
Reducing Compliance Costs with CSA


By Sagar Anisingaraju
CEO
InfoStep, Inc.

With the SEC's much-anticipated extension of the compliance dates for Section 404 of the Sarbanes Oxley Act (SOA), there is a collective sigh of relief. The extension gives companies an opportunity to review their compliance efforts from a more strategic perspective, rather than the tactical, short-term approach they have been forced to adopt.

Typical initial efforts have involved documentation of key processes, activities and controls. External consultants, extended audit and program management teams have enabled testing and validation of these approaches. From the initial efforts, it is obvious that internal auditors alone cannot manage the gamut of requirements imposed by the Act.

Testing and attestation of every control and document across the organization by a team of consultants and extended audit teams is neither foolproof nor cost-effective for ongoing compliance. Companies have to increase control awareness among operational management and involve them in ongoing governance activity. Companies need to explore out-of-the-box approaches to optimize all aspects of the compliance lifecycle and ask themselves an important question: "How do we minimize our costs and maximize the long-term effectiveness of these compliance efforts?"

This illustration shows an analytical representation of control health and gives an overview of the entity level status of the controls.

Control Environment's Health

One answer to the above question comes from combining two established concepts from the audit and process management worlds: CSA and CMM. Let's briefly review both concepts and see how they can help reduce the cost of compliance.

Control Self Assessment, or 'CSA' as it is more widely known, is a mechanism in which key people in the organization periodically assess the processes and activities they own to determine the adequacy and effectiveness of controls. The corporate CSA champion conducts the CSA programs, involving business managers across the organization, either as facilitated workshops or as survey questionnaires. Internal auditors use the information generated by the CSA programs to assess whether internal controls are working as intended.

Capability Maturity Model, or 'CMM', was developed by the Carnegie Mellon Software Engineering Institute (SEI). It is a framework to help organizations increase the maturity of their human resources, process, and technology assets for long-term business performance improvement. Key to the CMM concept is measuring the maturity of the organization using a standard yardstick.

Combining the best practices of these two concepts gives us a new approach to effective corporate governance. In most companies, business managers and operational staff have limited knowledge of audit practices. Similarly, internal auditors do not have a complete understanding of the operational side of the business. The CSA concept, adapted with the accountability and analytical measurement capability of CMM, provides the basis for the new approach. It bridges the gap between two diverse entities: 'Audit' and 'Operations.'

The new approach uses CSA techniques to assess the health of the controls on a periodic basis and provides measurements using a consistent yardstick, as in CMM. It makes line managers, audit teams and other key process managers accountable for governance. By involving and empowering the process owners and managers, the assurance provided by Internal Audit is built from the ground up and is much more realistic. Cost analysis of fixing control deficiencies is done from an analytical viewpoint, and communication among the players is integrated into the workflow process. Executive management can measure and manage the health of the controls across the organization using the unified scale.

This figure gives an overall maturity index across the enterprise.

Executive Dashboard

Bridging the gap between the know-how of audit and the practices of business provides a low-cost alternative for ongoing compliance. Internal audit teams can implement CSA techniques to distribute the periodic controls assessment among the business managers as part of their respective functions, thus increasing overall control consciousness. Managers are empowered to assess the controls and are made accountable for control violations. This approach results in a cost-effective, repeatable solution with real-time visibility for executive management and audit committees into the state of internal controls.



Sagar Anisingaraju is President & CEO of InfoSTEP Inc. He has over 18 years of experience in the software industry in various capacities. His recent contributions to the industry include product innovation in CSA-based analytical applications for managing Internal Controls. He was a winner of the Applications Development Trends Innovator Awards in 1997 and holds a Master's degree from the Indian Institute of Technology, Kanpur, India.

InfoSTEP Inc. provides solutions for managing Internal Controls and Assurances. InfoSTEP is headquartered in Santa Clara, CA and has been providing assessment solutions since 1998.




