
Avoiding The Sarbanes-Oxley Hot Seat


By Lois Melbourne
Chief Executive Officer
Aquire

A common saying among carpenters is "measure twice, cut once." In other words, a little extra care at the outset means a lot less waste and trouble over the life of a project. The same can be said for compliance.

If, for example, your organization takes a moment now to find and use a good organizational charting solution, it will ultimately devote fewer resources to compliance and pay less for auditors. You'll also have a much better chance of avoiding the penalties, economic losses and embarrassment that can go along with landing in the compliance hot seat.

So what do organizational charting and its supercharged sibling, unified workforce intelligence, have to do with compliance? At Aquire, we talk a lot with our customers. Over the last few years what we've heard is that when organizational charting is automated and imbued with real intelligence, it becomes extremely powerful. It becomes a road map in a company's quest for good governance and in the never-ending quest to stay in tune with the demands of compliance.

Not surprisingly, unified workforce intelligence and compliance share a central goal: visibility. When you can see your workforce - when you can visually understand all the relationships therein - you can then understand it. And only then can you know what needs to be changed.

What exactly are your people doing? What controls are in place? Are your controls really reflected in your everyday corporate life? These are some of the questions auditors ask. Why not set up an automated way to answer them, easily and quickly - an automated way that tells you where you might be lacking with regard to compliance?

Following are the major points we have identified that ensure good SOX compliance.

Make sure your payroll data matches your org chart
Manually produced organizational charts are an invitation for trouble. For example, your payroll data will never match your org chart if it's done by an administrative person. The world, and your organization, change too rapidly, and people are too prone to errors. Automate, and make sure the data matches.

Be sure you can show how separate entities running different payrolls or HRIS systems merge together under the executive management or the board
Most corporations are distributed across several locations. When organizational charting systems don't integrate information to show that all paths lead to the executive or board levels, you're in danger of SOX non-compliance. You need a way to unify that information, to show the big picture.

Stay on top of your chain of command data methodology
If you are still using Person to Person reporting, you're at risk and it's time to consider a change. You need the ability to establish a visual record of chain of command data - a real organizational charting solution able to visually display your organization after gathering information from all necessary sources. The bottom line is that positions reporting to positions is viewed as more compliant. It doesn't matter who fills the position. The authority lies in the position, not the person. Plus it's simply easier to maintain accurate records when you concentrate on positions.

Don't pay anybody after they leave the company
It happens - mainly when chain of command and reporting controls are not clear, and therefore are not enforced. If you want to raise alarms with an auditor, this will do it. If they see this they will probably look even harder at your organization. To eliminate any potential for this, implement the safeguards built into many automated human resource management applications - or else, warns Stephen Chipman, Regional Managing Partner for the Central Region of Grant Thornton LLP. "When this happens, it clearly demonstrates a breakdown of internal controls," Chipman said. "The indication is that the company is not adequately safeguarding its assets. It is a control weakness that would get the attention of auditors. It's true that trying to match your controls over the exit of an employee in different departments in large organizations is challenging. After all, there are often time lags and potential for communication breakdowns. But it has to be done."

Make sure you can display adherence to effective segregation of duties
Remember, under SOX, the requirement for a transparent demonstration of who is doing what is not limited to your financial department. Companywide, anyone accessing files should be tracked. And make sure you have a mechanism to report failed access attempts so you can see if somebody who's unauthorized is trying to tap into sensitive data. "This is probably the single most difficult area that organizations have in maintaining an adequate internal control environment," says Chipman. "This is one of those problems you see often: trying to identify where the segregation of duties issues exist and having the appropriate understanding of people's roles and responsibilities. In medium and small public companies, this is the biggest area where problems might occur under Sarbanes-Oxley." Conclusion: Your quest to address effective segregation of duties starts with an appropriate organizational charting solution.

Be able to visually demonstrate who is responsible for managing contractors
Contractors have always been a challenge for organizations, and SOX ups the ante - it's now the law. Keep in mind that knowing who is in charge of contractors isn't enough. You must have effective internal controls in place showing managerial responsibilities. Under SOX, the information also needs to be readily apparent to outside parties, such as shareholders and auditors. This is only fair, since you want to be able to know about the contractors used by your partners. After all, they very well could have a real effect on your bottom line. "SOX not only requires that controls have to be in place but that those controls be documented," added Chipman. "So having controls over contractors is critical. Once again, a robust org charting solution is a good place to document these controls."

Keep all data on your outsourced personnel that could impact segregation of duties or other SOX requirements
Trouble is, this data is likely in several different systems throughout your organization, and those systems often don't talk to each other. When data is siloed, that's a compliance problem. The solution is real workforce intelligence that can unify your workforce data despite disparate systems.

Be able to visually demonstrate effective controls over who has security access to which systems
The ability to determine who has access to various levels of secure information is critical to internal control. And don't forget: Not only do you need to have the controls now, but you also need to be able to show you had them before. The ability to document what you've been doing at any point in time is crucial.

Be able to visually demonstrate that all managerial controls regarding authority and security rights are appropriate
Make sure the manager-subordinate chain is unbroken and logical. An org chart, for example, should show that subordinates are performing only subordinate functions and that they only have subordinate security access. Again, your organization is responsible for identifying control weaknesses. And again, this is a job for a robust organizational charting solution. Such a solution quickly and easily identifies conflict in authority and security rights between peers and their subordinates. And the right solution will make sure those controls are appropriately documented.

Automate systems to save money and trouble
If a company's processes are manual, audits will require the highest-priced (most experienced) auditors because they will be required to make numerous judgment calls on the viability of the data. The better systems today can automate many of the processes that were handled manually in the past - and the likelihood of SOX compliance increases as more data is automatically processed.

Bottom line
SOX requirements continue to evolve. Trying to keep up manually is asking for trouble. It's also much too expensive and time consuming. That's why so many companies are relying on leading organizational charting solutions, and particularly unified workforce intelligence, to keep them out of trouble. But such solutions go beyond merely keeping organizations out of the SOX hot seat - they improve corporate governance and add real value, in terms of revenue, public trust and employee efficiency.



Lois Melbourne is CEO and co-founder of Aquire, known formerly as TimeVision, Inc.

Aquire is the maker of dynamic organizational charting software used by over 1,900 customers in 123 countries. The company's flagship product, OrgPublisher, has remained the industry's #1 organizational charting solution for more than 10 years. The company continues to expand its OrgBuilder solution services to include workforce planning, risk mitigation and compliance, financial planning, budgeting and more.

Melbourne can be contacted at: loismelbourne@aquire.com.






© 2019 Simplex Knowledge Company. All Rights Reserved.