Making the Most of Your Controls Environment
by William Aimone
Twin boys, one an optimist and one a pessimist, awake Christmas morning with gifts in their bedrooms. The pessimist walks up to a pile of toys and is irritated. “Do I have to read the instructions?” he complains. “These toys will break anyway.” The optimist finds a pile of manure in his room and exclaims, “There has to be a pony in here somewhere!”
Public company executives often find themselves looking at the mounds of regulatory requirements created by Sarbanes Oxley and the PCAOB with disdain like the pessimist. Although mounds of manure are a reality, there is a pony!
A SOX 404 implementation program can be managed in such a way to gain organizational efficiencies and achieve more effective processes.
During a controls and process mapping exercise, it is important to understand the purpose of all steps in a process. Many fast-growing companies inherently have bad processes in place that worked for a small company.
A large oilfield services company spent an inordinate amount of time physically matching vendor invoices to checks for the controller’s signature. This served the company well when they were small. As a larger public company, this was wasteful and did not serve a purpose. By implementing more efficient controls in the disbursement process, the company eliminated the paper matching process. Do not be afraid to look for ways to eliminate waste as a part of the SOX 404 implementation or review process.
Set Guiding Principles
The transition to the 2013 COSO framework implies a more robust and daunting control environment. Developing a set of guiding principles for the organization and each of the business functions links policies to strategy and sets the foundation for an effective control environment. Guiding principles capture intent, establish the tone from the top, and rally the organization toward implementing the right control activities.
A mid-sized exploration and production company used guiding principles as a motivation tool and as a way to give each function a sense of purpose and identity in the new environment. The control, monitoring, and risk management activities and policies were then tied into the guiding principles to establish and integrate a common tone.
Integrate Risk Assessment and Planning
The mere mention of conducting a risk assessment reeks of drudgery. The risk assessment process should be integrated with the business planning process. One seamless, forward-looking process is more efficient than two separate processes.
A product of the business planning process is a financial budget for the upcoming year. Why not also make the risk assessment a product of the planning process? A public midstream company integrated the risk assessment with planning and budgeting and only added a week to the entire four-month planning and budgeting process.
Companies have no choice but to address the mounds of regulatory requirements to comply with SOX and SEC expectations. Why not use the compliance process to improve other processes in the organization, too?
Read on to learn how SOX controls can improve your company.
4 Ways to Improve Your Company by Implementing SOX Controls
by Shannon Emerson
Companies often view SOX compliance as a necessary evil, similar to the way a child views homework. This is unfortunate. Companies should embark on a SOX compliance project with the intention of becoming compliant and making their company run better. Companies can mitigate the SOX 404 burden by understanding their internal control risks and ensuring new controls fit while improving their company. By focusing on the following, companies can benefit from the efficiencies and improvements that arise from implementing a process-based controls environment:
- Remember, every company is different
- Design controls to improve existing process
- Use controls to improve financial reporting
- Reduce the cost burden through controls automation
Remember, Every Company Is Different
A cookie-cutter controls framework will fail because it doesn’t consider a company’s specific attributes, such as industry, size, and unique processes. Auditors tend to look at risks in a silo: when a common risk is identified, they automatically align the corresponding control to fit within the same process for all companies. Instead, when designing controls, auditors should ask, “What is the most efficient place within my company’s current processes to implement this control?”
To answer this question, the company’s current state processes should set the foundation, offering a complete look at the current owners and procedures within each business process. Once the business has been deconstructed into its various processes, it becomes clear where the control will fit best within your company. For example, a manufacturing company books material usage by calculating the difference between the beginning and ending inventory count. Therefore, the applicable controls were placed within the inventory process rather than diving into the production process.
Design Controls to Improve Processes
A SOX implementation project can be approached with the goal of gaining organizational efficiencies through more effective processes. Conducting the risk assessment identifies current risks, the probability and impact of a potential deficiency, and the current controls (or lack thereof) to mitigate the discovered risks. Reviewing end-to-end company processes will expose inefficiencies and reveal opportunities for improvement.
The process review of a large energy company found that the Finance Director and Accounting Manager kept their own checklists of key entries and accounting processes. This practice caused key entries and accounting processes to be overlooked during the closing of the books. The inefficiency of the current process was causing a significant risk. By implementing a fully comprehensive close checklist, the company eliminated the risk of missing entries and used the checklist as a planning tool, shortening the time to complete the overall month end close.
Use Controls to Improve Financial Reporting
One of the primary reasons Congress passed the Sarbanes-Oxley Act in 2002 was to restore public confidence in the reliability of financial reporting. However, this increased reliability has value beyond the investor, as companies can use this improved information to make better informed business decisions, directly benefitting the company’s overall performance.
While designing and implementing a controls framework, companies should ensure controls and business processes align with reporting requirements. To align controls effectively, companies should focus on when they need information. The question of timing will help define 1) where the control is located within the process, and 2) how often the control is conducted. For example, if the control is placed at the end of the reporting cycle, information won’t be available until the process is fully complete. However, if the control is placed earlier in the process, the company will be armed with the right information sooner. The same is true for the frequency of the control. Rather than waiting until the year end to review impairment indicators (which was causing misstated assets), a quarterly review allowed an energy infrastructure company to have more timely and accurate goodwill impairment information for their financials.
Reduce the Cost Burden Through Controls Automation
A chief complaint about the Sarbanes-Oxley Act continues to be the cost of compliance. Cost of compliance is particularly demanding for companies relying heavily on manual controls. However, companies can focus on making information and processes more efficient and centralized by automating controls where applicable. Automation reduces time and improves accuracy by removing the chance for manual error.
A mid-sized manufacturing company implemented strong controls around a cumbersome manual invoice approval process that required hand signatures. They found a way to automate the approval process with an inexpensive invoice routing and approval tool. The AP automation tool allowed them to control invoice approvals and eliminate the time it took to collect manual signatures.
Since the enactment of SOX in 2002, companies have worked diligently to implement robust SOX control environments. In the early years of SOX, auditors were overzealous with too many controls, so many companies worked with their auditors to rationalize and reduce the number of controls. Rationalization helped but didn’t offset the burden and costs associated with managing the controls environment. Taking the next step in improving efficiency and effectiveness as a part of the SOX controls environment is something every company can do.
Listen below to hear how controls can be implemented in a way that doesn’t slow your business down.
Internal Control over Financial Reporting
Companies often associate SOX controls with business prevention. Controls slow business processes down, right? Not necessarily. Listen below to hear William (Bill) Aimone and Peter Purcell, co-founders of Trenegy, discuss how controls can be reviewed and implemented in a way that streamlines processes and increases efficiencies.
Read on to find out when/why controls fail and how to prevent it.
Getting Controls Right
3 Reasons Why Controls Fail
by Natasha Tahan
Implementing controls implies a robust and structured environment. However, simply having controls in place is not enough. Some organizations have controls that are only partially effective and require remediation or are ineffective and require a complete overhaul. The most common control failures are caused by inadequate company policies, lack of documentation, and unenforced segregation of duties.
Inadequate Company Policies
Poorly structured policies are one of the most common deficiencies when it comes to controls. Policies are often overdone or written to cover everything that shouldn’t be done. The extensive list of exceptions becomes overly complicated and can cause employees to become overwhelmed and lose track of their own job responsibilities. Compare it to the U.S. Constitution: the amendments are overarching policies for Americans to abide by, but they don’t dictate every single exception of the law.
Policies should be written with a focus on what staff should do. Don’t overcomplicate it. Clearly and concisely state the policy to ensure a consistent understanding of the company’s expectations and provide legal protection when necessary. With well-established policies in place, the confusion is removed and business processes are consistent and more effective.
Lack of Documentation
If it’s not written down, it didn’t happen. Companies often grow complacent with documenting activities to support established controls and fail to recognize missing information. Required approvals or receipts are not enforced or documented. Performance metrics are difficult to track without historic data for comparison. Onboarding new employees is more difficult without documentation to reference during training.
Creating accountability for adopting a new documentation process is critical to keeping controls effective. When preparing a documentation plan for the business, clarify the documentation requirements of staff and communicate the expectations to each function of the organization. Companies should develop a policy around managing documentation to clearly define which documents to retain and the appropriate storage location. For instance, companies should allocate a single location on Dropbox instead of storing approvals in a desk drawer or journal entries in multiple folders.
Unenforced Segregation of Duties
With policies and documentation plans in place, segregation of duties can be established. Segregation of duties (SOD) is essential to having an adequate control framework and is implemented to ensure separation of processing tasks, preventing opportunities for fraudulent behavior. To ensure a clear understanding of each job position, align the organization based on future controls. Define process owners and establish a clear separation of owners for conflicting duties. If the same employee tasked with setting up new vendors in the system can also process invoices and print checks, the SOD is ineffective and remediation is necessary.
To get employees on board with new processes and duties, clearly communicate why the duties are necessary to segregate rather than presenting the SOD as restrictions or rules. Ensuring employees understand why a SOD is required is beneficial to maintaining controls and providing a foundation for auditors to test.
Implementing effective controls throughout an organization ensures security in the system and protection against fraud. Develop strong internal controls around policies, documentation, and segregation of duties to get the most value out of your business.
Read on for insight into the auditing process.
Why Another Auditor Can’t Fix Your Audit Problems
by Michael Critelli
Do either of these scenarios sound familiar?
- You hired a Big Four audit firm to assist with fixing some internal control deficiencies. It cost an absurd amount of money and they provided you with narratives and process flows that were never implemented. Your team is left without a plan and the resources to roll it out. This results in a significant deficiency or material weakness around internal controls.
- Your company recently went public and spent a lot of time and money hiring an audit firm to assist with 404 compliance. After three months, your controller asks for an update. The audit firm has created some inaccurate policy/process narratives and hasn’t started a risk assessment or built controls documentation. Your audit committee isn’t happy.
Both of these scenarios are true stories. In each case, we have helped our client determine the root causes of deficiencies and implement the appropriate process solutions.
Those who come from the Big Four or another audit firm are familiar with the following audit process:
- Risk assessment and walk through: Identify and categorize risks (mostly using PCAOB guidance and previous audit results). Walk through the process and identify any other risks.
- Testing Plan: Identify sample sizes, timing, and test scripts.
- Test: Test the trial balance and internal controls.
- Results: Review with four levels of management and then offer an opinion.
This tried and true testing process allows the audit team to catch any significant errors or fraud. Auditors are trained to work long hours, know what’s needed, and find significant deficiencies. However, they should not recommend changes or corrections, as this could create a serious conflict of interest. If they do, they would be met with the wrath of the PCAOB (the auditors’ auditor) and the Department of Justice!
This process is ingrained in the minds of external auditors, and problems can arise if they join the industry or an advisory group. Many can break this mindset as they take on positions in industry. Yet for those who never leave audit, the find-the-problem mentality doesn’t morph into fix-the-problem.
Taking it even further, many audit and consulting firms employ the SALY method: Same As Last Year. This is a practice where the firm just repurposes deliverables from previous years or clients. This leads to deliverables that aren’t tailored to your needs or processes.
The Audit Mindset
Audit firms have an impact in the following ways when assisting clients with their internal controls framework:
- Audit firms will work with Internal Audit and Internal Controls to identify risks and control deficiencies
- Audit firms struggle with recommendations and don’t tend to possess the knowledge to make processes more efficient
- Audit firms don’t have change management experience and struggle with process owner and end user communications
- Audit firms employ the SALY method—no personalized touch
Don’t hire an audit firm with the expectation they will change/improve business processes.
Auditors have an ingrained methodology that works great for analyzing risk, but they miss out on a crucial piece of recommending and implementing changes. Even though more and more audit firms are getting involved in controls rollout, there’s still a huge gap in their process and change management experience.
The Trenegy Mindset
Trenegy performs the critical tasks of remediating controls weaknesses with process solutions.
- Trenegy works with Internal Audit to identify risks and control deficiencies
- Trenegy remediates control deficiencies, improves process efficiency, and drives change throughout your organization
- Trenegy employs strong change management experience to implement new processes across the organization
- Every deliverable is designed and customized specifically to your needs
Trenegy is a management consulting firm that understands your business processes, systems, compliance requirements, and the proper way to roll out change while improving efficiencies.
Continue reading for a deeper dive into implementing controls that work.
How to Implement Internal Controls That Work
by Joseph Kasbaum
In a period of rapid change driven by historically low and volatile crude prices, publicly traded companies cannot lose sight of their controls framework among the chaos. Finance departments need help keeping the controls framework in place and operational in the face of emerging risks and opportunities. Finance doesn’t simply need more internal auditors to tell them what’s wrong; the CFO needs a team that can:
- Analyze emerging risk
- Design effective processes and controls
- Test controls and fix underlying deficiencies
Don’t fly blind. The risk environment is always changing, even more so as market volatility increases. A recent survey shows only 5% of CFOs and Audit Committee chairs receive “informed perspective on emerging risk” from their Internal Audit department.
This environment is driving companies to pursue extreme measures to manage financial exposure, but the exposure to financial reporting risks is often placed on the backburner. Both the conservative approach of hunkering down to shed costs and the opportunistic approach of making acquisitions while prices are low breed new risks. Risks identified in previous assessments must be reanalyzed as this business climate renders each decision more critical.
When performing this year’s risk assessment, be aware that the integrity of segregation of duties is threatened each time an employee is laid off. Each revenue accrual should receive greater scrutiny as your firm hovers near earnings targets, and emerging threats like cybersecurity can impair your controls framework.
A control only functions if:
- The process it exists within is effectively managed
- All employees know which aspects of the control they own
- The process is scalable to control for future risks
For example, a firm may capitalize on this downturn and purchase a strategic target with seemingly similar business processes. However, if the company has only ever operated within the confines of the United States, their vendor management control process will reflect that risk level. The majority of all Foreign Corrupt Practices Act investigations occur because of payments to foreign vendors, and if the acquired company conducts business across borders, old processes won’t identify red flags.
The only way to control for the above risk, and scores of other risks, is with effective process management. Roles and responsibilities must be delineated between accounting, operations, and legal to appropriately vet all new vendors, and the process must be scalable whether you use a checklist or a vendor management system.
Do not let a control deficiency fester. Finding the underlying cause of a failure is critical. Internal auditors are the in-house experts on discovering control concerns, but you need a team to remediate as soon as problems arise. On the surface, many control deficiencies appear as isolated incidents with straightforward remedies. However, material and systemic weaknesses like tone at the top, resource availability, and technology flaws often reveal themselves during remediation.
On the flip side, there might be an antidote to the control deficiencies that pervade your entire organization. Your internal controls team must analyze the root cause of each problem and search for trends that link them. For example, if you notice repetitive failures within journal entry support, account analysis, and financial reporting key controls, don’t jump to the dreaded conclusion: failure of accounting governance.
Instead, look for what precedes these processes: closing the books. Implementing an improved accrual process to facilitate closing your subledgers on the first day of the month will give accountants more time to perfect journals and analyze accounts and provide managers more time to review final reports.
How Trenegy Helps
Trenegy provides a comprehensive review of an organization’s risk environment by drawing on years of experience advising multi-national publicly traded companies. We work across organizations through accounting, finance, HR, and operations to help design and implement effective controls with a focus on efficiency and future flexibility.
Trenegy does not simply identify and report control deficiencies. Once we have identified deficiencies in the process, we develop a specific course of action to remediate the underlying causes. By leveraging our expertise in ERP implementation, process design, and COSO 2013, we build strong controls around the people and tools you have invested in.
We arrive with both an attack plan and an exit strategy. Whether you recently became a public company and need a controls framework built from scratch or are trying to maintain a stable control framework in a volatile market, our focus is on providing the finance organization with deliverables and strategies that can be used long after we are gone.
Read below for advice on addressing internal controls as an emerging growth company.
5 Ways Emerging Growth Companies Can Address Internal Controls
by Nicole Higle
Establishing effective internal controls as an emerging growth company can seem burdensome, but it doesn’t have to be. Awareness of common obstacles can make preparation for 404(b) compliance less arduous. Here are a few steps we recommend taking along the way:
1. Define decision makers and leadership
Before starting an internal controls project, it is important to identify decision makers and the team responsible for leading implementation activity. Many decisions must be made throughout the controls definition process. Consider the following questions:
Who will have ownership and oversight of controls? Identifying governance over controls helps eliminate duplicate efforts across departments.
Do we prefer centralized or de-centralized controls? In a centralized environment, key controls are managed at the corporate office, and supporting controls are managed at the local level. A centralized control, for example, would be corporate Accounts Receivable personnel verifying all work tickets and including signatures and support documentation before submitting an invoice to the customer.
2. Address organizational changes
As emerging growth companies evolve, the defined controls must grow and change accordingly. Consider how acquisitions, reduced head count, or process re-engineering can impact established controls. The nature of how organizations change over time requires frequent re-evaluation of internal controls. If the structure changes or new technologies are implemented without assessing the impact on existing controls, there is a risk of control failure. Control owners must be aware of upcoming changes so control areas can be reassessed quickly and adjusted policies and procedures are communicated to stakeholders.
3. Incorporate change management
One of the most difficult components of implementing new controls is ensuring new process and procedure requirements are carried out. Often, control activities are partially developed but need an extra boost to establish a fully effective control.
For example, most companies perform account reconciliations each month, but lack documentation of management review. This results in an incomplete control. The goal here is twofold—to add a new step for documentation and encourage people to accept it. To add this control step, communicate why it’s necessary. If personnel understand the why, they are more likely to accept the change and contribute to the effectiveness of the control.
4. Prioritize controls
The risks of building a controls framework from the ground up can be overwhelming. It’s important to plan which controls to implement based on immediate needs instead of the longer-term SOX 404(b) requirements. If there are issues with unauthorized systems access, missed approvals, or if auditors have pointed out control weaknesses, focus here first. In the short-term, prioritizing areas of focus can prevent “control fatigue” and re-position attention to critical areas.
5. Establish right-sized controls
In large companies, it is easy to separate processing activities across multiple resources. However, emerging growth companies have fewer resources, so it is difficult to separate duties without adding extra work and slowing down the business. If it is not feasible to fully separate processing activities, such as entering AP invoices and printing vendor checks, consider establishing monitoring controls to be reviewed on the back end. These controls include periodically reviewing user access and conducting account trend analysis to compare account balances to prior months.
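The vendor-setup/invoice-processing/check-printing conflict described under "Unenforced Segregation of Duties" above, and the compensating user-access review suggested here for companies that cannot fully separate AP invoice entry from check printing, can both be run as a small review script. The following is an added example, not code from the original articles or from Trenegy; the duty names, the conflict matrix, the compensating-control names and the user-access extract are all constructed for illustration, and a real conflict matrix would come from the company's own control design.

```python
"""Segregation-of-duties review over a constructed user-access extract (added example)."""
from itertools import combinations

# Toxic combinations: pairs of duties one person should not hold together.
# Constructed for this example; the real matrix comes from the control design.
CONFLICTING_DUTIES = {
    frozenset({"vendor_master_maintain", "ap_invoice_enter"}),
    frozenset({"vendor_master_maintain", "check_print"}),
    frozenset({"ap_invoice_enter", "check_print"}),
    frozenset({"journal_entry_post", "journal_entry_approve"}),
}

# Conflicts a smaller company may accept if a documented monitoring control
# operates on the back end (constructed control name).
COMPENSATING_CONTROLS = {
    frozenset({"ap_invoice_enter", "check_print"}): "monthly_disbursement_review",
}

# Constructed user-access extract, shaped like an access-review export.
USER_ACCESS = {
    "alice": {"vendor_master_maintain", "ap_invoice_enter", "check_print"},
    "bob": {"ap_invoice_enter", "check_print"},
    "carol": {"journal_entry_post"},
    "dave": {"journal_entry_approve", "check_print"},
}

# Constructed register of compensating controls documented as operating, per user.
OPERATING_CONTROLS = {"bob": {"monthly_disbursement_review"}}


def find_conflicts(access):
    """Return {user: [conflicting duty pairs]} for every user holding a toxic pair."""
    out = {}
    for user, duties in access.items():
        hits = [
            tuple(sorted(pair))
            for pair in combinations(sorted(duties), 2)
            if frozenset(pair) in CONFLICTING_DUTIES
        ]
        if hits:
            out[user] = hits
    return out


def classify_conflicts(access, operating):
    """Turn each conflict into a review finding with one of three statuses:
    'mitigated' (accepted compensating control is operating for that user),
    'compensating_control_missing' (a control is accepted for the pair but not
    documented for this user), or 'remediate' (no compensating control is
    accepted, so the duties must be separated)."""
    findings = []
    for user, pairs in find_conflicts(access).items():
        for pair in pairs:
            needed = COMPENSATING_CONTROLS.get(frozenset(pair))
            if needed is None:
                status = "remediate"
            elif needed in operating.get(user, set()):
                status = "mitigated"
            else:
                status = "compensating_control_missing"
            findings.append((user, pair, status))
    return findings


def flag_balance_swings(current, prior, pct_threshold=0.25):
    """Account trend analysis: return accounts whose balance moved by more than
    pct_threshold against the prior month, as {account: fractional change}.
    Accounts with no prior balance that now carry one are reported as inf."""
    flagged = {}
    for acct, bal in current.items():
        base = prior.get(acct, 0.0)
        if base == 0:
            if bal != 0:
                flagged[acct] = float("inf")
            continue
        change = (bal - base) / abs(base)
        if abs(change) > pct_threshold:
            flagged[acct] = round(change, 3)
    return flagged


if __name__ == "__main__":
    for user, pair, status in classify_conflicts(USER_ACCESS, OPERATING_CONTROLS):
        print(f"{user:6} {pair[0]} + {pair[1]}: {status}")
    # Constructed prior/current month trial-balance excerpts.
    prior = {"2000_ap": 120000.0, "6100_office": 4000.0, "1200_ar": 90000.0}
    current = {"2000_ap": 165000.0, "6100_office": 4100.0, "1200_ar": 88000.0,
               "2300_accrued": 15000.0}
    print(flag_balance_swings(current, prior))
```

Run as a script, the review lists Alice's vendor-master conflicts as items to remediate (no compensating control is accepted for them), Bob's invoice-entry/check-printing overlap as mitigated by the documented monthly review, and Alice's same overlap as missing that control. The trend check flags the AP balance (up 37.5%) and the new accrued-liability account, which is the kind of back-end signal a reviewer would follow up on when duties cannot be separated.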
For emerging growth companies seeking to reduce the risk of fraud and collusion and adhere to Sarbanes-Oxley, internal controls are a necessity. Don’t wait until obstacles arise to address the issues. Plan now and set the stage to enhance your controls environment ahead of time.
Now let’s shift gears a bit toward enterprise risk management. What exactly is it, and is it necessary? Read below to learn more.
What Is Enterprise Risk Management? Do You Need It?
by William Aimone
When risk threatens a company, it does so holistically. Much like the anaconda, which swallows its prey whole, risk doesn’t waste time with a nibble here and a nibble there. It devours a business.
Just ask Saudi Aramco. When they were hacked in 2012, Aramco was forced to halt all computer-related activities. In an instant, the trillion-dollar company started doing business at the speed of paper. For any other company, this would have been certain bankruptcy. Arguably the most valuable company in the world, Aramco was able to recover, but it took five months.
Or ask Wells Fargo. The company was fined nearly $200 million in 2016 when deceptive sales practices resulted in employees creating accounts without customer permission.
Perhaps you remember Enron. A cyberattack affects much more than the IT department. False sales affect much more than the sales department, and misleading balance sheets affect much more than the finance department.
Risk management is an area where company executives often struggle with the questions: How good (or great) do we need to be at managing our risks? Do we need a professional level Enterprise Risk Management (ERM) program in place, or do we just need to buy corporate insurance and hope for the best?
For most companies, the answer is somewhere in between.
What Is ERM?
ERM is a strategic discipline where the full range of risks are managed in a unified governance program. Sounds sophisticated, so let’s dissect the words.
- Strategic discipline means the program is important enough to say, “If we do not do this, the company will fail.” For example, a strategic discipline of most department stores is great customer service. If a high-end store provides poor customer service, people will stop forking over hundreds of dollars for a shirt, and the store will lose customers.
- Full range of risks means every risk in the entire company. Company leadership will shake the organization down from top to bottom and identify all risks. This is a difficult task. Which risks must be addressed and which ones can be sustained?
- Unified governance program uses a team of employees to govern the management of risks. This program includes processes for tracking how well each part of the company is managing, mitigating, and controlling each of the individual risks. For example, a department store manager may be required to report back to an “ERM Group” on the store’s ERM compliance. The ERM report would include compliance and actions taken to mitigate and control employee turnover, loss prevention, parking accidents, fraud, weather, building maintenance, safety, and customer service risks.
Basically, ERM is a big deal and implementation requires discipline, time, and collaboration. It’s not for every company.
Very few companies have adopted a full ERM program as defined above. ERM requires a complete culture shift in an organization. Every major decision in the organization contains a structured thought process for assessing risks and potential outcomes based on the enterprise risks. ERM can hamper the entrepreneurial spirit in a company and significantly slow decision making. Therefore, before considering stepping into the ERM world, consider how it will impact the culture of the organization.
Companies should remember one of the main purposes of ERM: to create value for the company and its stakeholders by identifying and responding to risks, either negative or positive (opportunities).
Companies seeking to establish an ERM program have the opportunity to choose from a variety of frameworks to help structure the implementation. One of the most prevalent is the COSO ERM framework. Following the Enron scandal and the Sarbanes-Oxley Act, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published “Enterprise Risk Management — Integrated Framework.” COSO ERM was an expansion of COSO’s previously published “Internal Control — Integrated Framework.” The COSO ERM framework was designed to be used by businesses to help define the strategy, identify and manage risks, and ensure attainment of their goals.
The COSO framework is highly regarded as the most all-encompassing ERM framework. The most recent framework to be published was the RIMS Risk Maturity Model (RMM) for Enterprise Risk Management, which was developed by Steven Minsky. It focuses on the key areas of efficient and continuous enterprise risk management.
The bottom line is, organizations should tread lightly into the ERM implementation process and consider the costs and benefits associated with an ERM program.
This article has been adapted from a chapter from the author’s book, Jar(gone).
Corporate Compliance Gets Personal
by Jackie Pfister
In November 2015, The Department of Justice (DOJ) appointed Hui Chen as the new corporate compliance expert. As the DOJ increasingly creates new laws pertaining to proper business conduct and corporate compliance, Chen’s role is to provide transparent interpretations of these laws to company leadership. She will also provide guidance to the DOJ regarding the existence and effectiveness of any compliance program’s measures to “detect and prevent future wrongdoing.”
The recent increase in government oversight of compliance programs leaves boards of directors searching for best practices in fraud prevention. To mitigate company sentencing, organizations must establish a strong compliance program, ensure employee cooperation, and deploy proper testing of said compliance and cooperation.
The scrutiny of compliance programs has escalated. The DOJ seeks out well-designed programs that are applied throughout the organization and actually work. What combination of tactics ensures an effective and well-designed program?
Compliance programs must use clear language and be published in writing where everyone in the company can easily access them. Once the written program is established, organizations should conduct training to communicate and explain the documented program. Training hosted by compliance leaders with stature and respect produces attentive listeners who are more likely to uphold the program’s terms. Trained employees should then be held accountable, and incentivized, for maintaining lawful working practices.
DOJ compliance oversight is taking a new focus on individuals, not solely on the programs themselves. Strong compliance programs with non-compliant employees are as useful as no compliance program at all.
How does a company measure employee cooperation? Both leadership and employees must ethically handle conflicts of interest within and outside the workspace.
Compliance with government and corporate rules is inherent to employee cooperation. When an employee steps outside of lawful conduct, they must accept reasonable punishment with the intent to act lawfully going forward.
Testing and Mitigation
The testing of compliance programs and employee adherence to these programs is the final key to avoiding corporate punishment. Companies can ensure strong programs and employee cooperation through several methods: guiding principles, risk assessments, and hiring assessments.
Guiding principles are the overarching strategic principles guiding how the compliance program will be structured, governed, and operated in the future. By documenting guiding principles, the business is able to easily maintain its purpose and objectives for the compliance program and for the corporation as a whole. Often, a change of leadership or processes leads to decisions and changes that fall outside the predetermined principles of the program. Guiding principles aid compliance programs in delivering lasting value and impact and ensure that they accommodate future-state business requirements.
Risk assessments help an organization to identify highly regulated areas of the business. Processes and procedures should be documented for these highly regulated areas in an effort to identify high-risk departments or people. Risk assessments outline potential threats to an organization, the likelihood of each risk occurring, and a proper response to the risk. This gives the organization an opportunity to react quickly to adverse situations with little impact on the business. The Department of Justice monitors not only breaches of compliance programs, but also the organization’s response and mitigation tactics. But how does an organization recognize a department or individual as high risk?
A human resources hiring assessment outlines hiring prerequisites and indicates where higher risk roles exist departmentally. If an organization does not have stringent background checks or requirements prior to hiring an employee, this employee could be at risk for illegal behavior within the organization. This can also be viewed departmentally. A department manager that doesn’t enforce a strict hiring practice with lawful employee requirements could evolve into a department employed by high-risk individuals likely to break compliance program rules.
The Department of Justice has increased its enforcement and regulation of compliance programs. By implementing a strong compliance program, ensuring employee cooperation, and deploying proper testing and mitigation of these programs, organizations will be prepared and equipped for DOJ regulation.
Read on to learn ways to prevent corporate scandals within your organization.
Preventing Corporate Scandals
by Alan Quintero
Early in my career, I asked a mentor how to tell the difference between right and wrong in the business world. He said, “Before acting, ask yourself, ‘Do I want to see this on the front page of The Wall Street Journal?’” It was great advice, but someone must have forgotten to teach it to other corporate leaders. Opening fake bank accounts, rampant sexual harassment in news organizations, cheating on emissions testing, and expensive essential medical devices are just some of the recent scandals. We should learn from these events to prevent corporate scandals from happening in our businesses. As a leader, here are a few things you can drive in your organization:
Teach by Example
When growing up, our parents and teachers didn’t give us written home policies and procedures or check on us with a Kid Audit Department. So how did we learn right from wrong? We did it by watching and mimicking people around us in positions of authority. In other words, our parents, teachers, and older siblings were teaching by example.
The same is true in an organization. People in positions of power are mimicked by others in the organization. Therefore, the first and most important step in preventing corporate scandals is to ensure that your company’s leadership models proper behavior to the organization.
For the top managers of small companies where employee interaction happens on a daily basis, this means doing the right thing every day—simple but not easy. Many companies are large enough that direct interaction between top management and most employees does not happen daily. For those companies, other controls must be established.
The first thing the company must have in place is an ethics policy statement. This document is known by many names (e.g. “Our Values”), but it essentially outlines management’s expectations of how the company will conduct business and the values the company esteems. To remain credible, company management must ensure nothing the company does or espouses through policies and procedures contradicts these values.
In addition, the company must have an independent and secure system that allows the anonymous reporting of potential infractions and unethical behavior by any employee. The best whistleblower systems are managed outside the company and reviewed at the highest level (including by the board of directors).
Most companies hold required annual training for their employees on topics such as conflicts of interests, cybersecurity, and more. It’s a good practice to include a review of the company’s values and how to use the whistleblower system in this training, too.
Be very careful with your company’s compensation schemes. When establishing a performance indicator for bonus payments, ask, “What unintended behavior could this metric cause?” The very noble drive for increased sales at Wells Fargo and Volkswagen led to employees opening fake accounts for customers and inventing a way to cheat emissions tests. Also, your employees will know if you’re rewarding those who push the boundaries to get results over those who don’t. Make sure your employee evaluation programs measure the right behavior in addition to the right results.
Follow the Profit Chain
Now that you’ve set the right tone, it’s time to run your business. The goal of any for-profit business is long term profitability. In the book, “The Service Profit Chain,” authors James Heskett, W. Earl Sasser, and Leonard Schlesinger outline the way companies turn a profit. Nowhere in that book is cheating encouraged as a way to increase profitability.
Instead, a sustainable profit is achieved only through loyal customers. To keep your customers happy, you need to manage a series of properties of your operations that, when performed together, lead to customer loyalty. The three authors call this the “service profit chain” (below).
The authors’ research shows that a company must invest in the Employee chain and Customer Value chain to reach Profitability. Furthermore, each step in the chain drives the next chain (the Employee chain drives Customer Value, etc.)
To avoid corporate scandals, investment decisions must determine whether an investment is driving a step in the chain. For example, software to cheat emission testing doesn’t enhance any of the steps, and increasing the cost of medicine 600% actually reduces Customer Value.
Instead, investments that enhance the chain include:
- Employee chain: Invest in strong quality programs, customer-facing systems and organizations, and systems and tools that make employees’ jobs easier. An unsatisfied employee is three times more likely to leave a company than a satisfied employee. They’re also more likely to sabotage the company or create a situation that may lead to a corporate scandal. Some studies show that the cost to hire and train a new employee is six to nine months of salary, but the real cost of losing an employee is the lost productivity. In a recent study I read, it cost five years and $2.5 million for brokers at a securities firm to rebuild relationships that were established by their predecessors.
- Customer Value: Perceived value by the customer increases with the results the customer sees and decreases with the cost of these results to the customer. Therefore, invest in products and services that the customer wants, and ensure these products are of high quality. Also invest in ways to reduce the cost of these products.
If a company invests in these things, the results will be an improvement in the Customer chain. Studies show that customers who describe themselves as “very satisfied” will remain a customer 80% or more of the time. They’re likely to tell up to five other potential customers about you. On the flip side, customers that describe themselves as “slightly dissatisfied” or worse only remain a customer less than 40% of the time. They’re likely to tell 11 other potential customers to stay away.
Not only is following the service profit chain good business, but it will keep you out of trouble.
In science, the second law of thermodynamics states that any system, left alone, will become more disorganized over time. This is true of a corporation as well, so you must remain vigilant.
To prevent corporate scandals, diligently review the data collected in your organization and look for trends that don’t make sense. Are you seeing an increase in new products sold without a corresponding increase in revenue? Did your team solve a long-standing challenge without introducing a new technology or system? Are you experiencing an increase in HR complaints or calls to your whistleblower hotline? All of these could indicate trouble is brewing.
You should cultivate a culture of continuous improvement. Are you mining the root causes of incidents that didn’t go as planned? How are those learnings incorporated into the way you do business?
Victor Hugo said, “Initiative is doing the right thing without being told.” Thankfully, you can help the initiative of your organization to prevent corporate scandals by setting the right tone from the top, investing only where it drives customer loyalty, and remaining vigilant for signs of trouble.
Read below to learn how to optimize business performance through controls.
Optimizing Organizational Performance Through the Control Environment
by Nate Stroeher
It has been said that a pessimist sees the difficulty in every opportunity and an optimist sees opportunity in every difficulty. Similarly, the corporate executive can view regulatory requirements created by Sarbanes Oxley and the PCAOB with disdain or as a catapult for positive change throughout the organization. Private companies, which today face increased pressure to implement a control environment from lenders, partners, and investors, will face challenges similar to their public counterparts.
A SOX 404 implementation program can be managed to gain organizational efficiencies and achieve more effective processes. In the same way, companies that implement a control environment to satisfy outside requirements can benefit from efficient and effective processes that arise from this initiative. The guidelines below will help organizations realize benefits of organizational change while implementing a sound control environment.
Set Guiding Principles
The transition to the 2013 COSO framework implies a more robust and daunting control environment. Developing a set of guiding principles for the organization and each business function links policies to strategy and sets the foundation for an effective control environment. Guiding principles capture intent, establish the tone at the top, and rally the organization to implement the right control activities.
A mid-sized construction group used guiding principles as a motivation tool and a way to give each function a sense of purpose and identity in their new environment. The control, monitoring, and risk management activities and policies were then tied into the guiding principles to ensure a common tone was established and integrated.
Lesson Learned: Undertaking large initiatives such as creating and implementing a control environment presents the perfect opportunity to reunite the organization. The best place to start is with guiding principles.
Integrate Risk Assessment and Planning
The mere thought of conducting a risk assessment reeks of drudgery. Organizations benefit when the risk assessment process is seamlessly integrated with the business planning process. This one forward-looking process is more efficient than two separate processes.
A key element of the business planning process is a financial budget for the upcoming year. Why not also make the risk assessment a product of planning? Recently, a large developer integrated the risk assessment with planning and budgeting, adding only two weeks to the entire four-month planning and budgeting process. Completing both initiatives simultaneously offered a more holistic approach to both processes and exposed risks and opportunities which would have been harder to discover by looking at each process separately.
Lesson Learned: The total benefit gained by integrating the risk assessment and planning process is far greater than the sum of the two initiatives completed separately. Organizations can use this integration as a starting point for organization-wide, integrated process change.
During a controls and process mapping exercise, it is important to understand the purpose of each step in a process. Many rapidly growing companies inherently have bad processes that worked for a small company but aren’t necessary for a larger organization.
Often, large construction organizations spend an inordinate amount of time physically matching vendor invoices to checks for the controller’s signature. This step served the company well when they were small, but as they grew into a larger public company, this was wasteful and didn’t serve a purpose. By implementing more efficient controls into the disbursement process, the company eliminated the paper matching process.
Lesson Learned: Don’t be afraid to look for ways to eliminate waste as a part of the SOX 404 implementation or review process. Along each step in the implementation/review process, ask, “Is this a necessary step, and does this step make sense for a company of our size?”
Companies have no choice but to address the mounds of regulatory requirements needed to comply with SOX and SEC regulations and with the demands of lenders, partners, and investors. Organizations that adopt a pessimistic viewpoint and focus on the difficulties will continue to fight an uphill battle. However, those who view these requirements as a catalyst for change will recognize benefits that far outweigh the costs.
Don’t Let Your Major Capital Project Be like the Song That Doesn’t End
by Alan Quintero
When my kids were young, we used to sing “The Song that Doesn’t End” together at the top of our lungs. If you don’t know the song, the lyrics at the end of the verse run into the lyrics at the beginning so that you can keep singing the song forever.
A recent study of energy “megaprojects” shows that 64% run over budget, and 73% have schedule delays. But this doesn’t have to be the case. By following these simple, albeit challenging, rules, you can finally stop that “song that doesn’t end.”
1. Choose a prime contractor wisely
Most companies don’t have the expertise to manage a project with internal resources. A prime contractor engages with the project owner and executes the project’s primary scope either by themselves or by hiring and managing subcontractors.
Whether you’re choosing a shipyard for a major rig upgrade, or a company like Trenegy for a major IT project, choosing the right prime contractor is key. In this important role, picking the lowest bidder isn’t always the best choice.
Would you hire a company to install a pool in your backyard based strictly on price? Probably not. Why choose a prime contractor for your company’s major capital project that way? You would be surprised how many companies take this approach and end up paying more in the long run.
2. Have a well-defined plan
Have you ever started a home project only to find yourself making six trips to Lowe’s to get the right supplies? I have. Making a good plan prior to starting the project would have probably eliminated the additional time and cost. Now multiply that effect by a thousand… or a million. That’s the effect of a poor plan on a major capital project.
A good plan should include some basic concepts:
- A realistic time and cost estimate free of optimism bias. These estimates should include the possible positive and negative effects of risks and opportunities identified during the risk assessment (see below).
- A comprehensive risk assessment to identify potential risks and opportunities that could affect the project’s schedule and cost.
- A detailed inventory of resources required to complete the project, including resources that may be needed to address the risks identified above, and a plan of how to acquire them.
3. Make sure your capital project is a capital project
Many companies fall into the trap of accumulating deferred maintenance as they prepare for a capital project. They think a small maintenance item won’t interfere with the project’s critical path, and there will be more time during the project than during operations. This line of thought is a fallacy. When possible, maintenance is better performed during operations. Consider this example:
A home owner decides to change the AC filter while a contractor is doing a major kitchen remodel. The homeowner thinks: I’ll be home then, and such a small task won’t affect the kitchen remodel. While the remodel is going on, the homeowner borrows the ladder to install the air filter, which forces the kitchen contractor to delay the installation of a cabinet by a day. A few days later, the kitchen contractor paints the whole kitchen, fouling the air filter the home owner just installed and causing the home owner to install another one after the project.
The scope of capital projects should include only the capital work scope for which the project was planned.
4. Know where you are and where you are going
Great real-time tracking is necessary to ensure course corrections can be made during a project so it ends on time and under budget. To know if your tracking is effective, you should know the answer to these questions at any point during project execution:
- Where are we today (against the schedule, the scope, and the budget)?
- How much longer will it take to complete the remaining scope?
- What will it cost to complete the project?
If you cannot answer these questions confidently, then your tracking needs to be improved.
5. Be complete at completion
Almost everyone who buys a new home develops a punch list of items (quality deficiencies or incomplete scope) to be corrected by the builder before closing on the home. Many home owners have allowed these items to roll past the closing date, relying on the builder’s word to complete them sometime in the future. If you’ve been in this situation, which of the punch list items was the builder more motivated to complete?
Your original plan and continuous tracking should include provisions for completion of punch list items during the planned execution of a major capital project. It’s more likely that the prime contractor will act on these items prior to the project end date. A project should be as complete as possible by the completion date.
Although these rules seem simple, they aren’t always easy to implement and require a disciplined, deliberate approach to realize the desired results.
Continue reading for tips on managing projects with tight budgets and deadlines.
5 Tips for Managing Projects with Tight Budgets and Strict Deadlines
by Nathan Irby
No project exists without a firm deadline or a specific budget. If yours does, then you can stop reading here. But in today’s economic and competitive environment, tackling a major project is more difficult than ever. So how can a company take on a capital-intensive project? Whether a project is in the planning phase or the deadline was yesterday, these tips can guide any project to the finish line:
1. Develop a master plan
At the center of every new project should be a master project plan. A good project plan is complete prior to starting and includes detailed tasks, resources responsible for those tasks, expected start and completion dates, and up-to-date statuses. Enable project resources to regularly update their tasks and assign realistic deadlines for each one. Doing so will allow a project manager to accurately track the timeline of the project.
Once a project plan is complete, identify tasks that can be accomplished before kickoff. If budgets are set, this may be executing contracts or locating project space. In an ERP implementation, begin collecting data sets for conversion, setting up new environments, or writing test scripts. For acquisition integration, start gathering and mapping current and future state roles. There is usually an opportunity to complete work ahead of schedule. Find the tasks that don’t have dependencies or may require a long lead-time. These will allow for a head start.
2. Open the lines of communication
It’s a given that tensions will be high when a deadline is looming on a project team. Don’t let high stakes or emotions impede open lines of communication. The result of bringing an issue to light should be praise and gratitude. The sooner an obstacle is identified, the faster the project can move forward.
Communicating to the right people is equally as important as the communication itself. Create a project governance model to establish lines of communication to key resources. Without structured communication, the organization will not view the project as significant. Management will miss steering committee meetings and team members will sit in meetings saying, “No update.” Keep the project under control and lines of communication open by setting monthly or quarterly updates for steering committees and weekly status updates with the project team. This will provide clarity into project progress without spending too much time catching people up on unnecessary details.
3. Build in flexible decision making
A byproduct of open communication and key stakeholder involvement is flexibility in decision making, which is vital to moving a project forward. When both are established correctly, issues/roadblocks will be addressed promptly. Set guiding principles early and allow key project members to make decisions and purchases. Often, executing a contract to make a small purchase can be the bottleneck in a much larger process. By setting appropriate delegation of authority limits and approvals, project team members can quickly gather necessary resources to keep the project moving forward.
While all decisions are not created equal, it’s important to identify and document those of high priority. Documenting a decision and the parties responsible holds department leads accountable. When clearly documented, a decision becomes more tangible and serves as a point of reference for future questions around the decision. A detailed decisions log may take time initially, but will save debate or disagreement going forward.
4. Prioritize compliance
Regulatory and compliance-related tasks should be at the top of every project manager’s list. While deadlines and budgets are much easier to forecast and change, failure to meet regulatory/compliance requirements can lead to serious problems. Prioritize compliance portions of the project and track their dependencies to control risk.
What often leads to missed deadlines and overspending are project additions that were not part of the initial plan. Once a project has begun, it seems easy to expand the scope and improve other areas. If the resources are already there and funds are available, why not make a bigger impact? Say no! With any project, there are necessities and nice-to-haves. As simple as it sounds, identifying each one can be the difference between success and failure.
After audit risks, identify the key components for day-to-day operations. If there are items that can be completed once the project is finished, determine the implications and likelihood of completion.
5. Have a contingency plan
There is a pivotal point in every project where a go/no-go decision must be made. If the project is going to exceed the given timeline or go over budget, it’s critical to communicate this at the earliest sign and plan accordingly. Even before a project reaches this point, it’s important to identify what causes this to happen in the first place. More frequently than not, external factors set a contingency plan in motion. Project team members will be pulled back into their day jobs and project tasks will no longer be a priority. Prevent these distractions where possible by transitioning or backfilling these tasks.
As a project manager or team member, the quality of your product or service should be of utmost importance. Read on to learn how to keep customers happy.
The Bitterness of Poor Quality: Why Reliability Matters
by Alan Quintero
I always wanted a two-seater German sports car. A few years ago, I finally checked that item off my bucket list when I found a great deal. I was the owner of a beautiful, champagne colored, road-handling machine. It was a dream come true. Until my dream broke down.
Just a few miles from home, my dream car started smoking, and flashing messages told me that I was having a catastrophic transmission failure. I spent an hour waiting by the side of the road for a tow truck and then waited weeks while the dealer fixed my new car. The waiting, expense, and inconvenience were irritating. The irritation made me angry, and the anger made me bitter.
And at the end of the day, the bitterness was caused by a broken, small, and inexpensive aluminum bracket that made a transmission fluid line disconnect.
I recalled a saying a friend of mine learned early in his career: The bitterness of poor quality remains long after the sweetness of low price is forgotten.
This is an important idea to remember when developing your operational excellence strategy. But how does a company design a program that ensures reliability? How can your organization ensure that whatever product or service makes you money will be available when called upon?
There are five features to a superior reliability program. These aspects, when properly applied to your internal product production and asset strategy, and when applied to your supplier network, ensure your customers and clients will not experience the bitterness of poor quality.
1. Set the right tone from the top
It’s important for your employees and suppliers to understand that reliability will not be compromised. Recent examples have shown how easily an organization will take the path of least resistance when it perceives management doesn’t care (airbags from Japan, diesel emissions from Germany, etc.). One step to setting the right tone is to ensure quality-related concerns are addressed thoroughly and rapidly when they arise.
2. Address reliability holistically
Inspections alone will not guarantee reliability. Quality must be promoted through the following:
- Improved management practices and policies
- Streamlined processes and procedures
- Built-in quality in the design and manufacturing of your products and those from your suppliers
- Robust maintenance procedures to support your assets
- Strong supporting technology infrastructure
3. Work on a few high-impact items
Research shows that an organization working on fewer than three enterprise initiatives is successful. When that increases by one or two more, the chances of success drop significantly. Focus on and prioritize where reliability will have the biggest impact on the bottom line, and work on that first. Once these reliability items have been conquered, move on to the next challenges.
4. Be data driven
Use data to take emotions out of the equation and get the right answer. There’s an old adage: Ask five experts what the right answer is, and you’ll get fifteen different opinions. Don’t neglect the data.
5. Keep going
An excellent reliability program never ends. Continuous improvement must be incorporated into the organization’s culture. Once this spirit of continuous improvement is established, the challenge will shift from motivating employees and suppliers to think about reliability to ensuring focus on the right priorities.
Don’t leave your customers and clients stranded on the side of the road, tasting the bitterness of poor quality.
Now let’s talk about IPO. Continue reading below for in-depth insight.
Energy: The Continued Race to IPO and the Hurdles to Clear
by Michael Critelli
Earlier this year, many oil and gas companies were racing to IPO in an effort to capitalize on the crude oil price rise. Companies were looking to raise cash to complete two major objectives:
- Eliminate debt caused by the downturn
- Expand assets to increase capacity for the upturn
These companies made a strong strategic move to grow and to mitigate the growing debt and competition risk. However, with change come new compliance risks which must be mitigated. Public companies face a new compliance burden around Internal Controls over Financial Reporting (ICFR). Most companies have a few years to prepare for these burdensome audits, thanks mostly to SOX 404(c) and a PCAOB interpretive release in 2007. However, management is still required to self-certify the effectiveness of their internal controls. SOX 404 is something many companies put off, forcing their CFO to certify that ICFR is in place without any genuine confidence. With oil prices’ recent volatility, oil and gas companies must be prepared for sudden price hikes that could push their public float, assets, and/or revenue over the SOX 404(c) threshold, requiring an ICFR external audit. Companies can mitigate the SOX 404 burden by understanding their internal control risks and ensuring the new controls do not slow down efficiency.
Prior to an IPO, oil and gas companies must understand what SOX 404 specifically means for them. An IPO is not the time to be blindly confident in ICFR, but rather a chance to uncover and address potential weaknesses. Here’s what companies need to know to help identify and mitigate their control risks:
You can’t rely on an auditor safety net. Oil and gas companies that still lean on their auditors to uncover deficiencies could get hit with an ICFR deficiency. Per COSO 2013, public companies are now responsible for their own internal control risk assessments and proactive monitoring of control effectiveness. More simply, companies are now responsible for their own asset cycle counts, inventory counts, account reconciliations, controls, etc. How can a company take control without auditors? Perform a COSO 2013 Risk Assessment to map out the controls matrix and identify areas of risk.
You must cover more than the activity level controls. Activity level controls are often the controls that every CFO thinks they have covered. From a process standpoint, this is often true. However, the key difference between private and public processes is the required documentation needed to ensure controls are in place. Leverage the risk assessment to map out all the key controls in process flows. Each key control needs documentation to test and to confirm that it happens successfully. Examples of documentation include written approval, meeting minutes, system audit trails, and email chains. Pick what makes the most sense for your company and begin documenting.
Identify missing roles and responsibilities. Most private oil and gas companies run lean on the compliance side and therefore have gaps in roles and responsibilities that need to be filled. Use the risk assessment to identify these gaps early and to assign the roles and responsibilities to experienced professionals. Take early steps toward a strong tone at the top and a sound governance structure.
Don’t overlook IT. IT is often an afterthought at private oil and gas companies and is frequently left out of risk assessments. Focus on securing the financial systems. This means 1) confirming that the general IT controls needed to prevent unauthorized data changes are in place (restricted and periodically reviewed access, a change management process for the financial applications, and audit logging that is retained and reviewed), and 2) documenting a segregation of duties matrix so that no single user can initiate, approve, and record a transaction.
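A segregation of duties matrix is only useful if it is actually checked against who holds what in the system. The following Python is an added example, not code from the original article or from any ERP vendor, of that check run over a role model and a user-to-role export. The role, entitlement, and user names and the conflict rules are constructed assumptions; a real system exposes its own authorization objects, and the rule list comes from the risk assessment. It checks at two levels: roles that are toxic on their own (a design defect even if nobody holds them today) and users whose combination of individually clean roles puts both ends of a conflict in one pair of hands, which is the case a role-by-role review misses.

```python
"""Segregation-of-duties (SoD) check over a role-to-entitlement matrix.

Added example, not code from the original article or from any ERP vendor.
All role, entitlement and user names below are constructed for illustration;
real systems expose their own authorization objects.
"""

# Constructed role -> entitlement mapping (assumed, ERP-style names).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "gl_accountant": {"journal.post"},
    "controller": {"journal.approve", "payment.release"},
    "sys_admin": {"user.admin", "config.change"},
    # A badly designed role: holds both ends of two conflicts by itself.
    "ap_superuser": {"vendor.create", "invoice.enter",
                     "invoice.approve", "payment.release"},
}

# Constructed SoD rules: (rule name, entitlement A, entitlement B); A and B
# must never be held by the same person.
SOD_RULES = [
    ("create-vendor-and-pay", "vendor.create", "payment.release"),
    ("enter-and-approve-invoice", "invoice.enter", "invoice.approve"),
    ("post-and-approve-journal", "journal.post", "journal.approve"),
    ("admin-and-post", "user.admin", "journal.post"),
    ("admin-and-pay", "user.admin", "payment.release"),
]

# Constructed user -> roles assignment (what an access review would export).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},    # conflict only across two roles
    "carol": {"gl_accountant"},
    "dave": {"controller", "sys_admin"},  # admin rights plus payment release
}


def effective_entitlements(user, user_roles=USER_ROLES,
                           role_entitlements=ROLE_ENTITLEMENTS):
    """Union of everything the user's roles grant: the set SoD must judge."""
    ents = set()
    for role in user_roles.get(user, ()):
        ents |= role_entitlements.get(role, set())
    return ents


def role_level_conflicts(role_entitlements=ROLE_ENTITLEMENTS, rules=SOD_RULES):
    """Roles that break a rule on their own. These are design defects to fix
    even if nobody currently holds the role."""
    return [(role, name)
            for role, ents in sorted(role_entitlements.items())
            for name, a, b in rules
            if a in ents and b in ents]


def find_sod_violations(user_roles=USER_ROLES,
                        role_entitlements=ROLE_ENTITLEMENTS, rules=SOD_RULES):
    """Users whose combined roles hold both ends of a rule. Records which
    roles supply each side so the reviewer knows what to remove."""
    violations = []
    for user in sorted(user_roles):
        ents = effective_entitlements(user, user_roles, role_entitlements)
        for name, a, b in rules:
            if a in ents and b in ents:
                via_a = sorted(r for r in user_roles[user]
                               if a in role_entitlements.get(r, ()))
                via_b = sorted(r for r in user_roles[user]
                               if b in role_entitlements.get(r, ()))
                violations.append({"user": user, "rule": name,
                                   "via": {a: via_a, b: via_b}})
    return violations


if __name__ == "__main__":
    for role, rule in role_level_conflicts():
        print(f"role design defect: {role} breaks {rule}")
    for v in find_sod_violations():
        print(f"{v['user']} breaks {v['rule']} via {v['via']}")
```

In a small finance team some conflicts cannot be removed by reassigning roles; those are the ones to document with a mitigating control (for example, an independent monthly review of every payment released by that user), and the output above tells you exactly which user, rule, and role combination that control has to cover.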
Spending time on these tasks will go a long way toward making a company’s transition to public company status smooth and less burdensome.
Implementing the COSO 2013 framework to support proper ICFR can be time consuming and can quickly get out of hand if the wrong approach is taken. Here are some best practices when rolling out ICFR for SOX 404:
- Leverage the Risk Assessment’s key risks when deciding where to design internal controls.
- Each key risk should be covered by both preventive and detective controls. Relying too heavily on one type over the other leaves gaps.
- Define the key processes and map out each key control, ensuring efficiently designed controls, so the team will better understand the whole process.
- Ensure all controls are designed with an expected output or evidence that can be tested.
- Quality over quantity is the most important factor when developing a controls framework.
- Training, tone at the top, procedural documents, process flows, and narratives all help demonstrate that each control operates effectively.
- Assign control owners and have them confirm whether they performed their control each month.
These best practices will produce a properly developed controls framework that does not over-complicate or hinder process efficiency. As oil prices continue to stabilize, we should see more and more oil and gas companies IPO in an effort to reduce the debt accumulated over the last 2-3 years. The companies that IPO need to understand the ensuing compliance risks and mitigate them in the most efficient way.
Check out five IPO myths to avoid below.
Don’t Believe These 5 IPO Myths
by Peter Purcell
The migration from a privately held to a publicly traded company can be onerous. Preparing for and operating after an IPO means that company owners must transition from operating with a degree of information privacy to working under the keen eye of regulatory bodies and shareholders.
Executives must navigate a complex set of steps when migrating to a new operating environment to provide confidence to external shareholders and regulators. Many of the steps are necessary, yet a few are myths. Falling prey to the myths could make the IPO process overly expensive.
Myth 1: You must implement a tier one ERP to provide the right level of reporting and control over financials
A tier one ERP like Oracle or SAP ECC can support the reporting and control requirements but imposes a significant cost burden on a company. A variety of tier two packages, like Microsoft Dynamics NAV or SAP Business One, provide similar reporting and controls at a much lower cost. NAV and Business One each provide more than 600 authorization points to limit employee access to key transactional data, and both provide strong reporting capabilities. Companies preparing for an IPO can take advantage of these systems at a fraction of the cost of their tier one counterparts.
Myth 2: You must build out large administrative departments to mirror large publicly traded companies
Companies need key administrative functions, including HR, Legal, Internal Audit, Procurement, and IT. Privately held companies often have one department support more than one function with little worry about segregation of duties. Transitioning to having these functions supported by separate departments to provide investors a level of comfort around segregation of duties is costly. Combining a strategy of selective hiring and outsourcing key functions by using the right systems controls and documented procedures will provide the appropriate level of segregation of duties.
Myth 3: You must fire your accounting firm and hire a Big Four firm
Depending on the complexity of the business and the knowledge of the internal finance and accounting staff, many public companies are able to satisfy investor and board requirements with a regional or national accounting firm. More complex companies with unique legal entity and tax structures often rely on the Big Four to answer some of the tougher questions. However, this does not mean the company going public needs to fire its regional accounting firm. It may require a shift in roles so that using multiple firms is efficient and effective: the regional firm provides tactical services at reasonable rates while the Big Four firm answers the more complex questions.
Myth 4: You must create a budgeting process that requires detailed input from all parts of the organization
Equity firms will request a significant amount of plan-to-actual information from the due diligence through post-IPO timeframe. Following IPO, companies will often overcomplicate the budgeting and planning process, assuming the public company board will want to review information at the lowest level of detail. The reality is different. Public company investors do not require detailed budgeting information. Newly public companies should not feel compelled to have a complex budgeting process and should simplify, or possibly eliminate, most of the budgeting process.
Myth 5: You must build lengthy reporting packages for the public company’s board
A new board will most likely be convened to provide direction through the IPO process. In most cases, the equity firm sponsoring the IPO will drive who sits on the board. Executives often assume the new board will require detailed information about every aspect of the company. Accounting and Finance are tapped to develop complex board reporting packages with hundreds of pages. Board members do not typically have the time or the need to read detailed board packages. The CFO should work with the board to create a reporting package that highlights key information and provides a relevant level of transparency, results, and projections. This will reduce the distraction, cost, and effort required to pull together board reporting packages.
People Get Hurt, Right? Not Necessarily
by Alan Quintero
In seventh grade, I broke my arm while playing football. On the way back from the emergency room, my father said, “If you go through childhood without breaking a bone, you haven’t really had a childhood.” This learn-through-consequences approach to risk is how many of us grew up.
Toddlers learn not to touch a hot stove after getting burned once. Likewise, we might expect employees to learn from the accidents they experience. But consider this: an accident can cost a company between $600 and $2,000,000 or, much worse, lead to loss of human life. Our safety programs must prevent accidents before they ever happen.
In other words, employees must know not to touch the hot stove before they are burned.
How can a safety program prevent accidents without people having to experience them? Successful safety programs explain the why of the program’s processes in addition to the what. The most successful safety programs do these things well:
1. Establish leadership from the top
Organizations must know that safety is important at the highest levels, and it will not be compromised for profit or other business reasons. If it’s important to your boss, then it’s important to you.
2. Set simple, clear, and enforceable key processes
At a minimum, a successful safety program will include these key processes:
- A method for job planning that incorporates risk management and accident prevention
- Safe working procedures that are well known and used consistently
- A permit-to-work system that incorporates equipment lock-out and tag-out procedures
- Emergency response plans and practice drills
These processes must be simple, easy to follow, and documented so they can be audited for enforceability. Checklists and graphical instructions work better than long, detailed documents.
3. Develop a communication plan
Alerts, bulletins, and other communications express both the importance of safety and the “why we do it.” Short, visual communication and storytelling are more effective than detailed graphs, tables, and statistics. It is possible to preserve the quality of information while keeping it simple and concise.
4. Monitor performance and seek continuous improvement
Detailed incident reporting and analysis, field safety observation programs, and compliance audit programs are key elements to continuous improvement. Capture the data, then use it to evaluate where changes to your program will have the biggest impact. If you try to work on everything, nothing gets done. Start with a few high-impact areas for improvement and do them right.
With a little thought and discipline, you can have a safety program that not only helps employees learn from incidents, but prevents incidents before they happen. Regardless of what my father said, you can have a great childhood without breaking a bone.
How to Prepare for an IT Audit
by Matthew Barnes
With the euphoria of going public comes the responsibility and reality of audit committees, SEC/SOX regulations, and public scrutiny of internal policies. When a privately held company goes public, it must comply with an abundance of regulatory requirements. Auditors are required to examine company practices across the organization, including information technology.
IT controls are crucial to protecting the integrity of an organization’s financial data, third party applications, and primary accounting systems. Failing an IT audit could result in reported significant control deficiencies or material weaknesses, directly impacting a company’s valuation, attractiveness to investors, and public perception.
To prepare IT to meet public company regulatory requirements, an organization must assess risk, put a recognized controls framework in place, and establish tone at the top. It’s important to encourage compliance with controls and ethical practices throughout the organization.
1. Start with an IT risk assessment
Controls implementation begins with a top-to-bottom risk-based diagnostic of the current technology environment. This includes understanding employee attitudes and the use of technology as well as hardware and software capabilities. A risk assessment should result in clear understanding of each risk and include a formalized prioritization process. The prioritization process should be co-developed with the business leaders who own many of the risks.
While IT is responsible for maintaining the technology that supports the business objectives, each business unit owns the risks within its purview.
For example, if a company’s controller runs a consolidated financial statement and one legal entity’s data is not integrated, accounting is primarily responsible for the resulting risk, even though IT maintains the integration.
The heavy lifting required to perform a thorough and well-documented risk assessment pays dividends when it comes time to write detailed policies and process flows. IT controls and policies serve as the clear and direct solution to risks identified, and they are most useful when mapped to specific risks in the assessment.
2. Select the right framework
IT audit frameworks such as ISACA’s (Information Systems Audit and Control Association) COBIT are maintained alongside ISACA’s IT audit and assurance standards, the standards that CISA (Certified Information Systems Auditor) certified auditors work to, and they translate those meticulous technical standards into concrete control objectives an organization can implement.
The scope of IT audit frameworks can overwhelm smaller organizations. Understand the purpose of each framework, select the relevant components, and build a fit-for-purpose solution to best match your company’s:
- Historical controls
- Current size
- Projected growth
- Business model
- Industry and location
For instance, the COSO (Committee of Sponsoring Organizations) framework is strong on corporate governance and the control environment. ISO/IEC 27001, the ISO (International Organization for Standardization) standard for information security management, is built around a risk assessment and risk treatment cycle and so places a stronger emphasis on risk. Neither is a perfect fit for every organization. Depending on the organization’s issues and culture, selecting the right components from each framework should be a consideration.
A comprehensive approach to controls is a better long-term strategy than a rushed or provisional attempt to meet SOX standards. Ensure subject matter experts from the business are consulted, and appoint an IT project manager to supervise the rollout.
3. Set the tone at the top
The CIO champions the IT governance process and engages peers on the management team and within the IT department to enable it. The CIO’s actions, planning, and communications should be the link between technology and business strategy. IT staff should understand the controls framework, be able to communicate the governance model, and follow established policies.
When the business views IT governance as an enabler rather than a tollbooth, the organization can optimize the use of technology and minimize the control risks.
Implementing control frameworks may seem daunting. Properly implemented controls provide discipline, accountability, and a smooth audit process. Much like checking your tires and oil before a long road trip, IT controls can be a simple discipline leading to a safer and more efficient journey.
Connect with Trenegy for more non-traditional insights.