Archive for the ‘Post of Note’ Category
Posted on May 1st, 2008 by Julie Garland McLellan »Permalink
This is the most important aspect of board governance. The oversight function is the absolute minimum that investors and owners have a right to expect from boards. Some boards are too focused on simply providing the minimum.
Board members should, individually and collectively, have experience of business and community life that will enable them to add value to the organisation as well as to effectively monitor its operations. They add this value by the insights they bring.
Oversight is looking at a function and asking the compliance related questions:
• Should we be doing this?
• Are we doing this correctly?
• Are the right people doing this and do they have the right tools and training?
Insight comes when the board start ask questions about performance such as:
• Are these activities the best activities for generating the results we want?
• If they are the best activities, could we do them more effectively or efficiently?
• What would help our people to be more effective?
• Who does these activities better than we do and what could we learn from them?
An insightful board will challenge and support the President or CEO by helping to keep the organisation focused on outcomes rather than processes.
Foresight comes when the board can predict aspects of future performance by monitoring current KPIs. A board with foresight is able to look at the evolving corporate landscape and ask questions such as:
• What activities will be required in the future?
• What must we learn now to be more effective in the future?
• How will we track that our people are learning the required skills?
• When should we start to deploy new activities?
It is important to remember that the oversight role is the foundation for the insight role. No board can sensibly offer advice on improving performance if there is any doubt about the veracity of the information they are basing their insights upon. Similarly the board must have appropriate good quality data from their performance insight to be able to make any use of their instincts regarding foresight. Attempting to move to a higher level without the data from the lower levels is dangerous; it can leave a board exposed to making decisions that do not stand the test of later analysis.
Attempting to govern a successful company without progressing from oversight to foresight is also dangerous. The board can become trapped in old paradigm thinking and performance can deteriorate to a point where future options are limited by lack of resources. Boards must have confidence in their data to be able to move successfully through from oversight to insight and then to foresight so that their organisation moves from compliance to performance to sustained competitive advantage.
Tags: corporate boards, risk management, compliance
Posted on April 28th, 2008 by Audit Trail »Permalink
We just returned from a very busy week at COLLABORATE 08 and wanted to share some thoughts on what we saw and heard in Denver. The conference was very impressive – some 7,000 attendees, hundreds of vendors, and thousands of sessions.
It was clear to us early-on in the conference that interest in internal controls has grown well beyond simple user access. While user access and SOD are still priorities, the people we encountered were most interested in the ability to implement controls over things like systems settings and transactions – and in risk management, data privacy, and fraud prevention.
There also seemed to be a mad rush to upgrade to newer, more current versions of Oracle and PeopleSoft. We found ourselves talking a good bit about the need to set up controls appropriately within upgraded systems.
Our own sessions drew a healthy audiences – in fact, our session on strengthening data privacy in Peoplesoft (live-blogged here) ultimately got so full that folks were being turned away. While we’d like to credit our fabulous presentation skills, the truth is that more and more businesses are interesting in leveraging controls and compliance efforts for broader business goals, and data privacy is a top concern for many we encountered – regardless of role or business size.
We talked to everyone from business professionals, IT staff and controls/compliance and audit folks about this issue, from companies small and very, very large, and these issues were at the forefront for nearly all of them* as we discussed risk, controls, and compliance.
*We said “nearly” for a reason. Almost everyone wanted to talk about SOD, user access, data privacy or something related, but as happens at every event, several just wanted to talk about how they Love A Good Audit and take home an Approva or button or two. We even met one woman who’d made her own I Love a Good Audit button! Now that’s dedication.
Tags: COLLABORATE 08, Peoplesoft, Oracle, data privacy, controls intelligence
— Monica Elliott and Brian Groves
Brian Groves is Senior Director, Product Marketing, Oracle at Approva.
Monica Elliott is Manager, Product Marketing, PeopleSoft at Approva
Posted on April 24th, 2008 by Julie Garland McLellan »Permalink
Have you recently read any articles about what your board should be focused on? Was it bird-flu, Internet portals, Terrorism or some other fad?
I wish I had a dollar for every article on the latest buzz-word that every board should worry about. Or fifty cents for every list of twenty questions board members should ask about the craze. I would hate to be on a board that was so easily sidetracked from their real concern; running the company so that it achieves what it was set up to achieve.
In some great research from Australia, Neil Buck surveyed real company directors on what risks they thought most likely to impact their companies. His initiative revealed 16 categories of risk which, when read by company directors, were recognised as things they worry about.
I have followed up on that research and interviewed 241 company directors on the big risks facing their company. Unsurprisingly the number one risk was financial but (sad news for the audit community) it was not financial statement misstatement or fraud, but simple cash flow risk that kept directors awake at night. Fixing this is a question of strengthening the business. Improving reporting or ticking boxes in the board room won’t help.
Directors the world over are focused (as they should be) on running businesses to generate wealth (or benefits in a not-for-profit context) in an environmentally and socially acceptable manner. If bird flu is important for the business they will focus on that. If not, they should focus on what is important for their business.
Directors can rely on their own judgement to help them to evaluate such things. They may get it wrong occasionally (all boards, when they are being honest, have a decision they regret in their history) but it rarely is so wrong that they can’t fix it. Unless, of course, they are rushing from one fad to the next without pause for thought.
Anyone who suggests that every possible risk should be a board focus is either totally inexperienced in the board room or hoping to sell your board something. For optimum results, focus your board on what is important for your organisation by holding an annual discussion of strategic aims and current targets. Forget the current fashion and just talk about what the organisation needs to achieve and what are the risks that threaten that achievement.
You will be amazed by the power that the board can generate and the value that they can add.
Tags: corporate boards, risk management
Julie Garland McLellan is a professional company director and corporate governance consultant. Her book “All Above Board” is a practical manual for government sector boards. Julie delivers practical boardroom training and performance assessments that empower boards to achieve results. Readers are invited to subscribe to her newsletter ‘The Director’s Dilemma” free of charge until 1 January 2009.
Posted on April 17th, 2008 by Julie Garland McLellan »Permalink
Governance relies on culture, and establishing an appropriate culture is one of the most important jobs for a board. Checking that the culture the board wanted is the culture they actually have is also important.
The board will get some idea of the culture within the organisation by observing the behaviours of the CEO and senior executives. Behaviours that are rewarded and recognised will be emulated and repeated and will eventually coalesce into ‘the way things get done round here’ or the basic culture of the organisation. Different departments will have slight variations on the basic culture but these must never stray so far from the norm that they become alien to the rest of the organisation.
A good indicator for boards is the relationship between the support and control functions and the line management within the core operations. If risk management, internal audit and human resources are generally welcomed as ‘people who help us get our jobs done’ then the culture is likely to be reasonably compliance focused. If there are strong tensions or a dramatic divide between “us” and “them” then the culture is probably not right. The board can find this out by seeking opportunities to meet staff from the support functions and asking these staff how they feel they are viewed by their colleagues in the line functions. This can happen in the boardroom.
First hand experience is better than any indicator. Boards should get out and about within the organisation as much as they can. Talking to staff about the control system and why it is important will reinforce the value of compliant behaviour and demonstrate that the board is genuinely interested in compliance.
There is a good reason that sayings such as “whatever interests my boss fascinates me” and “what gets measured gets done”; they are true! Boards need to show they are interested and measure compliant behaviour so that the staff are aware that their compliance is monitored.
Boards also need to pay attention to the mythology within the organisation. What are the things that make an employee a hero or heroine in the eyes of their colleagues? If gung ho risk taking and non-compliant behaviour are stuff that heroic reputations are built upon the board is not going to get much compliance from the best and brightest members of staff. Boards should be careful that they reward compliance as well as performance. Whilst many boards are wary of introducing complex reward systems if a company has a good controls system and monitors compliance it will be easy to pick an objective quantifiable indicator of good compliance and to build that in to the reward system.
Rewarding a manager, for example, on the reduction in non compliances by his or her direct reports will soon have managers focused on reinforcing the control system or changing it when it needs to be changed to support a better performance outcome. When the control system is viewed as something that prevents performance good managers will naturally try to find a way to operate outside the fetters the system imposes. When the system is designed to support performance and when rewards are attached to supporting and working within the system then the board can rest assured that the culture will have an adequate focus on compliance.
Julie Garland McLellan has over 20 years experience in strategic business development in resources, utilities and energy industries. She is currently a corporate governance consultant with Blackrock ITS, a leading Australian IT services and solutions firm. Previously, she served as associate director with McLennan Magasanik Associates, and a board member of the Victorian Minerals and Energy Council, the Victorian Energy Networks Corporation (VENCorp), the Melbourne University Engineering Foundation and City West Water. Julie has an honours degree in civil engineering from City University in London, an MBA from the leading Spanish Business School (Instituto de Empresa in Madrid) and is qualified in finance and corporate governance.
Tags: corporate governance, compliance
Posted on April 11th, 2008 by Priya Ramesh »Permalink
Today we’d like to focus on a company we’ve been working closely with – a Fortune 100 retailer with billions in revenue, nearly 100,000 Employees, PeopleSoft Financial Management System (FMS) v.8.4 – and concerns about how to reduce risk, rein in compliance costs and improve efficiency in their operation.
The challenges facing the company were serious. There was no cost-effective way to test, monitor and enforce existing financial controls – and employees were circumventing the process to make manual journal entries & update the chart of accounts. Controls required extensive effort by Internal Audit to manually test on an ongoing basis. Manual queries had to be written, updated and executed. Results had to be manually reviewed. And too much time was being wasted researching financial anomalies for audits.
One of our contacts at the company summarized the situation this way, “Misrepresenting our financial results would have had disastrous implications, but it just wasn’t feasible to continuously monitor every control.”
We worked closely with our client to develop a system for them to monitor their financial controls, and we’re pleased to report that the results have been very positive.
The client is now using customized, automated controls to monitor 16 specific financial configuration and transaction-related controls. Key personnel are now automatically alerted to issues such as backdated journal entries, unusual debits and credits, reversed transactions, revenue entries after period close, unauthorized master data changes, and unusual trending in key accounts. Once alerted, they can investigate further to see what action, if any, is needed.
By focusing on key risk areas and implementing customized controls to address them, the retailer has reduced the risk of fraud and financial misstatement – and eliminated errors resulting from employees circumnavigating existing financial controls and policies.
And there have been broader benefits to their business, as well, in terms of resources saved as processes have improved. Time required for the internal audit team to test controls has been reduced, as has the time required to respond to external audit requests. Travel costs and expenses for the internal audit team have also decreased. And eliminating low-value tasks from the responsibilities of internal audit and finance staff has improved utilization and retention.
All in a day’s work.
Tags: financial controls, controls intelligence, risk management
Posted on April 4th, 2008 by Julie Garland McLellan »Permalink
I so often hear (from auditors) that boards don’t listen to their auditors or (from boards) that auditors don’t talk in a way boards can understand or use. It really is sad that such an important conversation so frequently leaves both participants unsatisfied.
The best way to get the conversation started, in my experience, is for the parties to come together to discuss what are the key strategic risks and then what are the likely best key performance indicators (KPIs) to monitor these risks. As a general rule directors are more interested in the strategic information that will affect future performance than in the financial information that depicts past performance. Unfortunately most of the information directors get given by auditors or risk managers seems to be past oriented and financial rather than future oriented and focussed on the activities that will cause the financial performance.
Starting the conversation as an inquiry with both sides suggesting things topics for investigation and KPIs that would provide a meaningful indication of likely future performance is far better than starting the conversation with one party reporting to the other.
It is healthy for the audit committee or board to meet with the auditors and internal auditors without management being present. This does not mean that the board distrust management just that the conversation is different when management is not present. Simple measures such as inviting the internal auditor to accompany the board when they make a visit to an operating site will help to build shared understanding and common values. It is imperative the board meet the internal auditor more than once a year and that each meeting is constructed to achieve specific outcomes rather than just to wade through specific reports.
Tags: auditors, corporate boards, KPIs
Julie Garland McLellan has over 20 years experience in strategic business development in resources, utilities and energy industries. She is currently a corporate governance consultant with Blackrock ITS, a leading Australian IT services and solutions firm. Previously, she served as associate director with McLennan Magasanik Associates, and a board member of the Victorian Minerals and Energy Council, the Victorian Energy Networks Corporation (VENCorp), the Melbourne University Engineering Foundation and City West Water. Julie has an honours degree in civil engineering from City University in London, an MBA from the leading Spanish Business School (Instituto de Empresa in Madrid) and is qualified in finance and corporate governance.
Posted on March 25th, 2008 by Monica Elliott »Permalink
The past week has been a fascinating one for data privacy breaches. First, we have the Hannaford Brothers exposé affecting up to 4.2 million customers, illustrating how creative hackers have gotten with “the first large-scale piracy of card data while the information was in transit.” Clearly, the simple act of encrypting data isn’t fool proof at preventing breaches. In fact, 70-80% of data breaches are due to perpetrators on the inside, as opposed to hackers on the outside. This brings us to the second high profile privacy breach this week. Unauthorized insiders accessed electronic passport files of all three presidential candidates: Senators Barack Obama, Hillary Rodham Clinton and John McCain. Fortunately, the State Department’s computer system flagged these incidents, providing details behind the breaches to enable senior management to take disciplinary action. Most organizations, however, are not equipped like our fearless leaders in Washington with automated tools to flag instances of inappropriate user access to sensitive information.
ERP systems are the lifeblood of most companies and contain countless records of sensitive information such as vendor bank account numbers, customer credit card numbers, employee salaries, social security numbers and identification numbers. Out of the box ERP systems often don’t prevent access to this information, leaving it up to the IT folks to adequately restrict access through user profiles or other access-related controls. With 85% of companies indicating at least one known data security breach in a survey conducted by the Ponemon Institute (May 2007), companies need to get a handle on privacy risks in their ERP systems before they become the next embarrassing headline.
Our auditor friends have taken note and responded to the problem of growing data privacy breaches. They’ve created the Generally Accepted Privacy Principles (GAPP). We have a lot of fun explaining how GAPP is related to, but separate, from the Generally Accepted Accounting Principles (GAAP). It’s great cocktail party conversation. The privacy framework, GAPP, was the outcome of a joint task force created in 2001 between the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). GAPP represents the best of the best privacy requirements pooled across myriad regulations, ranging from domestic ones such as HIPAA, to international ones such as the European Union (EU) Directive. According to Computerworld in December 2007, “If you haven’t heard of the Generally Accepted Privacy Principles (GAPP), take stock: They’re likely to become the most important new source of requirements for your IT projects since Y2k and Sarbanes-Oxley… GAPP is the best international framework for assessing the privacy health of an organization.” In fact, GAPP has given rise to the term Continuous Privacy Monitoring (CPM) which auditors coined to describe the most optimized method to minimize breaches. We like the term because it’s the first cousin to Continuous Controls Monitoring (CCM).
One of Approva’s own, I was a victim of identity theft resulting from an employee of a Fortune 500 company having unauthorized access to my social security number in the company’s ERP system. Together with Joel Hutchison, Approva’s PeopleSoft solutions architect, I recently penned a white paper which I’ll shamelessly promote here. It highlights GAPP, CPM, and how organizations can tackle PeopleSoft privacy risks head on. Click here to download a copy. You can also look for us at these two upcoming events.
· Privacy Summit in Washington DC, March 26-28. Together with Sunera.
· Collaborate in Denver CO, April 13-17. Stop by booth 1148 or our session, “Strengthening Data Privacy in PeopleSoft,” co-presented with Dr. Marilyn Prosch, CIPP, Associate Professor of Accounting at Arizona State University.
Tags: data privacy, continuous privacy monitoring, Generally Accepted Privacy Principles
— Monica Nelmes Elliott, Manager, Product Marketing, Approva
Posted on March 18th, 2008 by Julie Garland McLellan »Permalink
The main requirements for an audit committee are members that understand what they are auditing and that are independent enough to give an unbiased opinion of the results of their audit.
Most global corporate governance codes call for the audit committee to be comprised of a majority (and preferably entirely) of independent non-executive directors. In particular it is considered inauspicious if the CEO, President or Chairman is an audit committee member. Some codes call for the committee to be chaired by an independent financial expert and generally define this expertise as that of a person who regularly and recently has prepared or audited company financial statements.
These requirements can be hard for government agencies and smaller companies to meet. That does not mean that the audit committees in these companies are ineffective. Most are highly effective because they are comprised of ‘good’ people. However it is worth looking closely at the mechanisms that have been put in place to remedy the lack of independence in the structure. These must bear up well under detailed scrutiny if the board is to be able to take any assurance from the committee’s operations.
The most crucial issues are independence of mind, an understanding of both the business and the financial statements and a willingness to follow investigations through to their complete conclusion.
A good audit committee member will have an abundance of curiosity about how results were generated, what reporting processes were used and where the human intervention points could alter the results. With these attributes and good monitoring tools a committee can gain very valuable insights and can customise controls to optimise expected performance.
Tags: audit committee, independence, corporate governance
Posted on March 7th, 2008 by Priya Ramesh »Permalink
Ladies and Gentlemen, our very special guest blogger is here — none other than Corporate Library co-founder and “Corporate Governance Queen” Nell Minow. Nell has been kind enough to join us fresh from her testimony today at the U.S. House of Representatives, and she offers a great window in to just what went on. Without further adieu, we’ll turn things over to Nell.
This morning, I testified before the United States House of Representatives Committee on Oversight and Government Reform, chaired by Henry Waxman (D-California). I have appeared before Congressional and Senate committees many times, frequently about executive compensation issues, but this one was the wildest, the most high-profile, and the most fun. It wasn’t because of my panel, two quiet economists, a state official, a mayor, and me. It was that second panel, the one I refer to as the three tenors of the subprime opera: Charles Prince, Former Chairman and CEO, Citigroup, E. Stanley O’Neal, Former Chairman and CEO, Merrill Lynch, and Angelo R. Mozilo, Founder and CEO, Countrywide Financial Corporation. All are out or soon to be out of their jobs due to massive misjudgments on subprime loans and the resulting massive losses and write-downs.
What made the hearing especially meaningful was that for the first time in my memory it included not just the CEOs but the real culprits, the compensation committee chairs from their boards: Richard D. Parsons, Chair, Personnel and Compensation Committee, Citigroup (and former CEO of Time Warner), John D. Finnegan, Chair, Management Development & Compensation Committee, Merrill Lynch (and CEO of Chubb), and Harley W. Snyder, Chair, Compensation Committee, Countrywide Financial Corporation (and President of HSC, Inc., a real estate development company).
It was more partisan than I expected, with the ranking minority member, Tom Davis (R-Virginia) leading off by comparing the hearing not just to scapegoating but to the sacrifice of virgins(!). Several of the Congressional representatives, mostly Republicans but some Democrats, too, all but fell over themselves congratulating the CEOs on their fabulous American dream success stories and reassuring them that they did not mean to imply that they had done anything wrong.
I had no such compunction.
I cautioned the committee not to be persuaded or distracted by the claims by the executives and their board members that CEO pay is set by the market. Compensation consultants have lots of pie charts and bar charts and comparables, but the question (as I explained many times to my children when they were in middle school) is not what everyone else is getting but what works the best. CEO pay is like any other asset allocation made by the board. It must be evaluated in terms of return on investment. The return on investment of the tens and even hundreds of millions of dollars paid to these three CEOs was less than a piggy bank.
My long-time colleague Robert A.G. Monks says in his new book, Corpocracy:
“The simple fact is that the CEO market that the business Roundtable loves to cite was contrived by the chief executive officers operating through their lobbying wing. It is a market that has been polluted by the secrecy that surrounds the cost of option grants, the lack of any disclosure of even the most enormous retirement benefits, and, recently, the obfuscation of the date when options were granted and became effective so as to fix a price.”
Our shareholders, our employees, our communities, and the working people of this country deserve better. In our increasingly global markets, if they do not find credible business leadership here, they will send their capital elsewhere. If we want our capital markets to be credible and competitive, we must stop over-compensating executives who destroy shareholder value.
Tags: executive compensation, Congressman Waxman, subprime mortgages
Nell Minow
– Nell Minow, Editor and Co-Founder, The Corporate Library
Ms. Minow was named one of the 20 most influential people in corporate governance by Directorship magazine in 2007 and was dubbed “the queen of good corporate governance” by BusinessWeek Online in 2003. Prior to co-founding The Corporate Library, Ms. Minow was a Principal of Lens, a $100 million investment firm that took positions in underperforming companies and used shareholder activism to increase their value. Her other professional experience includes serving as President of Institutional Shareholder Services, Inc. and as an attorney at the U.S. Environmental Protection Agency, the Office of Management and Budget, and the Department of Justice. She has authored more than 200 articles and co-authored three books with Robert A.G. Monks, most recently the 4th edition of an MBA textbook called Corporate Governance, published in 2008. Ms. Minow is a graduate of Sarah Lawrence College and the University of Chicago Law School.
Posted on February 28th, 2008 by Julie Garland McLellan »Permalink
PV Boccasam caused a minor sensation when, during a visit to Australia, he likened controls to the brakes on a car and explained that you needed good controls if you wanted to go fast. In Australia at the time, the prevailing sentiment was that controls were more like seatbelts; all about restraint and nothing to do with performance.
Good controls, like good brakes, are essential, but you don’t want them fully on all the time. You just need to apply them at the critical moments.
For a board, or audit committee, understanding the controls environment can only occur if the members understand the business. It is important to know what are the key drivers of success and what, if done poorly, will prevent success; controls should then be focused on the activities that will make the most difference.
Although there are some areas, such as invoicing and cash handling, where good processes are necessary, in all companies there are others where lower controls will give higher performance.
A good case in point is a not-for-profit company that recently employed an excellent IT manager. The new manager came from a competitive environment where data security was a major issue. He immediately established controls to prevent data being removed from the company’s servers.
Unfortunately, this company relied on volunteers giving presentations to educate people about the risks of diseases. When the volunteers could not access the presentations because all the disk drives and USB ports had been disabled, the company’s operations were brought to a standstill and, worse, some volunteers used old, out-of-date presentations with incorrect information whilst waiting for the situation to be resolved.
This could all have been avoided if the IT manager had been properly briefed on the risks and sensitivities of this business and designed controls accordingly. Controls with an eye only toward restraint and not toward performance often end up slowing everyone down.
Tags: corporate governance, controls, compliance, audit committee
Julie Garland McLellan has over 20 years experience in strategic business development in resources, utilities and energy industries. She is currently a corporate governance consultant with Blackrock ITS, a leading Australian IT services and solutions firm. Previously, she served as associate director with McLennan Magasanik Associates, and a board member of the Victorian Minerals and Energy Council, the Victorian Energy Networks Corporation (VENCorp), the Melbourne University Engineering Foundation and City West Water. Julie has an honours degree in civil engineering from City University in London, an MBA from the leading Spanish Business School (Instituto de Empresa in Madrid) and is qualified in finance and corporate governance. We’ll let Julie take over from here.
