Sarbanes Oxley books forum resources

Tuesday, April 22, 2008

Knowledge Management and Corporate Governance

Knowledge Management (KM) is more than a buzz phrase running through organizations, so if you were hoping this discussion was going to abruptly end, think again.

With so many organizations facing labor shortages as the baby boomers look toward retirement, it becomes not only a staffing but a very practical governance conversation about addressing this talent gap. What would happen if all your senior talent left tomorrow?

I recently received an email from a researcher in Australia interested in the organizational maturity of KM practices, and how this is viewed in association with corporate governance. I would invite you to participate as well (and ask consultants to consider a key client for whom this would be relevant).

Dear Colleagues,

I am Suzanne Zyngier, a Research Fellow at La Trobe University, Australia, and I am conducting questionnaire research into knowledge management (KM) strategies and governance. This questionnaire is unique in investigating the governance of knowledge management, which is defined as the implementation of authority to ensure the realization of benefits of KM strategy development and implementation.

This new research will overview conditions globally. This new research is important because it will enhance our understanding of the issues encountered in governance, development and implementation of KM programs. Practitioners and theoreticians need and want to find better solutions to these issues. This questionnaire comprises 20 questions about KM - some text based and some multiple choice - and a section on background information. The questionnaire takes approximately 15 minutes to complete.

The questionnaire site is secured so that only the researcher will have access to the data. The information collected in this research will be anonymous. You will not be asked your name or your organization's name. Therefore no personal information can be kept. The analysed aggregate findings of this questionnaire will be published in journal articles and presented at conferences. Those who complete the questionnaire, and are interested, can request a summary of the results of the research through a blinded link in the questionnaire. Please click the following link to take you to the questionnaire.

Take the Survey


For all the work that has gone into documenting and monitoring practices for Sarbanes Oxley compliance these last few years, I would hate to see it lost in the turnover with retiring boomers due to weak change management practices.


Thursday, April 17, 2008

Reader Question - Understanding & Evaluating Segregation of Duties

I appreciate when readers share their challenges in applying issues and concepts, as invariably there are an additional dozen people also struggling with this same topic.

One professional writes:

I am new at this and need to understand about SOX and SOD; do you have any other resources? I am looking for Purchase Orders to negotiations for credit terms, to who enters the new vendor and who signs and who does Accounts Payable, all the way through to Fixed Assets. Can you help or recommend a book on SOD or an inexpensive software solution?

This reader had already come across a few past entries (Explaining Segregation of Duties, SOD Part II), and was still struggling with putting the concept into application. An additional entry that is less apparent was on the access management challenges that organizations face when cleaning up business practices - a highly correlated discussion.

My best recommendation for a quick overview and orientation to control practices is to really dig deeply into the COSO Guidance for Smaller Public Companies. (I firmly believe that this should be a required part of the curriculum for business programs today, integrated not only into accountancy and auditing coursework, but also into the fundamental management and entrepreneurship core as well.) In the executive summary, the COSO organization (whose framework is the one most commonly used by SOX-compliant companies) acknowledges that limited resources can make proper segregation a challenge:

Resource constraints may limit the number of employees, sometimes resulting in concerns regarding segregation of duties.

There are, however, actions management can take in order to compensate for potential inadequacy. These include managers reviewing system reports of detailed transactions; selecting transactions for review of supporting documents; overseeing periodic counts of physical inventory, equipment or other assets and comparing them with accounting records; and reviewing reconciliations of account balances or performing them independently. In many small companies managers already are performing these and other procedures supporting reliable reporting, and credit should be taken for their contribution to effective internal control.

I think the challenge in getting one's head around this issue isn't just about ensuring that work has been properly broken across roles to reduce the risk of fraud to the company, but also bumps into larger issues that crop up at most companies. I have observed and wrestled with a number of issues that contribute to the challenges of getting good SOD assessed and in place.

  • Job descriptions never reflect what needs to be done. They are at best a starting point that companies use to describe the general requirements and abilities necessary to fulfilling the role. Since these are rarely comprehensive or exact, little time is put into linking these documented descriptions
  • Access to systems is quick to add, slow to delete. "Old timers" often have far more access than is appropriate for their current job - introducing both fraud risk AND the "easier to do it myself than ask someone else" viewpoint. This adds to the to-do list of those that are likely your most valuable resources for getting things done - and they continue to mess with things they did in past "lives" at the company.
  • Weak or absent desktop procedures make transitioning work difficult. If people don't document what they do, it becomes a very involved process to eventually transition the work. It also makes it harder for an independent person (i.e. manager, new hire) to grasp the nuances and intricacies of the work, so transition time of tasks is delayed.
  • Employees don't think about their tasks as discrete parts of a larger process. This is both the curse and magic that gets revealed when a company expends the effort to either perform a COSO framework assessment or bring their practices up to snuff for SOX compliance. Often, individual workers are seeing their efforts as part of a whole transaction process, and can see the importance of their work relative to the overall company. (I love when AP Clerks discover - and can boast - the critical role of 3-way match in safeguarding a company's assets!)
  • It will never happen here. There are no SOD issues if we haven't discovered embezzlement in the past.
  • "Our employees are all trustworthy and reliable."
  • "Our professionals are all diligent and properly trained."
  • "We expect our professionals to act ethically and only access what is required for their job duties, not everything that is available to them on the network."
  • Most companies manage by crisis and design by accident. Processes grow up organically, a result of many different professionals coming from several different companies and working to blend their views and experiences together in a way that benefits the company.

We don't usually talk about properly segregated activities, and this isn't something that is well explored in the typical undergraduate business programs (maybe accountancy and auditing, rarely in management programs). This makes what should be a very natural design consideration a very foreign topic when folks encounter it for the first time.

So beyond my rant, here are a few resources that I think do help you in sorting out the logic of segregation of duties. I would also invite reader comments where other useful resources have been found. Here are a few things I've found useful:

  • "COSO's Guide for Smaller Public Companies" noted above (executive summary). Note that Volume 2 really gets into some good specific examples on a transaction level as well.
  • "Montgomery's Auditing", a classic guide for internal auditors. In particular, see chapter 11, "Understanding Activity Level Controls" for a good explanation and breakdown of how parts in a transaction should be separately managed, and the role that management oversight and reporting can play in detecting errors or misbehavior after the fact.
  • Borrow or buy an old college Intermediate Accounting text book for some discussion of the topic with examples.
  • Talk with your system administrator or vendor for your financial software, and find out what native "SOD" considerations are built into the access management component of the software. Also, ask them how other clients are evidencing SOD within the system (a great approach if you haven't had to become SOX compliant already, as most software vendors have had to scramble to help their clients assess this within systems already). This should also be a key component in your RFPs when it comes to any financially-related software selection process.
  • A useful Excel layout from John Gregg at UC Davis maps standard duties against roles, referenced as part of a discussion at the SANS Technology Institute website under the title "Separation of Duties in Information Technology."

Whatever your process for coming to understand the current state of affairs in your organization, "begin with the end in mind" and consider not only how you will identify issues, but how you will implement necessary changes and monitor these changes going forward.


Thursday, April 10, 2008

SEC's SOX for Small Business Reference

Dreading your pending SOX initiative? Or the thought of an IPO? Or how you might refine your implementation?

Hopefully, "Sarbanes-Oxley Section 404A Guide for Small Business" from the SEC takes some of the sting out of it. This incorporates much of the thinking and discussion in the last 18 months about "how much is enough" for small business. I also think it gives existing implementations an interesting viewpoint from which to re-assess their current environment.

This is a great primer, with reference to COSO's guidance to small business for a "how to". The SEC site provides a nice level of overview, and I think one that sets an appropriate tone to begin discussions with management.

Most importantly in my mind, the SEC reiterates a number of times that control is very much about having a capable, competent team in place to manage your business.


Wednesday, February 06, 2008

Risk-Based SOX Implementation - Deloitte Gets Succinct on SOX

For so many companies, internal discussions have largely gotten past SOX compliance to a point of business as usual.

What I do appreciate, however, is that good, clear guidance continues to be developed. For those many professionals that have moved on to new challenges, the issue now becomes one of implementing the familiar COSO framework in a new organization.

Deloitte continues to put forth webcasts and whitepapers, the most recent to hit my inbox being "Sarbanes-Oxley Section 404 for Non-Accelerated Filers: Applying a Top-Down, Risk-Based Approach", a white paper just released in January.

High marks for shifting a very clear emphasis to entity controls, but also for helping readers understand what makes for an effective entity-level control:

Certain standards should be met in order to rely on direct and precise entity-level controls: the control must be relevant to the risk (relevance); must operate with enough regularity to enable the timely prevention or detection of misstatements (frequency); must operate at a precise level of detail to adequately address the risk of misstatement (precision); and should be performed by qualified and objective individuals (competence).

My minor complaint on this guidance would be the limited discussion of risk-ranking, which I think is a very key discussion to getting alignment with internal management and key stakeholders. SAS109 sets a very clear expectation for management to understand and be capable of explaining their business in the context of industry - a challenge that many small businesses may not be prepared to address. I think this is a critical discussion from both a financing and competitive positioning view; in a world of rapid acquisition, partnerships that look much like mergers, and reporting requirements that beg very technical considerations of business interactions, the risk-ranking and regular management reporting of exposure is too critical to brush by.

Being able to address business risks and not just financial reporting risks is arguably beyond the scope of an implementation brief, but an important consideration as organizations begin to consider operating under less prescriptive reporting practices. Escalating such discussions, and monitoring accountability for managing risk, remains a management challenge for businesses of all sizes, public, private and non-profit.

That said, at 16 pages this whitepaper is a very reasonable primer to orient management teams, and should prove useful for articulating the importance to those outside the traditional sphere of audit impact.


Wednesday, January 16, 2008

Tides of Change - Retooling of Accounting Standards

The Global Public Policy Symposium IV was recently held in NY, with representation and discussion among the top international auditing firms.

With the ongoing discussion around more principles-based (IFRS) accounting standards versus the more familiar rules-based (GAAP) standards in the US, many are interested in - if not regularly dialed into - the discussion of adoption and the implications of domestic adoption of IFRS.

In the published white paper, "Principles-based Accounting Standards", characteristics of an effective framework are proposed. Of interest will be how well a principles-based framework can hold up in the litigious US, where obscure precedent can often trump reasonable and professional judgment.


Saturday, May 19, 2007

Segregation of Duties - Part II

From Free IT Solutions, a few links to conflicts of interest as described for SAP (but useful in their generic sense regardless of underlying system):

If you have lists you would like to share that are helpful for evaluating segregation of duties, please send them to my attention and I'll be sure to post them for public access. (I would be particularly interested in matrices that map job titles and duties on the vertical and horizontal to plot incompatible duties.)

Best,
Toby Lucich
toby.lucich@insidesarbanesoxley.com
Publisher


Explaining Segregation of Duties

As a controls professional, I'm sensitive to any employee that has too much on their plate, and have to consider whether proper Segregation of Duties is in place. They get burned out. They get tired. They feel rushed. They risk simply going through the motions.

But worst of all, they are at risk of creating justifications for less-than-professional performance. I'm not thinking about just fraud (though this attitude is very much at the heart of embezzlement and other acts of personal gain at the expense of the company), but about the impact to professional levels of service delivery.

When feeling overwhelmed, "what is best or important" gets put aside for addressing "what is urgent." Just looking to one's own personal life provides a rich series of examples where important is sacrificed for urgent - poor eating habits, less/no exercise, lack of sleep - all given up for things that feel urgent at the time, but have limited long-term value. We sometimes get sloppy and lose our focus. Not malicious, just a simple error.

Companies work like this too, and just like our own personal well-being, someone has to stop and evaluate what is important versus what is urgent. In a rush to chase the next big opportunity, get the books closed, or just keep up with the processing of so many transactions, companies lose sight of what is important to keep up with what is urgent.

In this way, a controls or audit function seems to work like a wellness coach for corporate processes and structure, serving as an independent professional to help keep companies mindful of what is important. Segregation of duties, simply defined by U of U, means that no single individual should have control over two or more phases of a transaction or operation. Management should assign responsibilities to ensure a crosscheck of duties. Checks and balances, oversight. While processing business transactions or wrapping things up is urgent, being mindful that we all make careless mistakes is a duty we all have to the companies we support.

A simple challenge question for evaluating segregation of duties is this:
If I make an error in my work, will someone downstream of me detect it before it becomes a major issue for management and shareholders to read about?

By breaking apart tasks (approvals, recording, processing, reconciling results), companies increase the likelihood that they can detect unintentional errors in their results before it's too late.
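One way to turn the challenge question above, and the duty-versus-role matrix idea from the Part II post, into a check you can run against a system's access listing. This is an added example, not code from this blog, COSO, SANS or any software vendor; the purchase-to-pay duties, roles, users and grants are constructed sample data, and the phases are the post's own four (approvals, recording, processing, reconciling).

```python
"""Segregation-of-duties check over a user access listing (added illustration,
not the blog's, COSO's or any vendor's tool). Phases follow the post's breakdown
of a transaction: approvals, recording, processing, reconciling. All sample
data below is constructed."""
from collections import defaultdict
from itertools import combinations

# Purchase-to-pay duties and the transaction phase each one belongs to.
DUTY_PHASE = {
    "create_vendor": "recording",
    "enter_purchase_order": "recording",
    "enter_ap_invoice": "recording",
    "negotiate_credit_terms": "approval",
    "approve_purchase_order": "approval",
    "release_payment": "processing",
    "sign_checks": "processing",
    "reconcile_ap_ledger": "reconciling",
    "reconcile_bank_statement": "reconciling",
}

# What each job is supposed to do (the job-description side).
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "enter_purchase_order", "enter_ap_invoice"},
    "purchasing_manager": {"approve_purchase_order", "negotiate_credit_terms"},
    "treasurer": {"release_payment", "sign_checks"},
    "controller": {"reconcile_ap_ledger", "reconcile_bank_statement"},
}

# What the system actually grants (constructed extract): user -> (role, duties).
# Carol moved from AP clerk to treasurer and kept her old recording access.
ACCESS = {
    "alice": ("ap_clerk", {"create_vendor", "enter_purchase_order", "enter_ap_invoice"}),
    "bob": ("purchasing_manager", {"approve_purchase_order", "negotiate_credit_terms"}),
    "carol": ("treasurer", {"create_vendor", "enter_ap_invoice", "release_payment"}),
    "dave": ("controller", {"reconcile_bank_statement", "sign_checks"}),
}

def conflicts(access, duty_phase=DUTY_PHASE):
    """Pairs of granted duties per user that span two phases of the cycle.
    Two duties in the same phase (e.g. two recording tasks) are not flagged."""
    found = defaultdict(list)
    for user, (_role, duties) in access.items():
        for a, b in combinations(sorted(duties), 2):
            if duty_phase[a] != duty_phase[b]:
                found[user].append((a, b))
    return dict(found)

def excess_access(access, role_duties=ROLE_DUTIES):
    """Duties granted beyond the user's current role: the 'quick to add,
    slow to delete' problem. Users whose access matches the job are omitted."""
    return {user: duties - role_duties[role]
            for user, (role, duties) in access.items()
            if duties - role_duties[role]}

if __name__ == "__main__":
    for user, pairs in conflicts(ACCESS).items():
        print(f"{user}: {len(pairs)} cross-phase conflict(s): {pairs}")
    for user, extra in excess_access(ACCESS).items():
        print(f"{user}: access beyond role -> {sorted(extra)}")
```

A real run would feed the granted-duties side from the financial system's access report rather than a hand-typed dictionary; the conflict list is what a compensating manager review (the COSO language quoted above) then has to cover.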


Wednesday, May 16, 2007

Where do You find Talent? New Inside Sarbanes Oxley Job Board

One of the things that I've not been quite satisfied with has been our jobs board these last few, uh, years. Originally new jobs were posted via the discussion board, and many folks had a hard time navigating the security to get jobs loaded up. A true discussion killer.

We've now rebuilt the Inside Sarbanes Oxley Jobs Board page using some very new tools and are offering an introductory rate on your job postings of $29 for 30 days - less than a dollar a day to get your jobs posted. (Short of going into full car-salesman mode, suffice it to say that I hope this fills a niche in your recruiting strategy.)

I hope this is a value-added feature for professionals seeking talent, and welcome feedback on this tool and the quality of the candidates you see through this jobs board.

Best,

Toby Lucich
Publisher, Inside Sarbanes Oxley
