
Leveraging Compliance Management into Performance Management


Reducing costs, while more effectively managing a business, raises assurances of positive returns to the investor community

By Elliott Zember (and Linda Duncan)

Fox Technologies

Good governance is defined and regulated in different ways throughout the world. All organizations, irrespective of size, industry or country, share the common goal of good governance: to create, grow and maintain the value of companies.

Most agree this is best achieved through increased transparency, trust and accountability.

It is also important to understand that good governance has an intrinsic value. The tangible importance to the investment community of good governance is reflected in a share premium, a benefit which has been highlighted in several studies. The importance to customers is also reflected in higher rates of loyalty.

Aside from the structural standards set for Board Governance, focusing on accountability and stewardship to shareholders, the most common route advocated for achieving more transparency and accountability into company operations and finances is by developing and implementing more robust Enterprise-wide Risk Management (ERM), and demonstrating effective, intelligent Controls Compliance.

Companies continue to face increasing pressures to implement ERM. Regulatory bodies and investors are increasingly examining companies' ERM policies and processes, and Boards in many industries are now required to review and report on the effectiveness of their ERM frameworks.

Indeed, these more operational, practical areas have consumed significant resources as organizations have strived to achieve compliance with major new regimes such as the Sarbanes-Oxley Act of 2002 for U.S. listed companies, Combined Code for U.K. listed companies, and Basel II for financial services companies.

While regulation has forced many executives to address these areas in a more structured and holistic manner, for many it is a necessity rather than a choice, because of the personal consequences of having inadequate systems of risk management and control in their organization.

Many companies still have a long way to go. A recent report from The Conference Board in July 2005 shows that although an overwhelming majority of companies have started using ERM as a strategic business tool to manage a variety of risks which could impact their organization's performance, most admit ERM is not yet embedded in their day-to-day business processes.

Additionally, more than 90% of executives reported building or wanting to build ERM processes into their organization, but only 11% had accomplished this.

"Intelligent" organizations are starting to address the proactive management of risk as it becomes recognized as one of the key "value-killers" in a company. A recent Deloitte survey highlights the main factors contributing to major corporate failures since 1994:

• Failure to foster a strong ethics and control culture

• Failure to manage critical risk interdependencies

• Failure to address rare but exceptional events

• Failure to provide timely information on control factors

The integrated and holistic approach to risk management is one of the cornerstones of effective governance; the other is more effective controls compliance.

Despite the very significant investment made by companies in identifying and documenting controls and testing the effectiveness of their operation, many organizations continue to experience control issues, both in the level of risk exposure they carry and in the cost of controls assurance testing.

So, why has this not been adequately addressed? Why do so many organizations continue to carry the excessive cost of an unsatisfactory controls framework?

There are several reasons:

• The "race" to compliance. For many, the first year of Sarbanes-Oxley Section 404 compliance was a question of compliance at any cost. The pace of change and the inherent uncertainty in requirements, for both companies and auditors, together with the perceived consequences of failure to meet the standards required, resulted in too many controls being tested too often.

• Inadequate risk assessment. The failure to perform, or transparently rationalise, the selection of in-scope controls based on risk assessment also contributed to the excessive volume of testing carried out. Consequently, companies chose, or were required by their auditors, to test more than required.

• The high level of manual controls. Many controls relied on were manual controls because they were easier to identify, understand and demonstrate to auditors than IT controls. Manual controls are inherently less reliable and, being labour-intensive, more expensive to test and maintain. For many, the option of relying on automated IT controls already in place was not pursued adequately due to either ignorance or a disconnect between the audit and IT functions.

• Inadequate attention to the design of controls, rather than testing compliance. Although the Sarbanes-Oxley Act requires certification of both the design and operating effectiveness of controls, it would appear from the reported deficiencies that design has had inadequate attention. A prime example is the high incidence of lack of segregation of duties being reported as a cause of failure.

• Failure to leverage existing risk management and control frameworks adequately. Financial control is not a new concept, nor can it be looked at in isolation from the organization's other controls.

The race is on by the best in class to find ways to become smarter at identifying and assessing risk, streamlining the ongoing cost of controls compliance, and turning the significant costs already incurred into an opportunity for performance improvement and turnaround in their companies.

An analysis of both reported control deficiencies and the significant and ongoing cost of control maintenance highlights considerable scope for improvement in a number of areas.

Creating a Healthy Control Environment
A healthy control environment provides the foundation for a top down, risk-based assessment to drive control design and inform compliance testing. The ethics and behaviours encouraged and expected from employees are often embedded in a large code of business conduct policy, never read and rarely enforced.

In the rush to document and evaluate the increasingly sophisticated systems and processes of complex businesses, whether for the Sarbanes-Oxley Act, Basel II, the FSA or MiFID, the ability to control the organization by creating an environment where people "do the right thing" is often overlooked, and yet it forms the foundation on which to build a healthy organization.

The Opportunity for Leveraging Compliance into Better Performance Improvement

The opportunities available to organizations by virtue of the sheer volume of information now available and the detailed level of understanding of processes can be used to:

• Drive improvements in the financial and operational performance of individual companies, and

• Sustain and optimize business performance

Looking ahead at opportunities for leveraging effective compliance into performance management, a recent survey by PricewaterhouseCoopers of 180 top financial executives at a wide range of companies noted unexpected benefits from their compliance efforts such as revealing previously unidentified weaknesses and inefficiencies in controls and business processes.

This accelerated remediation efforts through a combination of control optimization, process improvement, and automation. Many said that the Sarbanes-Oxley compliance effort increased their understanding of their business and helped them find ways to make effective use of valuable data and resources.

Automation has a key role to play in delivering these improvements as part of a more "intelligent" control culture.

Intelligent Control
Intelligent control has twin objectives of reducing cost and improving effectiveness, and, to this end, controls and the controls framework need to demonstrate a number of key features:

Intelligent Control Features and their Attributes

• Complete and Relevant: The controls portfolio should include all, and only, those controls that are appropriate.

• Efficient and Effective: In many instances, there will be an opportunity to select one from a range of alternative controls which, overall, meet the same control objective. The right control to pick will be the one which balances cost and benefit (level of assurance).

• Risk-Based: A top-down, thorough risk assessment has a key role to play both in the identification of areas where controls need to be focused and in ensuring that controls are designed to prevent, detect or mitigate the assessed risk.

• Automated: Automation of controls performance and monitoring reduces cost and error rates compared to manual controls.

• Automated Testing: Automated testing significantly reduces the cost of testing and increases the sample sizes to support operational effectiveness.


Technology also has a key role to play in both improving controls effectiveness and in reducing the cost of controls in several areas including:

1) Identity & Access Management: control of access to systems and data provides a fortress wall around the process and control environment. It is not logical to think of compliance without strong authentication and tight access control to data.

2) Automated Segregation of Duties: prevents conflict in an individual's assigned tasks, an essential element in the prevention and detection of error and/or fraud.

3) Automated Controls: the lack of knowledge or communication of controls which already exist within applications is another major contributor to duplication, cost and ineffectiveness. The unattractive prospect of the continuing, ongoing high cost of testing is forcing this area under the microscope.

Organizations that build and embed strong governance principles into "the way we do business," and that rigorously apply risk assessment and control design techniques and automate the reporting, monitoring and testing activities required by various regulatory regimes, can significantly reduce the cost of the ongoing compliance effort. The new disciplines adopted, alongside the additional information extracted, can be used to more carefully manage and run the business. Reducing costs, while more effectively managing a business, raises assurances of positive returns to the investor community.


Assessing the Tone from the Top

• The types of business behaviours and attitudes that are encouraged in this organization, and those that will not be tolerated, are clear, rigorously communicated to the staff and enforced.

• The organization is committed to recruiting, retaining and developing staff so that they each maximise their potential contribution to the business.

• The management team and/or board are effective in leading, overseeing and challenging the management of the organization.

• There is a clear organizational structure, which sets out responsibilities and accountabilities for the delivery of the business's objectives and implementation of strategy.

• A clear set of policies and procedures exists for managing staff, which sends clear messages about expected behaviours, conduct, ethics and performance, on which their compensation is based.


Fox Technologies develops complete authentication and authorization solutions for multi-vendor platform environments with many hosts, many users, and stringent security requirements. All solutions provide simplified user administration, secure single sign-on, strong authentication, domain-wide access control and centralized audit logging.

Some of the world's best-known companies, largest financial institutions and key governmental organizations use scalable, highly secure Fox solutions to enhance their infrastructure and protect their data assets. Fox identity and access management can be deployed on UNIX/Linux, Windows, and mixed-vendor domains.

Axena, Inc. provides Corporate Governance and Enterprise Risk Management solutions to both the US and international markets. Operating through its US headquarters in Orlando, FL and its international headquarters in the UK, Axena provides industry-leading compliance, enterprise risk management and corporate governance software and advisory services.

For more information visit www.axena.com

Elliott Zember
Mr. Zember is currently VP, Industry Solutions for Fox Technologies, Inc., a major software company in the enterprise control market. He is recognized for his knowledge of global compliance regimes and their impact on enterprise control structures at all levels within a corporation.

Linda Duncan
As managing director of Axena in Europe, Linda Duncan is responsible for leading Axena's business development efforts across the region. Additionally, she is focused on advising foreign registrants with the Securities and Exchange Commission (SEC) who must comply with the Sarbanes-Oxley Act, as well as working with organizations throughout Europe to develop enterprise risk management and internal controls processes and other key elements of their corporate governance and related legislative codes.