Editor’s note: Kevin Gribbon is a partner with VisageSolutions; Dave Mountain is director of marketing for QlikTech.More companies than people realize are subject to Sarbanes-Oxley. Not only are public companies subject to the regulations, but “private” companies may also be required to comply.

Public debt, a desire to go public or be acquired by a public company, or a customer requirement all may drive a company towards mounting a compliance effort. The approaching November 15th compliance deadline is creating a new sense of urgency and causing companies to shift their focus from the theoretical to the practical. Companies are in various stages of adapting the law and the Public Company Accounting Oversight Boards (PCAOB) rulings into their own environment.

Among other things, successful compliance requires that companies:

  • Define and document their business processes

  • Establish metrics and monitoring processes to address the
    effectiveness of those business processes, and

  • Periodically review and modify those processes and metrics as the business changes.
  • The foundation of any effective SarbOx effort is a solid understanding of management’s role in establishing, communicating and reinforcing the control environment. This essentially sets the stage for how the system will be operated. For example, having a company code of ethics is not effective if people are not aware of it, if they couldn’t find it even if they wanted to, or if it hasn’t been updated since two mergers ago.

    Understanding of the business is critical to a successful compliance effort. Understanding is gained by documenting business procedures (this includes a procedure for updating the documentation!), establishing metrics for each process, determining how management with monitor those metrics, and periodically revisiting those metrics to ensure that they remain relevant as the business changes.

    This goes beyond just documenting business procedures. Effective companies evaluate the risks associated with their critical business processes and prioritize their documentation efforts accordingly. It is also critical that a process exists to update and maintain the process documentation. “We haven’t updated our procedures since we outsourced our payroll processing two years ago” probably won’t help in court.

    Key performance indicators

    After documenting a critical business process, efforts can then shift to establishing metrics for the process and how, when and where the data for the metrics can be captured and managed. Much of this may sound like Key Performance Indicators (KPIs) or Business Process Management (BPM). In effect it is quite similar…those companies that have already developed their KPIs for operations will be ahead in the game.

    Effective process metrics will typically be derived from the core business transactions and maintain a connection to those transactions themselves to provide the ability to “drill down” when problems do occur. It is easy to envision an auditor requesting to review how often the invoice and the purchase order don’t match and how the situations were resolved. In the EnterpriseOne or PeopleSoft World environments, tools that can access transaction-level data and roll them up into dashboard displays that show KPIs make this process fast and efficient.

    Effective metrics need to be periodically revisited to ensure they are still representative of the business requirements. As the business environment evolves or the management structure changes, the measurements needed to operate the business must evolve as well.
    Speed of feedback is always important to the operation of any process. Measuring the effectiveness of the manufacturing process by the number of customer returns will result in higher costs than ensuring that each step is defined, and then measured as it occurs. The same applies to the critical business processes that drive the financial statements; trapping an error close to when it occurs will definitely be less costly than restating earnings as a result of not finding the error soon enough. This is an area where a successful Sarbox program can push a company toward greater efficiencies.

    Tools to use

    Although the Sarbanes Oxley Act doesn’t require “tools” of any kind, the practical implications are that software tools that are effectively utilized can improve the operation of the control system. For example, if a business intelligence tool is used to measure and report on the operation of the critical financial processes that are driving the financial accounts, it will require several characteristics to be effective:

  • Maintain a connection to the core data for troubleshooting.

  • Be flexible and adaptable enough to rapidly accommodate evolving business requirements.

  • Provide rapid feedback on the operation of the process. This will only become more important in the future.

  • Be easy enough to use and understand so that owners of the critical controls actually use the tool to manage.

  • Be able to look at data from the multitude of systems, databases and PC’s typically used inside a company to present a meaningful view of the real operation of the control environment.
  • In conclusion, effective SarbOx efforts combine a solid management control framework, meaningful and timely metrics to report on the health of the controls, and flexibility in the control framework to adapt to changes. Software tools that are effectively deployed and can be used to automate measuring and reporting on the operation of critical processes will make a major contribution to your SarbOx compliance program.

    For more information, contact Kevin Gribbon, Partner, Visage Solutions (kgribbon@nc.rr.com) or David Mountain, Director of Marketing, QlikTech Inc. (dmn@qliktechinc.com).

    VisageSolutions, developer of the SingleVUE• Methodology, are focused on guiding companies to achieve Sarbanes-Oxley in the most cost effective manner possible. Kevin Gribbon is one of the founding partners of Visage and combines over 20 years of experience in operations, sales and marketing with skills in applying technology to help companies achieve a significant return on their compliance efforts.

    QlikTech is dedicated to delivering on the full potential of business intelligence by providing powerful yet easy-to-use software for interactive data analysis, enabling companies and their management to effectively and proactively monitor, manage and optimize their business. QlikTech’s flagship product, QlikView, breaks down the traditional barriers of business intelligence by employing its groundbreaking, patented Associative Query Logic (AQL) technology to deliver more flexible analysis and reporting solutions faster and more cost-effectively. QlikView’s users include such diverse companies as AstraZeneca, Pfizer, Top Flite, London Fog, Sara Lee, and The Campbell Soup Company. QlikTech is privately held and its North American headquarters are located in Raleigh, NC.