Sarbanes-Oxley: Setting a Better Organization in Motion
By Sean Chou, Chief Technical Officer, Fieldglass
In his first law of motion, Sir Isaac Newton stated that, “Every object in a state of uniform motion tends to remain in that state of motion unless an external force is applied to it.”
While this law was intended to explain actions in the physical universe, it could easily apply to the corporate universe as well – particularly when it comes to Sarbanes-Oxley (aka SOX or Sarbox). This legislation, which recently went into effect for most organizations, is intended to increase confidence and assurance regarding the operations of large, public companies. Although Sarbox is broad and implementation-agnostic, many of the strategies that will meet its requirements can be drawn from best practices that will also improve the overall operations of the organization.
Yet like the proverbial Newtonian object flying through space, many of these same organizations would, given a choice, allow momentum to dictate their direction rather than expend the energy necessary to change course - even if on a collision course with a much larger object. As a result, many organizations are doing the minimum required for Sarbox compliance. They’re creating additional layers of bureaucracy and approvals “for audit purposes.” The results are entirely predictable – increased costs, more inefficiencies, and frustrated employees. These haphazard, reactionary compliance strategies not only cause stress, they may cause the organization to miss a tremendous growth opportunity that could create a real competitive advantage.
Instead of complying reluctantly, smart organizations will take this opportunity to re-evaluate their processes and make changes, including the occasional wide-sweeping, fundamental but painful ones, that improve business operations. They’ll use Sarbox as a means to streamline their processes and auditing procedures through workflow automation, with compliance a natural byproduct.
Still, that’s not quite an “apple hitting you on the head” revelation. Truly enlightened organizations will take it even a step further by embedding their auditing procedures right within those automated processes. With embedded auditing, the mere act of performing an action provides instant accountability and transparency. Auditing, therefore, becomes not an afterthought dependent on the good intentions of the person performing an act, but an integral part of the act itself. Having an automatically generated, real-time audit trail not only makes it easier to assure Sarbox compliance, but also creates a body of metrics that could lead to additional process improvements, lowered costs, and ultimately a better run business. That’s the kind of momentum you do want to gain.
How Technology Assures Compliance
To understand how embedding monitoring in the process assures compliance, think about an amusement park that receives a mandate from corporate to report its visitor count on a daily basis. Since the park managers feel the day’s ticket count is sufficient, they are resistant to the new auditing requirements. The fastest, easiest thing for them to do to meet the mandate is to station people at each entrance turnstile to count each visitor as he or she enters. This brute force approach is an example of a manual and parallel auditing process. It certainly meets the goal of counting actual visitors, but it has some serious flaws.
There’s the expense of the people, of course. There’s also a great likelihood of human error, particularly as the task becomes more repetitive. If the count is below expectations and people are worried about their jobs, they may “fudge” the numbers to line up with goals. To add insult to injury, someone (or several people) in the office will have to take those manually generated figures and sum them at the end of the day.
This brute force solution captures the essence of how many organizations are approaching their compliance requirements. They are placing people, and often highly compensated ones at that, with fancy “counters” at the start of their business processes. Sometimes, they may randomly scatter them through the “park” and at the exit as well. This approach meets the minimum set of standards required to keep the executives out of jail and comply with the mandate, but it really becomes more of a burden than a help to running the business.
One of the biggest problems with manual monitoring is that it is only as good as the people doing the reporting. In many of the recent scandals that caused Sarbox legislation to be introduced originally, there were records. They just weren’t the records of actual events. Instead, at best, they had a loose relationship to real events, and at worst an anti-relationship to cover up improprieties. This prompts the question: Who watches the watchers?
Embedding monitoring in the processes through technology eliminates the chance of this revisionist history coming into play. Records are generated automatically as a result of performing the action, and reflect exactly what occurs. Once the records have been completed, they cannot be changed through normal means.
Think again about our amusement park. Instead of placing manual counters at the turnstiles, what if the turnstiles themselves did the counting and were connected electronically to a central aggregator? You would eliminate the cost of the people doing the counting, as well as the cost to manually tabulate the results at the end of the day. You would also improve the accuracy of the data, since electronic turnstiles don’t get bored, don’t fight with their spouses before coming to work, and don’t leave their posts for a lunch or washroom break.
You’ve now done a much better job of meeting the corporate mandate, and reduced the cost of compliance considerably over the long term. But you still haven’t truly leveraged the opportunity for change.
A Force for Acceleration
Newton’s second law talks about the relationship between force, mass, and acceleration. Likewise, the real benefit to be gained from Sarbox compliance is the way it accelerates your ability to use data in new and more interesting ways.
Instead of merely counting people as they come in, what if our electronic turnstiles were hooked into a centralized database? They’d be able to perform real-time trend analysis, and monitor anomalies in traffic patterns so the park could better understand its customers. They could provide special benefits and incentives based on the projected visitor count. They could alert park management to an imbalance in the number of visitors passing through each gate so they’d know whether to alter parking lot availability to cut down on long lines. They could be tied to past data so park management would know whether they have enough employees in the park to handle the crowd.
In this scenario, technology plays a key role in eliminating a highly manual and painful parallel monitoring process. The monitoring occurs as part of a natural process to the business – that of getting paying customers into the park. And best of all, the requirement to count visitors has become a secondary benefit to the installation of a better business analysis tool.
Making Compliance an Automatic
Earlier we talked about employees changing a manual count to assure they meet their objectives. Making monitoring a part of the process solves that concern. If the turnstiles are hooked directly to the central database, there is no opportunity for the count to be changed before it is entered, either accidentally or through a conscious effort. The data is more reliable, and therefore, far more useful, both for Sarbox purposes and business analytics.
Closing Time Blues
Closing the books, whether it’s for the month, the quarter, or the year, is the mother of all processes designed to monitor processes. It’s generally a traumatic time, filled with great pressure and angst. A hard stop for activities is agreed to, and then the organization starts working backwards to verify what it believes has happened since the last close.
The trouble is that many organizations are still stuck on the idea that auditing is something that happens after the fact. Technology changes that equation, in effect creating a real-time audit as each activity happens. Because it provides full visibility and tracking, it allows you to immediately know everything about everything at any time you choose. You simply run the proper report and all the documentation is there.
Make Watching Part of Doing
Sarbox provides an incentive to drive real change throughout the organization by breaking the inertia of “we’ve always done it this way.” By embracing rather than merely “complying” with Sarbox, organizations of all sizes will reap rewards that extend far beyond meeting the conditions required by the law.
Part of that reward is taking the opportunity not merely to change processes but to automate them. Embedding monitoring into the process through technology eliminates the possibility of a breakdown, assuring compliance while making process improvement both practical and sustainable. No one will need to watch the watchers. The technology will do it for you.
About the Author
Sean Chou is Chief Technical Officer of Fieldglass, where he oversees all technical aspects of the company’s InSite 4.0 software that helps organizations procure and manage all their outsourced services. He can be reached at firstname.lastname@example.org.