Process Master Ltd

Compliance Issues

Compliance Issues and the need for Business Process Discovery & Capture

Sarbanes-Oxley section 404 compliance is a very important issue for companies today. However, it is often quite difficult to define what level of control is really required. SOX compliance can become unwieldy without the proper top-down approach of asking:

  • What control items are we looking to substantiate?
  • How can we achieve these controls?

Well now you can with ProcessPad!

Such controls need to be planned in conjunction with your corporate business process best practice model to keep things in one place. ProcessPad allows you to add control checkpoints to your business processes at the activity level.

ProcessPad offers an efficient and cost-effective solution

There have been many reports that companies have spent considerably more than they had budgeted on SOX 404 compliance.

Moving forward, companies are looking to find ways to make compliance with SOX sustainable at lower costs.

In the early stages of SOX 404 compliance:

  • Expensive external consultants were typically hired to bring specific expertise not present in the company
  • Internal consultants were added to the SOX team so as not to strain internal resources too much
  • Accounting firms were used to audit the compliance efforts
  • Internal management were also heavily involved, often at a considerable cost to the overall business performance

Standardized tools were often not used

While such an approach may have been useful in the "honeymoon" period of SOX compliance, a more sustainable long-term solution needs to be introduced.

The Process Master Approach

While we still need the centre of excellence of a SOX internal specialist and certainly internal/external auditor review, the Process Master approach is that many aspects managed by a separate and dedicated team can become part of the way of doing everyday business.

In this way, process owners become responsible for a large majority of the compliance documentation and testing of controls. The internal audit staff or SOX specialist will oversee the SOX compliance initiative and will be responsible for managing the quality of the process by conducting high level reviews to make sure controls and procedures are effective.

Another advantage of this approach is that process owners start to understand their processes better and so instill the concept of business process re-engineering or transformation into the organization.

Let's now see how you can implement such an approach

  1. Adopt ProcessPad as your Standardized tool
    First you need a standardized tool for process definition which is easy to use and deployed across the organization. Such standardization ensures that process definitions and controls cannot be misinterpreted by different process teams within an organization, as the documentation / testing responsibility shifts to process owners.

    ProcessPad has the benefit of being an easy-to-use tool which complies 100% with the international BPMN standard, so all company process documentation is developed to an accepted standard.

  2. Train your employees
    Train your employees so that process owners can document their own processes and, importantly, to the right level of detail. This is easy with ProcessPad. You can be sure that all employees will document processes in the same way as well. Without the need for a training course, your employees can be documenting processes to the international standard. All the graphical elements are strictly controlled and defined. Documents and specifications can be captured as well.

  3. Document control
    Your company needs to implement comprehensive document control with a well-defined review process to ensure only people with the right authorization can update and review the documents. This is the benefit of the ProcessPad Repository, and is essential for ensuring process and control documentation is always correct. Such process documentation can be easily put into a repository if required for version control. This acts like an electronic data vault and is useful for larger organizations in particular. Updates to documentation can be strictly controlled and are checked in with full audit control. ProcessPad has an easy interface to almost any CMS/DMS repository, with simple check in/check out commands.

  4. Define the controls
    After process documentation is in place, we need to add controls to this documentation. This is where the internal SOX experts will be essential to give top down guidance and training to the process owners on what type of controls are necessary and how to test these internal controls. It has to be remembered that SOX is about control points and not just documenting procedures. ProcessPad allows you to highlight these control points and document the control procedures.

    In the past many companies implemented too large a number of SOX controls and assessments. This is why the top-down approach is necessary to determine exactly what type of controls are necessary. ProcessPad allows controls to be introduced at the activity level.

  5. Review of controls
    After training, process owners will be able to recognize good and weak internal controls or good/unsatisfactory documentation. They should have a clear understanding of all the process documentation requirements and knowledge of all the internal controls for the process they manage. A procedure should be in place to improve the compliance process, normally by reviewing with the internal auditor and SOX specialist. Training for process owners and team members should be triggered automatically when deficiencies are identified in internal controls for that process or a certain time period has elapsed since the last SOX training.

  6. Testing of controls
    ProcessPad enables process controls, and a sub-process can be used to generate test results to ensure that internal controls are tested in a consistent manner across all operations within the company and over time. This requirement is critical to successfully installing the compliance process within the business. Only authorized people such as the internal audit staff or process managers should be authorized to update these tests. Once a test for internal control is updated, only the latest version should be allowed to be used for testing that internal control across any operation within the company.

  7. Visibility of test results
    ProcessPad allows you to use a sub-process to create easy visibility within (say) Excel of below-threshold scores for internal controls. These can be automatically flagged as deficiencies by the company's SOX specialist for tracking within the company. Key process owners and internal audit staff can have visibility into such deficiencies as the SOX specialist defines.

  8. Corrective Actions
    A process for corrective actions for any below-par controls can be constructed, as these need to be tracked within the organization to ensure that the deficiencies have been corrected in an agreed time frame.

ProcessPad SOX capable features

  • High Functionality
  • Risks at various entity levels
  • Table
  • Audit trails