|
As dumb luck would have it: A colleague recently shared a paper from Compliance Week (Oct 12, 2004), noting that 51% of disclosures in recent months were due to problematic financial systems. Other big issues showing up as significant deficiencies/ material weaknesses: - Personnel Issues: segregation of duties, inadequate staffing/training, supervision issues- Tone at the Top (following instances of restatement)- Poorly documented accounting practices An interesting read. For small businesses, I could see some of these issues. I've worked in immature organizations that are still trying to find their public legs. I can see where SoD comes up in small companies, and that training can be a challenge when you're running lean and everyone must focus on operations. But these are often multi-billion dollar companies. Not start-ups, but organizations with thousands of employees, of a size and market value that the investing public expects solid business practices to be applied at the helm. What a sad state of affairs into which corporate financial practices have fallen. Coming from the operational side of the business, I find it astounding that so few departments have strong, repeatable, documented processes. It seems that many large businesses move on momentum: ask any serial entrepreneur what has resale value, and they will tell you - repeatable processes. In conversation after conversation, the single biggest risk in my mind is that people are too busy chasing the little things to ever get ahead. Some of the brightest people I've encountered are also the busiest, far too busy to every teach anyone what they are doing, and therefore always shoulder to the grindstone. (Not the formula that I would expect to be applied in organizations trying to build capability - and by extension - shareholder wealth.) Not that everyone is in danger of getting hit by the proverbial bus, but expert-specific risk is a very real exposure. Health-risks, burnout, separation, and -yes- getting hit by a bus all put the business at risk. We recruit these experts to build our organizations, but fail to capture that expertise in more than a transactional way. Task :: Completion. Problem :: Solution. This is not creating corporate capability - this is perpetuating a very real, unhealthy dependency. SOX should simply be affirming what we already know to be true about building strong companies: you are what you measure. If you want to be successful, measure the elements that define success. Documenting practices, organizations are now forced to explain the process of expert knowledge in action. Maybe SOX is driving some much-needed-but-never-scheduled reflection on what makes a company healthy. A thought worthy of some personal reflection. Sounds like a set up for a bad joke, something about herding cats. The truth of the matter is, your business owners are probably doing more by way of informal control than you give them credit for. As controls professionals, we often look for that element of evidence or review that sits off to the side of a process in a folder that is loaded with printed reports, tick marks, and initials. The classic notion of auditing these evidential binders is misaligned when it comes to the design of effective operational controls. In my work with process owners, I continue to find that experienced people typically require more comfort from a process or calculation than the uninitiated. Though I see Excel (and Access, and assorted query tools) used across our business, I often find a number of reconciliations occurring after the fact:
The ideal that I think we are all seeking are controls that are transparent to the operator because they are embedded in their process. This is how good controls work - they offer assurance to the operator, not just as evidential matter for later reviewers. [here is the last template tonight. this was developed based on a review of PwC's whitepaper, "The Use of Spreadsheets: Considerations for Section 404 of Sarbanes Oxley" dated July 2004. Aside from a brief foray into some sample-of-one control walk-throughs, the past year has been all about scoping, agreement, disagreement, redeployment of resources, redirection, and documentation of the control environment. (I've probably just described the project plan at most Fortune 1000 companies - but I wouldn't map against it as best practice.) Q3 deliverables were provided on time, and all was well in the land. Fits and starts - I have found this to be the norm for most projects that are of a unique flavor. I remember the challenges to doing re-engineering in healthcare, where the projects were unlike anything the organization had experienced before in terms of breadth, resources consumed, and impacted lives of professionals in the work community. So many interested parties, so many expectations, never enough deliverables to go around (and never fast enough, either). The upside in this project has been that, though the steps toward the goal have felt elusive, the larger team has consistently been working toward the same objective. This has been a pleasant organizational discovery, driven largely by the fact that you can't get over this hurdle by yourself - the whole company has to pass, or your efforts were wasted. Hmm - teamwork? Speaking of: nothing makes a stronger team than a significant challenge under a tight timeline. This is an exceptional opportunity to meld and weld together working relationships in a way that month-in, day-to-day work never will. If your team isn't getting comfortable leaning on each other, you should really reconsider the players on the bus. If you've been looking for value in all this work - this may be the riches part of it. With luck, the documentation phase will officially be over (read: complete for now), and efforts can turn to remediation, education, and getting testing into a rhythm. The last year has flown by, and it seems like little progress has been made. I'm hoping for better traction in the weeks ahead. Note: I notice that few professionals read as much emerging and supplemental literature as you would expect (or at least as much as I expected), which in no small way explains the recycling of rehashed and tired ideas. By default then, "the way we did it at Xxxx" remains the often-herald best practice. Go-forward, I will try and provide links to references on my shelf that are making a difference in how I look at business issues and weigh alternative paths. Hope it helps.
|
subscribe
to this feed
through my yahoo! 
August 2004 September 2004 October 2004 November 2004 December 2004 April 2005 May 2005 June 2005 September 2005 October 2005 November 2005 December 2005 February 2006 May 2006 September 2006 October 2006 November 2006 December 2006 February 2007 March 2007
|
||
|
|||
