
Through the Looking Glass


Transforming reflective compliance controls into effective management tools

By T. Mark Morley
Chief Operating Officer of Obian Inc.

The Sarbanes-Oxley Act builds on previous legislation and guidelines to require that organizations institute greater internal controls. If the mandated management systems are only used to retrospectively view the health of your business, your organization may be missing the opportunity to transform these systems into an engine for competitive advantage.

Is There Still a Problem?
If you were to ask the CEO of a large publicly held manufacturing company what his inventory balance was at the end of the prior fiscal year, and he were to reply, 'I don't know, as we do not have an automated inventory system,' you would suspect that he would not be ready to attest to his company's management/internal controls in his upcoming Sarbanes-Oxley report. Yet this is indicative of the current state of many public companies.

The General Accounting Office (GAO) stated in its 1999 instructions to the department heads and CFOs of the Federal government, "In short, internal control, which is synonymous with management control, helps government program managers achieve desired results through effective stewardship of public resources."

The GAO report adopts the primary structure of the earlier 1994 report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), when it recognized that internal controls are fundamental management tools. Using internal controls to manage the enterprise to success is, perhaps, more important than their mandated use for ensuring financial compliance.

The SEC, in its rule-making, took its lead from the American Institute of Certified Public Accountants Auditing Standard AU 319. This standard sharply restricted the COSO definition by focusing almost exclusively on internal controls as they relate to financial reporting. The SEC is then in the incongruous position of having a set of rules that is focused on addressing Enron-type situations by requiring a financial reporting system that will tell you after the fact that, for example, the company went bankrupt on a Tuesday in July at exactly 2:24 PM. The New York Stock Exchange, alternatively, has focused on independent Boards of Directors as the best remedial action post-Enron. The GAO and COSO likely possess the kernel of the solution, and the solution leads out of 'the looking glass.' Correct design of management systems involves the review of control gaps to identify process weaknesses, which, if left without remediation, can result in a material loss to the enterprise. What is missing in the SEC and NYSE views is the real purpose of internal controls, which is the proper management of the enterprise.

Sarbanes-Oxley requires that each company's Form 10K contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. But most existing management/internal control structures are hierarchical and vertically orientated. They look down and report up. In effect, they stare down the stovepipes of the enterprise instead of looking at the enterprise both horizontally and vertically.

The legislatively mandated re-examination of internal controls is often catalyzed by highly visible losses to the investing public such as those arising from Enron, WorldCom, Global Crossing and Tyco. This problem is not new; did we forget Equity Funding (1975), Penn Square (1985), and Barings Bank (1996)? All these companies had adequate internal controls according to their auditors. Some of these failures, such as Barings and Tyco, were apparently the result of the lack of normal/vertical controls such as segregation of duties, delegation of authority or two level sign-off. But, many of these scandals were the result of persons acting outside the high-volume every-day flow of business where vertical controls are at their strongest. The Enron facts, for example, appear to show non-traditional financial transactions not effectively controlled by the vertical controls. The Enron special entities were engaged in lateral transactions, which are not easily controlled by vertical controls. These special entities should have been housed within their own set of Horizontal Controls.

The 'Horizontal Controls' present in virtually every company are the set of controls associated with the Revenue Cycle (Cash to Materials to Production to Invoicing and back to Cash). Most companies don't survive without this set of controls, although even these controls are often a mix of unintegrated manual and automated systems.

Many companies can be depicted as follows, where two corporate initiatives, A and B, which could be a merger, a quality program, or other cross-functional efforts, require horizontal interaction between vertical functions in order to succeed.

Figure 1

The cross-functional Revenue Cycle has a structure, while Initiatives A and B are authorized but have no real structure to manage them.

They are missing some or all of the following:

  1. Motivated team members
  2. Executive sponsor
  3. Real project leader
  4. Member expertise
  5. Roles and responsibilities
  6. Mission statement
  7. Time schedule
  8. Cost/budget
  9. Performance/quality requirements
  10. Resource plan
  11. Communications
  12. Issue resolution methodology automated in a system that is robust and easy to use

Initiatives A and B in the environment depicted above have little chance of success and are essentially mismanaged and out of control from the outset.

We Had it Right
COSO defined internal control as an integral component of an organization's management that provides reasonable assurance that the following objectives are being achieved: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

Safeguarding of Assets
It is important to note the priority: irrespective of the SEC or the NYSE view, management/internal controls exist first and foremost to support the success of the enterprise. Correctly implemented, they will also produce the secondary effects of correct financial reporting and regulatory compliance.

Most investors would prefer to invest in Company A, which successfully executed its plan, presented reliable financial reports, and met its legal requirements, rather than Company B, which failed to present reliable financial reports. Most investors don't know that a company is failing until it is too late.

Almost apologetically, an overview presented by one 'Big 4' accounting firm, when describing internal controls, states, "The benefits may extend far beyond compliance with Sarbanes-Oxley." Because internal controls are fundamentally management systems, this should be the expectation. Further, the COSO report states, "In determining whether a particular control should be established, the risk of failure and the potential effect on the entity are considered along with the related costs of establishing a new control," which should be precisely the test for instituting a new management system.

Many companies, in their efforts to comply with Sarbanes-Oxley, have rushed to implement various automated documentation tools that primarily address financial reporting and legal compliance. These tools are helpful, but critically, must not be confused with the control itself, or we will be back 'through the looking glass.'

Automated controls are different from automated documentation tools. Automated controls:

  1. Provide required information on a timely basis to the person responsible for performing the procedure.
  2. Route the work product to the person responsible for initiating the next phase in the process.
  3. Track the progress and results of the procedure to allow for monitoring of control performance at the supervisory level.
  4. Initiate follow-up action in those instances in which control procedures have not been performed at all.

Automated controls should:

  1. Interface with existing systems
  2. Have ease of use
  3. Be flexible
  4. Handle exceptions and special circumstances
  5. Have resource library monitoring

Automated Documentation Tools are focused on financial reporting and legal compliance. Automated Controls provide a real ROI when properly implemented.

If our hypothetical CEO were to now call back and say, "Everything is OK. I have just hired 35 accountants to track the inventory on Excel spreadsheets and each of the 35 accountants will send their results directly to me," our sense of disquietude would likely continue unabated. We know from past experience that the amount of data would be overwhelming. Additionally, he would probably be breaking Morley's Law, which states, "A person can deal with the amount of information that they can deal with, the rest must be done by a computer."

With the world's entry into the Information Age, most management systems in large companies are now automated. However, if the system is missing entirely or poorly designed, it will not work.

Figure 2

The Horizontal Control Systems are best represented by the Revenue Cycle, and sometimes represented by a New Product Development System (NPD) and/or a Strategic IT (IT) system (albeit with only a 28% effectiveness rating).

Initiatives A and B above are shown with their own horizontal control systems that cover the 'white spaces' that are missed by the vertical control systems. The horizontal control systems provide significant risk mitigation. Yes, new IT systems can have higher than a 28% success rate, and the merger success percentage can be expected to progress from 15% to well over 50%.

Is the cost worth it?
Best management practices say that each management system should have a positive ROI. Additionally, when using the synonym for management systems, 'internal controls,' the COSO report also instructs management to make a cost/benefit analysis. What is the best way to calculate the correct ROI on a management system that is cross-functional and generates costs and benefits in many different divisions and departments? The Berkeley Process Maturity Model provides a standard and accepted method to measure the ROI on these types of management systems. The model, which is easy and intuitive to use, will quickly delineate the difference between Sarbanes-Oxley required Horizontal Control Systems and systems that cost more than the benefit that they will produce. One area where management must be involved is at the intersection of vertical and horizontal systems in order to avoid systemic gridlock. A quick review can avoid this situation.

In conclusion, existing management systems are essentially hierarchical. While these systems are needed, for the enterprise to be truly strong and robust, Horizontal Management/Internal Control Systems must also be implemented. Investors should be told whether their companies are well managed, not just well reported.








© 2019 Simplex Knowledge Company. All Rights Reserved.