SOX 404
Friday, March 04, 2005
Not Your Father's CFO

With Sarbanes-Oxley at their backs and growth on the horizon, leading chief financial officers are transforming their roles … and their companies.

It wasn’t so very long ago, and it wasn’t in a land very far away, that the professional life of the average chief financial officer was akin to a fairy tale — a fable we might call “Jack and the Bean Counter.” In those days, a company’s chief executive (that would be Jack) could count on steady incremental growth coming from predictable sources. His CFO (that’s the bean counter) helped tally and report the revenues and profits.

As in most folk stories, a big, stomping giant showed up — several, in fact. The Sarbanes-Oxley Act, globalization, and the information technology revolution, to name three behemoths, have changed the face of the modern corporation. Beset by complexity; confronted by disruptive innovations from outside the conventional value chain; challenged by fickle shareholders, national and transnational regulatory bodies, and capital markets in a constant state of upheaval, the contemporary company is no fairy tale. The CEO is no longer a carefree Jack.

And the CFO, needless to say, is no bean counter.

Few business roles have changed as dramatically during the last generation as that of the chief financial officer. The classic model — the CFO as chief accountant and technical expert focused narrowly on the firm’s financial statements and capital structure — has been passé for a decade or more. The CFO has long since operated as more of a business partner with the CEO, closely involved in designing and overseeing strategy, operations, and performance.

Over the last few years, however, the pace of that evolution has accelerated sharply. Firms are eliminating the position of chief operating officer; a study of 300 publicly traded U.S. companies, published by the National Bureau of Economic Research, found that 20 percent abolished the COO position between 1986 and 1999. As more business unit general managers report directly to the chief executive, many of the COO’s managerial duties are being reassigned to the CFO, who also increasingly finds himself or herself a vital part of the corporation’s leadership team, with such a profound combination of staff responsibilities — and even line responsibilities — that the title “chief financial officer” seriously understates the actual position. No longer mere business partners, leading CFOs have become active, innovative, and independent transformation agents.

“When most people think about a chief financial officer, they’re still thinking about your father’s CFO — an accounting role, maybe expanded to tax and treasury,” said David L. Shedlarz, the chief financial officer of Pfizer Inc., one of 17 CFOs of leading global corporations we interviewed for this new, cross-industry study of the evolution of the chief financial officer role. “When you take a look at a CFO’s responsibility today, you also have operations planning and analysis, information technology, strategic planning, and M&A. As a member of the senior management team, you have to be able to take off your technical hat when you walk in the room.

“Chief accountant is very important,” Mr. Shedlarz added. “But you’ve got to be a lot more than a chief accountant as a CFO.”

A Public Voice
“Triggered by the rating agencies, lenders, and investors, I now have to pay much more attention to managing external relations than I did five years ago. Justifying our strategies to third parties is becoming increasingly relevant for us.”
—Dr. Siegfried Luther, Bertelsmann AG

The interviews we conducted during the summer of 2004 with the senior financial officers of Pfizer, FedEx Express, Johnson & Johnson, BASF, Procter & Gamble, Deutsche Telekom, and 11 other U.S. and European companies, have been published in the book CFO Thought Leaders: Advancing the Frontiers of Finance. The conversations revealed that CFOs of leading global corporations spend half or more of their time on activities outside the traditional boundaries of the position. Far from being overwhelmed by Sarbanes-Oxley and the intensifying scrutiny of corporate governance and compliance, they are playing jujitsu with the new regulatory and shareholder attention, using it both to strengthen internal reporting systems and to align them with company strategy.

Indeed, today’s CFOs see themselves as strategic activists. “The growth agenda is of equal or even greater importance” compared with solid cost management, Johnson & Johnson CFO Robert J. Darretta Jr. told us.

Our study shows that, to a large extent, chief financial officers are now viewed by their chief executives as CEOs’ primary aides in driving company-wide transformation efforts. Although this development has occurred over a period of a decade or more, we observed at least eight trends that underscore how profound that evolution has been:

• CFOs are more closely engaged than ever in designing, adapting, and implementing their organizations’ business models. “I am involved in all important operational and strategic group planning decisions,” said Karl-Gerhard Eick, who is both CFO and deputy CEO of Deutsche Telekom, the German telecommunications company.

• With capital markets now as global as companies, CFOs increasingly take lead roles in tying their firms’ business strategies more closely to models of shareholder value. “We have had to spread this culture of how to create value, how to get the best return on assets, throughout the company,” said Renault CFO Thierry Moulonguet, a member of the multinational management team that helped revive the Japanese automaker Nissan.

• To ensure strategic alignment, finance chiefs find themselves serving additionally as “chief metrics officers.” Robert L. Lumpkins, CFO of the food and agriculture giant Cargill, said, “Measurement drives behavior, and we need to know that we’re getting the behavior that we want and that people are focusing on the right things. That’s part of the job of the CFO.”

• Chief financial officers say their role includes more and more performance management, as they work toward the goal of securing what Robert J. Dellinger, CFO of the telecommunications company Sprint, called the “execution premium” accorded by shareholders to top performers.

• CFOs increasingly are taking line management responsibility in operating businesses. For example, in addition to overseeing the finance organization, Caterpillar Group President Douglas Oberhelman manages the Peoria, Illinois, manufacturer’s diesel engine business.

• The ability to communicate to various internal and external constituencies is now a critical competency for chief financial officers. The CFO “should be half accountant and half strategist and, to an increasing degree, an efficient communicator in both roles,” said Siegfried Luther, finance chief at Bertelsmann AG, the German media firm.

• CFOs are consumed with creating finance organizations stocked with men and women proficient in nontraditional skills, including experience in operations, in addition to traditional finance experience and acumen. “I encourage people within finance to leave the division and work elsewhere in the company,” said Cathy Ross, CFO of FedEx Express, the largest division of Memphis-based FedEx Corporation. “It helps the company, and it broadens the individual.”

• Finally, with senior managers and boards of directors taking a more expansive view of risk, chief financial officers are overseeing the increasingly tight linkage of risk management to the firm’s strategic agenda. “A more appropriate notion of value creation — post-9/11, post-Enron, post-WorldCom, post-Tyco, and so on — starts with the realization that risk matters as much as return does,” said Thomas A. Fanning, the CFO of Southern Company, the U.S.’s second-largest electric utility by market capitalization.

Perhaps the greatest transformation in the CFO role, however, is a transcendent one. As Pfizer’s Mr. Shedlarz put it: “People are asking the CFO, as well as the rest of the management team, to act as change agents.”

New Dynamism
Certainly, the chief financial officer position has grown more pressured in recent years. Well more than 10 percent of Fortune 500 CFOs have left their jobs during each of the past two years, according to the executive search firm Spencer Stuart. While some of that attrition may reflect natural transitions, there is abundant evidence that post-Sarbanes-Oxley stresses have contributed to greater turnover than the position experienced in the past.

In a 2004 survey conducted by CFO magazine, fully 68 percent of finance executives said they had experienced more job pressure during the past two years than before. Sixty-three percent said job stress had negatively affected their health.

But beneath what the New York Times has labeled “a steady drip-drip-drip of corporate announcements of CFO departures” is another story: the rising importance of the role within the hierarchy of the average large company, the improved qualifications of the men and women sought for the position, and the consequently enlarged expectations CEOs and directors have for their chief financial officer.

Consider the case of Nissan. Mr. Moulonguet, currently the chief financial officer of Renault, was a member of the management group that Carlos Ghosn brought to Japan in 1999 to turn around Nissan Motor Company. That turnaround team prescribed and applied shock-therapy treatment that combined strong growth targets and strict cost containment. “When we started the process,” Mr. Moulonguet recalled, “financial discipline was something we implemented overnight.” The revival of Nissan by Renault, which now has a 44.4 percent stake in the Japanese automaker, has become a well-recognized case study in successful change management.

The Explicit Strategist
“At Procter & Gamble, we have embraced the idea of the CFO as a generalist. I consciously think of myself as wearing two hats. I am responsible for traditional accounting issues: cash flow, capital, and cost structures. But my role is increasingly linked with strategy and operations. At P&G, A.G. Lafley has been CEO since June 2000. A.G. has made a point of defining the CFO role as explicitly strategic.”
—Clayton Daley, Procter & Gamble Company

Another example of nontraditional CFO activism is FedEx. Following the general business slowdown that began in the U.S. in 2001, FedEx devised a transformation program, called I-Service, to realign business processes and improve profitability and staff efficiency in the U.S. organization. In 2003, the company announced two voluntary incentive programs for eligible U.S. salaried staff and management employees, and took other steps to further reconcile expenses with revenues, such as reducing aircraft orders, consolidating facilities, and limiting hiring and discretionary spending. FedEx Express CFO Ms. Ross said the finance organization was deeply involved. “We’re right in the middle of transformation, and often we are driving it, because we have the tools, the resources, and the mandate to look out beyond the here-and-now,” she said.

As the business environment has begun to improve over the last two years, CFOs’ priorities have shifted. At FedEx, with the I-Service reorganization well under way, Ms. Ross said, “I would identify my role more as managing growth: Where is our next growth opportunity coming from and how do we capitalize on that?”

Board of Leaders
“All eight of us on the management board deal with all aspects of BASF strategy and decision making. There is very intense interaction and discussion. Basically, we expect that every board member is more or less able to speak to every topic.”
—Dr. Kurt Bock, BASF AG

Clayton Daley, the chief financial officer of Procter & Gamble, has experienced a similar reorientation in his role. “I consciously think of myself as wearing two hats,” he told us. “I am responsible for traditional accounting issues: cash flow, capital, and cost structures. But my role is increasingly linked with strategy and operations.”

Value Creators
In years past, most CFOs of large companies completed a successful transition from being stewards of value preservation to being business partners in value creation. Today, the increasingly determined focus on creating shareholder value is yet another prompt that encourages a chief financial officer to elevate his or her identity from reporter to executor.

Construction and mining equipment manufacturer Caterpillar initiated a new style of management reporting last year. Called Transparent Financial Reporting, it aligns the company’s internal management reporting system closely with shareholders’ returns. “It’s much more ‘live’ in terms of what’s actually happening as a shareholder would see it,” said Mr. Oberhelman, the group president of Caterpillar with oversight of the finance operation.

Another Caterpillar initiative matches the objectives and financial rewards of each of the company’s business units with shareholder value creation. One of the goals at Caterpillar, whose industry and business have always been cyclical, has been to remain profitable at the bottom of the cycle, and “attractively profitable” at the top. From now on, the goal is to ensure that the next cycle’s bottom is higher than the last one’s. By ensuring that the internal reporting and the business units’ common goals correspond to the shareholders’ rewards, said Mr. Oberhelman, “We have a real running chance to better our game all the way through.”

Rock the Boat
“Any senior leader in an organization has to have a certain degree of courage — to be willing to bring forward those things that are a little atypical, if not unpopular, on occasion. You need to be able to rock the boat without turning it over. And that really gets to a need for every organization, especially one the size of Pfizer, to be able to drive a high level of strategic resilience as part of the senior management team.”
—David L. Shedlarz, Pfizer Inc.

Procter & Gamble uses a model of shareholder value called Total Shareholder Return (TSR) as a strategic tool and as a method for evaluating management performance and calculating bonus payments. The performance model has become institutionalized, said Mr. Daley. “You could walk into any general manager’s office in this company and ask somebody about TSR and they could tell you what it is and how they think about it,” he said. Mr. Daley credited this focus on shareholder value as a major reason that capital spending as a percentage of sales has declined at P&G from 6 percent to 4 percent. “I never thought I’d live long enough to see this company’s capital spending go below 4 percent of sales,” said Mr. Daley, who joined Procter & Gamble in 1974. “TSR has been an enabler to get the line management focused not just on the income statement, but on the balance sheet and operating cash.”

CFOs uniformly rank talent identification and organizational development as two of their top agenda areas. Mr. Darretta, CFO at Johnson & Johnson, for example, considers “people development” his No. 1 focus. J&J’s businesses in consumer products, pharmaceuticals, and medical devices and diagnostics include more than 200 operating companies, each with its own chief financial officer. Mr. Darretta himself and Johnson & Johnson as an organization put enormous time and effort into the process of selecting these individuals, beginning with college recruitment.

Business Influence
“There are so many things that happen around a company, and the CFO and other finance people are in a terrific position to see everything. CFOs have to be good listeners and good observers to connect the dots. You can make linkages and connections that other people can’t, because they’re not seeing all those dots. This puts you in a unique position to guide, direct, and influence outcomes.”
—Robert A. Hagemann, Quest Diagnostics

New hires at J&J go through a two-year finance leadership program, culminating in an elaborate, formal process intended to identify future CFOs. Among the attributes sought are a focus on customers, understanding of the marketplace, an aptitude for teamwork, innovativeness, and the ability to be a positive change agent. “What we do over the course of their career development is to make sure it’s the business first, the finance function second,” said Mr. Darretta.

Other CFOs also expressed a preference — in many cases, an insistence — that up-and-coming finance executives spend time working with their companies’ business operating units. Kurt Bock, CFO of BASF, the world’s largest chemical company, based in Ludwigshafen, Germany, noted that it’s not enough for a senior executive to have expertise in a specific field such as finance.

“At some point, you have to try to broaden people,” said Dr. Bock. “That development process helps us identify our future leaders. Who is capable of becoming an entrepreneurial managing director, and who will be successful leading a business-enabling function? That’s the way we develop people in finance. After five, six years in a staff function, we try to move them out into a completely different area of responsibility, very often including an international appointment.”

Evolving Risks
Risk management is looming ever larger on most companies’ — and most CFOs’ — agendas. Certainly, the Sarbanes-Oxley legislation in the United States, which strengthened regulatory oversight of compliance, control, and governance programs, and increased the need for strict attention to P&L, balance sheet, and capital structure, has contributed to risk management’s higher profile.

“If you talk to a CFO of a publicly traded company who doesn’t have Sarbanes-Oxley as one of their top five agenda items, there’s either a problem or they’re about to go private,” said Dianne Neal, chief financial officer of Reynolds American Inc., the company formed in July 2004 by the combination of R.J. Reynolds Tobacco Company and the U.S. operations of Brown & Williamson Tobacco Corporation.

Yet overwhelmingly, the CFOs to whom we spoke said that Sarbanes-Oxley (SOX, in finance-speak) has been a less important factor in the evolution of the definition and control of risk than has the pace of change, driven by globalization and technology.

Cargill, for example, has long had a reputation for sophisticated risk management. “This is a core capability of Cargill,” said Mr. Lumpkins. “It’s a part of the mind-set of the company.” But the changing nature of the Minneapolis-based food and agriculture firm’s business, especially its rapid international growth, is compelling managers to think about risk in a wider context. Although Cargill has been a global business for decades, in just the past few years vast new areas in Eastern Europe and Asia that were once fenced off to U.S. companies have opened up. Today Cargill is operating in Romania, the Ukraine, and China, and further geographical expansion is envisioned. Increasing globalization, Mr. Lumpkins said, has brought with it increased attention to both risk assessment and compliance issues.

Continuous Improvement
“CFOs need to be leaders, with vision and accountability and a mind-set that focuses on continuous improvement and talent management. Not everybody is going to meet all of those criteria, so it’s important to see the CFO as part of a team. What is critical is that the leadership team can bring all these things together.”
—Robert L. Lumpkins, Cargill

Cargill created an independent risk management function in 1999 in the wake of the Russian debt defaults, and its scope has increased since then, as has investment in risk assessment technology. The company now has a group of analysts and former traders who report to the treasurer, separate committees dealing specifically with commodity and financial risks, and a global risk management oversight function.

For other companies, managing risk is a central component in delivering shareholder value. Mr. Fanning, the CFO of Southern Company, which provides electricity throughout the southeastern United States, pointed out that a traditional way to look at shareholder value creation “would center on delivering net income, earnings per share, or return on equity.” But in the energy industry, whose colossal risks range from the uncertain future of nuclear power to the effects of potential environmental regulations, risk and return cannot easily be divorced.

“In 2003, we saw all kinds of indications that interest rates were going to go up,” said Mr. Fanning, to illustrate Southern Company’s risk management process at work. “That is generally a bad signal for utility stocks, which tend to be yield-oriented investments.” Southern Company acted quickly, prefinancing five years’ worth of equity, taking the company’s equity ratio from 38 percent to 41 percent by the end of the year, and reducing short-term debt from more than 10 percent of debt capital to about 5 percent. At the same time, Southern Company increased the average life of the long-term securities it sold, from eight years in 2002 to 23 years in 2004.

Nearly all the CFOs with whom we spoke felt similarly about the challenges of keeping pace with the increased complexity that accompanies growth. And they pointed out, as well, that technological advances have contributed to complexity even as they have revolutionized information technology and business processes.

At Pfizer, for example, revenues have more than tripled and the head count has more than doubled over the last five years, because of a combination of core growth and acquisitions. The result, said Mr. Shedlarz, has been “an exponential increase in complexity.”

Evolution of Risk
“We have seen changes in our business model. We have had a lot of new external demands placed upon us. The evolution of risk management, for example, is a response to a changed atmosphere. It wasn’t because somebody woke up one day and said, ‘Wouldn’t it be great if your CFO managed this?’ Risk entered the business in a way in which it hadn’t been there previously. We developed models to respond, and it was appropriate for the CFO to manage that process and be accountable for its evolution.”
—Susan Tomasky, American Electric Power

The rapid advances in information technology for business processes present a quandary for CFOs, said Caterpillar’s Mr. Oberhelman. “That to me is the part of the accounting and financial operations function that really is our single biggest challenge,” he said. “How do I make sure we get good management reporting back to our divisions to give them all the tools they need to take advantage of all the things they can take advantage of today? Few companies can take advantage of all the technology that’s available today without significant cost and change. How do we balance that?”

Raising the Bar
It should be clear that the bar has been raised substantially for the CFO. But although the challenges are large, the potential rewards are even more substantial, for individuals and for their organization. In an environment in which investors demand sustainable growth, precise forecasts, and earnings reliability, executives who can help their companies achieve these goals quickly become valued players. The old CFO model simply won’t do in this era. Only the transformational CFO can meet the requirements of the modern corporation.

Fortunately, the CFO is well positioned to play this more dynamic role. As the interviews in this book make clear, the traditional tasks give the chief financial officer a unique vantage point from which to address the new challenges. A view of the organization from 30,000 feet above ground provides the CFO with an enterprise-wide perspective; indeed, good chief financial officers seem to have an innate ability to understand what makes each business in the portfolio tick. In addition, the CFO’s traditional responsibilities in accounting and compliance give a tremendous amount of independence and objectivity to the position.

The CFO has only one core constituency: the shareholder. This fact, combined with the trusting relationships CFOs develop with senior business executives, allows the CFO to move seamlessly into a more transformational role. That role, we discovered, is no fairy tale, but the new reality for chief financial officers around the world.

Author Profiles:
Vinay Couto (couto_vinay@bah.com) is a vice president with Booz Allen Hamilton in Chicago. He works with Fortune 500 companies on restructuring their organizational models and business processes in response to major strategic shifts, such as acquisitions, spinoffs, and globalization.

Irmgard Heinz (heinz_irmgard@bah.com) is a vice president with Booz Allen Hamilton based in Munich. She works in the telecommunications, transportation, and energy industries, specializing in organizational, performance, and financial issues.

Mark J. Moran (moran_mark@bah.com) is a vice president in Booz Allen Hamilton’s Cleveland office. A specialist in strategic leadership, he helps clients design and implement management systems that improve corporate performance.
This article is adapted from CFO Thought Leaders: Advancing the Frontiers of Finance, edited by Rob Norton, with an introduction by Vinay Couto, Irmgard Heinz, and Mark J. Moran (strategy+business Books, 2005).
 
Sunday, October 17, 2004
Mapping COSO and CobiT for Sarbanes-Oxley Compliance
ITAudit The IIA

Vol. 7, October 1, 2004

Audit and Control

Mapping COSO and CobiT for Sarbanes-Oxley Compliance

By Sally Chan, CMA, ACIS, PADM
RBC Financial Group

Two control frameworks have been widely adopted by public companies subject to the requirements of the U.S. Sarbanes-Oxley Act of 2002: the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control — Integrated Framework, released in 1992, and the IT Governance Institute's Control Objectives for Information and Related Technology (CobiT). Although the U.S. Securities and Exchange Commission (SEC) suggests that public companies consider the control components of COSO when seeking Sarbanes-Oxley compliance, neither the SEC nor the U.S. Public Company Accounting Oversight Board has openly endorsed a specific information technology control framework. Interestingly, as companies subject to the act's requirements get closer to first-year certification, more practical questions are being raised about the relationship and alignment between the COSO internal control framework and CobiT objectives.

UNDERLYING CONCEPTS AND CONTROL OBJECTIVES
COSO internal control framework states that internal control is a process — established by an entity's board of directors, management, and other personnel — designed to provide reasonable assurance regarding the achievement of stated objectives. CobiT approaches IT control by looking at information — not just financial information — that is needed to support business requirements and the associated IT resources and processes.

COSO control objectives cover effectiveness, efficiency of operations, reliable financial reporting, and compliance with laws and regulations. Its primary role is fiduciary. On the other hand, while the IT Governance Institute — which is affiliated with the Information Systems Audit and Control Association — acknowledges and makes explicit reference to COSO's fiduciary role, it extends CobiT's role to cover quality and security requirements in seven overlapping categories: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information. These categories form the foundation of CobiT's 34 control objectives within its four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring.

COSO and CobiT cater to different audiences. While COSO's target audience is management at large, CobiT is intended for management, users, and auditors (mostly IT auditors). Both COSO and CobiT view control as an entitywide process, but CobiT specifically focuses on IT controls. This distinction in effect defines and determines to a large extent the scope of each control framework.

Because of these differences, auditors should not expect a one-to-one relationship between the five COSO control components and the four CobiT objective domains. The purpose of the following high-level mapping is to give auditors a COSO point of reference when discussing the role of technology in the assessment of internal controls for financial reporting. Auditors can then select the relevant CobiT control objectives for Sarbanes-Oxley under the four domains when mapped to the COSO internal control framework.

AN ALTERNATIVE MAP
Below is an alternative view of the COSO-CobiT mapping depicted in the IT Governance Institute's document IT Control Objectives for Sarbanes-Oxley [PDF], which was released earlier this year. That document presents the relationships between COSO, CobiT, and Sarbanes-Oxley Sections 302 and 404 as horizontal layers of a three-dimensional cube. In reality, the nature and extent of this tripartite relationship is neither equal nor direct — processes take place in a continuum. Mapping CobiT to COSO's internal control framework can only capture a high concentration of the associated processes.

COSO Internal Control Components mapped to CobiT Domains (with sample control objectives relevant to Sarbanes-Oxley):

1. Control Environment

Planning and Organization (PO):

  • PO 4.2 – Organizational placement of the IT function.
  • PO 6.1 – Positive information control environment.
  • PO 6.2 – Management’s responsibility for policies.

2. Risk Assessment

Planning and Organization (PO):

  • PO 9.0 – Assess risks.

3. Control Activities

Acquisition and Implementation (AI):

  • AI 1.4 – Third-party service requirements.
  • AI 6.0-6.8 – Manage changes.

Delivery and Support (DS):

  • DS 5.0-5.21 – Ensure system security.
  • DS 11.0-11.30 – Manage data*.

* Application control evaluations and the American Institute of Certified Public Accountants' SysTrust reports can supplement CobiT's data management control objectives.

4. Information and Communication

Planning and Organization (PO):

  • PO 6.0-6.11 – Communicate management aims and direction.

5. Monitoring

Monitoring (M):

  • M 2.0-2.4 – Assess internal control.

The fact that CobiT does not map 100 percent to COSO should not deter auditors from using these existing frameworks alongside each other. Organizations can treat these frameworks as essential reference material and as a sound basis for formulating their own integrated and customized control framework for Sarbanes-Oxley.

COSO ERM AND COBIT
With the recent release of the COSO Enterprise Risk Management (ERM) — Integrated Framework, which identifies interrelationships between risk and risk management, organizations and auditors should consider whether it is warranted to map CobiT to COSO ERM, as well. COSO ERM takes a broader view of risk than the risk-assessment component contained in the COSO internal control framework. In CobiT, risk assessment is a process — not a distinct and separate domain — therefore, it may be more appropriate to compare COSO ERM to the IT Governance Institute's Board Briefing on IT Governance. Regardless of the outcome of any comparison, COSO ERM is expected to further expand auditors' focus towards disciplined risk management. As a result, auditors should critically assess whether COSO and CobiT provide sufficient risk coverage as stand-alone control frameworks for the 21st-century auditor.

Even before the final COSO ERM recommendations were published, there was already an increased sensitivity and a growing trend towards addressing risk issues upfront as a condition precedent to control issues at both the entity and activity levels. After all, controls are risk-driven, so understanding risk is a prerequisite to the appreciation and application of control. Understanding the risks in an organization's business environment makes control design more effective and reduces the effort required to remedy control deficiencies in both manual and automated environments. From a Sarbanes-Oxley perspective, the highly publicized significant deficiencies and material weaknesses in internal control reported by external auditors at many companies have added yet another challenging dimension to financial reporting and a new meaning to reputational and compliance risks, according to Compliance Week. There are already emerging views that suggest building ERM on the foundation laid by Sarbanes-Oxley.

USE COBIT SELECTIVELY
Because Sarbanes-Oxley Section 404 is strictly focused on internal controls over financial reporting, any user of CobiT must first determine the relevance of a significant IT process or IT-dependent process by assessing its primary contribution to internal controls over financial reporting rather than to the broad spectrum of IT control processes encompassed by CobiT. One way to ensure that IT is properly anchored to a significant account, business process, or major class of transaction is to critically question the role of IT in risk mitigation and in enhancing the integrity of financial reporting and financial-statement assertions. IT auditors have a new opportunity to add value by evaluating the design and operating effectiveness of automated application controls end-to-end in addressing fraud, yet this scope is not explicit in CobiT.

It is important that auditors select relevant IT control objectives from CobiT when defining their Sarbanes-Oxley scope. IT's unique contribution centers around its ability to enhance the integrity, security, and availability of financial information within those identified business processes, as well as the safeguarding of assets — especially information assets.

For internal auditors, COSO is the primary Sarbanes-Oxley reference and CobiT a secondary resource, but for IT auditors, understanding COSO is only the beginning. IT auditors should start with COSO and selectively adapt CobiT for Sarbanes-Oxley without excluding other established IT control models such as the ISO/IEC 17799 Code of Practice for Information Security Management, established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). For a broader overview of IT guidance, readers can refer to the IT Governance Institute's research paper CobiT Mapping – Overview of International IT Guidance [PDF], which maps several commonly used IT standards and guidance against the CobiT framework. That publication maps the COSO internal control framework from the vantage point of CobiT in the pre-Sarbanes-Oxley environment.

FOR MORE INFORMATION

Committee of Sponsoring Organizations of the Treadway Commission (COSO), www.coso.org

IT Governance Institute, www.itgi.org

The findings, interpretations, and opinions expressed in the published materials are those of the author of the work only.


Vol. 7, October 1, 2004


 
Institute of Internal Auditors of India http://www.iiaindia.org/
http://www.iiaindia.org/knowledge_links.asp


 
  erpseminars.com Jeffery T Hare

jhare@erpseminars.com
 
Thursday, July 15, 2004
Corporate Governance
Sarbanes-Oxley Resources: A Collection of Helpful Tools - Deloitte & Touche USA LLP
Financial Executives International: CFOs, Treasurers, Controllers
404 Institute.com
AuditNet: Internet Web Portal for Auditors!
http://www.auditnet.org/sarbox.htm



In the wake of Enron and WorldCom the role of internal auditors in corporate governance has taken on a whole new meaning. The passage of the Sarbanes-Oxley Act and actions by the U.S. Securities and Exchange Commission imposed new requirements on auditors, corporate boards and management. This section of AuditNet® provides tools and resources for internal auditors to acquaint themselves with the new rules and share guidance and best practices for partnering with audit committees. Internal auditors now have a unique opportunity to work together with audit committees to help in the corporate governance mandate. If you have resources or links you would like added to this page, please contact us.

 
Information Nation: Seven Keys to Information Management Compliance

Randolph A. Kahn, ESQ. and Barclay T. Blair
AIIM International
Available March 1, 2004
Paperback
Approx. 300 pp.

Book Overview



Information Management has entered a new era. An era shaped by headline-grabbing business failures and scandals where information destruction and mismanagement played a starring role. An era defined by tough new laws and regulations that threaten to send executives to jail for information mismanagement. An era where organizations are struggling to control and leverage an ever-expanding body of business information, while reducing the bottom line.

How can organizations respond to this new era in a manner that will promote and protect their business and legal needs? How does the mantra of corporate accountability and transparency translate to the real world of tight budgets, fast-paced technological change, and a constantly shifting legal and business landscape?

Information Nation provides answers to these and many other critical questions faced by today's organizations. The authors introduce Information Management Compliance (IMC), an exciting new concept that brings the tools and principles of the compliance world to bear on Information Management. Each of the Seven Keys to IMC is packed with practical insight and real-world examples that organizations large and small can use to evaluate, design, or improve their current Information Management practices. Written in plain English, and incorporating the latest developments in law, technology and business practice, Information Nation is required reading for anyone who shares responsibility for managing information in their organization.




Table of Contents

Foreword by Jay Cohen, ESQ. ...xi
Preface by John F. Mancini ...xv
Introduction: Welcome to a New Era of Information Management ...1

PART 1 Laying the Foundations of Information Management Compliance ...7

Chapter 1 Why Information Management Matters ...9
Chapter 2 Building the Foundation: Defining Records ...17
Chapter 3 An Overview of Records Management ...31
Chapter 4 Information Management Compliance (IMC) ...43
Chapter 5 Achieving IMC: Introduction to the Seven Keys ...57
Chapter 6 Sarbanes-Oxley and IMC ...65

PART 2 Seven Keys to Information Management Compliance ...75

Key 1 Good Policies and Procedures ...77
Chapter 7 The Purpose of Policies and Procedures ...79
Chapter 8 Making Good Policies and Procedures ...89
Chapter 9 Information Management Policy Issues ...103

Key 2 Executive-Level Program Responsibility ...125
Chapter 10 Executive Leadership, Sine Qua Non ...127
Chapter 11 What Executive Responsibility Means ...141
Chapter 12 IT Leadership ...147

Key 3 Proper Delegation of Program Roles and Components ...163
Chapter 13 Create an Organizational Structure to Support IMC ...165
Chapter 14 A Sample Information Management Organizational Structure ...175

Key 4 Program Communication and Training ...185
Chapter 15 Essential Elements of Information Management Communication and Training ...187

Key 5 Auditing and Monitoring to Measure Program Compliance ...201
Chapter 16 Use Auditing and Monitoring to Measure IMC ...203

Key 6 Effective and Consistent Program Enforcement ...219
Chapter 17 Addressing Employee Policy Violations ...221
Chapter 18 Using Technology to Enforce Policy ...23

Key 7 Continuous Program Improvement ...239
Chapter 19 The Ongoing Work of ...241

Conclusion ...259
Notes ...261
Index ...271
Industry Resources ...281
About the Authors ...301




 
Sunday, July 11, 2004
The Sarbox Conspiracy
Sarbanes-Oxley compliance efforts are eating up CIO time and budgets. Worse, CIOs are being relegated to a purely tactical role. And that may be the CFO's plan.
BY CHRISTOPHER KOCH
When CIOs began installing ERP systems in the '80s and '90s, they unwittingly took something that used to belong to CFOs: financial controls. The things that accountants used to monitor manually—such as making sure that two signatures from the right people went on every check, or reconciling purchase orders against invoices—all became automated inside ERP systems. The meticulous audit trail that controllers and accountants had established over generations for demonstrating that money was being handled properly (think of black, leather-bound ledgers and long ribbons of adding machine paper) disappeared into those ERP systems without a trace—or at least without being properly documented, and certainly not to the extent now required by the 2002 Sarbanes-Oxley Act, a.k.a. Sarbox.

Today, CFOs want those controls back. If they don't get them, they believe they could go to jail. Section 404 of the Sarbanes-Oxley Act mandates that CFOs have to do more than simply pledge that the company's finances are correct; they have to vouch for the processes used to add up the numbers. (See "What Section 404 Says," right.)
Sane people don't want to go to prison. They can even get a little frantic about it.

That's why CIOs perhaps can forgive their CFOs for getting aggressive when it comes to taking control of Sarbanes-Oxley compliance efforts. What CIOs shouldn't forgive, or take lying down, are their CFOs' attempts to freeze them out of the process.

A recent survey by research company Hackett Group found that just 12 of 22 companies surveyed had IT representation on their Sarbox steering committees. Among 75 public companies that Gartner surveyed last fall, just 63 percent said IT was involved.

Partly, this may be because many companies have been slow in getting their Sarbanes-Oxley efforts up and running. Only 65 percent of Gartner's respondents even had a Sarbox steering committee. Twenty-eight percent had no plans to form one.

But some CIOs see a darker agenda at work—a conspiracy. They fear Sarbox has become a stalking-horse that CFOs are using to assert control over IT and displace the CIO as the company's business process expert. Egging CFOs on, this theory goes, are the Big Four accounting firms, desperate to reassert themselves after the Enron debacle (which turned the Big Five into the Big Four after Arthur Andersen bit the dust) and needing consulting revenue to replace what they lost when most split off their consulting divisions. (See "The Revenge of the Bean Counters," right.)
"Finance and accounting organizations have been pushed to the background recently as IT and supply chain have been driving where companies are going," says one disgruntled CIO who declined to be identified. "Sarbanes-Oxley is the revenge of the bean counters. It's a wedge for the accounting profession to get control of the business again."

"CIOs are getting left out of Sarbanes-Oxley efforts, and it's a travesty," says Garry Lowenthal, CFO of Viper Motorcycle and chairman of the Finance and Technology Committee of Financial Executives International (FEI), an association of senior financial executives. (Lowenthal is sufficiently concerned that he is helping to set up a joint session between FEI and the Society for Information Management [SIM] at SIM's annual meeting this September to talk about how IT and finance can work together on Sarbox.) Adds Gartner Research Director Rich Mogull, "I'm hearing stories about CFOs not including CIOs in their compliance visions. I think that's a big mistake."


The Dark Agenda
Right now, CFOs are setting up compliance committees, often headed by their controllers and staffed by internal auditors and consultants from the Big Four accounting houses, and sending them out in pursuit of any and all business processes and IT systems that could have any impact on the balance sheet. IT systems across the country are glowing eyeshade green as accountants flock around them to figure out how they work and document those buried controls.

For CIOs, this can be a huge distraction and an enormous energy drain.
"We've taken a substantial productivity hit from this," says Brunson White, CIO of utility company Energen. "We didn't do much besides governance work last January. Sarbanes has pulled some of our best resources and altered our plans for other projects."

Sarbox is also expensive. Another utility CIO, Dennis Klinger of Florida Power & Light, says his company has already spent "multiple millions of dollars" on compliance, most of it on labor. And just as companies are starting to loosen their purse strings, much of that money is coming out of IT's hide.

But where there's pain, there's also opportunity.

If CIOs can take Sarbox beyond mere compliance, and automate and streamline business processes and financial controls so that the cost of compliance goes down over time while business performance improves, they could become heroes. But if they just play a tactical role, focusing only on IT-specific controls and leaving the rest to the CFOs and the accountants, that could fix a hard, clear varnish over the view in many executive suites that IT should be forever subservient to finance.

Which, according to many, is just what finance has in mind. As a former corporate vice president of IT, C. Lee Jones, chairman and CEO of Essential Group, a pharmaceutical services company, has had frontline experience on both sides of the IT-finance battleground, and he says that many CFOs would like to see CIOs left out of the Sarbox equation. Why? Because, he says, "it would give CFOs control over one of the largest fixed costs in the company: IT."

It's beginning to look as if Sarbanes-Oxley will be the greatest test yet of CIOs' standing within the enterprise.


The Sarbox Disconnect
Running Sarbanes-Oxley efforts is not an option for most CIOs. Sarbox is about financial processes. And each year when they sign off on the numbers, it's the CFOs' necks on the line (along with the CEOs'). "Controls and processes around financial reporting indicate the money guy should be intimately involved [in Sarbox]," says AMR Vice President of Research John Hagerty. A recent AMR survey found that 72 percent of Sarbanes-Oxley compliance teams were led by finance, and just 4 percent by IT. (The remainder were led by other business functions, plus legal and the board of directors.) But CFOs will not be able to prove compliance without the CIO. In most cases, the CFO's expertise ends where his numbers feed into information systems.

Most CFOs are aware of that, of course. However, they have options about where to go to get help. They could delegate compliance to internal audit (another group lacking a good understanding of IT issues) or hire external consultants. But if CFOs do an end run around IT and keep Sarbox efforts within the domain of the accountants and consultants, they could lose an opportunity to make the business run better. Hackett Group found that 47 percent of companies it recently surveyed still use stand-alone spreadsheets as part of their financial reporting process, meaning that the controls used to trace and audit the processes are essentially manual. Somebody throws numbers into a spreadsheet and passes them to someone else until they wind up in the annual report. Manual financial controls, as any auditor will tell you, are time-consuming, labor-intensive and costly; they're why companies abandoned those black ledgers in the first place.

"If you can automate it, and make it repeatable, you can know the controls," says Marc West, CIO of video game maker Electronic Arts. "If it's manual, it's more difficult to confirm the process and test it."

AMR estimates that of the roughly $3 billion spent on Sarbanes-Oxley compliance in 2003, about 90 percent was spent on internal staff and consultants. To keep Sarbox from becoming an annual, recurring nightmare, companies need to automate financial controls (documenting them this time) and replace some of the labor-intensive manual detective work with software and hardware. That shift needs a leader. And that leader logically should be the CIO because the CIO will have to maintain and support those automated controls.

But just like Y2K, consultants and vendors are descending upon CEOs and CFOs and selling them magic-bullet software solutions for Sarbanes-Oxley over the heads of CIOs. It's ERP all over again. The financial controls gap inside most ERP systems today is partly the product of the communication gap between those who bought ERP systems (CEOs and CFOs) and those who installed and maintained them (CIOs). ERP projects went sour when business leaders and CIOs could not agree on how best to automate business processes in ways that could be integrated, supported and maintained by IT. Sarbanes-Oxley could easily lead to that same disconnect.

Sarbanes-Oxley means CIOs and CFOs need each other more than ever. Whether they will ever get around to admitting it is another matter. But if someone needs to swallow his or her pride and make the first move, it's the CIO.


The CIO's Dilemma
Today's corporate climate is not, however, conducive to compromise. Consultants and internal auditors are getting in CIOs' faces and demanding tighter controls in IT without deep knowledge of either Sarbanes-Oxley or IT.

"I've been told that I now need to submit every requisition to finance for approval before I can spend my budget," says one angry manufacturing company CIO who declined to be identified. "The CFO has delegated it to the controller, who has hired all these young auditors and consultants who think they're on a mission. They see Sarbanes-Oxley being above and beyond everything else we're doing. It's annoying because there are more important things we should be doing." Even though she is part of the company's Sarbox steering committee, this CIO has given up hope that the project will lead to the kind of process improvement and automation that could provide a long-term benefit to the business. "Everybody will do what they have to do to get through the compliance door, and the funding and overall attention and priority for the other process improvements will go where they always go—to the bottom of the list," she says.

Mostly, CIOs resent Sarbanes-Oxley. IT has been suffering through a funding drought since 2000, and now that corporate revenue is finally bubbling up again, Sarbox has cut to the front of the line. "We haven't been able to get much funded," says Electronic Arts' West. "Now here comes Sarbanes-Oxley and you have to find money in your budget to document processes. It's frustrating."

West is trying to turn that frustration around by using Sarbox as a lever to revamp governance processes across the business and in IT. "I think this will be one of the best things for IT in the long run because it's an opportunity to improve the ways we do things," adds Brad Friedman, vice president of IS for Burlington Coat Factory and the Sarbox point man for Burlington CIO Mike Prince. "You have to brainwash yourself into looking at it like that or you will dread it, because it's not a one-time event."

But Friedman acknowledges that he's having a hard time knowing where to start. Like many IT executives, he is desperately seeking guidance for this brave new world of Sarbox-enabled governance.

"If you read through the control objectives in Sarbanes-Oxley, they're very general," says Friedman. "Trying to burrow down to the detail and understand what will be looked for by the external auditor is very difficult. It's also difficult to draw the line between IT processes, operational processes and financial processes."


The CIO Solution
At utility NStar, CIO Gene Zimon took an early leadership role by suggesting that the company approach Sarbox the same way it did Y2K. Accordingly, NStar created an overall steering committee that meets monthly and includes the top functional executives from around the company. Zimon volunteered his program office director to help coordinate the effort. Working with the finance group and consultants, the project leadership parsed the project into 10 major processes by reverse engineering the balance sheet and income statement preparation process. "We took the numbers and worked backwards to find every system that contributed something to each of them," says Zimon. Each of the 10 processes was treated as a distinct project, each with its own steering committee, a business sponsor, internal audit consultant, and a business and IT lead assigned to do the dirty work of ferreting out the controls, documenting them and resolving any gaps in the process. "The most important thing was defining the areas we wanted to look at, to make it all real and measurable," Zimon says. "Otherwise, it all seems too vague."
At Energen, CIO White is taking the same reverse engineering approach to controls, trying to automate the ones he can. One is change management for Energen's ERP system. Right now, the process for making a change to the system—say a tax rate change or a bug fix—is "arduous and requires many sign-offs," says White. Any changes that can affect financial data will have to be reported under Sarbanes-Oxley, and if, for example, a bug in the ERP software means past financial data was not correct, the company may need to restate earnings. That means change management must be much more carefully documented and monitored than in the past. So White is planning to automate the change request and sign-off processes to speed things up as much as possible. But he's still worried that the new levels of scrutiny—and the coming requirement in Sarbanes-Oxley Section 309 that material changes to financial be reported in real-time—will prevent those changes from happening as fast as some in finance would like. "There isn't a whole lot more time to milk out of the change process," he says. "If it takes a week then that's the way it is. But people are already telling me it's not fast enough."


The Knowledge Gap
Without a good playbook for Sarbanes-Oxley, IT and business executives find themselves dependent for advice upon external auditors and consultants. But according to the CIOs and analysts we spoke to, consultants are also trying to figure out what compliance means. And that's yet another sore point for CIOs.

"I'm not getting any good advice about what I'm supposed to be doing from the consultants or the external auditors," says the anonymous manufacturing CIO. "They have no clue what Sarbox means for IT yet." Adds Gartner's Mogull, "The most common complaint I'm hearing about the auditors is they aren't providing enough clear guidance." When he challenged some of the auditing firms with this, their response was that the rules haven't yet been finalized by the Securities and Exchange Commission. "I said, Well that's fine," recalls Mogull, "but why are you taking people's money then?"

Complicating the situation is the longtime split that has existed between financial auditing and IT auditing inside consulting firms and the Big Four accounting firms. Financial auditors have traditionally focused on controls and overall business governance, while IT auditors have consulted with CIOs on best practices for running IT. And just like the businesses they serve, it's financial auditors, not the IT auditors, who are running Sarbox consulting engagements. This can lead to IT issues being ignored or shoved to the back burner. "They send in financial auditors and IT auditors but they are usually two separate teams that haven't created a [joint] strategy," says Sharon O'Bryan, founder and president of consultancy OAS and a former Big Four IT auditor. This is yet another reason why IT may be left out of strategic planning for Sarbanes-Oxley.

With so much potential for confusion and consequent disaster, all top enterprise executives need to stay in the compliance loop. Even if an internal audit group is charged with leading the day-to-day effort on Sarbanes-Oxley, the steering committee is a place where other, nonfinancial voices can be heard. This will eventually allow internal audit groups to save face when they realize that Sarbox is a much bigger job than they may have originally thought. Energen's White, for example, is part of a seven-member planning group that includes the CEO, CFO, COOs of two subsidiaries, the HR chief and chief counsel. This group doesn't just democratize communication, however. It also demonstrates resolve and commitment from the top. That's crucial in most IT projects, but especially in Sarbanes-Oxley because, as Burlington Coat Factory's Friedman puts it, "There is no value [in Sarbox] as far as the user community is concerned. If you don't have executive pushdown on this one, people are not going to move on it."


The Sarbox Compromise
Most auditors and CFOs we spoke with say that if IT is being left out of Sarbanes-Oxley, it is more a sin of omission, and perhaps ignorance, than a calculated plot. "The extent of IT involvement depends on how intuitive companies have been about technology-enabled controls," says Mark Lindig, a partner with Big Four firm KPMG's IT auditing group. "If there isn't much understanding, then IT might not be there at the beginning. Finance looks at Sarbanes-Oxley and says, 'How can I do this from a numbers focus?' It's like a hub-and-spoke arrangement where finance starts it and brings in other groups as they go."

CFOs are also struggling with how to define other executives' roles in Sarbanes-Oxley. "Who signs on the bottom line?" asks Dennis Cavender, CFO of Essential Group, his voice shaking with emotion. "The CFO and CEO. That's who have to put their names on the line, and that's who it comes back to. I don't see Sarbanes-Oxley as a confrontation between the CFO and CIO; I see it as being a team that has to work closer together, or the processes and internal controls will fall apart."

CIOs could do everyone a favor by defining their role in Sarbanes-Oxley themselves. After companies get over the initial shock of discovering how many manual financial controls they need to document, the CIO eventually will be assigned to automate them to save time and expense in quarterly compliance efforts. "The CIO will become the custodian of controls," says Lindig. "The finance function has to own them because they are the last line of defense before the audit, but as the controls are distributed into the organization, you need to establish custodial and execution responsibilities. That's what Sarbanes-Oxley shines a bright light on. You have to have an accountability model for those controls."

This could be the natural role for CIOs—think access rights to systems, constructing employee portals, and other instances where the CIO already defines and manages automated controls. But it's a short step from there to a much larger role that many CIOs have been reluctant to contemplate: the move from simply owning and maintaining the IT plumbing to becoming accountable for the accuracy and integrity of the data flowing through those pipes—the data controller, as John Lenz, partner at consulting company Tatum Partners, puts it. "Just as we have financial controllers today who assure the accuracy and integrity of numbers, we will have data controllers who assure the accuracy and integrity of data," Lenz suggests.

Some CIOs have already accepted that accountability. Electronic Arts' West signs a certification to his CFO that the data from his financial IT systems is accurate. The CFO and CEO are still ultimately (and legally) accountable if the numbers are wrong, but subcertification puts functional executives' necks on the line internally and in civil lawsuits. Gartner predicts that by next year, 70 percent of publicly traded companies will require their CIOs to do it.

CIOs who say they are currently satisfied with their role in Sarbanes-Oxley have one thing in common: They are defining their role themselves. They are volunteering to help coordinate the effort and offering project management—IT's unique, golden asset—to whomever wants it.

"I got involved and pushed the issue," says NStar's Zimon. "I thought, Better to get involved early than have the business come to me with a list of demands [just before the deadline]." By turning Sarbox into a "project" like Y2K, and volunteering resources to staff it, Zimon got to have more input into the company's governance model. He also gained access to an early warning system that informs him of issues bubbling up. Now he's working on building a joint business and IT group to continue to monitor and support the financial controls after the first round of Sarbox passes.

"I talk to CIOs who say this isn't an issue for them like it is for me," says White. "I can't help but wonder if they aren't in for a rude awakening."

Executive Editor Christopher Koch can be reached at ckoch@cio.com.
 
