deliverable target to meet.


Thursday, September 16, 2004

SOX on Small-to-Mid Sized Businesses

I've been getting a number of questions lately from friends that are much more adventurous than I, living (and thriving, I would note) in the land of small business and start-ups. Everyone is starting to hear the buzz around SOX, but doesn't quite get how it impacts them.

Some of the questions include:

Q. What is a Sarbanes or Oxley?
A. "What" is probably correct, since the answer is "politicos".

Q. How did they know so much about business to be able to write this?
A. Good question, but it begs the larger question of who actually drafts all the bills that get passed? I'm not a conspiracy theorist, but I do have a hunch that special interest and lobbying concerns employ a number of writers to draft "suggestions".

Q. Since I'm not public, I don't have to worry - right? I mean, right? Please?
A. Sadly, wrong. If you invest in US markets - you're impacted. If you ever hope to exit from your business venture through acquisition or (ba-bang) IPO, you will have to get through a personal version of SOX hell. (see Entrepreneur Magazine's "How SOX Can Benefit You" for a great exec summary from this perspective, written by Robyn Aber).

Q. Really, what are the odds that huge Fortune 500 companies aren't going to pass their SOX reviews?
A. Probably worse (or better) than you think, depending on whether you are short or long the market. This is new stuff, and meant to send a clear message to public companies that they need to get their house in order. No more funny stuff. At least not in the financial information reporting process. I think it is fair to expect a number of name brands to get kicked in the teeth.

Q. What should my small business be thinking about if we want to make a strategic play with bigger clients?
A. Two words: SAS70. Get to know it, get to love it. Even if you aren't doing an activity that requires the submission of a SAS70, clients are going to expect that you know what it means and why or why not you will be providing one (in all likelihood, probably not).

Q. So all this SOX stuff is about accountancy? So you're like an accountant then - can you help me with my taxes?
A. Uh - yeah. I can also perform open heart surgery if need be - I applied a bandage once.


Wednesday, September 15, 2004

Advice to the Uninitiated IT Manager

I've been involved with a SOX project for the last 13 months, and would suggest that if you are only now being contacted about involvement in the project, there are some serious landmines that you are going to have to figure out fast. COBIT will be useful, but the broad establishment of fundamental IT practices over the last 5-10 years should have largely converged on these issues.

GENERAL COMPUTER CONTROLS. We've had our IT group working collaboratively with business process owners for the last 9 months. As an IT manager, I would look to you to provide comfort that the necessary general controls are in place (access management processes, change control, logic access control, etc.) so that as a business owner, I have comfort that the IT process is alive and well. This means doing some fairly rigorous review of user access processes, perhaps more consistent SDLC project management practices, and the identification of gaps that need to be shored up (remediated).

If your organization has only recently implemented a standard framework, yesterday is a good time to start talking with your externals about getting comfort with the data integrity of your systems.

APPLICATION CONTROLS. The other responsibility you will find in your camp is going to be helping process owners 1) understand what elements of their process have automated controls, and 2) collaborating with process owners to gain the necessary comfort that automated controls can be relied on. This reliance will likely involve reviewing implementation and change control documentation (by system) for the last many years, or moving into a fairly robust testing cycle to ensure that calculations and reports are representing information the way you intend.

CHANGE MANAGEMENT. Unlike other disciplines within the organization, IT's work is largely project based. Your work on new system implementations and business process documentation and requirements development position you as a strong consultant from both a change and project management perspective. If you - or members of your shop - have delicate relationships with business owners but have the production environment well in hand, this is an excellent way to demonstrate your broader expertise as a member of your client's management team.

Much work, certainly. But an excellent opportunity to apply your consultative skills with high visibility to senior management.


Books: Financial Shenanigans (Howard M. Schilit)

Since I haven't spent my career learning to see through the ingenious little deceits that accounting professionals have dreamed up over the years, I have to do a lot of reading these days. And talking - but you don't want me to recall all these conversations - honestly.

Financial Shenanigans: How to Detect Accounting Gimmicks & Fraud in Financial Reports, Second Edition by Howard M. Schilit provides an excellent 101 on basic tactics that have scarred public companies in recent years. Schilit makes the issues very accessible for the non-accountant, and provides real world examples that tickle the long-term recall.

Looking at seven basic shenanigans, Schilit walks the reader through the logic, the implications, and how to root out these issues:

1) Recording revenue too soon,
2) Recording bogus revenue,
3) Boosting income with one-time gains,
4) Shifting current expenses to a later or earlier period,
5) Failing to record or improperly reducing liabilities,
6) Shifting current revenue to a later period, and
7) Shifting future expenses to the current period as a special charge

An excellent primer for new financial managers, and a great way to come up with smart things to say to accountants pressing you for improved performance at quarter-end.


Tuesday, September 14, 2004

Section 409 and the new 8K

Good news - ! All the technological advances over the last ten years to connect our world have finally found the problem they've been preparing to solve - how to keep investors up on the play by play of their 401ks.

Section 409 of SOX introduces a new degree of reporting requirements for public companies, which feels not just a little bit like Reg FD gone wildly amok. If Reg FD was about synchronizing messaging, 409 is about instant messaging. New details? 409-it, and you better get it out the door within 5 days.

While I'll grant that most organizations shouldn't get surprised by 8K reporting issues (what, didn't you think this through before the merger?), I think this is actually going to be detrimental to the investing public. The days of the private, casual investor are rapidly disappearing if you think that you will be able to stay on top of changes in your target companies.

Investment A establishes a new credit facility? 8k it. Investment A taps the new credit facility? 8k it. Investment A sneezes in a back alleyway with only the bums and alleycats to hear the honk? 8k it.

If you thought you'd seen the worst of information overload with all the reality tv, you ain't seen nothin' yet. Sadly, this has a real impact on your bottom line (and not just another wasted weeknight). Time to route that 401k against the S&P500 and forget about it.

I'm beginning to think that SOX may have been a conspiracy exacted by the National Association of Realtors to bring investors back to property, given the recent climbs the stock market has seen since 2001. Hmm. Maybe in cahoots with the National Comic Book Collectors Association, and the National Stamp Collectors Guild, and the Federation for Tops Baseball Cards....


Developing a New Discipline

A useful must read for managers struggling around the development of controls-oriented professionals and considering the basic concepts of resource pooling: http://www.people3.com/pdf/BestPracticesResourcePooling.pdf.

People3 (A Gartner Group organization) has taken the narrow focus of looking at IT professionals, and how an organization manages this workforce. Without too much stretch, it becomes clear that many of the considerations are applicable in other skilled professional areas of the organization - Accounting, Finance, Sales, Engineering, etc. The core notion that strikes me is that an organization will never develop a core competency until some focused attention can be directed at the area of development.

For example, my organization is looking to fill a number of seats in a SOX/business controls capacity. Reporting to business unit CFOs (which in turn report to the corporate CFO), business unit based teams will each have approximately 2 - 4 persons, creating 4-6 SOX teams to service the organization at large. Fine, well and good.

The risk I perceive in getting folks on board is that we haven't figured out our level-set that we are hiring to just yet. Since we are still trying to sort out our core understandings among the folks already on the ground, we're hard pressed to understand the amount of effort that will be necessary to get new folks onto the same page.

A tough task all around, but we can't delay the development of this new discipline. We've done our best to profile the professionals needed in the work, and have HR doing their level best to get candidates in front of hiring managers. Unfortunately, many of the candidates still in circulation are still looking for a reason, since so many companies are fighting for limited talent right now.

The stronger play in developing this bench - which will continue to go through serious evolution in the next 12 - 24 months - would be to look at developing a talent pool that has more business breadth than might be perceived as necessary on day one. The development and populating of a talent pool puts some key considerations front and center:

- You can hire the right people without assigned seating. It seems straight forward, but often gets lost in the shuffle. Organizations do a great job of filtering people on the way in, and generally hire on for a specific slot. If your organization does a good job of managing poor performers out of the business, you create space for grabbing great people when they come your way (which is better than trying to find them when you are desperate).
- You are forced to consider training challenges to ensure consistency. If you want to use folks interchangeably, you better make sure they are operating from a consistent starting point. Start with standard technical competencies, access to professional references and resources, methodologies, and views of the company and industry in which you compete. Yes - as a starting point, not after a few years of OJT.
- You avoid the easy hire. It's easy but often detrimental - bouncing the odd man out to the next project. Accountability for hires in a pool configuration is an organizational challenge, and though you will need to appease more managers and internal customers, you will also create some meaningful depth.
- You develop a bench of talent that can be tapped for future challenges. Given the work of the SOX teams, very few professionals will get the opportunity to see the business in this same process way, getting to know the seamy underside of the business and develop an understanding of where process and communications break down. If you get people that can solve these issues, what can't you use them for?


Professional Investment

It occurred to me on the drive in this morning that, while I've been busy working on organizational deliverables, I've been neglecting my own personal development. I'm getting my paperwork in order for my CIA exam, the only designation that really reflects the necessary competencies to manage this work in the new SOX world. With this new designation in hand, I can be a) a counterintelligence agent that appreciates the shared acronym, or b) certified by the Internal Auditors Association and potentially a more intelligible agent of change. Getting my act in gear not only helps the business - giving the externals a bit more confidence with a CIA testing controls - but it also makes me much more marketable in this mixed up little world of controls.

I have to hand it to the CPA folks - great marketing of the designation, the IIA could learn a thing or two. Take a step or two away from the Internal Audit department and a few consultants, and the CPA looks like the logical background for this work, and going forward, I think it probably will be again. But controls haven't been a big part of an externals' game, unless they had gotten involved more heavily on the IT side.

To the person, I've yet to talk with a former auditor that looks back on their work and says, "Yes - I was a damn fine controls auditor." Nearly every one has said that, as the external in the pre-SOX world, attention to controls only meant creating more work for themselves, so avoided it like the plague. No one paid attention to this piece of the work (or wanted to pay for many hours of it), and the audit meant getting busy with the work plan to test the numbers.

Retooling is the name of the game. Though I'm fortunate enough to be working with some really quality accounting pros, I've also had a number of conversations at large that tell me bulk price of Accountants at COSTCO is no steal. Unless folks have spent time in the twigs and berries of process design and controls evaluation, there is going to be a learning curve.

There is a reason that many organizations like to hire out of Internal Audit. These are generally professionals that have been able to bridge their public accounting experience and started getting really nitty gritty with process and controls. They have moved around the organization, and see the business as a series of interdependent systems. They know how to ask tough questions, and keep on asking even when it becomes a thorn for senior managers.

This is the skill set we need to be seeking out, and in all likelihood, figure out how to build. Financial professionals may not see the personal value right away, but will thank visionary managers that make this a core discipline. If you haven't already bought it, you better start figuring out how to build it - you're going to need it.

So, to the Big Four - feel free to keep your financial statement auditors until they've been through the process at a client or two, and understand what is expected to cross this magic line. I'll be keenly interested when they've had the opportunity to learn their chops in someone else's shop. Please steer a few my way that can talk about worst practices: I think there is more to learn in failure than success.

(The kicker is that, by the time the Big Four have manufactured SOX and control-oriented auditors, most public companies will have already certified, meaning that what they will really be needing is process improvement and system implementation people, not auditors. Hmm. )


Thursday, September 09, 2004

Chicken and Egg

Which comes first - operational performance or financial performance? Does it take money to make money, and if so, do the financial controls come before the operational controls?

What a fine quagmire SOX is. The degree of confusion is evidenced in the multitude of acronyms floating about - SOX, Sarbox, SOA, SarbOx. We can't agree on what it is, and we won't compromise on what it isn't. At least I don't think so. And the popular press hasn't really said much yet, since they don't know how many acts are out there and pending with all the damn acronyms getting floated about.

I digress.

So here's my thing: looking at the transaction cycle (initiate, authorize, record, process, report), anything west of recording sounds very, very operational. But after the dust settles, and the good, bad and ugly decisions have been committed to, the numbers better get nailed down right and wind their painful way to the financial statements intact.

You want to look at the front end? Great - let's get to COSO's ERM. But for SOX, let's just focus the conversation on the financial aspect of the block, and get the company through the first controls audit intact. I'm as big on process improvement as the next guy, but for God's sake - prioritize a bit.

How does a 105lb woman chew up a 250lb man? One bite at a time. And that's the same way this monster has to get taken down - bite by bite. High level transaction assessment, transaction cycle risk assessment, material financial account assessment... Top down, this should be the peeling of an onion, layer by layer, until we hit the bedrock of IT controls underlying the transactions within the impacted processes.

Ok, it seems easy now that some of the stinging has started to go away, and the welts from version 9.02 have started to fade. But, as a voice of experience, make up your mind early on - and stick to a course.


Monday, September 06, 2004

Building a Team

So now I see the real pain for on-going living with Sarbox: building the permanent team. Not easy, but folks on special assignment are likely starting to miss their old day jobs. To be sure, everyone loves confusing rules, shifting deliverables, and long hours.

I was asking a former Big Four auditor why so few internal candidates have applied to our postings, and points out that most accountants love the numbers (LOVE), but get a sour, pasty taste in their mouth when controls are mentioned. Pavlov, what? Going back to the more-or-less recent past for many of these folks, a control assessment prior to year-end audit meant printing off last year's control assessment and asking the CFO to review for updates. Oh, same control environment this year too (Thank my lucky stars!), great - we'll move into the numbers.

Numbers, lovely numbers. I personally don't get the same kick out of tying out numbers, but then, I find control work pretty stimulating - so I don't have a helluva lot of room to talk. But, given my new insight into the minds of former external auditors, I'm now terribly keen on tracking down process people. Ideally, ex-Internal Auditors, but also basic process folks that have a good head on their shoulders and a bit of business experience under their belt.

Putting those few letters aside for a minute, the real challenges going forward that SOX pros have to meet include:

- Can a team member articulate their justifications, and argue their point?
- Can they maintain their composure when they are getting absolutely pants'd?
- Can they smile and nod when being lectured on the most mundane of issues, knowing that a nugget or two might be hidden in there somewhere?
- Can they eat two helpings of humble pie before noon, and still attend a brown bag session to explore further interpretations of accounting pronouncements?

Schools do a great job on theory and basics of business, and a few years of business experience goes a long way toward strengthening one's professional opinions and developing composure. With the shifting landscape and the near-guarantee of evolution in the months ahead, I believe an agile and curious thinker is sufficiently equipped to get started in this work.

The real benchstrength in an organization will emerge when a team has driven players that work as a team, recognizing that a bit of confusion and mental gymnastics are in the mix on a project like this. The work isn't always easy, and pushing change forward isn't always fun. But I am convinced the experience is well worth the investment - for the individuals and company alike.
