Getting Employees in Line

By Deborah Gage  |  Posted 2006-06-06 Email Print this article Print
 
 
 
 
 
 
 

Here's how business is tackling three of the biggest I.T. compliance challenges.


NO. 1 CHALLENGE: GETTING ALL EMPLOYEES TO PROPERLY TRACK BUSINESS PROCESSES

  • Company: Sky Financial Group
  • Business: A $1.04 billion financial holding company
  • Regulation: Sarbanes-Oxley
  • Software solution: OpenPages SOX Express, from OpenPages, Waltham, Mass.

    The Sky Financial Group is no stranger to regulation. A $1.04 billion financial holding company headquartered in Bowling Green, Ohio, it operates regional banks, ATMs and insurance agencies throughout the Midwest.

    But complying with Sarbanes-Oxley has been different than complying with other mandates, says senior vice president of finance Donald Hileman. The law reaches more deeply into the organization than any other mandate, and it has forced the company to make sure that everybody involved understands how to comply.

    Sky Financial's auditors were familiar with Sarbanes-Oxley's idea of internal controls from using a risk management framework created by COSO, a commission sponsored by five U.S. accounting organizations that was formed in 1985 to clean up fraudulent financial reporting. The company was able to use that knowledge to help create controls for the new law, Hileman says. But teaching employees about testing and documenting those controls—creating repeatable, auditable processes so that every loan had the right approval signature, for example—involved extra steps.

    For example, one test of a Sarbanes-Oxley control is that a loan has to be signed for by an appropriate supervisor. If auditors pull out a sample of 25 loan transactions and one signature is missing, those signatures can't be used to support the integrity of financial statements.

    "Documenting test plans [for controls] was a challenge," Hileman says. "We had to make sure the tests were doing what they were intended to accomplish."

    During Sky Financial's first year with Sarbanes-Oxley, auditors worked manually to test business process controls and document test plans. Then the company started automating that work, using management software called SOX Express from OpenPages in Waltham, Mass.

    The software, which monitors Sky Financial's test plans and test results, has now been running for two annual financial cycles, Hileman says, and it does help employees document controls to make sure the processes that support compliance don't change from quarter to quarter.

    OpenPages is a former content management vendor that repositioned its products for Sarbanes-Oxley in 2002. It is upgrading, renaming and repositioning SOX Express again this month to appeal to companies that need to comply with regulations globally, a spokeswoman says. Its software is built on Java and integrates with other applications through a Web services Application Programming Interface. It manages documents, monitors workflow and issues reports. Prices vary. Competitors include IBM, Stellent and Paisley Consulting, but there are no leaders in the field, according to research firm Gartner. So far, Gartner says, compliance technology "remains very much a work in progress."

    Having good communication with auditors has been important in getting the company's processes automated, Hileman says. Such relationships can be hard to develop, because Sarbanes-Oxley requires separation between auditors and their clients to avoid gigantic fraud cases like Enron, where auditors were complicit in the fraud. For example, auditors aren't allowed to design controls, although the Public Company Accounting Oversight Board, which inspects public companies for compliance, decided last year that it was OK for auditors to consult with companies on controls.

    To keep its auditors well informed and save time, Sky Financial created a walled-off area of its computer system so they can review controls whenever they wish. The system keeps an audit trail of their activities, Hileman points out, and Sky Financial ends up spending less time explaining things to auditors.

    Next page: Keeping Job Functions Separate



  • <1234>
     
     
     
     
    Senior Writer
    debbie_gage@ziffdavisenterprise.com
    Based in Silicon Valley, Debbie was a founding member of Ziff Davis Media's Sm@rt Partner, where she developed investigative projects and wrote a column on start-ups. She has covered the high-tech industry since 1994 and has also worked for Minnesota Public Radio, covering state politics. She has written freelance op-ed pieces on public education for the San Jose Mercury News, and has also won several national awards for her work co-producing a documentary. She has a B.A. from Minnesota State University.

     
     
     
     
     
     

    Submit a Comment

    Loading Comments...
    Manage your Newsletters: Login   Register My Newsletters



















     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    Thanks for your registration, follow us on our social networks to keep up-to-date