Being out of financial compliance means being out of financial control -- and this is a bigger problem than imposed penalties and fines. Back when the Sarbanes-Oxley Act (SOX) was becoming a major concern for larger corporations, I did some consulting with Sun Microsystems specifically targeting SOX-related identity and access management controls.
During the process, I uncovered three key observations that still drive my advice for organizations trying to improve compliance through financial controls: purpose, organizational development and process leadership.
Financial compliance should be an intended consequence, not a primary objective, of your business strategy. To build proper executive-level buy-in, you'll likely need to associate financial compliance with a higher purpose. This is much easier than it sounds, but it takes the right perspective.
Most financial compliance is about following best practices. For example, if you examine the actual SOX regulation, it's quite simple. The regulation stipulates that you must be able to demonstrate that you're in financial control, which is as easy as having good financial processes, following them and being able to prove that you're following them.
The egregious corporate and accounting scandals at Enron, Tyco, WorldCom and others were what prompted U.S. Senator Paul Sarbanes (D-Md.) and U.S. Representative Michael Oxley (R-Ohio) to author the SOX legislation, which was designed to make sure that companies were not only acting ethically, but also had some sort of control over their financial procedures.
There's a higher purpose, however, for being in financial control. Consistently following a good set of financial procedures is the hallmark of a well-run company. As a result, the financial compliance objective should stem from the desire to build process competency, not to stay out of trouble with the U.S. government. With this type of objective, it's not hard to get support from the COO, or possibly the CEO -- and that's where support for your endeavor needs to come from.
Building the right financial compliance team
How your financial compliance team is organized has a tremendous impact on your control objectives' success. The team structure I espouse is what I call a finance systems group. This is in deference to the interdisciplinary philosophy of building a compliance team. The concept revolves around not only having the right talent represented on the team, but also making sure each member is cross-trained to the point where everyone is a generalist and at least one person is a specialist in every skill required for maintaining compliance. This includes finance, legal, information systems, project management, process development, business analysis and possibly others.
To support this, your team must have a culture of sharing and learning. Your technology professionals will be responsible for teaching other nontechnical people what they need to know about your systems. They will also be responsible for learning other disciplines like finance and legal. When I was working with Sun Microsystems on its SOX compliance, one of the biggest challenges was corralling all of the silos so they targeted one general purpose. You can avoid this with the proper organization (i.e. all disciplines under the same leadership) and culture (one that's open-minded, collaborative, etc.). If you're a leader, you have the special responsibility of making sure the team is guided and supported in the proper way. As with anything, leadership is paramount and can make or break the success of your financial compliance team.
Financial process leadership
Finally, financial control is ultimately about process leadership, not process management. When it comes to financial compliance, many organizations fall into the process management trap, wherein there's too much focus on the steps and not enough focus on the objectives. Stepping back from the financial processes to clarify objectives is at the heart of process leadership. Producing evidence of compliance -- a key competency of financial control -- is based on outcomes, not steps. You could demonstrate an audit trail outlining the financial process steps, but in the end the evidence most auditors want to see are process outputs like invoices and receipts. This is where good process leadership comes in.
More on compliance strategy
To ensure that you've properly clarified your process objectives, I would suggest some type of audit-driven approach. This will invariably raise questions about your objectives, which you should answer up front, negating the likelihood of ambiguity and inference on developers' part when they build the process steps.
In the process of creating financial compliance, your organization should be building process competency, which serves a much higher strategic purpose. As a consequence, financial compliance should not be an end, but rather a purposeful-but-auxiliary side effect to your business processes. By establishing your higher purpose, putting the right team structure in place and leading your financial process development, your organization will not only obtain financial compliance but also organizational effectiveness.
John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco-based management consultancy. Write to him at firstname.lastname@example.org. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.