Karl Hindle is a former auditor with Arthur Andersen and Pannell Kerr Forster, and covers the issue of Sarbanes-Oxley compliance and the Lean BPM solution for SOX using JobTraQ
SOX Compliance: Your Own Bed or ‘Club Fed’
Sarbanes-Oxley was enacted in 2002 in the wake of Enron, Tyco, WorldCom, and a host of executives being arrested and forced to do the “perp walk”, being led away in handcuffs and usually hitting the evening news. Bluntly, SOX introduced real teeth into the world of corporate responsibility, holding the CEO and CFO fully responsible for compliance with the legislation, and threatening large personal fines and jail time for messing up.
The problem then, and today, is just how can you be sure that the policies and controls you have instituted in the wake of SOX are actually being followed down on the ground?
Let’s look at a scenario involving IT and the back-up of data which if lost, will materially impact the financial statements.
The back-up schedule is a daily incremental back-up after business hours, with a full weekly back-up on Saturday evening.
Monthly back-ups are also conducted, as well as a quarterly full data and application back-up.
In each case, policy and control dictate that the back-up tape is sent off-site each day.
As the CFO or CEO now certifying your financial records (s302: Corporate Responsibility for Financial Reports), and also certifying you have adequate internal controls which are effective (s404 Management Assessment of Internal Controls), ask yourself these two questions:
- How do you know the daily incremental back-up took place on any particular day?
- How do you know that for any particular back-up, the tape was in fact sent off-site to your secure DR location?
Your answer may be that you have a log, maintained by IT, that shows on this date “John Smith” performed a back-up and sent the tape offsite.
The policy has been instituted and the control was executed – you’re in compliance you say, and here are all the sub-certifications that prove it.
However, you now have a SOX audit, and for some reason the IT department is suddenly a very frantic place to work, with lots of people working late nights and weekends, and there is an aura of apprehension and unease.
The auditors report that while you have a policy and control, you cannot irrefutably evidence that a back-up took place when your records claim, nor that a tape was sent offsite as indicated. As the data subject to back-up was financially material, you fail your SOX audit for lack of effective controls.
Now go and fix the problem.
A more brutal outcome is that, very disturbingly, the signatures on the manual log of daily back-ups all seem to be written in the same color ink for every day of the year, in the same handwriting, and in the style that indicates someone has simply been repeating themselves again and again as they fill in the checklist. (As a former auditor, I was trained to look for just such things with manually maintained records, as a validation that the dates and information recorded were in fact credible. Records such as spreadsheets or manual sign-in sheets can be created or modified by anyone at any time, and therefore cannot be relied upon to ensure that a control is properly complied with in fact.)
The auditors decide to do some digging, and to your horror they report that “John Smith” did not in fact back up data on the dates in question, and accordingly there were no tapes to send off-site; the entries had in fact simply been made up in anticipation of the audit.
While you had a policy and internal controls, they were not effective at demonstrating you were in compliance, nor ensuring your people did what they were supposed to when they were supposed to actually do it.
At this point you’re probably kicking yourself for trusting people, especially “John Smith”, but you’re still responsible, because trust is not an internal control!
Now, as CEO or CFO, you have a personal problem which will need an army of lawyers and a ton of luck to fix, and you didn’t actually do anything wrong.
The real point is that there is a fundamental problem with this form of internal or management control, and it is this which generates SOX fear.
In practice, there is no visibility between the control and the work actually being done.
CEOs and CFOs must therefore ‘trust’ that what is reported to them is correct, with audits being the only way to test whether controls are effective. It is not unusual to see a senior executive refuse to sign a certification until juniors have submitted their own sub-certifications; they feel they cannot sign off because the person closer to the work has not signed off.
So, in essence, CFOs and CEOs are not certifying the underlying credibility of the financial statements, nor the presence of effective internal controls. They are instead certifying that someone junior has signed off, no doubt hoping that this will ultimately protect the CEO and CFO from criminal allegations of deliberate misstatement or alteration. Except this does not tackle the root problem, which is being compliant in reality, nor does it comport with the purpose of the law itself.
Another problem is that audits look at history, and if there is a problem, it is typically discovered because someone has been bypassing or ignoring controls and has now been caught out. Either way you’re still on the hook for ineffective controls, and having previously certified that your financial statements are accurate, you must hope there is nothing materially impacting.
The Lean BPM Solution for SOX Fear
JobTraQ’s Lean BPM approach to SOX compliance creates visibility into the work being done, or flags up when it is not getting done or is late. So, taking our back-ups example, the execution of the control to perform a back-up and send the tape offsite can be evidenced and reported on with direct visibility into what happens almost as fast as it takes place.
For instance, recurring, automated tasks can be created for daily, weekly, monthly, and quarterly backups, with responsibility assigned to named staff or a work queue. Notification and escalation alerts to a senior manager can be established, and in cases of serious delay, escalation as far up the management structure as deemed necessary.
The IT employee marking a back-up task as completed within the system is also providing their digital signature that they have done what they say they have (JobTraQ, as a digital compliance platform with a secure sign-in, can use an approval of a task or project as a digital signature based on the secure sign-in with unique login credentials for sub-certification purposes).
When it comes to sending the tape offsite, “John Smith” must take a photo with his cell phone of the receipt from the dispatcher transporting the tape to the DR site – this photograph must be uploaded to the task within JobTraQ before the system will allow it to be marked as completed. You now have contemporaneous proof of dispatch offsite which tracks alongside the task, and which cannot be subsequently manipulated.
JobTraQ will also date and time stamp who did what and when – you now have an audit trail that cannot be altered by anyone (perfect for any auditor or regulator).
What you have done in this Lean BPM scenario is provide the ability to instantly see when backups are scheduled, which are due today, this week, or this month, and which are overdue or failed.
You also can see who is doing the work, “John Smith” or someone else, and are now able to see that they sent tapes offsite when they say they did.
JobTraQ will also record all of this in a form which makes reporting simple and fast, for both senior executives who need a high-level view, and audit teams and managers drilling into the weeds.
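The evidence-gated completion, timestamped audit trail and overdue view described above, as an added Python sketch (not JobTraQ’s code): a dispatch task cannot be closed without its receipt attachment, each entry records the signed-in account and the system clock, entries are hash-chained so any later edit to an earlier record is detectable, and scheduled tasks with no completion entry can be listed. The task ids, user name, schedule and receipt bytes are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # chain anchor for the first entry

class ControlEvidenceLog:
    """Append-only, hash-chained record of backup-control executions (constructed example)."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON so identical content always yields the same hash.
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def complete_task(self, task, user, when, receipt=None):
        """Record a task as done; offsite-dispatch tasks cannot close without a receipt image."""
        if task["requires_receipt"] and not receipt:
            raise ValueError(f"{task['id']}: dispatch receipt must be attached before completion")
        entry = {
            "task_id": task["id"],
            "user": user,                      # the signed-in account, not a handwritten name
            "completed_at": when.isoformat(),  # system clock, not a user-supplied date
            "receipt_sha256": hashlib.sha256(receipt).hexdigest() if receipt else None,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first altered entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or self._digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def overdue(self, schedule, now):
        """Scheduled task ids whose due time has passed with no completion entry."""
        done = {e["task_id"] for e in self.entries}
        return [t["id"] for t in schedule if t["due"] <= now and t["id"] not in done]

# Constructed sample schedule: one daily incremental backup and its offsite dispatch.
DAY1 = datetime(2024, 3, 4, 18, 0, tzinfo=timezone.utc)
SCHEDULE = [
    {"id": "backup-incr-2024-03-04", "due": DAY1, "requires_receipt": False},
    {"id": "tape-offsite-2024-03-04", "due": DAY1 + timedelta(hours=2), "requires_receipt": True},
]
```

In a real deployment the chain head would be anchored somewhere the IT team cannot write to (for example a write-once store or an external timestamping service); the hash chain alone only proves that a change happened after the fact, not who made it.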
Here we’ve just used a back-up scenario, but JobTraQ can manage any and all SOX processes, instituting real internal control which is backed by a full audit trail, state-of-the-art security, and the ability to establish the policy guard rails in between which people, processes, assets, and technology must operate.
And if any of these things do not happen when they need to happen, they can be escalated as high as is necessary, to the CEO or CFO if need be; after all, they are the ones signing their lives away.
For the CEO and CFO who prefer their own beds to those in a Club Fed penitentiary, a demonstration of JobTraQ and its ability to enforce Sarbanes-Oxley compliance policy and controls is an excellent investment of 23 minutes.
Complete the demonstration request below or call 1.866.640.CODE (2633) toll free.