14 Dec 2012 Sarbanes Oxley – the suit of armor that protects you from innovation
The great thing about uncontrolled environments is they’re not controlled. Change becomes easy and innovation abounds. Business improvements are only limited by your ability to imagine. The sky’s the limit.
Of course a business environment with no controls is a dangerous place. Mistakes go undetected and fraud can thrive unless there are pragmatic business controls in place. But working within a tightly controlled environment requires a different way of thinking in order to ensure that change isn’t stifled completely.
I was reminded of this recently when I facilitated a workshop to look at some fairly basic accounts payable business processes – the fine detail of how invoices are brought into the business and allocated to various workflow queues. We didn’t go near the matching or accounting processes – just the opening few moves of how the work is allocated. It’s not as simple as it sounds. The paper work needs to be checked and logged. There are some basic business rules that need to be met in order to decide whether an invoice is accepted or rejected. Reasons for rejection need to be recorded. Invoices need to be categorized, scanned and archived. It’s not rocket science but there is plenty of room for errors. It was a very successful workshop. We identified two gaping holes on the process and two areas where we could drive very significant new efficiencies. It worked because everyone agreed to come to the workshop with a completely open mind. It could have been very different. We could have invited the auditors.
Internal auditor do their job very well in my experience – the problem is the job they do. Performing detailed studies of business processes in order to identify weakness and making recommendations of controls to put in place to strengthen those processes is important. But once those processes and their associated controls are documented, the documentation becomes like the business process bible. Try work shopping a simple process with the auditors in the room and they’ll whip out their Vision diagrams with a flourish and say –“That’s the process”. And this is where the problem lies. It is very difficult to argue against Sox compliant, signed off business processes. But being Sox compliant does not mean that business processes are optimized. What it means is that they are in control. Does it mean that things can’t be done in a different, better, more efficient way? No! Does it mean that these business processes take advantage of the best technologies and techniques? Of course not.
It’s one of the unintended consequences of Sarbanes Oxley. It has put an inordinate amount of influence into the hands of internal auditors. They are clever people. They are professionals and as a result, they are intimidating. Sox rules put a business in control but they also put up barriers to innovation and change.
Some organizations are so obsessed with compliance that they forget what their business priorities are. Change is healthy. It keeps a business vibrant but if you want to deliver change effectively, it is sometimes useful to turn a blind eye to Sarbanes Oxley – at first at least.
Pete Loughlin can be found on twitter @peteloughlin