
Solutions to Help Avoid Sarbanes-Oxley Non-Compliance in Manual Revenue Cycle Processes


Many processes within a company's revenue cycle are a key part of its Sarbanes-Oxley control activities.

By Kelly Nicholas

nSite Software

There is no shortage of technology systems on the market to help public and private companies manage their Sarbanes-Oxley 404 compliance. But, even the most advanced Enterprise Resource Planning and Customer Relationship Management solutions fall short when it comes to capturing and controlling data from dynamic, people-to-people processes.

Many processes within a company's revenue cycle are a key part of its Sarbanes-Oxley control activities, but most enterprise applications lack functionality for tracking reviews and approvals of sales quotes and contracts. Instead, these processes often exist as ad hoc, e-mail and paper-based procedures. The result is a potentially dangerous gap in a company's Sarbanes-Oxley compliance initiative, or the need for increased reliance on downstream revenue cycle controls. This is the type of exposure most companies would be happy to avoid.

All revenue-related processes are under a high degree of examination as a result of Sarbanes-Oxley. Having reliable controls in place with an audit trail for material revenue streams, and the ability to fully document, analyze and report, is crucial to achieving and maintaining compliance.

Controlling the sales quoting process without constraining the sales organization's ability to close deals is a common problem for many small- and medium-sized businesses. Most CRM applications are not designed to automate this transaction activity due to its variable nature. Accordingly, it is not unusual to see a company employing a combination of different quoting mechanisms, such as e-mail, spreadsheet templates and/or ERP-based applications. When a particular method is too rigid, the fallback position is often a manually generated sales quote. The financial statement risks of not controlling this activity include rogue quoting, margin erosion and loss or inability to retrieve historical quotes from a centralized repository.

For example, a midsize manufacturer on the east coast with $300 million in annual revenue utilizes a popular web-based CRM solution to automate its lead and opportunity management processes. At the time a quotation with a non-standard discount request needs to be prepared for a prospective customer, an Excel-based quote template is completed by the sales representative and e-mailed to sales management for approval. The process, as currently designed, lacks visibility into who must review and approve the request, as well as an audit trail and closed loop. Additionally, the ad hoc nature of the approval process would make it difficult to rely upon from a Sarbanes-Oxley compliance perspective, thus placing more pressure on downstream controls in order entry and invoicing.

Another variable activity in the quote-to-cash process is contract review and approval. For companies that have a moderate to complex contract negotiation cycle, the process of multi-department collaboration regarding non-standard transaction terms and conditions can be time consuming and error prone. Even for companies that have deployed a sophisticated contract management system, collaboration is difficult. Most contract management systems are not designed for collaboration across departments or with external constituencies, such as customers or partners.

The financial statement risk of not controlling this activity is unapproved contract terms and conditions resulting in additional or unknown customer commitments and corporate liability. These include, but are not limited to, unusual order acceptance criteria, extended warranty provisions or commitment to provide free products or services as part of the transaction.

Dynamic processes exist in all business cycles. In some cases, these processes can be considered a key part of the company's control activities. Some examples are customer credit approval, IT infrastructure change management, engineering change notices and documentation of customer acceptance, project milestones and product installations.

What can a company do to ensure it is sufficiently capturing and tracking processes that are key to its Sarbanes-Oxley compliance? For some organizations, the answer is a combination of traditional preventative internal controls, supplemented with detective controls that embrace the dynamic nature of many quote-to-cash processes. The key is implementing solutions that anticipate the inherent variability in many quote-to-cash processes, while providing for an audit trail and control compliance monitoring. By incorporating dynamic process monitoring into the quote-to-cash workflow, companies create practices which mirror the way their employees actually do their work. The result is rapid user adoption and increased productivity and control reliability.

According to industry analyst firm Gartner, in its report Sarbanes-Oxley for Sales: Risk Assessment and Policy Enforcement, December 1, 2004, "Because SOX is a set of guidelines, rather than a fixed set of rules, it is important that the technologies support the processes, which in turn support the policies. The key is to take reasonable actions to ensure compliance. It would be naive to assume that technology alone will increase compliance. The sales-related processes must map to how the salespeople sell and must be adhered to by the entire sales organization. Similarly, there must be clearly documented and published policies that reinforce the processes that are enabled through technology."

That's why sophisticated public and private companies are leveraging new business process automation solutions designed specifically for human-centric processes. Flexible business process automation has been designed to support the way employees actually perform their job responsibilities. These systems capture and track business-critical data that falls outside the scope of traditional sales and support, customer service and financial applications.

Now let us return to the example of the midsize manufacturer, which has just implemented a web-based human-centric business process automation solution that is integrated with its existing hosted CRM system. At the time a quotation with a non-standard discount request needs to be prepared for a prospective customer, an HTML-based form is completed by the sales representative and routed to sales management for approval. The sales representative can monitor the approval status of the quotation and receives a notification via the CRM system when the quote is approved. Furthermore, the quotes and evidence of management approval are now stored in a centralized repository. The result: a streamlined, visible process which can be leveraged in the company's SOX compliance efforts. The company also benefits from the state-of-the-art security infrastructure utilized by the hosted solution vendors and no ongoing IT headcount and maintenance costs.



By adopting a human-centric business process solution in the quoting or contract review and approval process, companies gain complete automation, control and visibility across the key activities of these processes. The system chosen should be as easy to use as e-mail, yet deliver control and visibility with dynamic workflow capabilities. All data and process metrics are stored in a database and are available for control compliance monitoring and margin and non-standard deal analysis. In so doing, companies gain an effective, non-intrusive, controlled process which can be deployed quickly and painlessly.

Whether you are public and required to comply with Sarbanes-Oxley or private but looking at potential exit strategies such as initial public offering or acquisition, it is impossible to ignore the shortcomings inherent with most ERP and CRM systems. To properly address issues of authorization, monitoring and data retention, consider adding a solution geared toward capturing dynamic, people-to-people processes. Existing and future shareholders will thank you.



Kelly Nicholas has over 10 years of experience in finance and operational management. Nicholas is VP, Finance for nSite Software, Inc. (www.nsite.com).

Nsite solutions automate processes that have been previously accomplished with email, spreadsheets and paper. Prior to joining Nsite, Nicholas worked in Internal Control Services for Cisco Systems, Inc.

During her career, Nicholas has served in senior finance positions for several start-up and public companies. Nicholas started her career as an audit professional in Arthur Andersen's high technology division where she specialized in providing audit and consultation services to businesses in the software industry.

Nicholas is a California Certified Public Accountant and has a Bachelor of Science in Business from the University of Colorado, Boulder.




