Research Series
A Top-Down Approach to Risk Management and Internal Control
Issue 3: Using a Process Point of View to Reduce Documentation Costs
Published by Financial Executives Research Foundation (FERF Research Series), January 2007
By R. Malcolm Schwartz

Purpose
This four-part report presents a business-centric and cost-effective approach to internal control and risk management using systems thinking and systems. This approach provides business benefits and enables compliance with the Sarbanes-Oxley Act of 2002 and other laws and regulations. This document is the third installment of the series, and it explores process analysis and documentation. This FERF research series is sponsored by BWise B.V.
Executive Summary
It is unrealistic to assume that the costs of risk management and internal control will be reduced simply by repeating the same process year after year. Experience alone will not generate all of the possible benefits. An approach that specifically addresses business benefits while enabling compliance is necessary. The purpose of this four-part series is to suggest how to do that by considering both the technical and the managerial tools. Selecting technical tools -- software -- is not the first step. First, have your managerial design in place. Otherwise, you risk using software that does nothing more than make a marginal approach more efficient, and you lose the opportunity to become more effective. This is what is happening to many companies after their first Sarbanes-Oxley compliance cycles. To improve effectiveness as well as efficiency:
1. Have a business process focus tied to business planning: integrate management and governance with operations and transaction processes to reduce the costs of overlap and maintenance;
2. Use an aggregated risk assessment, to reduce documentation costs;
3. Use a process, and not a financial accounts, point of view to reduce further the costs of documentation as well as testing costs; and
4. Rely on ongoing monitoring to test the performance of controls and to reduce the scope of separate testing.
These are the issues examined in this four-part report. This part examines issue #3. You can reduce costs and become more effective if you start with a focus on the business processes and:
• Prioritize -- to reduce the effort to what is necessary and valuable,
• Organize -- to use accountability as a key to control and performance,
• Integrate -- to avoid overlaps and redundancies, and
• Manage performance -- by using monitoring to control and improve performance.
These four management issues must be addressed first, and then the right projects and systems support can follow. Furthermore, if a template of a generic solution to the management design is the basis of your effort, then your work can focus on tailoring that generic design solution, and not on the larger effort of creating one from scratch. In sum, begin with a management design that addresses risk management and internal control from a business-centric focus. Next, select systems and tools that will support this approach. Then, follow with audit activities as part of your business plans and operations. Financial executives are well aware that most business processes and most software applications treat compliance as a standalone function. This leads to added effort to develop separate programs and then integrate them. The problem is compounded by the extra work to maintain the integration and connectivity as one or more programs change. A different approach to compliance and internal controls reporting solves the problem: assess the relevant activities of the business and then develop a top-down approach to financial controls reporting.
Issue #3: Using a Process Point of View to Reduce Documentation Cost
Once you have completed the top-down risk assessment, which is described in the second of these four papers, you can document the priority activities. As also noted there, you can limit these priority areas to activities, within processes, that have unacceptable levels of risk, and to the control activities that follow and mitigate those risks. The second paper also dealt with the approach to differentiating risk by activity and then aggregating risk. After you have identified key areas of risk and the related controls and are ready to begin documentation, you can save more time and money -- some companies have saved as much as 80% of what comparable companies have spent -- by using an integrated process model from a generic template. A team of employees should develop and apply tailored solutions based on processes, instead of having overlapping and separate functional efforts that then have to be integrated continually. The emphasis on process management will enable you to focus on content, resources and results. It is also consistent with the intent of The COSO Framework (as published by The Committee of Sponsoring Organizations of the Treadway Commission) to integrate and highlight transaction, management and governance processes, so that the interconnected principles are addressed for:
• Control Environment,
• Risk Assessment,
• Control Activities,
• Information and Communication, and
• Monitoring.
This process-centric approach is cost-effective and is based on:
• Using a comprehensive process design and documentation technique;
• Incorporating transaction, management and governance processes;
• Linking process-centric documentation, through risk management, to financial statement accounts;
• Using the process-activity approach for improvement opportunities and needs;
• Capturing process and activity characteristics; and
• Supporting with software for integrated process design and documentation.
Using a Comprehensive Process Design and Documentation Technique
Too often, documentation is based on experience and anecdote, and does not use an underlying technique to support design objectivity, rigor and thoroughness. IDEF, short for Integrated Computer-Aided Manufacturing (ICAM) DEFinition*, is a process documentation and design standard that enables integration by encouraging designers and documenters to consider:
• The activity as it relates to other activities through its inputs and outputs;
• The performer of the activity, so that it provides for linking to position descriptions, segregation of duties, training, appraisals and development plans;
• Inputs -- not just the information, product or service inputs that enable the activity to proceed, but also:
  - Tools and mechanisms (or, resources and enablers). These inputs are the means of getting the activity done, and done well, by resources that are competent, controlled and motivated. Resources can include people and their characteristics, and systems and their features. By including resources as inputs, you can consider and integrate the features of control with the basic inputs for the work.
  - Constraints and controls (or, the rules for getting the activity done). Here, policies, procedures, governance guidelines, laws and regulations, customer requirements and levels of authority are considered as inputs. Not only are controls considered in the design of activities and processes, but so is the integration of policies and procedures.
• Outputs (or, what is received as products, services and/or information). The output of one activity becomes the input for one or more other activities.
For example, as shown in Exhibit 1, for the overall "Maintain accounts receivable reserves" process**, IDEF reinforces that your documentation should show inputs for constraints and controls, including credit policy, customer history and economic trends. The documentation also should show who prepared and reviewed the reserve calculation and posting. This approach integrates the COSO Framework control components with associated work activities, instead of separating them onto checklists and spreadsheets and isolating them further by calling them "entity-level controls." The inputs called tools and mechanisms help to integrate all five COSO Framework components. Furthermore, some of the outputs relate to transactions as such, and some relate to other parts and components of The COSO Framework. As a consequence, management and transaction processes are integrated, and the design, execution and monitoring aspects of the activity are addressed in one set of documentation, saving time and cost.

Exhibit 1. Illustrative IDEF Diagram for "Maintain accounts receivable reserves"
Constraints & Controls (entering the activity box from above):
• Governance guidelines -- credit policy and procedure
• Roles -- position descriptions
• Policies and procedures -- credit line review process, product/market authority
Inputs (entering from the left):
• Requests -- reserve update
• Reports -- customer history, general ledger, receivables information
Process/Activities (the box): Design/Control; Review/Control & monitor; Transact
Outputs (leaving to the right):
• Approvals -- reserve calculation, reserve positions
• Awareness -- exposures, customer/channel risks
• Completed actions -- information
Tools & Mechanisms (entering from below):
• Resources -- trained credit analysts and accountants
• Enablers -- applications software, economists' newsletters, journal entry format

* IDEF grew out of the US Air Force's Integrated Computer-Aided Manufacturing (ICAM) program. The family includes IDEF0, for modeling functions or activities in terms of their inputs, controls, outputs and mechanisms (the form used here), and IDEF1/IDEF1X, for data modeling, which represents data structures no matter how they are to be stored. Process designers would call this "ideal design," as distinct from "practical design." IDEF was quickly adopted by data and process modelers and analysts in private industry as a way to represent data structures during requirements-gathering sessions, and for process documentation and modeling. Because IDEF was produced with government funds, the technique is in the public domain.
** One process example -- "Maintain accounts receivable reserves" -- is used throughout this four-part series, so that many specifics about the selected process can be shown and discussed. "Maintain accounts receivable reserves" was selected because it involves: (1) both operations and financial reporting objectives, so it helps to explain the value of integrating business and compliance planning and management; (2) judgments and estimates, so it relates to the area of major risk regarding accurate financial statements; (3) transaction, management and governance processes, so it illustrates how these different types of processes can be integrated; and (4) a number of different forms of documentation, so it illustrates how they can be integrated.
Although Exhibit 1 shows the overall process for illustration, IDEF should be applied to individual activities, not at the overall process level. In this illustration, and as discussed more fully in Part II, the process "Maintain accounts receivable reserves" comprises the following activities, with the following results, or outputs:
• Review economic trends -- credit policy, recommended;
• Maintain and communicate credit policies -- credit policy, approved;
• Calculate accounts receivable reserves -- accounts receivable reserve, recommended;
• Approve accounts receivable reserve -- accounts receivable reserve, approved;
• Post accounts receivable reserve to the general ledger -- accounts receivable reserve, entered as a journal entry to the general ledger;
• Approve the posting of the accounts receivable reserve to the general ledger -- accounts receivable reserve, posted to the general ledger, approved; and
• Certify the accounts receivable reserve calculation process -- accounts receivable reserve, certification report.
In this example, the update of the accounts receivable reserve value in the general ledger is the output of the overall process. Note that, as shown in the above list, outputs of other processes connect to this process as constraints and controls and as tools and mechanisms, and that activities in this process might also be components of other processes; for example:
• "Review economic trends" can be part of planning and evaluating processes; and
• "Maintain and communicate credit policy" might be derived from the business planning process, and in turn might drive sales planning and other processes.
With this activity focus, you can apply risk assessment and management to each activity. To control results, you must emphasize the work activities themselves: by controlling activities, you can continually address results in terms of risks and controls. In using the IDEF technique, as shown in Exhibit 2 below, you are considering how the process is designed and monitored as well as how it is performed or executed. You should consider all three aspects of each process -- design and control, execution, and monitoring -- from the standpoint of risk and control. As an example related to the accounts receivable reserve, one company's strategy of aggressive growth led to a change in structure -- adding a new sales team -- which in turn raised control concerns: who could authorize product purchases; who was accountable for new customers, their information and files, and their orders; and what balanced rewards would not create a desire to inflate sales in the new organization with its new growth strategy.

Exhibit 2. Integrating Strategy, Structure and Process
Strategy -- aggressive growth
Structure -- new sales group
Processes -- generic and industry-specific; for example, "Maintain accounts receivable reserves"
Controlling loop (directing and conforming), flowing from strategy through structure to process:
• Guidelines -- who can buy
• Budgets
• Accountability -- file ownership
• Rewards
• Specifications -- for files and contents
• Guidelines -- frequency of update, economic considerations
• Procedure -- form of update
Monitoring loop (measuring and assessing, using KPIs/KCIs), flowing back from process through structure to strategy:
• Results -- share
• Demands
• Ideas
• Results; appraisals
• Results -- file accuracy, on-time updates, fields completed
• Audits -- agreement with policy
Incorporating Transaction, Management and Governance Processes
Sarbanes-Oxley, as implemented by the Securities and Exchange Commission (SEC), requires that a complying company evaluate its internal control against a suitable, recognized framework. The SEC cited The COSO Framework. The Public Company Accounting Oversight Board (PCAOB), in Auditing Standard No. 2, used The COSO Framework extensively. As a consequence, most complying companies claim that they are using The COSO Framework. However, many of these companies are using it only marginally, which has led to its being misused and misunderstood, and has caused complaints about it. The focus for compliance often has erroneously been on:
• Transaction processes and their control activities, and
• Separate checklists, or spreadsheets, for so-called entity-level controls.
Using disconnected tools and techniques can lead to shortcomings in applying The COSO Framework. These shortcomings can be overcome if you use an integrative technique such as IDEF. The concepts behind IDEF reinforce that many constraints and controls are the outputs of management and governance processes -- such as the policies and procedures (the rules) for transaction processes. When you disconnect these rules from the processes that they control, you risk ineffective control and higher costs. In the example, for instance, the accounts receivable reserve process combines transaction, management and governance processes:
• Developing credit policy is a component of a management process;
• Posting the reserve to the general ledger is part of an operations process; and
• Certifying the process, as a monitoring activity, is part of a governance process.
Integrating these through one tool and a common design, and from a generic template that you have tailored to your business, leads to both good control and cost-effective documentation. The example also involves human resources policy and procedure, a sub-component of "Control Environment" in The COSO Framework, which should be integrated with the "Maintain accounts receivable reserves" process. Yet many companies do not integrate position descriptions with process, activity and control documentation. Without integration, the performer of a role, or the appraiser of that performer, might not treat accountability for control as part of the role. Also, there is a risk that, over time, the update of one set of documentation will no longer be synchronized with the other set. So integrated documentation in this example not only reduces cost, but also reduces risk. Furthermore, The COSO Framework treats the competency and motivation of staff as sub-components of "Control Environment"; position descriptions, development plans, and the performance review policy and process are key to understanding staff competency. In the "Maintain accounts receivable reserves" process, and specifically in its "Certify accounts receivable" sub-process, these activities and their outputs are inputs to overall certification, as shown in Exhibit 3. Other inputs include the certifications of the sub-processes, the current policies and procedures, and the current accounts receivable reserves, some of which come from transaction processes and some from management processes.
Exhibit 3. Inputs and Outputs for "Certify Accounts Receivable" Process
Sources of inputs (activity):
• Process accounts receivable -- Maintain customer lines of credit
• Process accounts receivable -- Maintain accounts receivable reserves
• Process accounts receivable -- Maintain accounts receivable sales activity
• Process accounts receivable -- Collect past-due accounts
• Process accounts receivable -- Maintain accounts receivable payments and credits
• Maintain accounting policy, schedules and procedures -- Communicate changes in accounting policy and procedure
• Manage HR -- Train and develop staff -- Appraise staff -- Approve staff appraisal
• Manage HR -- Build organizational capability -- Approve development plan
Inputs:
• Customer line of credit, current
• Accounts receivable ledger, current
• Policy and procedure, accounts receivable, current
• Controller, Collections clerk, Accounts receivable clerk and Credit analyst -- current appraisal, approved
• Controller, Accounts receivable clerk and Credit analyst -- current development plan, approved
Outputs:
• Customer line of credit, approved
• Credit process certification report
• Accounts receivable reserves certification report
• Customer sales certification report
• Accounts receivable payments & credits certification report
• Collections process certification report
• Accounts receivable process certification report
• Accounts Receivable Control Log (ACRL), updated
Destinations of outputs (activity):
• Process accounts receivable -- Maintain customer lines of credit
• Process accounts receivable -- Maintain accounts receivable payments and credits
• Certify accounts receivable process -- Review accounts receivable certification reports
• Maintain internal control framework -- Monitor -- Conduct ongoing monitoring -- Conduct ongoing monitoring internally
A certification such as this -- a "horizontal," or process, certification, contributing to a vertical, or business unit, certification -- is built in to the basic process. It thus becomes part of the monitoring, or testing, of that process, and is the basis for integrating process-centric documentation through risk assessment to financial statement accounts.

Linking Process-Centric Documentation to Financial Statement Accounts
When it comes to Sarbanes-Oxley compliance, the PCAOB suggests starting with a top-down risk assessment. This works well if you understand the underlying bottom-up structure of processes and activities. If not, then top-down, broadly stated risks will lead to broadly documented controls. Documenting only those activities that truly cause risk in financial statement accounts will save time and money, compared to documenting the overall process. From the standpoint of the accounts receivable reserve illustration, its output can be stated as "accurate and compliant posting of the accounts receivable reserve values to the general ledger," when the key control indicators of risk -- accuracy, completeness, compliance, and timeliness -- are considered. As noted in Part II of this report, this also incorporates fraud and/or mismanagement problems, because they would lead to an inaccurate result. This integration of fraud control reduces both costs and risks, because it further integrates documentation. Also as noted previously, risks related to financial reporting objectives involve uncertainty, or variability, in the activity output, and the impact of this variability on financial statement accounts. When this variability causes you a level of concern that could lead to a material weakness, in Sarbanes-Oxley terminology, you must address this inherent risk. The two such activities in the generic template for the "Maintain accounts receivable reserves" process are:
• "Calculate accounts receivable reserves," and
• "Post accounts receivable reserves to the general ledger."
Each of these could cause inaccuracy in the financial statements. Therefore, to avoid concern about the overall process, follow each of these two activities with a control activity -- "Approve accounts receivable reserves," and "Approve accounts receivable reserves posted to the general ledger," respectively. Now you have four activities to document, to enable assessing that each is designed -- and is expected to be properly performed -- to reduce the inherent risk to an acceptable level of residual risk. Removing these two control activities, or performing them poorly, would leave the overall process at an unacceptable level of inherent risk. Performing these control activities well results in an acceptable level of residual risk for the process. Note that in this approach, you begin with activity risk, and then link it to the affected financial statement accounts. By working in this sequence, you document only the activities and their controls that cause risk to the financial statement account. If you start with the financial statement account, you run the risk of documenting all processes, and their activities, that link to the account. Yet some of those processes and their activities have very little risk. In regard to the documentation in the example being used:
• "Review economic trends" and "Maintain and communicate credit policy" are important to operations, but have little impact on financial statements;
• "Calculate accounts receivable reserves" and "Post the accounts receivable reserves to the general ledger" are the activities that cause uncertainty. Documenting them enables better performance, through training, supervision, assessment, and monitoring, and identifies the relevant key control indicators as accuracy, compliance, and to some extent timeliness. At the same time, if you effectively design, perform and monitor the following control activities, then the documentation of these two activities can be much less;
• Approving each of these activities is where the bulk of your documentation should be, explaining what is to be monitored, by whom, and how. This ongoing monitoring becomes the basis of the certification step, and in turn of the separate evaluation -- the testing -- program, to the extent that it is needed. These issues are discussed more fully in the fourth part of this series; and
• The certification step functions somewhat as a control step, and it also is the basis for Sarbanes-Oxley Section 302 compliance for this particular process.
By documenting the control activities in a process, you can focus the documentation effort on what is important from the standpoint of control. Doing a top-down risk assessment thus enables you to design and understand the process in terms of its risky activities and their outputs, and the uncertainties about those outputs. By doing this, you can drastically reduce the amount of documentation for SOX compliance, because you only have to document the activities related to risk and control. As the example in the prior paper showed, in the overall accounts receivable process, 25 activities -- 18 of them outside the process for calculating the reserve -- affected the accounts receivable reserve, but only seven had medium to high risk profiles, and each of the seven had an associated control activity to reduce the inherent risk of that activity, and of the overall process, to an acceptable level of residual risk. Accordingly, the CFO in the example focused the documentation on the design and performance of the control activities for those seven activities, and reduced his documentation effort by about 70%. Beginning with an activity focus is consistent with the PCAOB target of a top-down, risk-based assessment of the financial statement accounts at risk. It sharpens your focus by documenting those activities that really can influence the accuracy of financial statements. And it leads to other areas for improvement.

Using the Process-Activity Approach for Improvement Opportunities and Needs
Beyond documenting only the activities that can cause risk or that can control that risk, you can use a well-developed bottom-up business process model to improve your ability to analyze work flows and methods -- and related resources -- for operational improvements and for controls remediation. This clearly supports your business objectives of process and productivity improvement, because the business model connects activities and their controls to their sources. For example, an accounts payable department had been spending an inordinate amount of time obtaining and correcting source documents -- such as approved purchase orders, receiving reports, and vendor invoices. This led to acceptable controls over accounts payable processing, but it distracted from primary efforts and therefore actually increased business risk. Even though correcting source difficulties in this case was not remediation of control deficiencies as such, it was an improvement opportunity that reduced costs by 70%, and one that would have been difficult to address without a process-based, bottom-up business process model in place.
Another value of using a business process model is its help in dealing with end-to-end process controls. Many companies have difficulty managing compliance efforts because they organize them functionally, and then complain about the inordinate costs and uncertainties "at the hand-offs." A business-focused process design is independent of the functional boundaries in an organization. It encourages you to think of an owner of the end-to-end process, and hence a person accountable for simplifying the functional hand-offs that occur within that process, as well as for certifying that process. Using a process-based technique for documentation also helps to overcome organizing compliance activities as a separate project. As a separate project, with its own distinctive goals, compliance often is not integrated with other activities of the business. The project might be organized using a cross-functional team, but the project charter usually is focused on enabling compliance, and not on integrating compliance with all other business activities. As a consequence:
• A set of compliance documentation is developed, and
• Related sets of documentation are sometimes referenced but seldom integrated.
This leads to redundant documentation and duplicated effort, and to increased costs to maintain synchronized documentation. There is yet another way that good, integrated process design and documentation can reduce cost and risk: using process documentation not only for business operations processes but also for business projects. This is particularly important for managing change, such as systems projects, acquisition integration or organizational redesign. Good documentation and design of projects will enable control:
• At the onset of the change project,
• During the project itself, and
• As a condition of completion of the change project.

As a result, the restrictions that some auditors have placed on their clients regarding the timing of change projects could be eliminated. For example, the CIO of a major communications company was told by the external auditor that he could make no systems changes during the quarter in which the auditor was testing controls and reviewing the management certification. When the CIO showed how he controlled systems projects, from their inception to their cut-over, the auditor relented and allowed the CIO to make continual changes to his operations, applications and infrastructure. To support the management of change, the activities at risk and the activities controlling them should be well understood, by capturing process and activity characteristics.

Capturing Process and Activity Characteristics
In general, and in addition to the activities, roles, inputs and outputs identified through a technique such as IDEF, good design identifies the characteristics of each activity whose results are at risk or whose purpose is to provide control.
A CFO used the generic template to capture these characteristics as shown in Exhibit 4.

Exhibit 4. Characteristics for "Maintain Accounts Receivable Reserves" Activities
Columns -- activities in the "Maintain accounts receivable reserves" process: Review economic trends; Maintain ... credit policies; Calculate ... reserves; Approve ... reserves; Post ... to the general ledger; Approve posting ... to the g/l; Certify the ... process.
Rows -- activity attributes, with the coding used (per-activity values not reproduced here):
• Activity Type -- O(perations), C(ontrol), M(onitoring)
• Assertion -- Existence/Occurrence
• Assertion -- Completeness
• Assertion -- Presentation & Disclosure
• Assertion -- Rights & Obligations
• Assertion -- Valuation or Allocation
• Automation Profile -- F(ull), S(emi), M(anual)
• BPM Profile -- Client/Control, Send/Receive, Other
• BU Profile -- number of FTEs
• Change Profile -- C(ost)/M(agnitude)/B(enefit)
• Control Hierarchy -- E(ntity), C(ompany), T(ransaction)
• Control Level -- K(ey), O(ther)
• Control Test Status -- S(cheduled), I(n progress), C(omplete); E(ffective)/I(neffective)
• Control Type -- P(reventive), D(etective)
• Control -- Accuracy
• Control -- Completeness
• Control -- Compliance
• Control -- Timeliness
• COSO Mapping -- C(ontrol) E(nvironment), R(isk) A(ssessment), C(ontrol) A(ctivities), I(nformation &) C(ommunication), M(onitoring)
• Cost
• Design Testing & Monitoring Issues
• Frequency Profile -- O(ccurrence), P(eriod)
• Improvement Opportunity -- B(usiness)/T(echnology)/M(anagerial) change
• Performance Testing & Monitoring Issues
• Planned Action -- E(liminate), K(eep), M(odify)
• Primary Path
• Process Type -- O(perations), M(anagement), G(overnance)
• Reason Profile -- V(alue) A(dded), L(egal/regulatory), R(isk mitigation), Q(uality)
• Remediation Needed -- P(olicy & procedure), S(egregation of duties), C(ompliance), O(ther)
• Risk Attribute -- I(nherent), R(esidual)
• Risk Measure -- H/M/L, for magnitude/duration
• Timing Profile -- for touch time and elapsed time
This of course can be tailored to your company. In addition to the activity characteristics, the activity resources also can be tailored for the generic template, as they were in the example in Exhibit 5, for the illustrated process.

Exhibit 5. Resources for "Maintain Accounts Receivable Reserves"
Columns -- activities in the "Maintain accounts receivable reserves" process: Review economic trends; Maintain and communicate credit policies; Calculate accounts receivable reserves; Approve accounts receivable reserves; Post reserves ... to the general ledger; Approve posting ... to the general ledger; Certify the ... reserves calculation process.
Rows -- activity resources, with an X marking each activity that uses the resource (per-activity marks not reproduced here):
• Role -- Accounts Receivable Clerk; Audit Committee; Controller; CFO
• Enterprise Application Software -- Accounts Receivable System; General Ledger System
• Chart of Accounts -- Asset: Accounts Receivable; Asset: Accounts Receivable Reserves; Other Income/Expense; Revenue
A tabulation of this sort can identify segregation of duties, links to financial statement accounts and the systems used as supporting tools.

Supporting with Software for Integrated Process Design and Documentation

If this management design is applied, using IDEF or a similar technique, then the software technical design features that enable these capabilities include:
• Documenting -- and, optimally, being able to rely on the software to assure effective documentation of -- the processes and their activities, and related features including the:
  - Identity of the person performing the activity
  - Inputs, including tools and mechanisms (including enabling systems), and constraints and controls
  - Outputs
• Cross-connecting and categorizing processes and activities, by:
  - Aspect -- design and control, execute or monitor
  - Type -- transaction, management or governance
  - Purpose -- operations or project
• Assembling the activities by role, so that task listings associated with position descriptions can be generated
• Linking processes to accounts
• Recording the process and activity attributes, for purposes of control, documentation, risk assessment, cost and timing analysis and process improvement
These features are summarized in Exhibit 6, below, and related to features discussed in the previous two papers of this series.

Exhibit 6. Software Features for Integrated Business Planning and Management, Risk Management, and Process Design and Documentation
Software Features (rows), each marked against the three approaches discussed in this series (columns): Focus on Business Planning; Beginning With Risk Assessment; Using a Process Point of View.

- Recording processes, activities and controls -- end to end, hierarchical, connected -- for role and associated position descriptions, and for inputs, tools and mechanisms, outputs, and constraints and controls
- Identifying outcomes as sets
- Aggregating and cross-connecting processes and process aspects, and their outcomes and attributes, for purposes of control, documentation, cost and timing analysis, and process improvement
- Aggregating "what-if" scenarios
- Tailoring the included model of activities and risks
- Ranking risk
- Aggregating risk
- Relating process risks, and the processes themselves, to financial statements
- Identifying risk dimensions
- Associating inherent and residual risk by activities
- Identifying accountability for control by role
- Providing a means to document control procedures
- Maintaining and connecting source information -- policies, procedures, position descriptions, appraisals, development plans, training material, forms and formats, improvement opportunities, and "what-if" depictions

(The "X" marks assigning each feature to one or more of the three columns are not recoverable from the extraction.)
Some software packages available today support all of these features, and some support only some of them. If the software that you select does not support all of these features, it should at least enable easy upload and download to other applications that do. The model for this risk assessment also should be available with the software, so that your effort is limited to tailoring the model and not creating it.
About the Author

Malcolm Schwartz is one of the principal contributors to The COSO Report ("Internal Control - Integrated Framework"), and has been on the recent COSO task force providing simplified guidelines for Sarbanes-Oxley compliance. He currently is COO of CRS Associates LLC. He recently retired from PwC, where he was a senior management consulting partner. Prior to that, he had been a senior vice-president and CFO of Booz, Allen & Hamilton; and had held general, financial and operations management and staff positions at Insilco, Westinghouse Broadcasting, and Procter & Gamble. Malcolm can be reached at [email protected] or 908-273-6967.
About the Sponsor, BWise B.V.
BWise is an enterprise risk management (ERM), corporate compliance, and internal control software provider. BWise delivers solutions to help organizations become "in control" by increasing corporate accountability; strengthening financial, strategic and operational efficiencies; and maximizing performance and ROI. More than 1,000 companies with more than 125,000 users rely on BWise solutions, including VNU, TNT, Connexxion and Crucell. For more information, please go to: www.bwise.com
About FERF

Financial Executives Research Foundation (FERF) is the non-profit 501(c)(3) research affiliate of Financial Executives International (FEI). FERF researchers identify key financial issues and develop impartial, timely research reports for FEI members and nonmembers alike, in a variety of publication formats. FERF relies primarily on voluntary tax-deductible contributions from corporations and individuals. For more information, visit http://www.fei.org or http://www.ferf.org.

The views set forth in this publication do not necessarily reflect those of the Financial Executives Research Foundation Board as a whole, individual trustees, employees or the members of the Research Advisory Council. Financial Executives Research Foundation shall be held harmless against any claims, demands, injuries, costs or expenses of any kind or nature whatsoever except such liabilities as may result from misconduct or improper performance by the Foundation or any of its representatives. This and more than 80 other Research Foundation publications can be ordered by logging onto http://www.ferf.org.
Financial Executives Research Foundation, Inc., would like to thank and acknowledge BWise B.V. for their generosity and support in underwriting this report.
Copyright © 2007 by Financial Executives Research Foundation, Inc. All rights reserved. No part of this publication may be reproduced in any form or by any means without written permission from the publisher and the author. International Standard Book Number 1-933130-43-1 Printed in the United States of America First Printing. Authorization to photocopy items for internal or personal use, or the internal or personal use of specific clients, is granted by Financial Executives Research Foundation, Inc., provided that an appropriate fee is paid to Copyright Clearance Center, 222 Rosewood Drive, Danvers MA 01923. Fee inquiries can be directed to Copyright Clearance Center at 978-750-8400. For further information please check Copyright Clearance Center online at: http://www.copyright.com.