Part 6 – SOX Sustainability – Testing, Validation & Internal Audit

In our previous installments on implementing and managing a sustainable SOX compliance framework, we discussed several significant success factors including a supportive corporate culture, well-designed business processes, and technology. In this installment, we discuss the role of “Testing” and “Validation”, typically performed by Internal Audit, in managing compliance.

The saying “what gets measured gets done” may be re-worded as “What gets measured and validated can be proven.”  Without embedded testing, validation and feedback systems, compliance projects are seldom optimized.  The compliance initiative(s) fall prey to assumed performance, assumed results and subjective evaluations that don’t properly attribute results and roadblocks where they belong.  Without testing or validation, it will be difficult, if not impossible, to prove to your external auditor that your compliance goals have been achieved.

For sustainability initiatives, testing and validation measures must be designed to outlive the ‘compliance project.’  That is, testing and feedback systems must be incorporated into the business processes that will sustain the enterprise.  At least three different types of indicators and measures should be instituted with the sustainability program.

  1. Measures and indicators regarding the status and effectiveness of the sustainability “project”,
  2. Measures and indicators regarding fundamental business performance that illustrate improvements in daily processes, and
  3. Compliance indicators and measures to track the testing and effectiveness of internal controls to underpin the §404 management assessment.

It will require all three of these to manage the initiative, the efficiency goals of the initiative, and satisfy the internal control objectives underlying the initiative.  Metrics will take the form of status indicators, Key Performance Indicators (KPI), Key Control Indicators (KCI), and anything that the enterprise (and management) deems important to manage the business.

Business Performance Management (BPM) is an integral part of creating a sustainable framework.  This is because improved business performance must be the goal of the program, with compliance derived as a byproduct of effective business process.

Enterprises with existing BPM systems and metrics can probably continue to use their existing systems and metrics.  Introduction of the sustainability initiative will probably require supplemental measures and indicators to what the enterprise is currently using, but many or all of the current indicators and metrics should be preserved as the enterprise has acclimated to using them.  The additional tests and validation measures are tied to the goals of the sustainability initiative, and what the organization wants to achieve through the initiative.

Sustainability initiatives typically require from 12 to 24 months to fully implement. Accordingly, it is important to establish metrics and measurements that capture legitimate progress and improvements beginning almost immediately.  This is necessary to reinforce management and organizational commitment to see the initiative through to completion.  Tangible results and data will also be necessary to overcome nay-sayers and doubters who will otherwise obstruct progress for personal reasons.  Metrics and indicators that will track program progress and report early results should be agreed and defined very early in the sustainability project so that they can be captured and reported almost from day one.  Metrics that relate to the performance of re-engineered and optimized processes, etc. may be defined and implemented as and when appropriate.

To track and report progress it may be helpful to establish and communicate “current” performance benchmarks that represent current or recent performance results, and against which future improvements will be measured.  Sustainability initiatives should not be launched without pre-established benchmarks and goals against which tangible progress may be reported.  Without such “lines in the sand” there is too much speculation and subjectivity in evaluating results.  It will be too easy to shortchange the initiative fearing that it is not achieving the desired goals.

Companies would also do well to establish cost tracking and cost saving metrics to capture sustainability initiative costs (outsourced and internal) against the savings attributed to improved process and efficiencies.  Baseline cost benchmarks should not be tied solely to pre-SOX operating cost structures, but should include cost measurements or estimates of the additional compliance burdens imposed by SOX, so that the sustainability initiative is properly comparing end results against a meaningful, starting benchmark.  Presumably without the sustainability initiative the enterprise will incur the compliance costs on an annualized basis going forward as SOX is not an optional cost area.

Measures and metrics must also be designed in view of the existing I/T infrastructure.  A wonderfully conceived metric is useless if the necessary information is not readily available (today) from one database or another.  However, companies are advised not to merely settle for metrics that can be readily supported by today’s infrastructure.  The sustainability initiative should consider and target certain key metrics for reporting and evaluation based on today’s capabilities and identify metrics that represent where the enterprise needs to go.  Future-based metrics should necessarily consider corporate goals and expected changes in culture-process-technology that will occur over the ensuing 12-24 months.

This approach is in keeping with the spirit of the COSO Internal Control and ERM frameworks, not just the letter of them.  Both frameworks call for goal (or objective) setting to establish enterprise direction.  Risks are then defined in the context of the established goals, and risk responses and control activities are implemented to address the risks.  Reporting systems should be conceived to help support the achievement of established goals (objectives).

Our Team
Our team is comprised of experienced executives, managers and consultants who will assist your banking organization in the development, implementation and execution of comprehensive risk management and compliance strategies.  From the initial passage of Sarbanes-Oxley in 2002, Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals.

Our Value 

    • Utilizing our proprietary SingleVue™ compliance methodology, we tailor comprehensive, cost-effective and flexible solutions to our clients.
    • Our solutions enhance your current business processes, rather than adding unnecessary overhead, thus creating measurable long-term value.
    • We involve your executive team, including your internal and external advisors, to guarantee solutions are absolutely consistent with your requirements.
    • We allow you to concentrate on managing your business.

For more information, visit our home page: www.visagesolutions.com

 


Copyright © 2007 Visage Solutions, LLC.