In an almost embarrassingly 2010 social media turn of events, we came across @johngillespie on Twitter (via @susanorlean of all people) – and therefore a sort of treasure trove of content on Just What’s Wrong With Boards Today.

Because we love you, we thought we’d share. Gillespie has a good bit (a book’s worth, really) about the reasons why he believes many corporate boards are failing their shareholders. Gillespie has several examples of some rather egregious behavior, and really, there are some doozies. (We can probably all agree that folks with a fiduciary duty to maximize profits for shareholders should perhaps avoid using corporate jets for the private family vacays, yes?)

What Gillespie is recommending is a change in culture on America’s boards, which he says lack “perceptual diversity,” so that groupthink becomes a fact of life and members are afraid to ask one another tough questions.

The NYT has video of Gillespie talking through the issue with columnist William Cohan, and it’s worth checking out. Right around the 2-minute mark is an especially interesting tidbit – mention of a Yale University study by Jeff Sonnenfield that suggests that the answer to making boards operate more effectively isn’t further regulation or a change in our existing rules – it’s enabling a cultural shift on boards such that members are able to ask each other tough questions.

It’s food for thought for sure. The problem as Gillespie sees it is a big one, and it would take a good bit of effort to get over a years’ worth of habits and ingrained behavior and perceptions, if things are as broken as he suggests. One thing does strike us, though. If a key problem with the operation of boards is that it’s hard for folks to ask tough questions, wouldn’t a neutral way of flagging issues (for everyone from board members on down to line managers) seem like a good first step?

I’m asking seriously. Let us know what you think in the comments.

Happy Tuesday, everybody. We’re going to kick off this week with some great reading from CFO Magazine – a big piece on just who is (and who should be) responsible for identifying and assessing and mitigating risk in organizations – whether that’s a responsibility best suited for boards or audit committees (or even risk committees, which is one regulatory proposal on the table).

The piece does a great job laying out the risk landscape, the varied stakeholders, and the questions surrounding the best ways to identify (and, critically – disclose) risks from audit to IT to security and beyond.

By prompting companies to define their board members’ responsibilities for overseeing risk, the disclosure could reveal inefficiencies. You could have a situation where the compensation committee, the audit committee, and potentially a risk committee are all addressing similar areas related to risk, says Mark Plichta, a partner at Foley & Lardner. “[Board members] need to understand the boundaries of who is doing what. There are a lot of gray areas and areas for overlap . . . According to a survey of board members and senior executives by KPMG’s Audit Committee Institute, 18% of audit committees are primarily responsible for overseeing strategic risk, and 58% oversee IT security and privacy risks.

There’s a lot of industry back and forth about just who’s equipped to manage risk, and regulatory changes being discussed are adding layers to both the process and the questions about the process.

We’ve said before that it’s critical for decision-makers (whether they be directors or audit committees or line managers) to have real-time operational visibility to guide them in their decision-making and in their understanding of risk exposure. Those are some of the (many) reasons we designed a CCM solution that monitors and correlates exceptions across all major types of controls, across virtually any application.

Having that information at the ready seriously eases the regulatory burden on the folks tasked with reporting on risk – and even more important, when exceptions are flagged immediately and information sent to the business users who can actually do something about them, businesses operate more efficiently, with less risk overall.

One last thing today, head to Compliance Week and check out the CCM whitepaper from Approva’s CEO, John Becker. All the cool kids are reading it . . .

Remember the end of ‘National Lampoons Animal House’? A young Kevin Bacon raising his hands trying to calm the crowd at the parade as Delta House crew wreaked havoc? “Remain calm. All is well,” he proclaimed. It’s what I was immediately reminded of as I read the lead article in the Monday March 1, 2010 Money Section of USA Today entitled “Companies are making fewer accounting mistakes”. Matt Kelly had a similar article in this week’s issue of Compliance Week.

The article’s sub headline, “Firms’ financial statements are more accurate now,” details how just 630 companies reported 674 accounting problems serious enough to warrant a restatement, a “dramatic 24% decline from the number of companies reporting problems in 2008.” As a matter of fact it’s the lowest level since 2001 when Enron made the news.

So can we safely say that SOX is working and has been effective? That the crisis has passed and no one has a problem? In short “Remain calm. All is well.”?

The article highlights why Audit Analytics, who produced this study and previous ones on the same subject, believe there is improved reliability in accounting:

• There is steady and ongoing improvement. This primarily refers to the number of restatements being reduced. Little consensus exists regarding the single leading cause of financial restatements because the leading cause changes from year to year. In separate studies revenue recognition was found to be the leading cause for restatements. However, in 2006, expense recognition was the most common type of error, while another study concluded that equity errors were the leading cause of misstatements. Even though causes of financial statements misstatements change from year to year, the main accounting issues causing misstatements have remained fairly stable. The most common types of misstatement, however, are (1) revenue recognition, (2) expense recognition, (3) equity errors and (4) misclassification.

The most obvious implication of restatements is the passage of the Sarbanes-Oxley Act in 2002. Adhering to SOX is clearly a contributor to this benefit in reduced financial restatements. Now, one can ask is the benefit worth the pain (cost), and certainly if you are providing compliance to SOX manually and not automating it, through improved/redesigned process combined with technology, you may be spending more than you need to. In most likely case you are. And you may also be losing your edge competitively as this report shows competitors are clearly figuring out how to comply successfully.

• Mistakes are being caught sooner. As with manufacturing processes, quality cannot be inspected out, it has to be built into the process. Catching these errors early saves money, a byproduct and direct benefit of improved financial controls. That’s what continuous controls monitoring (CCM) and continuous auditing is all about. If we wait until the end of the quarter or the end of the year to catch these errors they are simply more costly. Period. The Audit Analytics reports shows the time period for finding errors is down from two years to a year and a half. So we are moving in the right direction. But again, ignoring the problem of finding errors or saying it costs too much to uncover now versus later only allows the risk to fester, so it explodes when uncovered.

• Restatements are less serious. Duh! Of course they are! This follows from the two earlier points about reducing restatements. Since companies have changed and improved their process (and hopefully automated it so the benefit outweighs the costs), they are finding mistakes earlier…and PRESTO! The errors you catch have less of an impact. Awesome. Audit Analytics (I hope they don’t go by AA) shows a two year reduction in the millions – from $7.2M to $4.6M. That’s a 56% improvement. Huge. I can guarantee you that the investment in new processes and technology that companies spent to adhere to better access and process controls are on average less than the $2.6m in the same 1 year + time period.

Cindy Fornelli is Executive Director of the Center for Audit Quality, a Washington-based public policy organization. She points out in a recently published article in The Deal magazine a few other facts from Audit Analytics:

• A November, 2009 study by Audit Analytics suggests that companies that have not yet had auditors review their internal-controls reports have a restatement rate that is 46% higher than larger companies, despite claiming they have effective controls.
• There is an expense associated with conducting an audit of a company’s ICFR, a Securities and Exchange Commission study found that companies with market capitalization below $75 million that were required to comply saw costs decline 42% between 2006 and 2008.

The financial exposure to ignoring solid internal controls is real but the perception that the costs outweighs the benefit is just old fashioned denial.

SOX is proving its benefit as demonstrated by reports like these. But it is just the tip of the iceberg. SOX has established the base line for internal controls, that if done properly, deliver on the primary benefit of investor confidence. But don’t overlook what else can be done — particularly as SOX is demonstrating success.

All is NOT well. Don’t remain calm. There is more to do. While automating internal controls for user access to financial systems is old hat to many, it is just one area of ‘improved quality’ that reduces costs, reduces risks and increase operational efficiencies. Continuously inspecting the processes by which your financial processes work – procure-to-pay; order-to-cash; record-to-report – all of these areas can benefit organizations if attacked in the same manner. And if we do it well, we won’t have a “food fight”.

So, the most attentive of our readers just may have noticed that we at Approva are a wee bit excited about our groundbreaking release, Approva One. If you happen to have missed the post about it, (or the press release, the tweets and the video), feel free to check out WebCPA’s lovely write-up on it.

At the risk of repeating ourselves, we’ll just mention that Approva One is the industry’s first complete Continuous Controls Monitoring (CCM) Suite. That means we offer unparalleled visibility into operations across business functions – so that potential issues can be addressed before they turn into problems.

We’re thrilled about it, and our clients are over the moon (more on that soon). And it’s great to see we aren’t the only ones excited by the potential that complete CCM programs offer for improving business processes.

Over at ITKnowledgeExchange, Linda Tucci has an interesting piece on CCM’s status on GRC agendas (along with, we’ll admit it – some good quotes from an upcoming Compliance Week piece by Approva CEO John Becker).

And Martin Kuppinger’s also got an interesting take on CCM. Blogging on the links (no pun intended) between GRC and IT security, he hits on one of the essential issues with incomplete CCM solutions —

“Very seldom will you find organizations that have a well-defined GRC strategy and roadmap, covering the organizational as well as the IT aspects of GRC, and supporting an evolution towards an integrated GRC approach including the organizational structures and processes, control frameworks, supporting technology and so on.”

As we keep saying — with apologies for the broken-record resemblance, but this is important – truly complete CCM solutions must bring together varied functions to manage risks in a global scale, so that operational boundaries aren’t barriers to efficiency and breeding grounds for costly errors (or worse).

Stay tuned, people. We’re going to be downright prolific on this stuff.

Today is a seriously exciting one for the Approva team. We are practically bursting at the seams to be launching Approva One, the industry’s first complete Continuous Controls Monitoring (CCM) Suite. And our customers are pretty excited too based on the feedback we’ve been getting from the beta program. After working with the product one finance director declared that we were going to be “their staff’s best friend.” Another user declared “this is worth running up and down the hallway screaming about.” You get the idea. This is a big release. So big that we’ve given it a new name…Approva One. Take a tour or watch the launch video. We think you’ll agree.

What’s so big? While for one thing, with this release we’re the only vendor to offer a complete CCM solution that supports the entire exception lifecycle process for both continuous monitoring and continuous auditing. With Approva One, we provide one application that flags what users can do, what they have done, and how…through one user interface that lets you identify, investigate and respond to business exceptions…all powered by one platform that allows us to serve the needs of everyone from finance and IT to audit and compliance. There’s literally nothing on the market with the same level of breadth and depth.

You can check out the official press release for the details on all the whistles and bells that come with Approva One – but here’s the short version: while other vendors confine CCM efforts to a single department, a single business process or even a single category of controls, Approva One is able to monitor and correlate exceptions across all of major types of controls – transactions, user access, master data, application configuration – and across virtually any application. We find exceptions immediately and then we quickly get that information out to business users who are in a position to do something about them…all from within a single application. That kind of visibility and usability not only makes life easier for compliance and risk managers it reduces risks and prevents errors by ensuring exceptions are corrected at the source.

Stay tuned to this space for more on Approva One in the coming days – especially as we begin to share stories of just how our customers are putting it to use. In the meantime, we’re holding a webcast on March 16th featuring Approva One, which will be generally available at the end of this month.

There’s a saying that when all you’ve got is a hammer, every problem looks like a nail. Well, when you’re in the business of helping businesses to identify and mitigate risks, you start to see risk analysis everywhere. Only it turns out that risk, unlike nails, really is everywhere.

We’ve talked recently about Malcolm Gladwell’s thoughts on risk in the New Yorker. In a six-degrees kind of twist, an author Gladwell recommends was the latest reason that risk once again interfered with leisure time.

In his Home Game, Michael Lewis talks about how his own risk calculations have changed since the birth of his children. Lewis, a former trader, remembers feeling genuine worry about money for the first time after his children were born, saying that all the fun of stock-market dice-rolls had been lost. And he references a Michigan Medical Journal from some years back that concluded that the Internet Bubble might have inflated so rapidly because large numbers of investors on newly available antidepressants were unable to accurately asses risk. They just got so optimistic that it suddenly seemed believable that prices could rise forever.

It got us thinking (again) about how crucial it is to have accurate assessments of risk – and it’s another reminder that no matter how much U.S. business tends to romanticize risk, it’s important to have strategies in place to manage it on a global scale, lest little things like happy pills or new parenthood throw our judgment out of whack.

KPMG International has published interesting findings from a global study of nearly 550 executives – the majority of whom (some 64%) cited bringing GRC efforts together as a priority for their businesses.

In the press release on the survey, KPMG’s John M. Farrell, its GRC Service Network Leader, does a good job of detailing why – explaining that as regulations have added many layers of compliance processes to businesses, businesses are struggling to keep up with new processes and requirements across various business functions. And the release and survey make a good case for integrated GRC efforts that bring those functions together instead of piecemeal measures in various silos.

But despite the enthusiasm for eliminating dreaded silo syndrome, we’ve got a ways to go in making the case with business leaders on the full value of GRC and CCM investments. According to the full survey, only 39% of respondents believe that convergence helps improve overall business performance, and an even smaller percentage sees GRC spending as an investment, rather than a cost of doing business.

As we’ve been saying for quite a long time now, one of the best things to come of increased regulation is automation of business processes that improves efficiency and helps the bottom line even as it keeps the regulators at bay.

Meeting compliance requirements and reducing risk provide invaluable benefits to businesses, and addressing those concerns is of critical importance. But we as an industry need to do a better job communicating the power that complete CCM initiatives hold for breaking down operational barriers and flagging potential issues and inefficiencies across functions.

Stay tuned in coming weeks as we work to do our part on that one. It’ll be good (and you won’t have to take our word for it).

Compliance Week columnist Richard Steinberg has been writing a very interesting series in recent weeks on the types of information corporate boards need to conduct their business. It’s a great topic to explore, and his piece today on what the C-suite needs to be sure to let boards in on is well worth a read. Steinberg makes some good points about the importance of making sure directors are familiar both with overall policy approaches and with day-to-day operations.

Some excerpts –

“The risk officer should not be held accountable for identifying, analyzing, managing, and reporting risks. Rather, the chief risk officer is positioned to ensure an effective and efficient risk-management process exists in the organization.”

“More and more directors are getting outside the boardroom to gain greater firsthand knowledge about the company, and management can be a catalyst and facilitator to make the time spent most worthwhile. There are, however, some important dos and don’ts. Avoid sending directors to parts of the company pre-selected to provide positive input. This is a recipe for disaster; directors will recognize it for what it is and question their trust in management.”

Being able to provide tangible evidence or risk policies and mitigation strategies is more important now than ever for businesses, and giving visibility to directors into operations is just as important. We couldn’t help but be reminded by another piece on this topic from the Audit Trail archives that deserves another look. In it, Julie Garland McLellan wrote (all the way back in the summer of 2008) about the role that Continuous Controls Monitoring can play in ensuring that directors have the information they need, and how directors can leverage CCM’s real-time operational visibility to guide companies to success.

Finally for today – and in a completely different vein, is there anything in the world more entertaining than accountant humor? I mean, it’s not quite a birthday song and video commemorating the fifth anniversary of Sarbanes-Oxley, but it’s a nice way to end the week with a chuckle or two.

Happy President’s Day, everyone. We trust your Presidential remembrances and/or linen purchasing went well. We’ve got some interesting reading to kick off this, the 47th week of winter (give or take).

Writing for Internal Auditor’s blog, Richard Chambers reviews the biggest trends over the last 10 years in internal auditing and outlines five imperatives for internal auditors to address in the coming decade.

The highlights?

“ * Expand our capabilities to continuously assess risks.
* Enhance our proficiency in data mining and analysis.
* Better integrate the deployment of IT and non-IT audit resources.
* Become more effective in communicating our value proposition to our immediate stakeholders.
* Enhance our coordination with other risk and compliance functions in our organizations”

Sometimes it really seems as if we’re at a tipping point with Continuous Controls Monitoring, where a critical mass is beginning to see what we’ve been saying for a good while about the need for real-time visibility into operations – not only for risk management, audit, compliance and finance (just to name a few) – but for companies as a whole to improve the way they do business. By bringing key functions together to identify risks and outline mitigation strategies – and by enabling transaction inspection and data analysis that highlights issues before they become problems – CCM decreases audit and compliance costs and demonstrably strengthens controls. If our math is right, that gets us to four of the five above. Add in that risk is among the buzziest of buzzwords for boards and investors, and it looks like CCM is five for five.

We may have mentioned a time or two about the power of continuous controls monitoring to reduce risk and improve operational efficiency. But there’s nothing like the news today (via Going Concern) of a $25k expense fraud at KPMG to really drive home the value of real-time visibility into functions like Travel and Expenses. Real-time visibility into rules violations means businesses can respond before exceptions become actual problems. So, for instance, things like gambling runs don’t get approved as business expenses, and companies are $25k or so happier.

There’s a lot more to CCM, of course, than visibility into T&E – so much, in fact, that we’ve developed a webcast chock full of the latest on Approva’s Continuous Controls Monitoring and just how our clients are putting it to work to manage risk and improve operational efficiency. Check out our press release for all the nitty gritty details on just what’s happening February 18th – or feel free to go ahead and register if we had you at “CCM Webcast.”

In other news, CFO has a great piece up now on knowing when to quit an initiative that isn’t working – before it consumes more money and resources. There’s an idea floating around that market volatility is here to stay, and as a result, companies need to get comfortable with frequent assessments of just what’s working and what isn’t. And wouldn’t you know risk enters into this equation, too? Read up for some interesting tidbits on what companies are doing to accelerate risk analysis to keep up with a market that can change on a dime.