ZIFFPAGE TITLEStep by StepBy Larry Barrett | Posted 2004-10-01 Email Print
WEBINAR: Event Date: Tues, December 5, 2017 at 1:00 p.m. ET/10:00 a.m. PT
How Real-World Numbers Make the Case for SSDs in the Data Center REGISTER >
In its race to comply with a Sarbanes-Oxley rule, Ingersoll-Rand found where it had been performing tasks twiceor not at all.
Step by Step
With the management team assembled, the audit services department laid out the groundwork for this corporate process-mapping project by creating what it called a control activity form. These forms, about 100 for the entire company, were distributed throughout the organization in the U.S. and abroad.
Ingersoll-Rand's activity forms were generic templates that allowed managers to first identify and define a process that was to be in control. For example, an accounts-payable manager would identify paying a bill to a materials supplier as a process. The definition would be how the bill was paid. Then, the forms required an assessment of the risks involved with the process. In this case, the main "risk" might have been the person authorizing the payment.
Next, the managers needed to outline how Ingersoll-Rand would mitigate the risk. In this scenario, it would require a supervisor's approval on any payment above $10,000. Another safeguard would be a requirement that the person authorizing the payment could not be the same person requesting payment.
Finally, the form asked for the process to be tested. The accounts-payable clerk and the supervisor would run through the process of creating, validating and approving a payment to a supplier. At the end, the check would be cut.
These forms were distributed electronically in Microsoft Word format to 175 sites throughout the organization. At each site, a Sarbanes-Oxley coordinator, usually a manager for a specific department, unit or region, would complete the form and then electronically file it in the company's Internal Controls Workbench (icw) software.
The icw software, developed by Pricewaterhouse-Coopers, is basically a repository for all Sarbanes-Oxley-related information at Ingersoll-Rand. pwc developed the software years ago for companies to keep close tabs on their internal controls, long before the sec required it.
But this is not a dynamic application. icw is a static collection of forms organized in a way that makes it accessible to both Ingersoll-Rand employees who participated in the compliance process and its independent auditor. This collection of information will be the first stop for the auditor at year-end.
Fletcher says the company set up a corporate intranet solely for the compliance endeavor. At any time, a member of the supervising Sarbanes-Oxley management team, or a coordinator who completed a form, could access the data to review it for accuracy or update it.
New procedures were implemented or refined as a result of the compliance process. For example, large orders of locks or refrigeration units that were delivered in separate shipments are now recorded for the month or quarter in which they're actually shipped, rather than lumping the whole order into one time period. Department heads now upload the pricing file for products to the erp system on a daily or weekly basis.
Every coordinatorbe it the sales manager responsible for selling the popular Bobcat excavation vehicles to dealerships, or the accounts-payable manager in the company's Schlage lock divisionhad six months to complete the activity form.
Finally, the executive management team reviews the compiled forms and tests the processes outlined to make sure they're in control. Once the fiscal year concludes in December, this information will be presented to the independent auditor to sign off on the control report.
Fletcher and his team won't really know if the project has been successful until the independent auditor reviews the internal controls and renders an opinion based on how complete and accurate they are, using generally accepted accounting principals (gaap) as a guide.
On the bright side, Fletcher says that by accurately documenting these processes, the company was able to identify tasks that were being duplicated or performed incorrectly, or not performed at all. He wouldn't comment on specifics, saying it was "basic stuff, the blocking and tackling of the company."
Going through this compliance process also reinforced Ingersoll-Rand's commitment to a major Oracle 11i upgrade for its customer-relationship management and enterprise resource planning software systems. Along with Oracle, the company also has large installations of software from SAP, Baan and Mfg/Pro, thanks to a spate of acquisitions over the past five years.
Complying with Section 404 "provides a powerful incentive to increase the speed of migrating from [old] systems to modern technologies like Oracle that will assist us in growing our business," Fletcher says.