<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>DoubleCheck Software LLC</title>
	<atom:link href="http://www.doublechecksoftware.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.doublechecksoftware.com</link>
	<description>GRC Governance Risk Compliance Audit Software</description>
	<lastBuildDate>Mon, 14 May 2012 17:42:13 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>DoubleCheck May &#8217;12 Monthly Newsletter: Mitigating Risk in the Era of the Corporate Bounty Hunter</title>
		<link>http://www.doublechecksoftware.com/doublecheck-may-12-monthly-newsletter/</link>
		<comments>http://www.doublechecksoftware.com/doublecheck-may-12-monthly-newsletter/#comments</comments>
		<pubDate>Mon, 14 May 2012 17:38:20 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=218</guid>
		<description><![CDATA[  By Michael Rasmussen, Corporate Integrity Business is global, distributed and dynamic. Organizations of all sizes and industries have global client, partner, vendor and supply-chain relationships. Adding to this complexity is the dynamic nature of business — it is ever changing, with a revolving door of employees, partners, technology, processes, and strategies in an environment [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;">By Michael Rasmussen, Corporate Integrity</p>
<p>Business is global, distributed and dynamic. Organizations of all sizes and industries have global client, partner, vendor and supply-chain relationships. Adding to this complexity is the dynamic nature of business — it is ever changing, with a revolving door of employees, partners, technology, processes, and strategies in an environment where risk, economics and regulations are in a constant state of change. The complexity of today’s global, distributed and dynamic business makes regulatory compliance a challenge.</p>
<p><em>How does an organization validate that it is current with legal, regulatory and other obligations in the face of an ever-changing business environment?</em></p>
<h2>The era of the corporate bounty hunter</h2>
<p>Government is increasingly turning to insiders (e.g., employees), incenting them to report wrongdoing and noncompliance. In the U.S., the SEC and DOJ have extended their compliance monitoring into a firm’s activities by enlisting the eyes, ears, and voice of the organization’s employees. The framework for this is established in the Dodd-Frank Act whistleblower provisions, which entice employees to report violations, such as bribery, corruption, fraud, insider trading, and more to the government. Corporate whistleblowers that provide information which leads to a successful SEC enforcement receive 10 to 30 percent of the monetary sanctions over $1 million. In an era of increased scrutiny and judgments for non-compliance, this is a significant concern that keeps executives, the board, legal, and compliance professionals up at night.</p>
<p>The organization cannot afford ad hoc approaches to compliance. In the era of the corporate bounty hunter, established processes must be in place to prevent non-compliance from happening. And when it does happen, the ability to demonstrate established compliance and monitoring processes can significantly reduce the penalties imposed upon the organization. The best defense to the era of compliance with the corporate bounty hunter is an active offense. Organizations must be prepared to show they have a strong compliance program in place to mitigate or avoid compliance issues. In today’s complex business environment, incidents do happen — the organization defends itself by demonstrating it has implemented appropriate compliance measures. Preventive measures must work alongside detective measures to monitor compliance, and the organization must respond quickly and efficiently.</p>
<p>To mitigate risk in the era of the corporate bounty hunter, organizations need to:</p>
<ul>
<li><strong>Strengthen ethical and compliance culture:</strong> This starts with increasing employee comfort to speak up and report issues and incidents. It is better to have an employee report internally than have them go to the government, bypassing the organization. HOWEVER, be prepared to respond – officials will throw the book at an organization if evidence is brought forward that an employee did report internally and the organization did nothing about it. A strong ethical and compliance culture requires that the organization has mechanisms in place for employees to report issues, and that those issues are recorded and responded to.</li>
<li><strong>Understand risk</strong>: An organization needs to understand the risk and exposure to non-compliance. This includes periodic assessment (e.g., annual) of exposure to unethical and non-compliant conduct. The risk-assessment process should also be dynamic — conducted when there is significant business change that could lead to exposure (e.g., mergers and acquisitions, new strategies and new markets).</li>
<li><strong>Know who it does business with</strong>: It is critical to establish a risk-monitoring framework that catalogs third-party relationships. Due-diligence efforts in establishing relationships must make sure the organization contracts with ethical entities. If there is a high degree of risk in a relationship, preventive and detective controls must be established. This means knowing your vendors, partners, suppliers and even your own employees to understand if they are susceptible to corruption and unethical conduct. Due diligence and risk assessment efforts must be kept current. These are not point-in-time efforts that happen once; they need to be done on a regular basis or when the business becomes aware of conditions that point to increased risk of non-compliance.</li>
<li><strong>Establish and communicate policies and procedures</strong>: Organizations must have documented and up-to-date policies and procedures that address compliance. The code of conduct must filter down to address regulatory requirements and obligations. Requirements and processes must be clearly documented and adhered to.</li>
<li><strong>Effective training</strong>: Written policies are not enough — individuals need to know what is expected of them. Organizations must implement compliance-training programs to educate employees and business partners. This includes getting acknowledgements from employees and business partners to affirm their understanding, and attestation of their commitment to behave according to established policies and procedures.</li>
<li><strong>Manage business change</strong>: The organization must monitor the business environment for changes that introduce risk of non-compliance. The organization must document changes to business practices as a result of observations and investigations, and address deficiencies through a careful program of change management. This requires that change in business, regulations, and the risk environment be monitored by compliance processes to actively address risk of exposures resulting from change.</li>
</ul>
<p>Compliance must be an active part of culture and processes to prevent and detect issues before they are reported to government. Compliance processes must be monitored, maintained and nurtured. The challenge is establishing compliance activities that move the organization from an ad hoc reactive mode to one that actively manages, monitors, detects and prevents corruption risk. This requires the organization to implement technology to manage compliance.</p>
<p>Learn more about the role of technology in compliance management at <a title="http://www.doublechecksoftware.com/the-role-of-technology-in-managing-compliance-risk/" href="http://www.doublechecksoftware.com/the-role-of-technology-in-managing-compliance-risk/">http://www.doublechecksoftware.com/the-role-of-technology-in-managing-compliance-risk/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/doublecheck-may-12-monthly-newsletter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Role of Technology in Managing Compliance Risk in the Era of the Corporate Bounty Hunter</title>
		<link>http://www.doublechecksoftware.com/the-role-of-technology-in-managing-compliance-risk/</link>
		<comments>http://www.doublechecksoftware.com/the-role-of-technology-in-managing-compliance-risk/#comments</comments>
		<pubDate>Thu, 03 May 2012 21:30:23 +0000</pubDate>
		<dc:creator>Website Administrator RAR</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[White Paper]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=210</guid>
		<description><![CDATA[Who is the government inciting to report issues of corruption, fraud, and non-compliance? YOUR EMPLOYEES: incenting them to be the whistleblower reporting on wrongdoing in the organization directly to the government. This has grown to be an issue with board and executive concern with the Dodd-Frank Act whistleblower provisions. This legislation entices employees to report [...]]]></description>
			<content:encoded><![CDATA[<p>Who is the government inciting to report issues of corruption, fraud, and non-compliance? YOUR EMPLOYEES: incenting them to be the whistleblower reporting on wrongdoing in the organization directly to the government. This has grown to be an issue with board and executive concern with the Dodd-Frank Act whistleblower provisions. This legislation entices employees to report violations, such as bribery, corruption, fraud, insider trading, and more to the government. Employees who blow the ‘whistle’ and provide information which leads to a successful enforcement action receive 10 to 30 percent of the monetary sanctions over $1 million. In an era of increased scrutiny and judgments for non-compliance, this is a significant concern that keeps executives, the board, legal, and compliance professionals awake at night.</p>
<div style="float:right; width:215px; margin:0px 0px 15px 15px;">
<div style="-webkit-border-radius: 25px;-moz-border-radius: 25px;border-radius: 25px;background-color:#F5F5F5; padding:10px 5px 5px 10px;">
<p><img src="http://www.doublechecksoftware.com/wp-content/uploads/pdfIcon.jpeg" alt="PDF" title="PDF" width="16" height="16" class="alignleft size-full wp-image-214" /> <a href='http://www.doublechecksoftware.com/wp-content/uploads/GRC-Technologys-Role-in-the-Era-of-the-Corporate-Bounty-Hunter-from-DoubleCheck-Software.pdf'>Download This White Paper</a></p>
</div>
</div>
<p>Compliance must be an active part of culture and processes to prevent and detect issues before they are reported to government. Compliance processes must be monitored, maintained and nurtured. The organization cannot afford ad hoc approaches to compliance. In the era of the corporate bounty hunter, established processes must be in place to prevent non-compliance from happening. And when it does happen, the ability to demonstrate established compliance and monitoring processes can significantly reduce the penalties imposed upon the organization. The challenge is establishing compliance activities that move the organization from an ad hoc reactive mode to one that actively manages, monitors, detects and prevents risk. This requires the organization to implement technology to manage compliance.</p>
<p>There are two primary models for managing a compliance program aimed at mitigating the risk of the corporate bounty hunter. One approach is build-your-own: ad hoc, ultimately labor-intensive, and productive of significant manual processes and piles of documents. A more economical approach focuses on software designed to manage these complex and diverse needs. The former approach is prone to failure because of the mountains of documents and scattered information where things slip through the cracks. The latter approach, which leverages technology, enables compliance processes to be:</p>
<ul>
<li><strong>Efficient:</strong> Compliance technology lowers cost, reduces redundancy and improves human capital efficiencies by delivering accountability and reporting that is burdensome in manual and document-centric approaches.</li>
<li><strong>Effective:</strong> Compliance technology delivers consistent and accurate information about the state of compliance initiatives, to assess exposure. Information is more accurate, current and readily available.</li>
<li><strong>Agile:</strong> Compliance technology improves decision-making and business performance through increased insight and business intelligence so the business can achieve objectives while avoiding loss.</li>
</ul>
<p>Technology facilitates organizations to manage and monitor compliance by enabling and automating activities, information, processes and reporting. DoubleCheck Software provides the components of technology to manage risk in the era of the corporate bounty hunter. These are:</p>
<ul>
<li><strong>Compliance risk identification, assessment and control:</strong> Organizations need to understand where they are exposed to risk of non-compliance and implement the appropriate controls to mitigate and monitor risk. Technology allows for the ongoing assessment of the risk and control environment through assessments and reporting so the organization knows where it is exposed.</li>
<li><strong>Policy management and communication:</strong> The foundation of protecting the organization from wrongdoing that could be reported to the government is established in strong policies that are adhered to in the organization. Technology enables a policy management platform to create, approve, communicate, manage, and maintain corporate policies and procedures. This includes the ability to publish policies, track communication and training, attestation, and test understanding of policies.</li>
<li><strong>Investigations and issue management:</strong> Bad things happen to the best of organizations. It is important that the organization leverages technology to capture issues and complaints and then investigate them. Technology enables the management of investigations, issues, incidents, events, or cases by providing a platform for accountability, workflow, documentation, and task management. The organization should leverage technology for internal issue reporting to capture and respond to incidents before an employee goes to the government.</li>
<li><strong>Benchmarking, metrics, and dashboarding:</strong> Accountability is central to a strong compliance program aimed at mitigating the risk in the era of the corporate bounty hunter. Accountability on risk, controls, policies, issues, and investigations needs to be clearly tracked. Technology allows for the establishment of compliance metrics to be monitored and overall trending of compliance indicators over time.</li>
<li><strong>Due diligence:</strong> The organization needs to ensure that it is doing business with ethical entities. This includes its own employees as well as its business and vendor relationships. Technology enables an organization to manage the documentation and workflow of the due diligence process to ensure that proper background checks are in place. It also enables the ability to communicate surveys, assessments, and policies to individuals across the business and its relationships to ensure that everyone knows what is right and wrong.</li>
<li><strong>Compliance forms and processes:</strong> Compliance forms can be utilized to request approval to proceed on a certain course of action, to seek approval in areas that need to be tracked as they could land the organization in hot water, or simply to provide information about actions being taken. Technology enables the automation and management of forms that would otherwise be encumbered in paper trails. A central repository of requests, approvals and denials provides both an audit trail and a reporting system, and configurations to define escalation policies, conditional logic, and workflow allow for efficient monitoring and compliance reporting.</li>
</ul>
<p>The best defense to the era of compliance with the corporate bounty hunter is an active offense. Organizations must be prepared to show they have a strong compliance program in place to mitigate or avoid compliance issues. In today’s complex business environment, incidents do happen — the organization defends itself by demonstrating it has implemented appropriate compliance measures. Preventive measures must work alongside detective measures to monitor compliance, and the organization must respond quickly and efficiently. DoubleCheck Software is here to enable your organization to protect itself in the era of the corporate bounty hunter.</p>
<p><img src="http://www.doublechecksoftware.com/wp-content/uploads/pdfIcon.jpeg" alt="PDF" title="PDF" width="16" height="16" class="alignleft size-full wp-image-214" /> <a href='http://www.doublechecksoftware.com/wp-content/uploads/GRC-Technologys-Role-in-the-Era-of-the-Corporate-Bounty-Hunter-from-DoubleCheck-Software.pdf'>Download This White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/the-role-of-technology-in-managing-compliance-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DoubleCheck™ Monthly Newsletter:  April ‘12  &#8220;Risk Tolerance:  Depends if it is your Risk or someone else’s&#8221;</title>
		<link>http://www.doublechecksoftware.com/doublecheck-monthly-newsletter-april-12-risk-tolerance/</link>
		<comments>http://www.doublechecksoftware.com/doublecheck-monthly-newsletter-april-12-risk-tolerance/#comments</comments>
		<pubDate>Mon, 09 Apr 2012 20:57:26 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=208</guid>
		<description><![CDATA[Risk Tolerance:  Depends if it is your Risk or someone else’s Psychologists have shown time and time again that Risk Tolerance is directly related to the perceived likelihood and impact level of a risk event on the person assigning the Risk value.  A classic example of that phenomenon is the reaction called “NIMBY”, or “Not [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><strong><span style="text-decoration: underline;">Risk Tolerance:  Depends if it is your Risk or someone else’s</span></strong></p>
<p>Psychologists have shown time and time again that Risk Tolerance is directly related to the perceived likelihood and impact level of a risk event on the person assigning the Risk value.  A classic example of that phenomenon is the reaction called “NIMBY”, or “Not in my back yard”.  Doesn’t matter if you are talking about building a nuclear power plant, airport or halfway house for parolees, the principle still applies.  Build it far away from me…!<br />
 <br />
Corporate environments are no different. Why would they be? They are staffed by real people. When you decide you are going to measure the Risk exposure of the entire company, you typically might start with a Risk Assessment across various stakeholders (Note: I am assuming you have already done your front-end work of developing a Risk process, etc., as the ERM Consultants would demand).<br />
 <br />
As you develop your list of stakeholders to include in the Risk Assessment process, you will likely include Risk Owners, internal Subject Matter Experts (SME), external SME and key senior management.  The list will vary, but you will still oftentimes be left with the familiar conundrum of “Ten blind men and the elephant”.  That is, how they describe the likelihood, and even more importantly, the impact of a risk event is going to be influenced in large part by their point of reference and proximity to the risk event.<br />
 <br />
Just as there are different standards for ERM frameworks (e.g. COSO ERM, ISO 31000, etc.), there are different methodologies for the actual scoring of the Risks. Some of our DoubleCheck™ clients roll up individual Risks to the ERM level by adding the individual Risk scores. Others use an algorithm that multiplies likelihood × impact and weights the Assessment responses differently for the different stakeholders. While there may be general “best practices”, there is no “one size fits all” best way to do this.<br />
 <br />
What does seem important is to not rely strictly on mathematical models, but take into account the human element.  After all, this is what influences the final determination of the “acceptable” level of risk, is it not?  And that brings us to the issue of understanding WHO we have inputting data into the Risk Assessments and ensuring they comprise a representative sample of stakeholders while understanding how their relationship to the risk can influence their responses.  This is much easier to accomplish in a sophisticated, but easy to use, software tool than in Excel.<br />
 <br />
Taking the human pain out of this discussion, I submit that prudent loss control policies and procedures are intended to reduce inherent risk values to &#8220;acceptable&#8221; residual risk values. The value of &#8220;acceptable&#8221; is what results in the likelihood/impact of risk events. Putting in place controls typically has a cost (but hopefully net positive value); the minimax of cost/benefit is what leads to the final decision on &#8220;acceptable&#8221; residual risk (likelihood, impact). <br />
 <br />
For example, if you lived below a dam (and everyone knows any dam can break) you have accepted catastrophic loss (drowning, loss of home, etc.) as &#8220;acceptable&#8221; residual risk impact.  However, you have apparently assigned a very very low likelihood value to the risk event occurring.  Not much different than building a plant on the Florida coast (hurricanes) or Oklahoma City (tornados). </p>
<p>The economic principle of &#8220;diminishing return on investment&#8221; precludes a business from spending more on prevention than the forecasted cost of the risk event (which can be direct financial impact, loss of corporate reputation, criminal/civil judgements, etc.). In the real world, you can minimize risk but you cannot eliminate it. I&#8217;ll apologize in advance if this very apt colloquialism offends anyone, but that reality is why someone made a fortune copyrighting the phrase, and printing up tee shirts and bumper stickers with it, saying &#8220;Sh-t happens&#8221;.</p>
<p>Best regards,</p>
<p>Paul Fine<br />
Director of Marketing &amp; Business Development<br />
DoubleCheck LLC<br />
pfine@doublechecksoftware.com<br />
770-565-8616<br />
Atlanta, GA  USA</p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/doublecheck-monthly-newsletter-april-12-risk-tolerance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DoubleCheck™ Monthly Newsletter: March ‘12:  Should you scope your Controls by Type:  Detect, Prevent or Mitigate?</title>
		<link>http://www.doublechecksoftware.com/doublecheck-monthly-newsletter-march-12-should-you-scope-your-controls-by-type-detect-prevent-or-mitigate/</link>
		<comments>http://www.doublechecksoftware.com/doublecheck-monthly-newsletter-march-12-should-you-scope-your-controls-by-type-detect-prevent-or-mitigate/#comments</comments>
		<pubDate>Mon, 05 Mar 2012 18:47:13 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=203</guid>
		<description><![CDATA[When the PCAOB released the AS5 guidelines a few years ago, along with SEC TDRA hierarchy, there was a significant change in how SOX 404 Compliance would be scoped and applied.  The key change was that external auditors were no longer required to provide an opinion on management&#8217;s assessment of its own internal controls. As [...]]]></description>
			<content:encoded><![CDATA[<p>When the PCAOB released the AS5 guidelines a few years ago, along with SEC TDRA hierarchy, there was a significant change in how SOX 404 Compliance would be scoped and applied.  The key change was that external auditors were no longer required to provide an opinion on management&#8217;s assessment of its own internal controls.</p>
<p>As a refresher, a proper TDRA hierarchy would include key steps such as:</p>
<ol>
<li>Identifying significant financial reporting elements (accounts or disclosures)</li>
<li>Identifying material financial statement risks within these accounts or disclosures</li>
<li>Determining which entity-level controls would address these risks with sufficient precision</li>
<li>Determining which transaction-level controls would address these risks in the absence of precise entity-level controls</li>
<li>Determining the nature, extent, and timing of evidence gathered to complete the assessment of in-scope controls</li>
</ol>
<p>The application of this change in approach resulted in most public companies being able to significantly rationalize the number of Controls to test through scoping them into Key and Non-Key Controls.  However, a smaller percentage of companies went to the next step of scoping their Key Controls by type (Detect, Prevent or Mitigate).</p>
<p>Why is that important?  First, let’s start with a common definition of these terms.  While COSO or other “official” definitions abound, I find a simple way to do that is through the analogy of a burglar attempting to break into your house:</p>
<ol>
<li><strong>Detect Control</strong>: Perimeter alert system (outside lights come on, siren goes off)</li>
<li><strong>Prevent Control</strong>: Locks on the doors (deters opportunistic, low commitment attempts)</li>
<li><strong>Mitigate Control</strong>: Brutus the Pitbull sleeping in the front foyer (self-explanatory)</li>
</ol>
<p>Since this is a hierarchy of Controls, you might benefit from understanding what role each of your Key Controls is supposed to play in fashioning an integrated Control framework. After all, the ultimate goal for SOX 404 is to ensure you can prove you have a functioning set of “internal controls over financial reporting”. Simply put, if you have an inadequate set of “Detect” controls, your “Prevent” controls will have to be more robust since you may not “detect” gaps or intrusions early enough. Similarly, if your “Prevent” controls are insufficient deterrents, your “Mitigate” controls better be really strong to reduce the impact of a Risk Event.</p>
<p>To put this in more official terminology, the series/types of Controls in place are what generates the “step-down” valuation from Inherent Likelihood/Impact to Residual Likelihood/Impact of a Risk Event. You need a proper balance of the three major types of Controls (Detect, Prevent and Mitigate) to maximize the “step-down” from Inherent to Residual. The question becomes: How are you going to do that if you don’t have the ability to scope your Controls into those sets?</p>
<p>One way to do that is to have a tool that can scope Controls into the three key sets, template them once defined (so unauthorized Control Owners cannot change the scope) and report on them by key set. If this capability is built into an integrated software platform that also functions as an enterprise-wide electronic data repository, then you will have visibility and access to cross-entity Controls by type and set without having to access multiple tools or modules. In addition, if you test that Control in one entity, the findings and test results will populate that templated Control in all entities in which it resides within the Enterprise.</p>
<p>If your current SOX or Audit tool cannot get that granular, then it is perhaps time to consider one that does. If you don’t have any tools more robust than standard desktop apps (e.g. Excel/Word, etc.), then perhaps you should REALLY consider a Platform truly designed to manage the SOX requirements at your firm. A chain is only as strong as its weakest link.</p>
<p>Best Regards,</p>
<p>Paul Fine</p>
<p>Director of Marketing &amp; Business Development<br />
DoubleCheck LLC<br />
Atlanta, GA<br />
Phone:  770-565-8616<br />
Mobile:  678-360-2851<br />
<a href="http://www.doublechecksoftware.com/">www.doublechecksoftware.com</a><br />
<a href="http://www.doublechecksoftware.com/news/newsletters/">www.doublechecksoftware.com/news/newsletters/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/doublecheck-monthly-newsletter-march-12-should-you-scope-your-controls-by-type-detect-prevent-or-mitigate/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DoubleCheck Feb &#8217;12 Newsletter:  &#8220;Risk Management Lessons from the Costa Concordia?&#8221;</title>
		<link>http://www.doublechecksoftware.com/doublecheck-feb-12-newsletter-risk-management-lessons-from-the-costa-concordia/</link>
		<comments>http://www.doublechecksoftware.com/doublecheck-feb-12-newsletter-risk-management-lessons-from-the-costa-concordia/#comments</comments>
		<pubDate>Tue, 07 Feb 2012 21:28:47 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=201</guid>
		<description><![CDATA[While being inundated with news about the Costa Concordia disaster, I got wondering about their ERM (Enterprise Risk Management) processes, and quickly tumbled to the conclusion that no matter what their processes were on paper, they were clearly unsatisfactory in practice. First, let me state clearly that I have no more information on this disaster [...]]]></description>
			<content:encoded><![CDATA[<p>While being inundated with news about the Costa Concordia disaster, I got wondering about their ERM (Enterprise Risk Management) processes, and quickly tumbled to the conclusion that no matter what their processes were on paper, they were clearly unsatisfactory in practice.</p>
<p>First, let me state clearly that I have no more information on this disaster than what has been made public to-date. Many other official investigations and reports will be coming out for some time regarding what happened and why. However, I don’t expect them to view this matter from the perspective of Enterprise Risk Management (ERM).</p>
<p>To that end, I will attempt to put this occurrence into the context of known risks, controls intended to mitigate the risks, the testing of those controls and the escalating notifications necessary if those controls fail or are bypassed. There is always the Inherent Risk of a ship running aground; but with the proper ERM processes and controls in place, I don’t believe that should ever be the level of Residual Risk.</p>
<p>To set a point of reference for this analysis, I am defining ERM as a set of processes that allow MANAGEMENT to scope key risks (a ship going aground, for example) and put a series of “detect” controls, “prevent” controls and “mitigating” controls in place to reduce the impact of a Risk Event from the likely high value of the Inherent risk to a Residual risk value as close to zero as possible given the laws of diminishing returns on investment.</p>
<p>As a point of reference, when a plane veers off its assigned route, the standard ERM process in that industry has a number of “detect controls” in place: a co-pilot who can question the pilot about the change (direction or altitude), an independent air traffic controller who is tasked with monitoring the location of the aircraft and questioning the pilot if anomalies are observed, and usually automated alarms on the plane that are triggered under certain adverse circumstances.</p>
<p>What ERM processes were in place on the Costa Concordia? We know there was a 2nd officer; why did he allow the Captain to make unauthorized changes to the route without questioning his actions (Detect and Prevent Control)? Was no one on shore (Port authorities) aware of the change of course of the ship? Was no one at Costa Cruises headquarters monitoring the route of the ship real-time via GPS? I don’t know the answers to these questions, but I will bet the lawyers for the passengers and victims will be asking those questions later.</p>
<p>Once the ship went aground, why weren’t there sufficient “mitigating controls” in place and working? Leadership and correct information from management to the crew (“oh, it was just a loss of electricity”) would have mitigated the confusion and counter-productive direction to the passengers (e.g., “go back to your cabins and await our instructions”); automated alarms THAT SOUND AT HEADQUARTERS, not just on the ship, when the hull is breached are just a few of the breakdowns in a proper ERM process.</p>
<p>Even if it is determined that the primary fault lies with the actions of the Captain, the company is responsible for not having the proper ERM processes and controls in place to detect, prevent or at least mitigate the improper actions of a single individual. This is a basic tenet of any working ERM system, whether it is to mitigate the losses incurred by a single rogue trader at a large financial institution or a ship’s Captain responsible for the safety of thousands of passengers.</p>
<p>Whenever an event like this occurs, it always makes me ask myself the basic questions: Does my ERM program truly identify the key risks? Do I have good Key Risk Indicators in place? Do I have appropriate Risk Mitigation plans in place? Have I audited or otherwise checked those plans to assure they are in fact complete and operational? Can I demonstrate this?</p>
<p>As we have seen far too often, complacency in ERM has serious consequences.</p>
<p>Best regards,</p>
<p>Paul Fine<br />
Director of Marketing &amp; Business Development<br />
DoubleCheck LLC<br />
Atlanta, GA USA<br />
Phone: 770-565-8616<br />
Mobile: 678-360-2851<br />
www.doublechecksoftware.com<br />
www.doublechecksoftware.com/news/newsletters/</p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/doublecheck-feb-12-newsletter-risk-management-lessons-from-the-costa-concordia/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DoubleCheck™ January ’12 Newsletter:  CAE Exit Interview Headline:  “It wasn’t broke, so I didn’t fix it”</title>
		<link>http://www.doublechecksoftware.com/doublecheck-january-12-newsletter-cae-exit-interview-headline-it-wasnt-broke-so-i-didnt-fix-it/</link>
		<comments>http://www.doublechecksoftware.com/doublecheck-january-12-newsletter-cae-exit-interview-headline-it-wasnt-broke-so-i-didnt-fix-it/#comments</comments>
		<pubDate>Thu, 05 Jan 2012 18:31:07 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=187</guid>
		<description><![CDATA[Chief Audit Executives (CAE) have a difficult task.  They are oftentimes placed in the unenviable position of having to be a “slave to two masters”.  That is, they have a direct reporting relationship to the Audit Committee, but also an operational/dotted line reporting relationship to the CFO.  Strategic guidance may come from the Audit Committee [...]]]></description>
			<content:encoded><![CDATA[<p>Chief Audit Executives (CAE) have a difficult task.  They are oftentimes placed in the unenviable position of having to be a “slave to two masters”.  That is, they have a direct reporting relationship to the Audit Committee, but also an operational/dotted line reporting relationship to the CFO.  Strategic guidance may come from the Audit Committee (AC), but the Audit Department budget at some point goes through the CFO (if not officially, certainly unofficially).</p>
<p>So, the CAE must carefully balance the positioning of his department (and him/herself) as being proactive in the utilization of his available resources, adding strategic as well as tactical value to the organization and picking their funding battles very carefully.  There is no single answer to how best to deal with these potential conflicts, because the responsibilities of a CAE vary greatly by company.</p>
<p>Some may also have Compliance (e.g., SOX) under their domain; others might have ERM.  Some have all three areas to manage, which can get complicated if not all areas report into the AC (e.g., SOX will often stay ultimately within the Business Owners’ responsibilities).  In fact, some CAEs have told me their department spends 50% of their time on SOX-related matters, leaving few resources for more value-added operational audit and risk-scoping activity that could enhance their standing within the company.</p>
<p>With finite resources (staff, time, money, political capital), a CAE may find themselves having to use a “triage” approach to the allocation of those resources.  What some have fallen back on is the “if it ain’t broke, don’t fix it” approach.  This status quo approach can leave an audit department behind current “best practices” and prove inefficient over time.  World class organizations pursue a philosophy of cannibalization.  Said another way, if you don’t “eat your own lunch”, your competition will eat it for you.</p>
<p>The application of this philosophy means that you don’t just look to place resources against things that aren’t working; you also put resources against products/processes/policies that are working, but not working as well as they could be.  Your ROI comes from freeing up resources to accomplish other goals that might be of more value than the “check the box” approach of an older audit/testing process.</p>
<p>Think of this as an analogy to how you might be scoping and testing the difference between the Inherent Likelihood of a Risk event occurring and the Residual Likelihood of that Risk event occurring after the proper Controls are in place.  In this analogy, investing in new processes, systems and products to ensure a Risk event doesn’t occur in the Audit Dept (lack of document version control using Excel, broken audit trail of activities, incomplete reports due to multiple data sources, etc.) becomes the “Control” to prevent and mitigate the Risk.  If you would be reporting a Material Deficiency to the Business Owners if they didn’t have the proper Controls in place, why should your department be exempt from the same level of oversight and scrutiny?  Beware the old homily:  “Do as I say, not as I do!”</p>
<p>This “new Controls environment” may involve investments to increase or upgrade staff, find more efficient ways of doing audits/testing (CSA, Peer Testing, Co-sourcing, etc.) or automating manual procedures.  The use of automation is particularly useful and “value-added” if the CAE is trying to expand the scope of their department, or is responsible for multiple areas (e.g., ICFR, ERM, etc.).  Having all of your data residing within a single electronic repository, with the ability to associate findings across audits as well as tests, can be invaluable when reporting Enterprise-level findings to the AC (and having a complete audit trail to support the accuracy of those findings to the External Auditors, reducing the cost of duplicate testing by them).</p>
<p>A CAE whose primary defense for why they aren’t constantly trying to improve their department, enhance productivity of their Team and improve their ability to inform Management on the state of the organization is:</p>
<p><strong><em>“It wasn’t broke, so I didn’t invest money to fix it”…</em></strong></p>
<p>may find that time-worn phrase headlining their exit interview summary.  After all, in the world of the CAE, when something does finally break, the AC’s first step in remediation is often a decision to get a new CAE.  You have to stay ahead of the game if you want to stay <span style="text-decoration: underline;">in</span> the game.</p>
<p>I wish you all a Happy New Year.</p>
<p>Paul Fine<br />
Director of Marketing &amp; Business Development<br />
Atlanta, GA<br />
Phone:  770-565-8616<br />
Mobile:  678-360-2851<br />
<a href="http://www.doublechecksoftware.com/">www.doublechecksoftware.com</a><br />
<a href="http://www.doublechecksoftware.com/news/newsletters/">www.doublechecksoftware.com/news/newsletters/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/doublecheck-january-12-newsletter-cae-exit-interview-headline-it-wasnt-broke-so-i-didnt-fix-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Monthly Newsletter-Dec &#8217;11:  &#8220;The 12 Days of Audit&#8221;</title>
		<link>http://www.doublechecksoftware.com/monthly-newsletter-dec-11-the-12-days-of-audit/</link>
		<comments>http://www.doublechecksoftware.com/monthly-newsletter-dec-11-the-12-days-of-audit/#comments</comments>
		<pubDate>Mon, 05 Dec 2011 16:46:54 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>
		<category><![CDATA[Audit]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=185</guid>
		<description><![CDATA[“The Twelve Days of Audit” 1.  On the first day of the audit, my Audit Manager gave to me… One bus ticket to Pigeon Forge, Tennessee 2.  On the second day of the audit, my Audit Manager gave to me… Two Audit interns… And one bus ticket to Pigeon Forge, Tennessee 3.  On the third day of [...]]]></description>
			<content:encoded><![CDATA[<p align="center"><strong><strong><span style="text-decoration: underline;">“The Twelve Days of Audit”</span></strong></strong></p>
<p>1.  On the first day of the audit, my Audit Manager gave to me…<br />
One bus ticket to Pigeon Forge, Tennessee</p>
<p>2.  On the second day of the audit, my Audit Manager gave to me…<br />
Two Audit interns…<br />
And one bus ticket to Pigeon Forge, Tennessee</p>
<p>3.  On the third day of the audit, my Audit Manager gave to me…<br />
Three hours to do the preliminary survey…<br />
Two Audit interns<br />
And one bus ticket to Pigeon Forge, Tennessee</p>
<p>4.  On the fourth day of the audit, my Audit Manager gave to me…<br />
Four page Planning Memo…<br />
Three hours to do the preliminary survey<br />
Two Audit interns<br />
And one bus ticket to Pigeon Forge, Tennessee</p>
<p>5.  On the fifth day of the audit, my Audit Manager gave to me…<br />
Five global processes to audit…<br />
Four page Planning Memo<br />
Three hours to do the preliminary survey<br />
Two Audit interns<br />
And one bus ticket to Pigeon Forge, Tennessee</p>
<p>6.  On the sixth day of the audit, my Audit Manager gave to me…<br />
Six key controls to test per process…<br />
Five global processes to audit<br />
Four page Planning Memo<br />
Three hours to do the preliminary survey<br />
Two Audit interns<br />
And one bus ticket to Pigeon Forge, Tennessee</p>
<p>7.  On the seventh day of the audit, my Audit Manager gave to me…<br />
Seven regional Controllers to train on peer testing…<br />
Six key controls to test per process…<br />
Five global processes to audit<br />
Four page Planning Memo<br />
Three hours to do the preliminary survey<br />
Two Audit interns<br />
And one bus ticket to Pigeon Forge, Tennessee</p>
<p>8.  On the eighth day of the audit, my Audit Manager gave to me…<br />
Eight supporting spreadsheets to reconcile…<br />
Seven regional Controllers to train on peer testing…<br />
Six key controls to test per process…<br />
Five global processes to audit<br />
Four page Planning Memo<br />
Three hours to do the preliminary survey<br />
Two Audit interns<br />
And one bus ticket to Pigeon Forge, Tennessee</p>
<p>9.  On the ninth day of the audit, my Audit Manager gave to me…<br />
Nine remediation test runs…<br />
Eight supporting spreadsheets to reconcile…<br />
Seven regional Controllers to train on peer testing…<br />
Six key controls to test per process…<br />
Five global processes to audit<br />
Four page Planning Memo<br />
Three hours to do the preliminary survey<br />
Two Audit interns<br />
And one bus ticket to Pigeon Forge, Tennessee</p>
<p>10.  On the tenth day of the audit, my Audit Manager gave to me…<br />
Ten hour post-audit conference…<br />
Nine remediation test runs…<br />
Eight supporting spreadsheets to reconcile…<br />
Seven regional Controllers to train on peer testing…<br />
Six key controls to test per process…<br />
Five global processes to audit<br />
Four page Planning Memo<br />
Three hours to do the preliminary survey<br />
Two Audit interns<br />
And one bus ticket to Pigeon Forge, Tennessee</p>
<p>11.  On the eleventh day of the audit, my Audit Manager gave to me…<br />
Eleven notations in the Comment Log…<br />
Ten hour post-audit conference…<br />
Nine remediation test runs…<br />
Eight supporting spreadsheets to reconcile…<br />
Seven regional Controllers to train on peer testing…<br />
Six key controls to test per process…<br />
Five global processes to audit<br />
Four page Planning Memo<br />
Three hours to do the preliminary survey<br />
Two Audit interns<br />
And one bus ticket to Pigeon Forge, Tennessee</p>
<p>12.  On the twelfth day of the audit, my Audit Manager gave to me…<br />
Twelve hours to get to my next audit site…<br />
Eleven notations in the Comment Log…<br />
Ten hour post-audit conference…<br />
Nine remediation test runs…<br />
Eight supporting spreadsheets to reconcile…<br />
Seven regional Controllers to train on peer testing…<br />
Six key controls to test per process…<br />
Five global processes to audit<br />
Four page Planning Memo<br />
Three hours to do the preliminary survey<br />
Two Audit interns<br />
And one bus ticket to Pigeon Forge, Tennesseeeeeeee</p>
<p>I would love to hear how many of these “Days of Audit” resonate with you.  Happy Holidays to one and all.  See you next year…</p>
<p>Paul Fine<br />
Director of Marketing &amp; Business Development<br />
DoubleCheck LLC<br />
<a href="mailto:Pfine@doublechecksoftware.com">Pfine@doublechecksoftware.com</a><br />
770-565-8616<br />
Atlanta, GA</p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/monthly-newsletter-dec-11-the-12-days-of-audit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nov &#8217;11 Newsletter: &#8220;An Audit or a Root Canal…what’s your pleasure?&#8221;</title>
		<link>http://www.doublechecksoftware.com/nov-11-newsletter-an-audit-or-a-root-canal%e2%80%a6what%e2%80%99s-your-pleasure/</link>
		<comments>http://www.doublechecksoftware.com/nov-11-newsletter-an-audit-or-a-root-canal%e2%80%a6what%e2%80%99s-your-pleasure/#comments</comments>
		<pubDate>Wed, 09 Nov 2011 14:32:52 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=182</guid>
		<description><![CDATA[Since I just finished having a root canal 3 hours ago, this question isn’t as crazy as it may initially seem.  Sitting in an endodontist’s (specialty dentist) chair for nearly two hours, shot full of Novocaine (a great discovery, by the way), my mind tended to wander.  I prefer the subject of my DoubleCheck™ Monthly [...]]]></description>
			<content:encoded><![CDATA[<p>Since I just finished having a root canal 3 hours ago, this question isn’t as crazy as it may initially seem.  Sitting in an endodontist’s (specialty dentist) chair for nearly two hours, shot full of Novocaine (a great discovery, by the way), my mind tended to wander.  I prefer the subject of my DoubleCheck™ Monthly Newsletters to be topical, and I realized this personal experience offered an interesting opportunity to consider the similarities between the two experiences from the perspectives of the patient (auditee) and specialist dentist (auditor).  We’ll start with the experience I know best:</p>
<p><strong><span style="text-decoration: underline;">THE PATIENT:</span></strong></p>
<p>1.  <strong><span style="text-decoration: underline;">Anticipation:</span></strong>  Both audits and root canals tend to be procedures that are planned and scheduled, but all “patients” should remember that an ounce of prevention is worth a pound of cure (and usually less painful).  Neither is an event we wish to experience, but we know trying to avoid it will only lead to more dire consequences later.  But your mind does tend to imagine the worst as you wait for the appointed day.</p>
<p>2.  <strong><span style="text-decoration: underline;">Expectation:</span></strong>  Neither a root canal patient nor an auditee expects anything good to come from their experience.  The goal is to avoid anything bad that might result from it.  We don’t want to suffer any pain, repeat procedures, denied insurance coverage (e.g., your boss doesn’t protect you) or other ill effects.  We just want it to be over with and forgotten by everyone.</p>
<p>3.  <strong><span style="text-decoration: underline;">Experience:</span></strong>  As you go through the actual experience (root canal or audit), you begin to realize that much of the anticipation and expectation was all in your head, rather than based on facts.  You have heard the horror stories from other people; maybe had a bad experience previously (as I had).  But once you relax and let the experts do their job, you will typically find the experience painless and uneventful.  Of course, both events go even more smoothly if the professionals involved have a good set of current generation tools at their disposal.</p>
<p>4.  <strong><span style="text-decoration: underline;">Aftermath:</span></strong>  In my case, the Novocaine has now worn off and I have no residual pain or discomfort.  The same is true for most auditees (except their numbness might be derived from other sources).  If you follow directions, answer the experts’ questions, relax in the chair and recognize their goal is not to cause you pain, you should come out just fine.</p>
<p><strong><span style="text-decoration: underline;">THE DENTIST:</span></strong></p>
<p>1.  <strong><span style="text-decoration: underline;">Anticipation:</span></strong>  Dentists (and auditors) do this all day, every day.  There is no sense of anticipation or excitement; they are just doing their job.  But most (the good ones) recognize the concerns and sometimes dread that the patient (auditee) has for this process.  They try to take this emotional component of the process into account, realizing that their job will go smoother and faster if the person they are working with is inclined to be cooperative.</p>
<p>2.  <strong><span style="text-decoration: underline;">Expectation:</span></strong>  A dentist expects to find a tooth needing a nerve removed to avoid chronic inflammation and infection.  An auditor expects to find NOTHING that requires removal (material deficiency) or is causing chronic inflammation (non-operating Key Controls).  In this matter, their expectations do diverge.  However, both types of professionals are trained to recognize and deal with any exigent circumstances uncovered during their planned activities.  So, let them do their job.</p>
<p>3.  <strong><span style="text-decoration: underline;">Experience:</span></strong>  For both the dentist and the auditor, the actual experience usually goes according to the general plan.  However, there is always something they discover during their routine activities that requires some adjustment, extra effort or re-consideration.  If they don’t make a big deal about the new information, the patient/auditee will usually not even realize that something is different or even amiss.  After all, the dentist/auditor is the person who knows what the plan was, not the patient/auditee, right?</p>
<p>4.  <strong><span style="text-decoration: underline;">Aftermath:</span></strong>  When the procedure is completed, the specialty dentist gives the patient near-term instructions (pain meds, etc.), provides before/after X-rays for the patient’s regular dentist and goes on to the next patient.  Similarly, an auditor provides the auditee near-term instructions (e.g., we are going to re-test some Key Controls), notifies Audit Management and Process Owners of any key findings, then goes on to the next audit.  For both, it is all in a day’s work.</p>
<p>So, what are the lessons we can learn from my personal experiences today?</p>
<p>1.  Letting a problem fester without correction can lead to a more acute problem requiring more drastic measures.  This is usually more costly and generally avoidable.</p>
<p>2.  Don’t imagine the worst outcome; you might make it a self-fulfilling prophecy.</p>
<p>3.  Trained professionals are usually working with your best interests at heart; there is no upside for them to do otherwise.  Help them help you.</p>
<p>4.  Don’t minimize the angst and emotions the patient/auditee may be feeling; numbers aren’t always the only things that need counting.</p>
<p>I hope to offer a different (and less personal) perspective for our December Newsletter.  In the meantime, we at DoubleCheck™ wish all our clients and friends in the U.S. and Canada who have served their country a well-deserved Veterans Day/Remembrance Day this Friday, 11/11/11.</p>
<p>Best regards,</p>
<p>Paul Fine</p>
<p>Director of Marketing &amp; Business Development<br />
DoubleCheck LLC<br />
pfine@doublechecksoftware.com<br />
770-565-8616 (office)<br />
678-360-2851 (cell)<br />
Atlanta, GA USA<br />
www.doublechecksoftware.com</p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/nov-11-newsletter-an-audit-or-a-root-canal%e2%80%a6what%e2%80%99s-your-pleasure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>GRC &amp; Audit Software Reviews:  How to perform Apples to Apples vs. Apples to Oranges Comparisons…</title>
		<link>http://www.doublechecksoftware.com/178/</link>
		<comments>http://www.doublechecksoftware.com/178/#comments</comments>
		<pubDate>Fri, 07 Oct 2011 20:10:00 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=178</guid>
		<description><![CDATA[“Due diligence” is the mantra of any executive considering the acquisition of a new software tool, especially one with broad-reaching scalability and impact within an organization; a key attribute of a GRC &#38; Audit platform. The challenge in making an optimum selection has two key elements: 1.  Most decision-makers (CAE, CAO, CCO, etc.) may have [...]]]></description>
			<content:encoded><![CDATA[
<p>“Due diligence” is the mantra of any executive considering the acquisition of a new software tool, especially one with broad-reaching scalability and impact within an organization; a key attribute of a GRC &amp; Audit platform.</p>
<p>The challenge in making an optimum selection has two key elements:</p>
<p>1.  Most decision-makers (CAE, CAO, CCO, etc.) may have only acquired this type of product once or twice before in their career (or maybe not at all).</p>
<p>2.  There is a plethora of vendors who claim to offer one or more functional pieces of a GRC &amp; Audit platform, with their features and services changing regularly.</p>
<p>I could recommend every prospective purchaser go through a formal and lengthy RFP process, but that can be overkill for small-midsize (or even large) firms.  It takes up way too many internal resources and time, both to pull together and then to evaluate.  Yes, there are vendors who offer to provide you a “template” RFP, but what are the odds that template is going to be both objective and a good fit to your particular framework and requirements?</p>
<p>I would prefer to recommend that you first pull together your key requirements, both in the short term (I just want to automate the SOX testing area now) and long term (need a platform expandable and scalable to Audit, Risk, Contract Mgmt, etc.).  You can’t select a software tool to solve a problem you haven’t yet defined.</p>
<p>Once that is done, you now face the “apples to apples” vs. “apples to oranges” dilemma.  How do you make sure you are accurately comparing all that you are getting for the different prices the vendors are quoting?  The devil is in the details, as many of you who have faced “buyer’s remorse” learned the hard way.  Here are a few key areas I recommend you get clear definitions for:</p>
<p>1.  <strong><span style="text-decoration: underline;">User licenses:</span></strong></p>
<p>How do they define a “User”?  Do they differentiate between Full/Power Users and Casual/Limited Users?  What do the different types cost, and what can they do or see?  Do Assessment Takers need a license, or can they respond to surveys/assessments/questionnaires/certifications for no charge?</p>
<p>2.  <strong><span style="text-decoration: underline;">Implementation:</span></strong></p>
<p>Your success and staff adoption of a new software platform will be as dependent upon the ease and completeness of the implementation as it will be upon the actual product features.  Don’t let a salesman deflect the question by saying “90% of our customers only need our standard implementation package”.  Find out what this includes, and what it costs to “have fries with that”; e.g., customized configuration (vs. standard COSO template), automated importation of your data (vs. you doing it manually), standard AND custom reports at no extra charge, U.S.-based Help Desk/Tech Support, etc.</p>
<p>3.  <strong><span style="text-decoration: underline;">Training:</span></strong></p>
<p>If you haven’t been sufficiently trained on how to use the software, you won’t use it; simple as that.  How much training is the vendor including in the quote?  Four hours of online training is not the same as 5 days of onsite training, no matter what you call it.  Will the training be conducted on your own data, after the implementation, or on generic “static” data they have in a general training manual?  If onsite training, is it at your facility, or do you and your staff have to travel to the vendor’s location at your company’s expense?</p>
<p>4.  <strong><span style="text-decoration: underline;">Product Features:</span></strong></p>
<p>This is basic, but sometimes forgotten.  If the vendor says they have a feature important to you, have them show it to you.  Different products accomplish certain functions in different ways.  You want to be sure you are comparing key aspects of those functions, such as being user-friendly and re-configurable (without IT or Vendor support).</p>
<p>5.  <strong><span style="text-decoration: underline;">References:</span></strong></p>
<p>I can’t emphasize this enough.  Talk to others who have done what you plan to do.  Get applicable and relevant references from the vendors, either by asking directly or going to their web site or press release site to see who their clients are.  Then, call them.  If the vendor hasn’t made their current clients “raving fans”, what are the chances they will make one of you?</p>
<p>If you hold all the vendors you are considering to this same set of standards, you will have a much better chance of comparing “apples to apples” vs. “apples to oranges”.  And isn’t that what “due diligence” is all about?</p>
<p>Best regards,</p>
<p>Paul Fine<br />
Director of Marketing &amp; Business Development<br />
DoubleCheck LLC<br />
770-565-8616<br />
<a href="mailto:pfine@doublechecksoftware.com">pfine@doublechecksoftware.com</a><br />
<a href="http://www.doublechecksoftware.com/">www.doublechecksoftware.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/178/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>GRC Spreadsheets:  An Oxymoron?</title>
		<link>http://www.doublechecksoftware.com/grc-spreadsheets-an-oxymoron/</link>
		<comments>http://www.doublechecksoftware.com/grc-spreadsheets-an-oxymoron/#comments</comments>
		<pubDate>Fri, 16 Sep 2011 12:52:30 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=169</guid>
		<description><![CDATA[GRC Spreadsheets:  An Oxymoron? Are you still managing your GRC elements just with spreadsheets?  A number of analysts have noted that spreadsheets are still the leading “tool” for managing the various elements of governance, risk, compliance (GRC) and audit. Yet, if you start from the premise that a GRC culture is meant to create an [...]]]></description>
			<content:encoded><![CDATA[<p align="center"><strong><span style="text-decoration: underline;">GRC Spreadsheets:  An Oxymoron?</span></strong></p>
<p>Are you still managing your GRC elements just with spreadsheets?  A number of analysts have noted that spreadsheets are still the leading “tool” for managing the various elements of governance, risk, compliance (GRC) and audit.</p>
<p>Yet, if you start from the premise that a GRC culture is meant to create an organizational environment where all key risks and related governance elements are not only identified and assigned from an accountability standpoint, but KNOWN by key Corporate management (versus siloed information), then the question has to be asked:</p>
<p>“Is a collection of spreadsheets the best tool set to meet the GRC objective?”</p>
<p>I spoke with a VP-Internal Audit a few months ago whom I have known for five years.  He was struggling to work through a spreadsheet that had literally a thousand rows and dozens of columns.  The difficulty of identifying the key data cells and ensuring they were updated correctly and linked to the appropriate sub-forms and workpapers was both time-consuming and carried an inherently high risk of data corruption.</p>
<p>Similarly, we recently demonstrated our GRC &amp; Audit solution for a few companies that spent a week every month trying to export data from multiple spreadsheets into a template report format delivered to the Board as a PowerPoint document.  Were spreadsheets the most efficient tool for collecting and disseminating important information to Senior Management on a regular basis?  They were starting to think &#8220;maybe not&#8221;.</p>
<p>I sometimes hear from GRC executives (Audit, ERM, Compliance, Policy, etc.) that they already have an automated solution to &#8220;share&#8221; documents, which they consider consistent with the GRC goal of &#8220;breaking down silos&#8221;.  This is not the same as having a single electronic repository of DATA.  DATA is not the same thing as DOCUMENTS.  If the data is available in its simplest form (discrete data points) and is housed in an architecture that allows for relational linkage and reporting, then you can truly share information.</p>
<p>Importantly, you can then re-configure the various data elements to create a report that is specific to the needs of each individual user, or user group, rather than just sharing a general spreadsheet that then has to be interpreted or re-formatted by the user.  And if you can do this without requiring IT to help you, it becomes even more convenient.</p>
<p>Understand, I have nothing against the use of spreadsheets per se.  I use them myself on a daily basis.  But they are just one tool, like many others in your toolbox.  If the task is relatively simple and doesn&#8217;t require multiple human touchpoints (remember the need for Version Control), then spreadsheets might be sufficient.</p>
<p>But if your objective is to make all key data available to the appropriate people (with varying levels of security access), keep a complete audit trail of any changes to the data, manage the data and tasks/issues via an automated workflow (with notifications), and have the ability to run and share reports on both a scheduled and ad hoc basis without requiring IT support, then you may want to consider a more robust automated GRC &amp; Audit solution.</p>
<p>If you now think you may want to look at alternatives to a spreadsheet-only environment, give me a call.  DoubleCheck&#8482; would be happy to import representative samples of your spreadsheets to show you what you can do to meet your GRC &amp; Audit objectives, and how easily you can do it, within our environment.</p>
<p>Best regards,</p>
<p>Paul Fine<br />
Director of Marketing &amp; Business Development<br />
DoubleCheck LLC<br />
<a href="mailto:pfine@doublechecksoftware.com">pfine@doublechecksoftware.com</a><br />
770-565-8616</p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/grc-spreadsheets-an-oxymoron/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

