
Sarbox: Setting a Better Organization in Motion
October 28, 2005
By Sean Chou
It's time to take Sarbanes-Oxley compliance
to the next level for competitive advantage.
In his first law of motion, Sir Isaac
Newton stated that, “Every
object in a state of uniform motion tends to remain in that
state of motion unless an external force is applied to it.”
While this law was intended to explain
actions in the physical universe, it could easily apply to
the corporate universe as
well — particularly when it comes to Sarbanes-Oxley (a.k.a.
SOX or Sarbox). This legislation, which recently went into
effect for most organizations, is intended to increase confidence
and assurance regarding the operations of large, public companies.
Although Sarbox is broad and implementation-agnostic, many
of the strategies that will meet its requirements can be drawn
from best practices that will also improve the overall operations
of the organization.
Yet like the proverbial Newtonian object
flying through space, many of these same organizations would,
given a choice, allow
momentum to dictate their direction rather than expend the
energy necessary to change course — even if on a collision
course with a much larger object. As a result, many organizations
are doing the minimum required for Sarbox compliance. They're
creating additional layers of bureaucracy and approvals “for
audit purposes.” The results are entirely predictable:
increased costs, more inefficiencies and frustrated employees.
These haphazard, reactionary compliance strategies not only
cause stress, they may cause the organization to miss a tremendous
growth opportunity that could create a real competitive advantage.
Instead of complying reluctantly, smart organizations will
take this opportunity to re-evaluate their processes and make
changes, including the occasional wide-sweeping and fundamental,
sometimes painful, ones that improve business operations. They'll
use Sarbox as a means to streamline their processes and auditing
procedures through workflow automation, with compliance a natural
byproduct.
Still, that's not quite an “apple hitting you on the
head” revelation. Truly enlightened organizations will
take it even further by embedding their auditing procedures
right within those automated processes. With embedded auditing,
the mere act of performing an action provides instant accountability
and transparency. Auditing, therefore, becomes not an afterthought,
dependent on the good intentions of the person performing an
act, but an integral part of the act itself. Having an automatically
generated, real-time audit trail not only makes it easier to
assure Sarbox compliance, but also creates a body of metrics
that could lead to additional process improvements, lowered
costs and, ultimately, a better-run business. That's the kind
of momentum you do want to gain.
How Technology Assures Compliance
To understand how embedding monitoring in the process assures
compliance, think about an amusement park that receives a mandate
from corporate to report its visitor count on a daily basis.
Since the park managers feel the day's ticket count is sufficient,
they are resistant to the new auditing requirements. The fastest,
easiest thing for them to do to meet the mandate is to station
people at each entrance turnstile to count each visitor as
he or she enters. This brute force approach is an example of
a manual and parallel auditing process. It certainly meets
the goal of counting actual visitors, but it has some serious
flaws.
There's the expense of the people,
of course. There's also a great likelihood of human error,
particularly because the
task is more repetitive. If the count is below expectations
and people are worried about their jobs, they may “fudge” the
numbers to line up with goals. To add insult to injury, someone
(or several people) in the office will have to take those manually
generated figures and sum them at the end of the day.
This brute force solution captures
the essence of how many organizations are approaching their
compliance requirements.
They are placing people, and often highly compensated ones
at that, with fancy “counters” at the start of
their business processes. Sometimes they may randomly scatter
them through the “park” and at the exit as well.
This approach meets the minimum set of standards required to
keep the executives out of jail and comply with the mandate,
but it really becomes more of a burden than a help to running
the business.
Revisionist History
One of the biggest problems with manual monitoring is that
it is only as good as the people doing the reporting. In many
of the recent scandals that caused Sarbox legislation to originally
be introduced, there were records. They just weren't the records
of actual events. Instead, at best, they had a loose relationship
to real events, and at worst an anti-relationship to cover
up improprieties. This prompts the question: Who watches the
watchers?
Embedding monitoring in the processes through technology eliminates
the chance of this revisionist history coming into play. Records
are generated automatically as a result of performing the action,
and reflect exactly what occurs. Once the records have been
completed, they cannot be changed through normal means.
Think again about our amusement park. Instead
of placing manual counters at the turnstiles, what if the turnstiles
themselves
did the counting and were connected electronically to a central
aggregator? You would eliminate the cost of the people doing
the counting, as well as the cost to manually tabulate the
results at the end of the day. You would also improve the accuracy
of the data, since electronic turnstiles don't get bored, don't
fight with their spouses before coming to work and don't leave
their posts for a lunch or washroom break.
You've now done a
much better job of meeting the corporate mandate and considerably
reduced the cost of compliance over
the long term. But you still haven't truly leveraged the
opportunity for change.
A Force for Acceleration
Newton's second law talks about the relationship between force,
mass and acceleration. Likewise, the real benefit to be gained
from Sarbox compliance is the way it accelerates your ability
to use data in new and more interesting ways.
Instead of merely counting people as they come in, what if
the electronic turnstiles were hooked into a centralized database?
They'd be able to perform real-time trend analysis and monitor
anomalies in traffic patterns so the park could better understand
its customers. They could provide special benefits and incentives
based on the projected visitor count. They could alert park
management to an imbalance in the number of visitors passing
through each gate so they'd know whether to alter parking lot
availability to cut down on long lines. They could be tied
to past data so park management would know whether they have
enough employees in the park to handle the crowd.
In this scenario, technology plays
a key role in eliminating a highly manual and painful parallel
monitoring process. The
monitoring occurs as part of a natural process to the business — that
of getting paying customers into the park. And best of all,
the requirement to count visitors has become a secondary benefit
to the installation of a better business analysis tool.
Making Compliance an Automatic
Earlier we talked about employees changing a manual count
to assure they meet their objectives. Making monitoring a part
of the process solves that concern. If the turnstiles are hooked
directly to the central database, there is no opportunity for
the count to be changed before it is entered, either accidentally
or through a conscious effort. The data is more reliable and,
therefore, far more useful, both for Sarbox purposes and business
analytics.
Closing Time Blues
Closing the books, whether it's for the month, the quarter
or the year, is the mother of all processes designed to monitor
processes. It's generally a traumatic time, filled with great
pressure and angst. A hard stop for activities is agreed to,
and then the organization starts working backward to verify
what it believes has happened since the last close.
The trouble is that many organizations are still stuck on
the idea that auditing is something that happens after the
fact. Technology changes that equation, in effect creating
a real-time audit as each activity happens. Because it provides
full visibility and tracking, it allows you to immediately
know everything about everything at any time you choose. You
simply run the proper report and all the documentation is there.
Make Watching Part of Doing
Sarbox provides an incentive to drive
real change throughout the organization by breaking the inertia
of “we've always
done it this way.” By embracing rather than merely “complying” with
Sarbox, organizations of all sizes will reap rewards that extend
far beyond meeting the conditions required by the law.
Part of that reward is taking the opportunity not merely to
change processes but to automate them. Embedding monitoring
into the process through technology eliminates the possibility
of a breakdown, assuring compliance while making process improvement
both practical and sustainable. No one will need to watch the
watchers. The technology will do it for you.
About the Author: Sean Chou is chief technical officer of
Fieldglass where he oversees all technical aspects of the company's
software, which is designed to help organizations procure and
manage all their outsourced services. He can be reached at
schou@fieldglass.com.