
Recent Articles

Are Boards Beyond Broken?

Posted on March 11th, 2010 by Katina

In an almost embarrassingly 2010 social media turn of events, we came across @johngillespie on Twitter (via @susanorlean of all people) – and therefore a sort of treasure trove of content on Just What’s Wrong With Boards Today.

Because we love you, we thought we’d share. Gillespie has a good bit (a book’s worth, really) about the reasons why he believes many corporate boards are failing their shareholders. Gillespie has several examples of some rather egregious behavior, and really, there are some doozies. (We can probably all agree that folks with a fiduciary duty to maximize profits for shareholders should perhaps avoid using corporate jets for the private family vacays, yes?)

What Gillespie is recommending is a change in culture on America’s boards, which he says lack “perceptual diversity,” so that groupthink becomes a fact of life and members are afraid to ask one another tough questions.

The NYT has video of Gillespie talking through the issue with columnist William Cohan, and it’s worth checking out. Right around the 2-minute mark is an especially interesting tidbit – mention of a Yale University study by Jeff Sonnenfeld that suggests that the answer to making boards operate more effectively isn’t further regulation or a change in our existing rules – it’s enabling a cultural shift on boards such that members are able to ask each other tough questions.

It’s food for thought for sure. The problem as Gillespie sees it is a big one, and it would take a good bit of effort to get over years’ worth of habits and ingrained behavior and perceptions, if things are as broken as he suggests. One thing does strike us, though. If a key problem with the operation of boards is that it’s hard for folks to ask tough questions, wouldn’t a neutral way of flagging issues (for everyone from board members on down to line managers) seem like a good first step?

I’m asking seriously. Let us know what you think in the comments.


Risk Ownership

Posted on March 9th, 2010 by Katina

Happy Tuesday, everybody. We’re going to kick off this week with some great reading from CFO Magazine – a big piece on just who is (and who should be) responsible for identifying and assessing and mitigating risk in organizations – whether that’s a responsibility best suited for boards or audit committees (or even risk committees, which is one regulatory proposal on the table).

The piece does a great job laying out the risk landscape, the varied stakeholders, and the questions surrounding the best ways to identify (and, critically – disclose) risks from audit to IT to security and beyond.

By prompting companies to define their board members’ responsibilities for overseeing risk, the disclosure could reveal inefficiencies. You could have a situation where the compensation committee, the audit committee, and potentially a risk committee are all addressing similar areas related to risk, says Mark Plichta, a partner at Foley & Lardner. “[Board members] need to understand the boundaries of who is doing what. There are a lot of gray areas and areas for overlap” . . . According to a survey of board members and senior executives by KPMG’s Audit Committee Institute, 18% of audit committees are primarily responsible for overseeing strategic risk, and 58% oversee IT security and privacy risks.

There’s a lot of industry back and forth about just who’s equipped to manage risk, and regulatory changes being discussed are adding layers to both the process and the questions about the process.

We’ve said before that it’s critical for decision-makers (whether they be directors or audit committees or line managers) to have real-time operational visibility to guide them in their decision-making and in their understanding of risk exposure. Those are some of the (many) reasons we designed a CCM solution that monitors and correlates exceptions across all major types of controls, across virtually any application.

Having that information at the ready seriously eases the regulatory burden on the folks tasked with reporting on risk – and even more important, when exceptions are flagged immediately and information sent to the business users who can actually do something about them, businesses operate more efficiently, with less risk overall.

One last thing today, head to Compliance Week and check out the CCM whitepaper from Approva’s CEO, John Becker. All the cool kids are reading it . . .


All is Well

Posted on March 5th, 2010 by Greg

Remember the end of ‘National Lampoon’s Animal House’? A young Kevin Bacon raising his hands trying to calm the crowd at the parade as the Delta House crew wreaked havoc? “Remain calm. All is well,” he proclaimed. It’s what I was immediately reminded of as I read the lead article in the Monday March 1, 2010 Money Section of USA Today entitled “Companies are making fewer accounting mistakes”. Matt Kelly had a similar article in this week’s issue of Compliance Week.

The article’s sub headline, “Firms’ financial statements are more accurate now,” details how just 630 companies reported 674 accounting problems serious enough to warrant a restatement, a “dramatic 24% decline from the number of companies reporting problems in 2008.” As a matter of fact it’s the lowest level since 2001 when Enron made the news.

So can we safely say that SOX is working and has been effective? That the crisis has passed and no one has a problem? In short “Remain calm. All is well.”?

The article highlights why Audit Analytics, who produced this study and previous ones on the same subject, believe there is improved reliability in accounting:

There is steady and ongoing improvement. This primarily refers to the number of restatements being reduced. Little consensus exists regarding the single leading cause of financial restatements because the leading cause changes from year to year. In separate studies revenue recognition was found to be the leading cause for restatements. However, in 2006, expense recognition was the most common type of error, while another study concluded that equity errors were the leading cause of misstatements. Even though causes of financial statement misstatements change from year to year, the main accounting issues causing misstatements have remained fairly stable. The most common types of misstatement, however, are (1) revenue recognition, (2) expense recognition, (3) equity errors and (4) misclassification.

The most obvious implication of restatements is the passage of the Sarbanes-Oxley Act in 2002. Adhering to SOX is clearly a contributor to this benefit in reduced financial restatements. Now, one can ask is the benefit worth the pain (cost), and certainly if you are providing compliance to SOX manually and not automating it, through improved/redesigned process combined with technology, you may be spending more than you need to. Most likely you are. And you may also be losing your edge competitively as this report shows competitors are clearly figuring out how to comply successfully.

Mistakes are being caught sooner. As with manufacturing processes, quality cannot be inspected out, it has to be built into the process. Catching these errors early saves money, a byproduct and direct benefit of improved financial controls. That’s what continuous controls monitoring (CCM) and continuous auditing is all about. If we wait until the end of the quarter or the end of the year to catch these errors they are simply more costly. Period. The Audit Analytics report shows the time period for finding errors is down from two years to a year and a half. So we are moving in the right direction. But again, ignoring the problem of finding errors or saying it costs too much to uncover now versus later only allows the risk to fester, so it explodes when uncovered.

Restatements are less serious. Duh! Of course they are! This follows from the two earlier points about reducing restatements. Since companies have changed and improved their process (and hopefully automated it so the benefit outweighs the costs), they are finding mistakes earlier…and PRESTO! The errors you catch have less of an impact. Awesome. Audit Analytics (I hope they don’t go by AA) shows a two-year reduction in the millions – from $7.2M to $4.6M. That’s a 56% improvement. Huge. I can guarantee you that the investment in new processes and technology that companies spent to adhere to better access and process controls is on average less than the $2.6M in the same 1 year + time period.

Cindy Fornelli is Executive Director of the Center for Audit Quality, a Washington-based public policy organization. She points out in a recently published article in The Deal magazine a few other facts from Audit Analytics:

• A November, 2009 study by Audit Analytics suggests that companies that have not yet had auditors review their internal-controls reports have a restatement rate that is 46% higher than larger companies, despite claiming they have effective controls.
• While there is an expense associated with conducting an audit of a company’s ICFR, a Securities and Exchange Commission study found that companies with market capitalization below $75 million that were required to comply saw costs decline 42% between 2006 and 2008.

The financial exposure to ignoring solid internal controls is real but the perception that the costs outweigh the benefit is just old-fashioned denial.

SOX is proving its benefit as demonstrated by reports like these. But it is just the tip of the iceberg. SOX has established the baseline for internal controls that, if done properly, deliver on the primary benefit of investor confidence. But don’t overlook what else can be done — particularly as SOX is demonstrating success.

All is NOT well. Don’t remain calm. There is more to do. While automating internal controls for user access to financial systems is old hat to many, it is just one area of ‘improved quality’ that reduces costs, reduces risks and increases operational efficiencies. Continuously inspecting the processes by which your financial processes work – procure-to-pay; order-to-cash; record-to-report – all of these areas can benefit organizations if attacked in the same manner. And if we do it well, we won’t have a “food fight”.


Coming Together on Complete CCM

Posted on March 4th, 2010 by Katina

So, the most attentive of our readers just may have noticed that we at Approva are a wee bit excited about our groundbreaking release, Approva One. If you happen to have missed the post about it, (or the press release, the tweets and the video), feel free to check out WebCPA’s lovely write-up on it.

At the risk of repeating ourselves, we’ll just mention that Approva One is the industry’s first complete Continuous Controls Monitoring (CCM) Suite. That means we offer unparalleled visibility into operations across business functions – so that potential issues can be addressed before they turn into problems.

We’re thrilled about it, and our clients are over the moon (more on that soon). And it’s great to see we aren’t the only ones excited by the potential that complete CCM programs offer for improving business processes.

Over at ITKnowledgeExchange, Linda Tucci has an interesting piece on CCM’s status on GRC agendas (along with, we’ll admit it – some good quotes from an upcoming Compliance Week piece by Approva CEO John Becker).

And Martin Kuppinger’s also got an interesting take on CCM. Blogging on the links (no pun intended) between GRC and IT security, he hits on one of the essential issues with incomplete CCM solutions —

“Very seldom will you find organizations that have a well-defined GRC strategy and roadmap, covering the organizational as well as the IT aspects of GRC, and supporting an evolution towards an integrated GRC approach including the organizational structures and processes, control frameworks, supporting technology and so on.”

As we keep saying — with apologies for the broken-record resemblance, but this is important – truly complete CCM solutions must bring together varied functions to manage risks on a global scale, so that operational boundaries aren’t barriers to efficiency and breeding grounds for costly errors (or worse).

Stay tuned, people. We’re going to be downright prolific on this stuff.
