Sarbanes Oxley books forum resources
Home    |   News blog    |   Books   |   Discussion   |   Jobs

Friday, November 18, 2005

SOX: Sunk Cost or Capital Investment toward a BPM Effort?

The cost of your SOX documentation has likely already been accounted for, and if you are like most organizations, you’ve already decided how you will address the ongoing maintenance and testing requirements that are now part of the publicly traded landscape.

One of the considerations that has been getting some discussion is how value can be built on top of the analytical work and assessment that SOX required. If you have ever undergone a business process improvement project or have a business process management function (BPM) that facilitates change in your organization, you are probably aware of the costs surrounding the “how do things work today” assessment. SOX documentation should give you a head start.

Should – this is the critical watchword, and the notion comes with caveats. If you’ve ever had to deliver a speech someone else wrote, or inherited a process from someone else, you are familiar with the orientation challenges of recycling the work of others. Most documentation has a slant to it: the original author was typically writing for an explicit purpose, and that purpose is probably different from yours.

The SOX documentation floating about your organization should provide a very concise orientation to the critical transactions that end up on your financial statements – this was the driving purpose of the thousands of hours of documentation that preceded the flurry of testing. The intent of this documentation is to give an external auditor who isn’t necessarily familiar with your process an adequate overview of how a transaction moves from initiation through the process and ultimately to the financials.

SOX documentation is very risk and control centric: the point is to demonstrate that investors can rely on the financial results because a series of key activities (controls) are being regularly executed that ensure the accuracy of the financial results. While it contains flow and systems details in varying depth, these are represented to help a reader understand effectiveness of the controls – not efficiency.

“Effectiveness” is the SOX objective, at whatever cost to efficiencies in the process. And therein lies the opportunity: an objective review of your controls will tell you what is being done efficiently (automated controls, or controls embedded in the process itself) and what is only being done effectively (manual reviews of printouts and signoffs that happen offline to ensure proper authorization). Business Finance published a recent article on the value that can be realized through BPM efforts, which might be useful as you make your case to senior management.

In considering a BPM technology initiative, your SOX documentation should provide a few useful data points to get you started. It is reasonable to expect:

  • An overview of the transactions from initiation to reporting
  • Identification of the workgroups involved (assuming that swim lane diagrams or narrative descriptions have been oriented this way)
  • A clear picture of the manual and automated activities currently relied on to gain comfort that transactional data is being captured and processed appropriately
  • Walkthrough and testing documentation that reflects the nuances of the control operation, including the use of the applications, spreadsheets, and other information necessary to evaluate whether the transaction is being processed correctly
  • Business owners painfully aware of the extra work that has been layered on them to meet the law (effective), but that is hampering their day-to-day work (efficiency)

You will not likely find:

  • Specific identification of process bottlenecks in the flow from initiation to reporting
  • A well-crafted list of grievances resulting from new manual processes slammed into place to meet regulatory guidelines
  • System development roadmaps that consider SOX requirements alongside the demands of operations

The pain point exists, and the timing is excellent for companies deep in Year 2 of their efforts, where considerations of efficiency are now being put back on the table. Tapping into the vast knowledge store required for SOX is an excellent way to turn sunk documentation costs into a base of investment for business transformations.


Wednesday, November 16, 2005

General Computer Controls - Access Management Woes

Thick in the world of SOX, it seems that many organizations are having a hard time getting the IT and business sides of the organization to pull together. One such area that has been a particular challenge for me has been Access Management.

As a key consideration for General Computer Controls (see isaca.org and details regarding use of the COBIT standard to address SOX issues), Access Management means that you restrict the types of access that persons have to your systems. This applies equally to those persons in the business and in IT supporting or developing the applications.

One of the greatest challenges I'm seeing and hearing is that system access privileges reflect where you've been, not what you now do. If you have folks who have moved around the organization, it is quite likely that they have retained their access to a number of applications or networked folders that reflect their past work. Hmm. Not a good thing when you begin your efforts to identify adequate Segregation of Duties.

A few considerations to help clean this up:

- Make role definition a priority. This means that, for each functional area, a specific project should be assigned that requires managers to determine what their team needs (and doesn't need) in terms of access. If an entitlement is not on the list, it needs to be approved by exception by both the person's manager AND the targeted system owner. Clear role definition not only makes it easier for managers to review access at future dates, it makes it easier to adjust as your staff changes.

- Get HR Involved. No one gets hired, fired, or transferred without HR ensuring that payroll details and benefits considerations get updated. A well-run HR process can ensure that, before a new person is put into a vacated role, all rights held by the previous occupant have been closed out. You are likely thinking "that's not how our process works" - which is probably right. What you need to ensure, though, is that changes in the roster are reflected properly in the IT access environment. If you have managers who want to fill vacancies or get an internal candidate into a job, now is the time to task them with cleaning up the access details - while they have a clear motivation for knocking out the work.

- Make Managers Accountable. The best laid plans... go up in smoke without clear accountability. Your management structure should reflect a proper span of control, such that every manager knows what their team needs to do their jobs effectively. Make these managers accountable for proper access by pushing out periodic reports (e.g. quarterly) and having them validate that their teams' access is appropriate.

Any effort around IT access really needs to cover two distinct aspects: cleaning up existing access (the data), and then building a process that ensures things don't drift off track in the future. Clear processes coupled with a proper level of accountability provide assurance that practices stay on track long after the pain of the cleanup has been completed.
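To make the three considerations above concrete, here is a small reconciliation script, added here as an illustration and not code from the original post or from any product. It takes an HR roster, a set of role definitions signed off by managers, a list of approved exceptions (which must carry both the manager's and the system owner's approval), a segregation-of-duties rule, and a snapshot of what the systems actually grant, and it produces the findings a quarterly manager report would need: accounts with no HR record, inactive people who still have access, access outside the defined role without both approvals, and SoD conflicts. All data is constructed, and the role names, system names and entitlement strings are hypothetical.

```python
"""Quarterly access reconciliation: HR roster vs. system entitlements.

Added illustration for the access-management post; not code from the original
page. All data below is constructed; roles, systems and entitlement strings
are hypothetical.
"""
from collections import defaultdict

# Constructed HR roster: who is active, what role they hold now, who reviews them.
ROSTER = {
    "e100": {"name": "Ana", "role": "AP_CLERK", "status": "active", "manager": "m1"},
    "e101": {"name": "Ben", "role": "AP_SUPERVISOR", "status": "active", "manager": "m1"},
    "e102": {"name": "Cai", "role": "GL_ACCOUNTANT", "status": "active", "manager": "m2"},
    "e103": {"name": "Dee", "role": "AP_CLERK", "status": "terminated", "manager": "m1"},
}

# Role definitions: the "what their team needs" list each manager signed off on.
ROLE_BASELINE = {
    "AP_CLERK": {"AP:enter_invoice", "AP:create_vendor"},
    "AP_SUPERVISOR": {"AP:approve_payment", "AP:view_invoice"},
    "GL_ACCOUNTANT": {"GL:post_journal", "GL:view_ledger"},
}

# Access outside a role needs approval from BOTH the person's manager and the system owner.
EXCEPTIONS = {
    ("e102", "AP:view_invoice"): {"manager", "system_owner"},  # fully approved
    ("e101", "AP:create_vendor"): {"manager"},                  # only one signature
}

# Entitlement pairs one person must not hold together (segregation of duties).
SOD_CONFLICTS = [("AP:create_vendor", "AP:approve_payment")]

# What the systems actually grant today (constructed; reflects "where you've been").
ENTITLEMENTS = {
    "e100": {"AP:enter_invoice", "AP:create_vendor"},
    "e101": {"AP:approve_payment", "AP:view_invoice", "AP:create_vendor"},  # kept clerk rights after promotion
    "e102": {"GL:post_journal", "GL:view_ledger", "AP:view_invoice"},
    "e103": {"AP:enter_invoice"},                                           # left the company, account still live
    "e999": {"GL:post_journal"},                                            # no HR record at all
}

REQUIRED_APPROVALS = {"manager", "system_owner"}


def review_access(roster, baseline, exceptions, sod_conflicts, entitlements):
    """Return a list of (employee_id, finding, detail) tuples for the reviewers."""
    findings = []
    for emp, granted in sorted(entitlements.items()):
        person = roster.get(emp)
        if person is None:
            findings.append((emp, "no_hr_record", sorted(granted)))
            continue
        if person["status"] != "active":
            findings.append((emp, "inactive_user_has_access", sorted(granted)))
            continue
        allowed = baseline.get(person["role"], set())
        for ent in sorted(granted - allowed):
            approvals = exceptions.get((emp, ent), set())
            if REQUIRED_APPROVALS <= approvals:
                continue  # properly approved exception, nothing to flag
            missing = sorted(REQUIRED_APPROVALS - approvals)
            findings.append((emp, "access_outside_role",
                             {"entitlement": ent, "missing_approvals": missing}))
        for a, b in sod_conflicts:
            if a in granted and b in granted:
                findings.append((emp, "sod_conflict", [a, b]))
    return findings


def report_by_manager(findings, roster):
    """Group findings by the accountable manager; accounts with no HR record go to 'unassigned'."""
    report = defaultdict(list)
    for emp, finding, detail in findings:
        manager = roster.get(emp, {}).get("manager", "unassigned")
        report[manager].append((emp, finding, detail))
    return dict(report)


if __name__ == "__main__":
    results = review_access(ROSTER, ROLE_BASELINE, EXCEPTIONS, SOD_CONFLICTS, ENTITLEMENTS)
    for manager, items in sorted(report_by_manager(results, ROSTER).items()):
        print(f"Manager {manager}:")
        for emp, finding, detail in items:
            print(f"  {emp}: {finding} -> {detail}")
```

On the constructed data the script flags the promoted supervisor twice (retained clerk rights with only a manager signature, plus a create-vendor/approve-payment SoD conflict), the terminated clerk whose account is still live, and an account HR has never heard of; the GL accountant's cross-system read access is skipped because both approvals are on file. In practice the roster would come from the HR system of record and the entitlement snapshot from each application's export, and the per-manager grouping is what gets pushed out for the quarterly attestation.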
