In his first law of motion, Sir Isaac Newton stated that, "Every object in a state of uniform motion tends to remain in that state of motion unless an external force is applied to it."
While this law was intended to explain actions in the physical universe, it could easily apply to the corporate universe as well - particularly when it comes to Sarbanes-Oxley (aka SOX or Sarbox). This legislation, which recently went into effect for most publicly held organizations, is intended to increase confidence and assurance regarding the operations of large, public companies. Although SOX is broad and implementation-agnostic, many of the strategies that will meet its requirements can be drawn from best practices that also will improve the overall operations of the organization.
Yet, like the proverbial Newtonian object flying through space, many of these same organizations would, given a choice, allow momentum to dictate their direction rather than expend the energy necessary to change course - even if they are on a collision course with a much larger object. As a result, many organizations are doing the minimum required for SOX compliance. They're creating additional layers of bureaucracy and approvals for audit purposes only. The results are entirely predictable: increased costs, more inefficiencies and frustrated employees. These haphazard, reactionary compliance strategies not only cause stress, they may cause the organization to miss a tremendous growth opportunity that could create a real competitive advantage.
Instead of complying reluctantly, smart organizations will take the opportunity to re-evaluate their processes and make changes, including the occasional wide-sweeping and fundamental but painful ones that improve business operations. They'll use SOX as a means to streamline their processes and auditing procedures through workflow automation, with compliance a natural by-product.
Still, that's not quite an apple-hitting-you-on-the-head revelation. Truly enlightened organizations will take it one step further by embedding their auditing procedures directly within those automated processes. With embedded auditing, the mere act of performing an action provides instant accountability and transparency. Auditing, therefore, becomes not an afterthought dependent on the good intentions of the person performing an act, but an integral part of the act itself. Having an automatically generated, real-time audit trail not only makes it easier to assure SOX compliance, but also creates a body of metrics that could lead to additional process improvements, lower costs and, ultimately, a better-run business.
Technology Assures Compliance
To understand how embedding monitoring in the process assures compliance, think about an amusement park that receives a mandate from corporate to report its visitor count on a daily basis. Since the park managers feel the day's ticket count is sufficient, they are resistant to the new auditing requirements. The fastest, easiest thing for them to do to meet the mandate is to station people at each entrance turnstile to count each visitor as he or she enters. This brute force approach is an example of a manual and parallel auditing process. It certainly meets the goal of counting actual visitors, but it has some serious flaws.
There's the expense of the people, of course. There's also a great likelihood of human error, particularly as the task becomes more repetitive. If the count is below expectations and people are worried about their jobs, they may "fudge" the numbers to line up with goals. To add insult to injury, someone (or several people) in the office will have to take those manually generated figures and sum them at the end of the day.
This brute force solution captures the essence of how many organizations are approaching their compliance requirements. They are placing people - and often highly compensated ones at that - with fancy "counters" at the start of their business processes. Sometimes, they may randomly scatter them through the "park" and at the exit as well. This approach meets the minimum set of standards required to keep the executives out of jail and comply with the mandate, but it becomes more of a burden than a help to running the business.
One of the biggest problems with manual monitoring is that it is only as good as the people doing the reporting. In many of the recent scandals that caused SOX legislation to be introduced in the first place, there were records - they just weren't the records of actual events. Instead, at best, they had a loose relationship to real events and, at worst, they covered up improprieties. This prompts the question: Who watches the watchers?
Embedding monitoring in the processes through technology eliminates the opportunity for this revisionist history. Records are generated automatically as a result of performing the action and reflect exactly what occurs. Once the records have been completed, they cannot be manipulated.
Think again about the amusement park. Instead of placing manual counters at the turnstiles, what if the turnstiles themselves did the counting and were connected electronically to a central aggregator? This would eliminate the cost of the people doing the counting and the cost to manually tabulate the results. It also would improve the accuracy of the data, since electronic turnstiles don't get bored and don't leave their posts for a break.
Management now has done a much better job of meeting the corporate mandate - and reduced the cost of compliance considerably over the long term. But it still hasn't truly leveraged the opportunity for change.
A Force for Acceleration
Newton's second law talks about the relationship between force, mass and acceleration. Likewise, the real benefit to be gained from Sarbanes-Oxley compliance is the way it accelerates your ability to use data in new and more interesting ways.
Instead of merely counting people as they come in, what if the electronic turnstiles were hooked into a centralized database? The database would be able to perform real-time trend analysis and monitor anomalies in traffic patterns so the park could better understand its customers.
The turnstiles could alert park management to an imbalance in the number of visitors passing through each gate so management would know whether to alter parking lot availability to cut down on long lines. And the database could be tied to past data so management would know whether there are enough employees in the park to handle the crowd.
In this scenario, technology plays a key role in eliminating a highly manual and painful parallel monitoring process. The monitoring occurs as part of a natural process to the business - that of getting paying customers into the park. And best of all, the requirement to count visitors has become a secondary benefit to the installation of a better business analysis tool.
Furthermore, making monitoring a part of the process solves the problem of employees changing a manual count to assure they meet their objectives. If the turnstiles are hooked directly to the central database, there is no opportunity for the count to be changed before it is entered, either accidentally or through a conscious effort. The data is more reliable and, therefore, far more useful, both for SOX purposes and business analytics.
Closing Time Blues
Closing the books, whether it's for the month, the quarter or the year, is the mother of all processes designed to monitor processes. It's generally a traumatic time, filled with great pressure and angst. A hard stop for activities is agreed to, and then the organization starts working backwards to verify what it believes has happened since the last close.
The problem is that many organizations are stuck on the idea that auditing occurs after the fact. Technology changes that, in effect creating a real-time audit as each activity happens. Because it provides full visibility and tracking, it allows firms to know immediately everything about everything at any given time. Simply run the proper report and the documentation is there.
SOX provides an incentive to drive real change throughout the organization by breaking the inertia of "we've always done it this way." By embracing rather than merely complying with SOX, organizations of all sizes will reap rewards that extend far beyond meeting the conditions required by the law.
Part of that reward is taking the opportunity not merely to change processes but to automate them. Embedding monitoring into the process through technology eliminates the possibility of a breakdown, assuring compliance while making process improvement both practical and sustainable. No one will need to watch the watchers. The technology does it for you.
About The Author
Sean Chou is chief technical officer of Fieldglass, where he oversees all technical aspects of the company's InSite 4.0 software, which helps organizations procure and manage their outsourced services.