
Embracing Sarbanes-Oxley as an Opportunity to Streamline Business Processes


By Suresh Ramaswamy
VP of BPM Strategy
Verity

Sarbanes-Oxley. These two oddly paired words strike fear in boardrooms of public companies across the country. Regarded by many as the most significant change to U.S. securities law since the New Deal in the 1930s, the Sarbanes-Oxley Act of 2002 provides much-needed financial reform to help prevent future Enron-style scandals.

While this is certainly a worthy cause, corporate efforts to achieve compliance have proved more challenging and costly than originally expected.

One key provision that has proved to be particularly troublesome for public companies is Section 404. An oft-cited section, Sarbanes-Oxley Section 404 spells out the requirements for internal control activities and processes that govern the creation of financial reports.

This might sound nebulous at first read, but it essentially says that a company needs to know with a high level of confidence everything that underlies the information published in financial reports. And of course, all reporting of this information has to be auditable.

Admittedly, this is a tall order. As a result, Forrester Research has reported that many organizations turned to outside consultants and hastily created manual solutions to meet the 2004 compliance deadline (The Forrester Wave: Sarbanes-Oxley Compliance Software, Q1 2005, April 2005).

Unfortunately, these same companies are finding that this tactic is an expensive proposition for the long term, as Section 404 requires regular reporting on an annual basis. In response, organizations are now looking for a more suitable, cost-effective and sustainable strategy.

Automation to the Rescue
One solution that is receiving a lot of attention is business process management (BPM) software. This is not too surprising, given BPM's penchant for bringing order and efficiency to an organization's pesky, yet invaluable, business processes.

By its very nature, BPM provides the enforceable controls, reporting and audit trails required by Section 404. Plus, its efficiency gains deliver a rapid return on investment, which makes it an extremely viable and economical compliance solution.

The interest in BPM was confirmed by an August 2005 survey commissioned by PricewaterhouseCoopers, which found that financial executives are placing a priority on automating compliance and control environments in this second year of SOX compliance.

Automation certainly makes sense from a financial and functional point of view, given the high number of processes that require controls, monitoring and reporting. However, according to the same survey, automation is having an additional effect: it's enabling companies to better understand their business and manage risk.

SOX as an Opportunity for Change
Given the valuable business insights that can be gained, it makes sense to view SOX compliance not as an obstacle to overcome, but as a unique opportunity to streamline business processes for maximum efficiency and competitive advantage. This is an important distinction, as a singular focus on merely achieving SOX compliance is a shortsighted approach.

A company would be better served by asking how it would go about achieving corporate performance measurement and financial data accuracy without SOX as the driver. The answer to this question will help an organization shed light on its own path and regain control of its Sarbanes-Oxley destiny.

BPM plays well into this strategy, as its benefits go beyond mere SOX compliance. By providing an unprecedented level of automation and control, BPM solutions can transform many elements of SOX compliance into a natural outcome of doing business. As a result, businesses are making a valuable investment in improving business processes.

Put simply, business process management is the design, execution and optimization of automated processes: everything from line-of-business processes, such as work orders, customer interactions, payroll processing, order processing and regulatory compliance initiatives, to core mission-critical processes, such as payment remittance, billing, product development and logistics.

On their own, business process management solutions offer an effective way for companies to automate tedious, time-consuming and costly manual processes. The end result is improved efficiency, accelerated revenue cycles, increased profits and enforceable compliance.

An effective BPM solution will enable an organization to achieve a substantial return on investment, while simultaneously achieving compliance with SOX Section 404 mandates.

BPM as a Platform for SOX Compliance
In addition to its streamlining capabilities, a comprehensive, robust and integrated BPM solution can easily serve as a platform for the automated element of SOX compliance. This is a unique capability that differentiates it from other ERP, enterprise content management and SOX-specific solutions.

Unlike content management systems, which only touch a small amount of content and processes, BPM technology can be deployed across the entire enterprise. This cross-enterprise deployment capability enables process controls across all levels of the organization.

In doing so, you know that important steps are not being skipped. Every process is forced to follow the same set of rules, so there is no risk of individuals diverging from corporate policies and procedures.

Using BPM as an enterprise-wide platform for SOX compliance requires that the chosen solution have excellent usability. Everyone who contributes to a process will need to interact with the solution, thus it's important that the BPM solution have an intuitive, easy-to-use interface.

The idea is to make compliance easy and not a divergence from traditional processes. BPM solutions should accommodate this requirement by providing advanced process modeling technology to replicate existing processes in a digital format.

In many situations where paper is integral to a process, the BPM solution should allow seamless integration between paper and the automated process.

In addition to offering superior usability, the right BPM solution will also leverage open standards to easily integrate with existing applications, such as ERP, HR, content management systems and external databases.

In this same report, Forrester Research gives excellent advice to companies evaluating SOX compliance automation solutions. It recommends that companies take the following actions in the decision process:

• Give preference to vendors that support existing IT infrastructures

• Make usability a high priority to drive extended adoption

• Be sure to know what is included and what is optional

BPM Capabilities that Support SOX Compliance
In regards to what's included and what's optional, you'll definitely want to make sure that the BPM solution employed features the right mix of capabilities to ensure SOX compliance. The following are some of the non-negotiable features to look for:

• Documents and enforces business rules and internal controls for business processes across multiple lines of businesses and applications.

• Develops a complete audit trail for corporate processes so auditors can immediately retrieve any transaction, see its routing and approval path, and review supporting documents and data.

• Real-time monitoring of business processes and system-wide reporting capabilities to provide visibility into business processes and enable you to identify potential weaknesses or deficiencies in process controls.

• Provides real-time visibility into your content at every stage of the business process. This can be accomplished via integration with an enterprise search tool that allows you to extract critical information about a business process lifecycle at any instant.

• Offers flexibility to address changing regulatory requirements, other compliance initiatives and business process management needs.

• Features a highly scalable, fault-tolerant, open architecture that allows you to accommodate the growth of people, processes and information across your enterprise and bridge the gaps between departments and lines of business.

• Supports LDAP, single sign-on and digital signatures to meet SOX guidelines for non-repudiation.

• Offers a secure, client-server environment to improve security and privacy of transactions to meet SOX requirements for acceptable data security.

BPM's Advantages for Improving Business Performance
Helping achieve SOX compliance is a wonderful thing, but the beauty of BPM is that it does so much more. With the ability to streamline processes and deliver a quick return on investment, BPM supports the recommended approach of finding a solution that ensures SOX compliance as a natural byproduct of doing business.

By using the feature criteria above to select your BPM solution, you can also look forward to receiving the following business performance improvements:

• Identify and Improve Inefficient Processes: BPM provides unique insight into your organization so that you can quickly find and correct bottlenecks, weaknesses and other inefficiencies.

• Accelerate Business Cycles: By choosing a solution with integrated, in-process enterprise search, employees can easily search for time-sensitive information, identify key trends and alert appropriate personnel. The end result is the ability to make confident decisions earlier in a process.

• Gain Higher Profits: See opportunity and problems in advance to effect changes in manufacturing capacity, inventory availability, duplicate change orders, etc.

• Increase Productivity: Intelligent features, such as database auto-fill profile fields, automatic routing and line-of-business connectivity, allow employees to spend more time on revenue-generating activities.

• Reduce Costs: Automated business rules in corporate forms can eliminate redundant and costly administrative tasks.

• Gain Competitive Advantage: Keep your workforce connected to the information, resources and processes they need to make the right decision in real-time.

Implementing BPM Has Never Been Easier
When you start thinking about the vast number of business processes used throughout your organization, the idea of implementing a BPM solution to move them online may seem rather daunting. Like most things, the key is to break the migration down into stages.

BPM allows you to incrementally move your processes online. If you have 300 processes, start with five non-critical ones. Once you've gotten them in place, move on to 50 more, and so on. The right solution will feature intuitive controls to make this a relatively effortless process.

In regards to achieving Section 404 compliance, it's important to identify the meta-processes that are associated with SOX. This begins with the CFO creating a risk matrix to determine the areas of highest risk. The next step involves implementing the proper controls to provide assurances that you've backed up your assertions and you're ready for an audit. BPM allows you to accomplish this critical step.

Once you decide what processes need to be compliant, you can use BPM's modeling capabilities to create the processes. BPM's modeling tools should provide endless flexibility for creating online processes that effectively mirror your actual processes. Ideally, the modeling tools should feature a visual design environment for drag-and-drop simplicity.

By bringing processes online, you can now take advantage of integration with third-party systems. The right BPM solution will talk to existing enterprise applications, databases and line-of-business systems. The end result is that manual reference checks can now be automated, thereby saving time, money and resources.

A BPM-Enabled SOX Compliance Scenario
By now, you should have a good conceptual idea of how BPM can help enable SOX compliance, but it's also helpful to understand how it applies to a real-world scenario. Verity has a unique understanding of the benefits that BPM can offer in this regard, as we have helped thousands of organizations streamline their business processes over the past ten years.

Verity's core BPM product, LiquidOffice, provides the precise functionality to serve as a powerful platform for enforcing internal controls and streamlining processes.

In addressing SOX compliance, the Verity LiquidOffice platform provides the requisite internal controls by creating disciplined processes with checkpoints and audits to help ensure the reliability of an organization's financial statements.

In short, LiquidOffice ensures that established processes and business rules are rigorously and consistently followed with a clear audit trail for accountability. The most sensitive areas requiring control include:

• Initiating, processing, reporting of account balances

• Prevention, deterrence, and detection of fraud

• IT infrastructure including security

In one real-world usage scenario, a customer uses Verity LiquidOffice to manage secure access to sensitive data, an important element of Section 404 compliance. More specifically, LiquidOffice is utilized as part of a change and configuration management initiative to institute formal processes for all security-related changes.

With LiquidOffice, every time a request is initiated for increased access privileges, a well-defined authorization approval process is launched.

This process considers the rules around the target system and orchestrates the process of getting approvals from the appropriate set of authorities before granting access privileges to the originator and sending out notifications.

All of this data, including who requested access privileges to which system and who authorized it when, is recorded for audit purposes, providing a high degree of confidence to the executives about the security of the underlying information systems that govern their business.

LiquidOffice even goes a step further than other BPM solutions by offering a variety of unique and extremely valuable features, including accommodation of paper processes, dynamic process modeling, integrated enterprise search, and unparalleled integration capabilities.

For example, with LiquidOffice, organizations can integrate their paper processes into an auditable, online process. Once integrated, information from all organizational processes, whether initiated on paper or online, can be searched in real-time, thereby resulting in better decisions, increasing employee productivity and delivering more effective customer service.

Conclusion
For publicly-traded organizations and those that do business with them, Sarbanes-Oxley is an everyday reality. However, with the right approach, organizations can turn SOX compliance into an opportunity to streamline and improve their business processes.

By implementing a BPM solution with the right capabilities, organizations can evaluate their existing processes and implement new ones to overcome any inefficiencies or weaknesses. Taking a lot of effort out of the compliance picture, the right BPM solution can serve as a platform for the automated element of SOX compliance.

Specifically, solutions like Verity LiquidOffice can help organizations meet Sarbanes-Oxley Section 404 compliance requirements by creating clear and comprehensive audit trails to sales orders, expense reports, legal agreements, purchase orders or any content-driven process that could affect a company's balance sheet.

In doing so, auditors can immediately track transactions, see their routing and approval path, and review supporting information at every step.

In addition, with process content indexing features like those available in LiquidOffice, companies and audit teams can search all in-process and completed transactions for potential irregularities or patterns that require further investigation. Digital signature support is also a critical element in any BPM solution, as it helps enforce Sarbanes-Oxley guidelines for non-repudiation.

With greater visibility and transparency, solutions like LiquidOffice can help assure auditors, shareholders and regulatory agencies that proper controls are in place to document and follow processes. In short, BPM takes the sting out of Section 404 compliance by making it a natural outcome of doing business.



Suresh Ramaswamy
VP of BPM Strategy
Verity
Suresh Ramaswamy is the Vice President of BPM Strategy at Verity, Inc., where his role is to drive the strategy for Verity's offerings in the business process management (BPM) space. Suresh joined Verity with its acquisition of Dralasoft in December 2004.

Suresh was previously president and founder of Dralasoft, with the vision of making business process management technology accessible and ubiquitous. Previously, he was an Enterprise IT Architect at Qwest Communications and US WEST developing architectures for use of distributed object technologies to build enterprise class n-tier applications.

Prior to Qwest, he designed computer-aided design (CAD) applications at Mentor Graphics for six years. He has published papers in the Journal of Object-Oriented Programming (JOOP), Java Report, and Java Developer's Journal and holds a software patent in computer-aided design.





© 2019 Simplex Knowledge Company. All Rights Reserved.