
Five Key Sarbanes-Oxley Compliance Focus Points


Companies now have the wedge to quickly change organizational culture for the better...

By Rich Lanza
Conference Chair
Institute of Internal Auditors North Jersey Chapter

As I talk to Sarbanes-Oxley project teams and work on a project myself, I believe there are some key focus points that we all need to keep in mind:

• Moving from a compliance mentality to an enterprise risk management framework
• Turning SarbOx into a money making machine for the organization
• Utilizing proven project management to ensure success
• Maximizing technology investments
• Developing fraud prevention, deterrence, and detection programs

Let me take the first three topical areas. I believe they all relate to project management, an under-utilized skill that can be learned and should be adopted by all members of the SarbOx project team. Project management has become a proven technique to maximize benefits from minimal resources. Given the high cost of the initial compliance effort and the expected long-term maintenance, anyone in a project sponsor position needs to ensure this initiative is well defined, planned, and executed, and that any lessons learned are captured for later improvements. I may go as far as to suggest a program management office be enacted, an organizational model popularized by the Y2K effort, to ensure the project investment is well-in-hand.

For example, one requirement of a well-managed project is to draft a solid business plan that assumes a positive return on investment. This is an easy task given the regulated mandate to change bad processes. Companies now have the wedge to quickly change organizational culture for the better... or face the legal and criminal consequences. And this does not need to be a negative intervention. It can be one that provides an improved financial reporting product, a great return in itself. Further, it can identify over-controlled areas that could drop a few (control) pounds, while giving an excuse to complete a corporate-wide efficiency and effectiveness analysis. Done right, the "documentation exercise" that many people consider Sarbanes-Oxley to be can deliver positive ROI that should be communicated often to senior management through a business plan and status reports.

It must be noted that one dimension of effective project management, as promulgated by the Project Management Institute, is the use of risk management. While this should be applied, at a micro level, to the SarbOx project, it also should become a staple of effective management throughout the organization. What's more, the SarbOx initiative provides the right opportunity to get in front of practically every employee so that they (1) may be trained in risk management, (2) can test their new skills in complying with the Act, and hopefully (3) leave with a positive experience that they can apply to their day-to-day jobs. In essence, Sarbanes-Oxley can be used as the catalyst for implementing an enterprise risk management program, the next iteration of the Committee of Sponsoring Organizations' model.

Moving to the fourth topic, Maximizing Technology Investments, I am seeing a great deal of technology dollars being spent and I can only think back to the days when I was leading a Y2K project and every software vendor had the "silver bullet" to make the two-to-four-digit problem go away. In other words, make sure you are making the best investment of your technology dollars and try to maximize what you already have (that is probably sitting on a shelf right now). As business professionals, we need to become more bionic, which will automate our rote activities, strengthen our analysis capabilities, and allow us to focus our efforts on the most fruitful investment opportunities.

My fifth and last topical area focuses on the f-word, yes, the one concept for which this Act was drafted... fraudulent financial reporting. Interestingly enough, it is the one concept that seems to have been placed on the back burner and replaced with the focus on documenting process risks and controls where, unfortunately, fraud does not live. Therefore, a company could have the best documented and tested controls (like Enron, which had a premier Enterprise Risk Management program), yet still commit the most heinous acts of fraud due to management override, poor tone at the top, and an ineffective fraud prevention program. Therefore, look for the best practices in fraud prevention as developed by the Association of Certified Fraud Examiners, one of the best places to get anti-fraud knowledge.

As a final word, I am looking forward to this SarbOx journey and the knowledge I expect to glean from the Sarbanes-Oxley Compliance Journal. Done right, our efforts should re-awaken process improvement, improve risk management, and maximize technology to deliver a more reliable financial report and to ensure that fraud is dealt with proactively.


