Managing the Muddle
By Elizabeth Bennett | Posted 2005-09-07
Following its much-anticipated IPO, the mattress maker had barely a year to document its policies and procedures for a SOX audit.
With excruciating detail required at each step of the way, Tempur-Pedic needed a method to manage all the documents that it would produce to describe how it conducted and tracked its financial reporting processes. It had none.
So it took Deloitte's advice and put all of its controls and testing information into a Deloitte-developed program called the Risk and Control Tracking System (RCTS). Then, it put the documents on a portal, using Microsoft SharePoint software. That meant the steps of any control could be retrieved by any manager anywhere at any time.
Tempur-Pedic allowed Deloitte to deploy the application because the office staff in corporate headquarters could administer it without the help of the 22-person information-technology team, which was tied up documenting how the company maintained and controlled access to its information systems.
Commercial SOX compliance software was in its infancy in early 2004. There are now more sophisticated products on the market, from suppliers such as OpenPages, Paisley Consulting and IBM. Today, Deloitte no longer even recommends its homegrown application to new clients, says Lee Dittmar, a principal at Deloitte and co-leader of the consultancy's SOX practice: "We're not a software company."
A repository for controls and a workflow tool, Deloitte's program is designed to track the status of a control—whether it's been documented, reviewed and has passed its tests. If it hasn't passed muster—requiring, say, just one signature on a purchase of more than $1 million—it is flagged. Instead of only a regional director's signature for the purchase, the control might be updated to require a vice president's signature, too. Ernst & Young reviewed RCTS reports at the end of the year to verify the status and history of controls.