The Right Way to Outsource Control Planning

Just because your organization has hired a consultant to build compliance-driven control environments, don't think you're not ultimately responsible.
Posted September 29, 2004

George Spafford

George Spafford

As many domestic firms scramble to meet the year-end deadline for Sarbanes-Oxley (SOx) section 404 compliance and foreign firms eye their deadline next year, they are hiring a ton of consultants to help them put the necessary control environments in place.

While this type of decision-making is understandable, it does carry some risks due to the nature of the work being performed that organizations need to be aware of. Organizations must not forget that the control environment must be tailored to the needs of their organizations and that they are the ones who will be held accountable.

Organizations implement, or should implement, controls in order to protect what matters most to them. Taking a step back, what is the purpose of SOx? It is targeted at restoring faith in the stock markets by attempting to restore public confidence in the integrity of the financial reporting process.

Therein lies the first hint. If starting from scratch, the most basic control environment for SOx compliance must be focused on protecting the integrity of the financial reporting process. This varies from company to company and is one reason a simple "do this and your done" approach doesn't work.

When talking to consultants, the first thing to evaluate is their focus. Do they understand what is needed? Are they overly broad or too narrow? Are they aiming to create a solution or a straw house that will require years of additional support from them -- with associated fees of course!

No Silver Bullet

With the above in mind, the series of controls to be implanted should be done in such a way as to create a framework. Within the framework, people, processes and technology are integrated to protect what matters to the specific organization and integrated in a logical, comprehensible and supportable manner. These are three very important attributes!

When a resource comes in and forces its version of a control framework onto your organization without tailoring it, something is very wrong. There must be a risk analysis that identifies what needs to be protected. Not every company needs a full-blown COBIT implementation. Indeed, many will be just fine with a fraction of the 318 detailed control objectives covered as long as the appropriate risks are identified and mitigated.

Beware of prospective vendors who come in and promise to solve your compliance issues with an application or suite of applications. You absolutely need to have a control framework that is tailored to your organization's needs. This means you must have the right people following the right processes for the right reasons. Any applications purchased or developed must support this effort, not necessarily drive it. In short, be very cautious and make sure that the application supports goals -- and don't divert attention away from the goals.

Involve the Right People

There are two parts to this. First, make sure the correct people evaluate the prospective vendors/partners. These stakeholders need to understand the organization, what matters most, have a basic understanding of controls and have a vested interest in protecting both the organization and shareholders.

Second, the right people must be engaged with the consultants to ensure correct decisions are made and, just as important, to learn. When audits are performed and/or actions investigated, it will be your organization that ultimately will be held accountable.

Beware approaches that follow a simple "cookie cutter" approach. You must understand what is vital to your organization, what must be done to protect it and be able to defend decisions made to external auditors. You do not want to say, "We do this because the consultant told us to."

Value Standards

Beware of custom approaches that do not leverage standards. COBIT, ITIL and ISO 17799 have been around for years. A great many external auditors will follow audit programs based on COBIT. If your consultant:

  • Follows a risk based approach to identify what needs to be protected
  • Overlays that onto the necessary COBIT controls
  • Works with you to review best practices from ITIL
  • Then a fairly sound approach is being followed. There are tremendous benefits to be gained by leveraging these existing works. Common vocabulary, industry best practices, training programs, reduced costs, shorter learning curves -- the list goes on and on.

    One fact that seems to be overlooked is that SOx is not a one-time event. Organizations are investing substantial sums of money for year one compliance. The challenge is that SOx doesn't end after the first year -- it goes on indefinitely and there will be more regulations to come.

    If resources are not carefully planned, budgeted and granted, the process risks not being sustainable and regressing over the following years, losing the initial investment and possibly even incurring penalties due to noncompliance. When the consultants finally leave, your organization will need to stand on its own. You will need the people, the processes and appropriate knowledge in order to do that. And that means adequate planning and, subsequently, budgets.


    Organizations need to prudently engage and manage the use of external groups when it comes to the creation of a control environment. They cannot simply hire a vendor, get a stack of books and/or applications and flag the project as finished. Quite to the contrary, care must be given to understand what is needed, that the best vendor is selected and that the internal stakeholders truly "own" the developed control framework. To do this, they must engage the right people, select vendors who are leveraging standards and plan for compliance efforts as part of their ongoing strategic planning and budgeting processes.

    0 Comments (click to add your comment)
    Comment and Contribute


    (Maximum characters: 1200). You have characters left.