SUPPORT CENTER
Q&A 2nd Qtr 2003

DATE: 6/23/03

QUESTION: We applied your concepts to a very complex process and we found many areas that were excessively controlled. We defined "over controlled" as the risk was being managed to well below the upper limit established by our executives. Nothing had ever gone wrong in these areas.

We were excited about the cost saving potential since our company is experiencing tough times. We received a decidedly different response when we reported our recommendations to senior managers. I suspect that they do not want to face the staff reduction and layoff issue, despite the fact that our executives are looking for cost savings.

Our question is whether or not this is common using your control methodologies. Do other people identify the over control areas and then find strong push back in moving recommendations to reduce staff forward? What suggestions do you have to overcome this push back?

ANSWER: Yes, it happens all the time. A simple fact of life is that no one wants to face the difficult issues associated with staff reductions. Resistance at senior manager level often reflects a concern for their job security as well.

I suspect that the cost reduction "heat in the kitchen" is not yet hot enough. When the company is serious about cost reduction, your work will be recognized regardless of resistance at middle manager levels.

Your situation emphasizes the danger associated with proceeding with these projects without strong Governance over your project. With strong Governance oversight on your project, middle management would not be able to block any recommendations to executives. While it may be too late to create it now, make sure that your next project has strong Governance involvement. The cost reducing features of our control methodology will then be delivered straight to the decision makers.


DATE: 6/11/03

QUESTION: I am writing to you hoping that you can help us. We are working through a control self assessment exercise with some managers of a very complex process and are helping them with their internal controls, all part of the Sarbanes work. We are attempting to apply the Arthur Andersen risk assessment model.

We are having major problems with the concept of completeness. There are so many parts to this huge and complex process. It is difficult to know where to start and what to look at as being complete. Further, we do not know whether the completeness controls that we have are adequate or not. Can you offer any suggestions?

ANSWER: I will do my best since, from the comments in your question, it does not appear that you have attended any of our training seminars or are applying our Governance, Management or Performance control concepts.

Before you can apply the concept of completeness, you need to know which part of the process that you are dealing with. Our concepts break complex processes down into what we call "Cradles" (places where we collect information about real world events) and "Graves" (final resting places in the books and records where we put information about real world events). There are two parts to "completeness." Completeness of Input makes sure that you have a collection about every real world event at each cradle in the process. Completeness of Update makes sure that the collection of information actually makes it to the graves that you defined.

To solve your problem, you need to break your process up into cradles and graves and then split the completeness concept into its two components. Unless you do this, you will become very confused and unclear, or your controls will be so general that they will not provide any value towards managing the process.

Concerning adequacy of controls, this depends purely on the limits of risk that your Governance level (vice presidents) are prepared to take on in order to meet their specific business objectives, in your specific company, in your specific marketplace at this specific point in time. Obviously, the amount of risk varies dramatically and no external model can decide that for you. Your team will need to have a dialogue about risks and error rates, etc., with the vice presidents that perform Governance over the process before you can make any assessment about controls.

My explanation will make more sense to you if you can attend one of our Risk Based Integrated Auditing™, Internal Controls Training or Practical Governance and Risk Management™ seminars. If you cannot attend one, the concepts are outlined in detail in our Practical Governance and Risk Management™ textbook available from this web site.


DATE: 6/10/03

QUESTION: Does your Sarbanes Oxley software package comply with COSO?

ANSWER: Yes. Our Risk Control Manager software even has the COSO definitions built in (COCO definitions can also be defined to it). You will be able to order a free demo tour shortly.


DATE: 5/22/03

QUESTION: My name is xxxxxxxxxxxxxx. I am involved in fraud investigation work. I attended one of your RBIA overview seminars where you suggested (quite strongly) that small internal audit groups should focus their work at your "governance" and "management" levels and stay out of your "performance" level. This is what I would refer to as the detailed processes.

The problem that I have is that, in order to investigate a fraud, we have no choice but to spend a lot of effort down in the details.

How do you reconcile this?

ANSWER: First, a clarification. I stated that audit groups should focus their risk appraisal effort at the Governance and Management level to identify issues that need control improvement. Audit groups should then spend as many resources as available at the detailed Performance level to work on teams led by management to assist in resolving the problems. There are huge advantages to this concept for small internal audit groups, the most important of which is that it constantly reinforces the message that management is responsible for internal controls, not audit. Control problems are management's problem, not internal audit's problem. We have a lot to bring to the table. Partnering in a consulting role at the Performance level to help them resolve control issues is great for relationship building and your career.

Concerning your fraud comment, internal auditing is based on two fundamental premises. The first is that companies are run by people who have a degree of ethics and integrity and have a vested interest in doing the right things and doing things right. The second premise is that most things are happening the way that they are supposed to be happening most of the time.

The existence of a fraud invalidates both of these basic premises. You have no choice but to move out of "internal audit mode" and move into "investigation" mode. In any investigation, you have to go down to the detailed Performance level in order to obtain the evidence to support dismissal and legal action.


DATE: 5/20/03

QUESTION: Our accounting firm is telling us that we must use their software solution for Sarbanes-Oxley purposes. Can they legally do that?

ANSWER: No. Ask them to put that in writing. I am sure that the Public Company Accounting Oversight Board would be very interested in a copy of that memo.


DATE: 5/6/03

QUESTION: I am on the internal control committee of XXXXXXX company. We are considering different proposals from outside vendors for Sarbanes-Oxley compliance. I thought that I would ask you what you are seeing as the biggest mistake that companies are making with their approach to SOX 404?

ANSWER: In answering your question, I will assume that your company is serious about establishing a solid internal control structure and is not "going through the motions" and filling out forms to satisfy SOX 404.

The biggest mistake, by far, is hiring outside people to come in and document your company's controls. Culturally, your own managers and staff will switch off to their own control obligations. If your company uses the "owner" concept, someone will be assigned to coordinate the exercise with the outside people. This person will be called the "owner of controls" or the "owner of the control piece." Everyone else will switch off and not think about or focus on the issue of internal controls. The moment that something goes wrong, they will hide behind the "I'm not the owner of controls" twisted logic.

This approach seems the easiest and least hassle to those companies who are really not interested in establishing a solid internal control structure (despite their rhetoric to the contrary) providing that they can write the check! However, it accomplishes absolutely nothing from the perspective of improving the internal control structure of the company.

The second biggest mistake is to document all your internal controls in provided software that you do not have clear ownership of and access control over.

Download our SOX 404 white paper from this site's home page for more information.


DATE: 5/1/03

QUESTION: This is the problem that we are dealing with. Our XXXXXX process has an ever increasing number of failures that are causing disruptions to customers. I have been assigned to a team to analyze root cause and recommend solutions. We have been told by senior executives that, since the process has high risks, our goal is zero errors.

We were then told that the company is downsizing in all areas and budgets have been cut. Key people have taken the XXXXX buy out package and left.

Our solutions to accomplish zero errors all require the injection of skilled people and technology implementation. There is no money in the budget for either. However, our senior management refuse to recognize the situation and are insisting on zero errors.

Do you have any ideas on how we can communicate our situation to senior management more effectively?

ANSWER: There are a lot of people in your position in the current economic situation. It is easy to attain zero errors in any process when you have unlimited resources and money to throw at the problems.

You are attempting to solve a process problem at the Performance level without first addressing the Governance and Management issues. I suggest that you go with your senior management's goal of zero errors and quantify the various risks involved. Many executives like to "pound the table" and demand zero errors right up until they see how much that will cost in terms of cash outlays and opportunity cost. If they are prepared to accept those risks, which means allocating the money, then you are working within some boundary of economic reasonableness. If they will not accept the risk associated with zero errors, engage them in a discussion of just how much risk they are prepared to accept and develop a solution accordingly. It will then be incumbent on Management to establish monitors to track the risks associated with your solution to within the limits determined by Governance.

If your senior management refuses to back off the zero error demand and refuses to provide you with the resources to deliver, you are clearly being set up to fail. They are not serious and are living in a dream world. I suggest that you prepare for the inevitable and start looking for another job so that you can leave on your terms, and not theirs.


DATE: 4/28/03

QUESTION: I remember from your class that auditors should never make a control assessment unless they can link it to a risk, a risk tolerance and a specific business goal. While this makes sense to me, our public accountants are making control recommendations from their own checklists. There is no mention of the business risk, tolerance of risk or business goals in any of their comments. We are being forced to implement their comments. What should we do?

ANSWER: The public accounting firm has no power to force you to do anything. Only your management can force you to implement their recommendations.

I suggest that you look at each recommendation and see if you can identify how it will cost effectively keep a business risk within a limit so that you can accomplish a specific business objective. If you can see this clear linkage, implement the recommendation with a positive attitude, even if it did come from a public accounting firm's checklist.

If you can see no clear linkage, and, therefore, no cost/benefit involved, raise it with your management team and offer an alternative. If you still have to implement it, recognize it as a political cost of doing business.


DATE: 4/22/03

QUESTION: We are in the process of comparing Sarbanes-Oxley software solutions. What is the main difference between your offering and the solutions offered by the accounting organizations?

ANSWER: Most of the solutions that we see are designed around complying solely with Sarbanes-Oxley 404. They involve very expensive accounting firm labor to document your controls. They involve the use of the firm's software which, in the ones that we have seen so far, will not be sold to your company. Other than the issue of exactly who owns all the documentation about your controls, the big risk is that your management and staff, who are responsible for controls, culturally switch off to that responsibility since the accounting firm's staff is doing the documentation.

We believe that assurance about controls, for Sarbanes-Oxley or other purposes, should be a natural by-product of the way you do business in the company, not a special, externally driven exercise.

We believe that it is a mistake to undertake a massive effort just to comply with Sarbanes-Oxley. Our approach is based on the following:

• Your management (not external consultants) should be documenting the controls that they are responsible for,

• The primary purpose of documenting internal controls is to capture the knowledge base of the company as to how Governance works, how Management works and how the detailed Performance level processes work,

• SOX 404 assurance should be a natural by-product of the way you do business, not a major compliance exercise.

Our Business Risk Control Manager software is designed to accomplish the above. It is fully compliant with COSO and has provisions for control testing for management, internal audit, external audit and one other group as needed.

Most importantly, it is owned by you and in your possession. Please click on the Business Risk Control Manager link on this site for further information.

RBIA™ and PGRM™ Osterio, Inc. All rights reserved worldwide.

Updated: February 2, 2007