Build Controls, Test Controls,By Anna Maria Virzi | Posted 2005-09-07 Email Print
The maker of Kleenex tissue and other products faced a daunting task: Document 4,000 different financial controls. It could have been worse.Automate Controls. Easy, Right?">
Identifying and documenting controls is only one hurdle. After that, an auditor tests a sample of those controls. If an auditor finds that a control isn't being followed, e.g., a supervisor had not signed off on a sales order, that finding is recorded as an "issue." The problem is investigated to determine the cause, and a correction plan must be developed, executed and, last of all, documented.
As Rehfuss and his team identified controls, they sized up software to store documents and keep the project on track.
In late 2003, Kimberly-Clark chose Paisley Consulting's hosted version of a Web-based document management application called Risk Navigator over products from SAP and PricewaterhouseCoopers.
Paisley's product is easy to customize, according to Frank Molina, senior project analyst at Kimberly-Clark for the Sarbanes-Oxley project. "With some systems, you have to change your project to fit the system," he says, adding that Kimberly-Clark didn't have to change its project.
For instance, the manufacturer could set up the software to reflect its organizational structure, showing the processes tracked by each of the 2,000 control owners.
And, access to the Risk Navigator database can be restricted based on an employee's duties. A worker responsible for five controls, for example, can enter reports for only those activities in his purview. Or a regional manager can review the Sarbanes-Oxley work of any or all control owners in his region, and find out if those controls were tested by an auditor, if problems were discovered, and if documents describing the remediation action were filed.
For an overview of the compliance work, senior managers can choose to see a list of reports identifying problems with internal controls for the entire company or a single division, and monitor what action has been taken to resolve these issues.
Using Risk Navigator, e-mail can be sent to control ownerswho hold positions such as customer service manager or accounting supervisorreminding them to complete their documentation.
Kimberly-Clark's external auditors have read-only access to the system so they can review completed reports "to make sure we've done what we've said we're going to do to fix a problem," Molina says. But the auditors cannot change the controls.
Kimberly-Clark did not uncover fraud during its examination, but it discovered that some controls were not always being followed. "Because of our high standards, we had hundreds of exceptions and hundreds of issuesmany of which were very easy to address," Rehfuss points out. "In some cases, it might be a reminder to certain employees, 'You have to review this and sign this every time.'"
Most oversights were chalked up to "human error," he says, such as a new employee, maybe someone filling in on a temporary basis, who was not aware that he had to electronically sign off on an invoice created by another employee.
An eye-opener for Rehfuss: the impact and pervasiveness of controls that involve information technology. "You could create the potential for widespread errors and, in the worst case, intentional fraud [without proper control over access] because so much of our business and transactions are run by computers," he says.
Documenting controls limiting access to computer systems, and then auditing them, proved to be a major task. That's because thousands of employees have access to software applications and computer systems.
Approaches to documenting and storing information about employee access to computer systems varies from department to department at Kimberly-Clarka process that Mike Grill, leader of the company's information-technology internal control team, and Jolene Meissner, a senior analyst in the information-technology services unit, are working to make uniform in the coming year. "Someone might print ane-mail and sign it.
Someone else might put that in a spreadsheet with an electronic signature. We want to do that in a common way," Meissner says, so it's easier to audit or test whether policies are being followed.
Limiting access to computer systems turned out to be a top challenge for other companies as well, according to Larry E. Rittenberg, an accounting professor at the University of Wisconsin and co-author of a January 2005 report on Sarbanes-Oxley's impact on companies. "Controlling access sounds simple," he says. "But it requires a lot of diligence on the part of everyone in an organization to map out what rights each individual should have to data. And make sure when someone changes a position [within a company] or leaves, those rights and privileges don't go with the employee. It's basic blocking and tackling."