Sarbanes Oxley – the suit of armor that protects you from innovation

Sarbanes Oxley – the suit of armor that protects you from innovation

Posted by Pete Loughlin in AP Automation 14 Dec 2012

The great thing about uncontrolled environments is they’re not controlled. Change becomes easy and innovation abounds. Business improvements are only limited by your ability to imagine. The sky’s the limit.

Of course a business environment with no controls is a dangerous place. Mistakes go undetected and fraud can thrive unless there are pragmatic business controls in place. But working within a tightly controlled environment requires a different way of thinking in order to ensure that change isn’t stifled completely.

Purchasing Insight logoI was reminded of this recently when I facilitated a workshop to look at some fairly basic accounts payable business processes – the fine detail of how invoices are brought into the business and allocated to various workflow queues. We didn’t go near the matching or accounting processes – just the opening few moves of how the work is allocated. It’s not as simple as it sounds. The paper work needs to be checked and logged. There are some basic business rules that need to be met in order to decide whether an invoice is accepted or rejected. Reasons for rejection need to be recorded. Invoices need to be categorized, scanned and archived. It’s not rocket science but there is plenty of room for errors. It was a very successful workshop. We identified two gaping holes on the process and two areas where  we could drive very significant new efficiencies. It worked because everyone agreed to come to the workshop with a completely open mind.  It could have been very different. We could have invited the auditors.

Internal auditor do their job very well in my experience – the problem is the job they do. Performing detailed studies of business processes in order to identify weakness and making recommendations of controls to put in place to strengthen those processes is important. But once those processes and their associated controls are documented, the documentation becomes like the business process bible. Try work shopping a simple process with the auditors in the room and they’ll whip out their Vision diagrams with a flourish and say –“That’s the process”. And this is where the problem lies. It is very difficult to argue against Sox compliant, signed off business processes. But being Sox compliant does not mean that business processes are optimized. What it means is that they are in control. Does it mean that things can’t be  done in a different, better, more efficient way? No! Does it mean that these business processes take advantage of the best  technologies and techniques? Of course not.

It’s one of the unintended consequences of Sarbanes Oxley. It has put an inordinate amount of influence into the hands of internal auditors. They are clever people. They are professionals and as a result, they are intimidating. Sox rules put a business in control but they also put up barriers to innovation and change.

Some organizations are so obsessed with compliance that they forget what their business priorities are. Change is healthy. It keeps a business vibrant but if you want to deliver change effectively, it is sometimes useful to turn a blind eye to Sarbanes Oxley – at first at least.

Pete Loughlin can be found on twitter @peteloughlin

  • Ian Burdon December 17, 2012 at 3:01 pm /

    Interestingly that has not been my experience of auditors whether Scottish Government Internal Audit or Audit Scotland (with whom we met last week). I have always found that if you pay attention to what Audit concerns are and respond in a reasonable and business like way then auditors are no block to innovation – in fact often just the opposite. One of the key benefits of eProcurement, in some respects the most important one, is reinforcing governance, transparency, accountibility and providing evidence of compliance. It helps a lot if the reporting and audit trail in your eProcurement software, like Elcom’s, supports Auditors in doing their job.

  • Markus December 23, 2012 at 3:08 pm /

    Pete, I think you have been lucky in a number of ways. First and foremost you had people in the room who were willing to work on process improvements. This is not normally the case. In my experience most accounting people are too scared and push the compliance people to tell them what will be “secure and compliant”. This is where everything goes wrong. Auditors are not handling invoices, they are checking them. Organizations would be better advised to utilize process experts like you more often to get the job done BEFORE sox documents are written. In the end it will be fruitful to have an auditor check what process people have designed – not the other way around.
    I guess this is the answer you would expect from a compliance fanatic like me 🙂

Post a comment