The Right Way to Outsource Control Planning

As many domestic firms scramble to meet the year-end deadline for Sarbanes-Oxley (SOx) section 404 compliance and foreign firms eye their deadline next year, they are hiring a ton of consultants to help them put the necessary control environments in place.

While this type of decision-making is understandable, it does carry some risks due to the nature of the work being performed that organizations need to be aware of. Organizations must not forget that the control environment must be tailored to the needs of their organizations and that they are the ones who will be held accountable.

Organizations implement, or should implement, controls in order to protect what matters most to them. Taking a step back, what is the purpose of SOx? It is targeted at restoring faith in the stock markets by attempting to restore public confidence in the integrity of the financial reporting process.

Therein lies the first hint. If starting from scratch, the most basic control environment for SOx compliance must be focused on protecting the integrity of the financial reporting process. This varies from company to company and is one reason a simple “do this and your done” approach doesn’t work.

When talking to consultants, the first thing to evaluate is their focus. Do they understand what is needed? Are they overly broad or too narrow? Are they aiming to create a solution or a straw house that will require years of additional support from them — with associated fees of course!

No Silver Bullet

With the above in mind, the series of controls to be implanted should be done in such a way as to create a framework. Within the framework, people, processes and technology are integrated to protect what matters to the specific organization and integrated in a logical, comprehensible and supportable manner. These are three very important attributes!

When a resource comes in and forces its version of a control framework onto your organization without tailoring it, something is very wrong. There must be a risk analysis that identifies what needs to be protected. Not every company needs a full-blown COBIT implementation. Indeed, many will be just fine with a fraction of the 318 detailed control objectives covered as long as the appropriate risks are identified and mitigated.

Beware of prospective vendors who come in and promise to solve your compliance issues with an application or suite of applications. You absolutely need to have a control framework that is tailored to your organization’s needs. This means you must have the right people following the right processes for the right reasons. Any applications purchased or developed must support this effort, not necessarily drive it. In short, be very cautious and make sure that the application supports goals — and don’t divert attention away from the goals.

Involve the Right People

There are two parts to this. First, make sure the correct people evaluate the prospective vendors/partners. These stakeholders need to understand the organization, what matters most, have a basic understanding of controls and have a vested interest in protecting both the organization and shareholders.

Second, the right people must be engaged with the consultants to ensure correct decisions are made and, just as important, to learn. When audits are performed and/or actions investigated, it will be your organization that ultimately will be held accountable.

Beware approaches that follow a simple “cookie cutter” approach. You must understand what is vital to your organization, what must be done to protect it and be able to defend decisions made to external auditors. You do not want to say, “We do this because the consultant told us to.”

Value Standards

Beware of custom approaches that do not leverage standards. COBIT, ITIL and ISO 17799 have been around for years. A great many external auditors will follow audit programs based on COBIT. If your consultant:

Then a fairly sound approach is being followed. There are tremendous benefits to be gained by leveraging these existing works. Common vocabulary, industry best practices, training programs, reduced costs, shorter learning curves — the list goes on and on.

One fact that seems to be overlooked is that SOx is not a one-time event. Organizations are investing substantial sums of money for year one compliance. The challenge is that SOx doesn’t end after the first year — it goes on indefinitely and there will be more regulations to come.

If resources are not carefully planned, budgeted and granted, the process risks not being sustainable and regressing over the following years, losing the initial investment and possibly even incurring penalties due to noncompliance. When the consultants finally leave, your organization will need to stand on its own. You will need the people, the processes and appropriate knowledge in order to do that. And that means adequate planning and, subsequently, budgets.

Summary

Organizations need to prudently engage and manage the use of external groups when it comes to the creation of a control environment. They cannot simply hire a vendor, get a stack of books and/or applications and flag the project as finished. Quite to the contrary, care must be given to understand what is needed, that the best vendor is selected and that the internal stakeholders truly “own” the developed control framework. To do this, they must engage the right people, select vendors who are leveraging standards and plan for compliance efforts as part of their ongoing strategic planning and budgeting processes.

RELATED NEWS AND ANALYSIS

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2020

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020

• Anticipating The Coming Wave Of AI Enhanced PCs

  FEATURE |  By Rob Enderle,
  September 05, 2020

• The Critical Nature Of IBM’s NLP (Natural Language Processing) Effort

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  August 14, 2020