Thursday, December 23, 2010

SOX Rationalization – What is taking place

Originally presented to FEI – November 19, 2009



Good afternoon. For the next 10 minutes or so we’re going to talk about three efficiency levers included in Audit Standard 5, or AS5, that can result in less effort and significant savings in SOX compliance.


To do this, we’ll visit a prison and a conference room. Given the length of some meetings, you might say they are one and the same. In this case, they aren’t. In fact, we’d tell you that the prison is a myth but that would be a scene spoiler. Instead, let’s just say we’ll use it to frame the conversation.



In 1910, Cosmopolitan magazine published a short story titled “The Spanish Prisoner.” It’s about a clever confidence game. Several men, including a brewer, a poet, and two farmers are conned into believing that if they send money to secure the release of a Spanish millionaire imprisoned in a Madrid dungeon, they’ll earn a large reward and the hand of the prisoner’s beautiful daughter. At every turn, the men are asked to pay more and more money, which they do, believing they will get the reward and marry the daughter.



We wonder if in your efforts to comply with SOX this might sound familiar, in that you’re always paying more based on a promise, but have yet to see results for the added expense.



Now, the men involved in the Spanish Prisoner scam are strangers until they meet on board a ship bound for Madrid and discover they are all traveling for the same reason.



Imagine for a moment that you, modern day financial officers, are on that ship, too. While they are thinking of riches and the beautiful daughter, you are thinking about how it seems that spending more and more money is the only way to assure SOX compliance. There is an endless need for new technology, processes and people.


Yet, you also know that since the passage of SOX the few companies reporting material weaknesses have not experienced a significant negative impact to their value, which suggests that the benefits of this early warning mechanism have not been as great as anticipated.



And you know that since the PCAOB replaced Audit Standard 2 (AS2) with AS5, only a few companies have achieved permanent savings by taking full advantage of the efficiency levers in AS5.



You’re also familiar with The Pareto Principle, the notion that 20% of the effort yields 80% of the results. And you want to focus on that 20% and ensure that it’s yielding 80%, at least.



Unlike the perpetrator of the Spanish Prisoner scam, we’re not going to ask for money. We’re going to do just the opposite: offer three ideas that can save money and time. And we’ll do this, for the sake of the story, aboard the ship, in the captain’s conference room.



First, we’ll talk about how external auditors can be more efficient by increasing their use of an internal audit department or third party’s work.



Second, we’ll talk about how a company can reduce the number of control activities by implementing a top down, risk based approach.



And finally, we’ll talk about how a company can leverage its IT infrastructure to shorten the financial close process, and also leverage the existing financial application functionality to spend less time testing controls.



USE THE WORK OF OTHERS

So first, we gather the Internal Audit team in the conference room. They are an experienced, sea-hardy team. We discuss how to approach this year’s SOX testing so that the external auditor can rely on IA’s work to the maximum extent possible.



For a normal risk area, like payroll and Information Technology, the team explains that the external auditor still won’t consider leveraging 100% of the Internal Audit work. But as we probe more, we find that this obstacle can be overcome with minimal effort, since AS5 removed restrictions on using the work of others if it can be demonstrated a competent, objective third party did the work.



So, we suggest that the internal audit team ask the external auditors to explain where IA has not demonstrated competence and objectivity. They resist. They say, “Our auditors have increased reliance year over year;” or “We don’t want to antagonize our auditors.” Or, “We test this area to make sure our people are doing their jobs.”



But we know that the AS5 criteria for demonstrating competence and objectivity are easy to achieve, and if achieved, can save money as AS5 intended. It requires two straightforward things: for the tester to prove objectivity by demonstrating that he is not the control activity owner, and prove competence by producing work-papers that meet the PCAOB’s standards. This is the easy part.



The hard part is persuading the IA department to have the uncomfortable conversation with the external auditor and establish how this can be done. Companies avoid that conversation because they conjure nightmares of how the external auditor might respond. Chances are, the nightmare will never occur. More likely, the result will be that the team will understand how the work-papers can be improved to maximize reliance and eliminate testing in areas where the external auditor is placing limited or no reliance on Internal Audit’s work.



TOP DOWN APPROACH

The next topic on the agenda is reviewing the scope of SOX testing procedures. Specifically, we want to look at the control activities the company plans to test. We notice that a large number of control activities outside the realm of financial reporting are included in the SOX scope. Indeed, there are other controls outside the scope that, if the CFO were asked, would be the primary ones she relies on. And because they aren’t included in scope, they’re not the detailed ones that end up getting tested.

We remind the company that their procedures need only comply with the SEC guidance and that no testing is required for controls that mitigate the same risk for the same class of transactions or non-financial risks. Again, there’s resistance. We hear, “That’s the way we’ve always done it,” and “The control activity owners would stop performing their control activities if we don’t test them.” And then we ask, “But did the control activity owners not perform the controls before SOX was in place? What’s different now other than the requirement to test?” And what can you do to take the controls the CFO said she relies on and make them robust enough that you don’t need all the detailed ones? Those top down controls are the ones everyone in this room should make sure your team is focused on.



So, we ask about the captain, in this case, you the CFO. Does the CFO know this? Has she approved of this extra effort to test redundant controls? We suggest that she should know; that raising the question to the top is the best method for resolving the dilemma and eliminating unnecessary items from the scope. Have you had this conversation with your SOX team?



AUTOMATED CONTROLS

Having dispatched those two questions, we talk about the final and perhaps most difficult one: the financial close process. Our goal is to find a common language (or common control activities) to overcome the obstacles that make financial reporting systems resemble a confusing “Tower of Babel” because of the different applications, operating systems and networks that are installed across the globe, like a general ledger on Oracle, payroll on PeopleSoft, a mainframe tracking revenue and Equity Edge tracking stock options.



The company wants to close its books more quickly and with fewer errors, but the jumble of systems makes it very hard. We ask about the plan to consolidate systems. There isn’t one. We ask, “Why?” We hear the resistance again: “It’s the way we’ve always done it;” or, “Consolidation isn’t a priority right now.”



And consolidation is hard, but we press on and ask about the percentage of automated controls in the SOX population. The answer is generally somewhere between 2 and 15%.



Which brings us to the “Aha!” moment: the company spends millions of dollars on multiple financial applications yet relies on manual controls 85% of the time, or more, to get its financials right.



So we settle down and give some examples of automated controls.



First, there is testing a three-way match. ERPs like SAP and Oracle can be configured properly for automated three-way match. When this automation is correctly done, companies can expedite SOX testing in manually intensive functions like Accounts Payable. Testers do not have to pull a sample of receiving, invoice, and PO documents and ensure payment rules were followed and exceptions approved. They only have to test configuration and, due to the automated controls, can bypass intensive document sampling. This frees up staff resources, saving time and money.



A second automation option is testing approval workflows for journal entries. When configurations for proper approval workflows are established and effective in ERPs like SAP and Oracle, the manual verification and approval process for specific journal entries, like those that exceed a certain dollar amount, can be automated. No more manual identification of those entries via transaction reports. No more finding samples and testing paper copies of journal entries for handwritten approvals against approval authorities. The time and money that used to be spent reviewing those documents can be spent on something more productive.
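The two automated controls just described, a three-way match and a journal entry approval workflow, can be expressed as a few rules over the underlying records. The block below is an added illustration of those rules in plain Python; it is not SAP or Oracle configuration and not code from the original talk. The record layouts, the 2% price tolerance, the $10,000 approval threshold and the approver authority table are all assumed values chosen for the example; in an ERP the same logic lives in tolerance groups and release strategies rather than in code like this.

```python
"""Two automated financial controls, written out as rules (added illustration).

Assumptions (not from the original talk): record layouts below, a 2% unit price
tolerance, a $10,000 journal entry approval threshold, and a constructed
approver authority table keyed by user id.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    quantity: int
    unit_price: Decimal


@dataclass(frozen=True)
class Receipt:
    po_number: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    po_number: str
    vendor: str
    quantity_billed: int
    unit_price: Decimal


PRICE_TOLERANCE = Decimal("0.02")  # assumed: 2% price variance before an exception is raised


def three_way_match(po: PurchaseOrder, receipt: Receipt, invoice: Invoice) -> List[str]:
    """Return the list of exception reasons; an empty list means the invoice may be paid.

    Every exception must be approved by someone before payment, which is the
    manual step that remains after the match itself is automated.
    """
    exceptions = []
    if invoice.po_number != po.po_number or receipt.po_number != po.po_number:
        exceptions.append("PO number mismatch between documents")
    if invoice.vendor != po.vendor:
        exceptions.append("invoice vendor differs from PO vendor")
    if invoice.quantity_billed > receipt.quantity_received:
        exceptions.append("billed quantity exceeds received quantity")
    if invoice.quantity_billed > po.quantity:
        exceptions.append("billed quantity exceeds ordered quantity")
    # A zero PO price cannot be compared proportionally; treat it as an exception.
    if po.unit_price == 0 or abs(invoice.unit_price - po.unit_price) / po.unit_price > PRICE_TOLERANCE:
        exceptions.append("unit price outside tolerance")
    return exceptions


@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    amount: Decimal
    preparer: str
    approver: Optional[str]  # None when nobody has approved the entry yet


APPROVAL_THRESHOLD = Decimal("10000")  # assumed: entries at or above this need approval
# Constructed authority matrix: user id -> maximum amount that user may approve.
APPROVAL_AUTHORITY: Dict[str, Decimal] = {
    "alice": Decimal("50000"),
    "bob": Decimal("1000000"),
}


def journal_entry_release_allowed(je: JournalEntry,
                                  authority: Dict[str, Decimal] = APPROVAL_AUTHORITY) -> Tuple[bool, str]:
    """Decide whether the entry can post, enforcing threshold, segregation of duties and authority limits."""
    if je.amount < APPROVAL_THRESHOLD:
        return True, "below approval threshold"
    if je.approver is None:
        return False, "approval required but missing"
    if je.approver == je.preparer:
        return False, "preparer cannot approve own entry"
    limit = authority.get(je.approver)
    if limit is None:
        return False, "approver not in authority matrix"
    if je.amount > limit:
        return False, "amount exceeds approver's authority"
    return True, "approved within authority"


if __name__ == "__main__":
    po = PurchaseOrder("PO-1001", "Acme Supply", 10, Decimal("100.00"))
    print(three_way_match(po, Receipt("PO-1001", 10),
                          Invoice("INV-7", "PO-1001", "Acme Supply", 12, Decimal("110.00"))))
    print(journal_entry_release_allowed(JournalEntry("JE-42", Decimal("25000"), "carol", "alice")))
```

The tester's job then shrinks to verifying that the tolerance, threshold and authority table are configured as intended and that nobody can bypass the rules, rather than re-performing the match on a sample of paper documents.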



It’s natural for the status quo to be more powerful than change; for the crew to hoist the main sail the way they always have. But as companies remain extremely cost conscious, and especially in this unpredictable economy, it’s possible and high time, to leverage built-in automation functionality.



In addition, it’s possible to leverage the SOX infrastructure even further.



Some companies are effectively using the SOX infrastructure to address other compliance requirements specific to their industry, in government contracting with the Defense Contract Audit Agency, for example; in the retail industry to secure personally identifiable or credit card information (CFR 11, PCI); in the pharmaceutical industry to comply with Food and Drug Administration requirements, and for energy utilities to comply with North American Electric Reliability Corporation requirements.



There is also the possibility to drive greater shareholder value by using the SOX infrastructure to assess the effectiveness of revenue generating activities and cost-cutting measures, including reducing the overall effective tax rate.



Okay, so not only have the original men in the Spanish Prisoner story discovered, somewhere in the middle of the Atlantic Ocean, that they’re victims of a con, they’ve also had to endure a lot of SOX talk in the Captain’s conference room. But the ship eventually lands in Gibraltar and the men make their way north to Madrid. James, the ne’er-do-well narrator, has devised a scheme to con those who have already been conned, a second time. He convinces them to let him hold what’s left of their money, that he will find the original con man and make everything right. He enlists Pip, “a wizened old fellow,” as a co-conspirator in his scheme.



But Pip is one crafty fellow. When they get to Madrid, Pip tells James that he knows where the con man, the Spanish prisoner, is. He leads him in the dark of night through narrow, twisting alleys. Then suddenly, a gang attacks James, ties him up and steals the last of the men’s money. And with a wicked smile, Pip introduces himself as the Spanish millionaire who was never a millionaire and never in prison at all.



So, when it comes to rationalizing SOX, it’s better to realize that you’re not in prison, either, that you have options that can preserve your company’s money. These include taking advantage of the changes in AS5 to make your external auditors more efficient, implementing a top down risk based scoping approach, and implementing the built-in automation capabilities of systems whenever feasible. Thank you.

“Insecure Perceptions”

Originally published in the SDBJ March 30, 2002



Sadly, our country had to experience the events of September 11, 2001 (9/11) in order to take seriously all the threats to our country’s security. Our former complacency may have been rooted in the vast oceans separating us from nations associated with terrorism, as well as the fact that no other attack of this magnitude had been executed successfully in the U.S. before 9/11. Whatever the reason, the perception that we are immune to attack has been replaced by pragmatic action to prevent the next attack.

We have begun the process of fencing in our water reservoirs, installing the National Guard in our airports, and increasing restrictions on foreign visitors. Money spent on these activities is perceived as an investment in current and future security rather than an unnecessary waste of resources. Indeed, what is spent on bolstering our country’s security is perceived as a means to protect our way of life.

Must similar catastrophic events take place before organizations take network security just as seriously? Perhaps. One only needs a few minutes researching the Internet to identify attacks (“hacks”) on organizations that have compromised company and customer data. Despite this evidence, most small to mid-size organizations still perceive money spent on network security as a cost, rather than a means to protect company data, competitive advantage, and customer privacy over the long term.

Those involved with computer systems are aware of the risk and understand what needs to be done to protect informational assets. These people include IT Administrators, MIS Directors, CIOs and other “Network Guys” who build, maintain, and support an organization’s systems. Short of an event like 9/11, what can be done to get an organization’s decision makers to invest in network security?

No amount of 9/11 events can change a decision maker’s mindset when it comes to implementing strong network security in order to protect information assets. An organization’s decision maker perceives security as either an expense or investment. Indeed, the reasons why decision makers perceive security differently warrant further analysis outside the scope of this article.

To clarify, the three major actors in network security are as follows:

• Network Guys – those who build, maintain and support systems

• Insiders (good or bad) – those with authorized access to systems who may or may not be able to penetrate systems

• Outsiders (good or bad) – those without authorized access to systems who penetrate systems

Organizations can turn to Outsiders for independent assistance in identifying the network security risks at their organization. These Outsiders include boutique security firms, “white-hat” hackers, systems auditors, and rogue contractors. These Outsiders exploit commonly known vulnerabilities, exposing the organization’s network security weaknesses to the IT Administrator. These exposures form components of a business case for strong network security in organizations. The appeal of using an outsider to exploit weaknesses lies in their ability to recommend solutions with little influence from a software or hardware vendor.

The result is like witnessing a disaster inside an organization without dealing with the associated disastrous consequences. After careful review of the business case, many decision makers view spending money on network security as an investment with a positive Return On Investment (“ROI”), instead of as an expense.

Given this, what can be done?

5-Minute Case Study

If you are reading this in your office, you probably have a network jack somewhere near your computer. This network jack connects you to your organization’s information resources. Imagine how many unmonitored network jacks exist in your company. Is this a risk? Yes.

Footprinting/Scanning

Our team of “Outsiders” was recently engaged to help an IT Administrator build a business case for strong network security. We began by connecting a laptop PC to a network jack. Once connected, we obtained a network address (IP address) from the organization’s server and reviewed the network subnet information assigned to our computer. The subnet information was then used to guide a port scanner in scanning the entire subnet for computers.

Enumeration

The nature of the network’s broadcast protocols allowed us to quickly identify every computer on the subnet. The scan identified open ports, user accounts, file and printer shares, network interfaces, and security alerts. While company networks facilitate the sharing of files and services, the nature of this sharing presents a risk.

Gaining Access

We then selected the computer with the most user accounts. Using native operating system tools, we established a [null] session with this computer and proceeded to use another freely available tool to extract the userIDs and their associated network access permissions. Knowledge of userIDs alone does not make a computer vulnerable. However, most organizations fail to force their employees to change their passwords periodically or select strong passwords. Even today, many users select passwords that are easy to remember (i.e., user’s name, user’s girlfriend’s name, user’s pet’s name), and, therefore, easy for someone else to guess.

We then sorted the userIDs according to privilege and focused on userIDs with administrative privileges. Of the five userIDs with administrative privileges, one userID had a password equal to the userID. From this discovery, we mapped a logical drive to the computer and proceeded to locate the computer’s “sam” file stored in a commonly known location. [The sam file contains the computer’s userIDs and passwords in encrypted form.] Using another tool from the Internet (l0phtcrack), we decrypted 78 percent of the passwords in 30 minutes.

This exercise provided us with administrative access to the computer, which happened to be the organization’s primary user account server. This was accomplished within 5 minutes of plugging into the network. Admittedly, the security guards at the front entrance provide some protection against someone walking in and doing this without your permission; however, this does not address those with daily physical access (i.e., people with badges) to network jacks. These people include disgruntled employees, curious employees, contractors, consultants, and auditors who have plugged their PCs into your network.
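The enumeration step in the case study started with an anonymous (“null”) session to the account server, and that step leaves a trace a defender can look for: a successful network logon by the ANONYMOUS LOGON account. The block below is an added detection example, not tooling from the original article. It assumes a constructed, pipe-delimited export of Windows Security logon events (event ID 4624 for a successful logon, logon type 3 for a network logon, and the account name “ANONYMOUS LOGON” are the real Windows values; the records and the allow-list of known anonymous sources are made up for the example).

```python
"""Flag anonymous (null-session) network logons in Windows Security audit records.

Added detection example, not from the original article. Assumes a constructed
export with the fields timestamp|event_id|logon_type|account|domain|source_ip|computer.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed sample export. Event 4624 = successful logon, logon type 3 = network.
SAMPLE_EXPORT = """\
2002-03-01T09:02:11|4624|3|ANONYMOUS LOGON|NT AUTHORITY|10.0.5.23|DC01
2002-03-01T09:02:14|4624|3|jsmith|CORP|10.0.5.40|DC01
2002-03-01T09:02:19|4624|3|ANONYMOUS LOGON|NT AUTHORITY|10.0.5.23|FS01
2002-03-01T09:03:02|4624|2|jsmith|CORP|-|WS07
2002-03-01T09:03:40|4625|3|administrator|CORP|10.0.5.23|DC01
2002-03-01T09:04:05|4624|3|ANONYMOUS LOGON|NT AUTHORITY|10.0.9.8|PRINT01
"""

# Assumed allow-list: hosts (e.g. legacy print devices) known to make anonymous
# SMB connections, so they do not drown the alert in noise.
KNOWN_ANONYMOUS_SOURCES: Set[str] = {"10.0.9.8"}


@dataclass(frozen=True)
class LogonEvent:
    timestamp: str
    event_id: int
    logon_type: int
    account: str
    domain: str
    source_ip: str
    computer: str


def parse_export(text: str) -> List[LogonEvent]:
    """Parse the pipe-delimited export, skipping blank, commented and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 7:
            continue  # a bad line should not crash the detector
        ts, eid, ltype, account, domain, src, computer = fields
        events.append(LogonEvent(ts, int(eid), int(ltype), account, domain, src, computer))
    return events


def is_anonymous_network_logon(ev: LogonEvent) -> bool:
    """True for a successful network logon by the ANONYMOUS LOGON account."""
    return (ev.event_id == 4624 and ev.logon_type == 3
            and ev.account.upper() == "ANONYMOUS LOGON")


def anonymous_logons(events: Iterable[LogonEvent],
                     allow_list: Set[str] = KNOWN_ANONYMOUS_SOURCES) -> List[LogonEvent]:
    """Anonymous network logons from sources that are not on the allow-list."""
    return [ev for ev in events
            if is_anonymous_network_logon(ev) and ev.source_ip not in allow_list]


def sources_touching_multiple_hosts(events: Iterable[LogonEvent], min_hosts: int = 2) -> List[str]:
    """Source IPs whose anonymous logons reached at least min_hosts distinct computers.

    One anonymous connection can be an accident; the same source walking across
    several hosts in minutes is the enumeration pattern described in the case study.
    """
    hosts_by_source: Dict[str, Set[str]] = {}
    for ev in anonymous_logons(events):
        hosts_by_source.setdefault(ev.source_ip, set()).add(ev.computer)
    return sorted(src for src, hosts in hosts_by_source.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    for ev in anonymous_logons(evs):
        print(f"{ev.timestamp} anonymous network logon to {ev.computer} from {ev.source_ip}")
    print("sources sweeping multiple hosts:", sources_touching_multiple_hosts(evs))
```

Restricting anonymous enumeration in the operating system's security policy removes the condition entirely; the detection above is the compensating check for machines where that setting has not been applied or has been reverted.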

So What?

So, what is wrong with someone else knowing your password? Indeed, password sharing has been prevalent since the birth of mainframes. Today, however, most organizations store sensitive financial, payroll, operations, inventory, customer, and marketing data in computers running operating systems that are not securely configured or monitored for security violations and fraudulent activity. Unfortunately, the user’s network password is often the only protection an organization has over the applications where sensitive transactions take place. Most small to mid-size organizations continue to perceive computer security as an expense, rather than an investment with a sizable ROI.

Due to insufficient resources, most organizations lack strong internal controls to thwart exploitation of simple, commonly known vulnerabilities. Large organizations usually dedicate entire departments to the enforcement of network security. Some of these organizations come equipped with Security Officers who focus their time on safeguarding the organization’s information assets. Far too often, however, small to mid-size organizations fail to dedicate resources to security and suffer painful consequences, including the destruction of data.

In the case study above, we were in a position to execute violent acts against the organization’s network in less than 30 minutes with no prior knowledge of the organization’s network. These acts could have included compromising sensitive data, deleting and/or modifying audit logs, and creating “back doors” for future access. Our ability to exploit an organization’s primary account server quickly allowed the IT Administrator to demonstrate to the organization’s CFO that strong network security should be implemented immediately.

How?

Many IT Administrators lose sleep over what could happen if determined individuals with regular access to the network were to compromise information resources. IT Administrators understand the multitude of vulnerabilities discovered daily.

Our “Outsiders” use native operating system and freely available Internet tools to quickly identify vulnerabilities in company networks. Vulnerability identification can be used to:

• Build the business case for implementing strong network security

• Reduce the risk of visitors, disgruntled or curious employees, competitors, or contractors compromising sensitive data

• Raise security awareness within the organization

• Protect company and customer data from commonly known network vulnerabilities

Why?

The door may be wide open for determined Insiders desiring to obtain sensitive company data. Commonly known vulnerabilities, combined with default computer configurations, are what make it easy for Insiders to violate company security. Most companies do not have the resources to securely configure computers, leaving them exposed to the abuse of people inside an organization who are curious, who are acting in malice, or who are committed to espionage.

When was the last time you assessed the security of your network?

Friday, November 12, 2010

How to double revenues with half the effort

Let’s revisit the fact pattern found at public companies with a market cap >$75M:

• Top down, risk based approaches to SOX compliance free time to monitor the effective operation of those controls that prevent/detect material weaknesses over financial reporting.

• SOX control activity counts are declining.

• SOX requires the adoption of a framework (e.g. COSO).

• COSO requires the monitoring of control activities impacting financial reporting.



Sadly, monitoring sales activities isn’t required by SOX.



The benefits of monitoring sales activities include:

• Early identification of sales best practices worthy of replication

• Ability to identify/reward the 20% of the sales force producing 80% of the results

• Ability to identify the bottom 20% of the sales force in need of training

• Alerting management to training needed by the sales force



How closely should sales activities be monitored? In SOX, control deviations should occur less than 5% of the time. Contrast this with most sales monitoring mechanisms and you find inconsistent (ineffective) operation of the behaviors that lead to sales (antecedents). The best sales monitoring I’ve seen includes daily/weekly monitoring of the antecedents to revenue growth.



Antecedents defined: those activities (meetings held, calls made, accounts opened) that result in increased revenue. Antecedents for products/services with longer sales cycles generally include counting the number of interactions held with the prospect and posting it for all to see (7 meetings are needed to make pursue/don’t pursue decisions).



Like COSO, effective operation of any activity is enhanced by training and monitoring. In sales vernacular, this means coaching and reporting. Let’s revisit these concepts.



COACHING:

• Coaches push the sales force to sell.

• Coaches solicit common objections originating from accounts and prospects around why they don’t need or want a given service.

• Coaches are aware of service offerings, what is selling and how these are sold in the marketplace.

• A coach’s role includes:

o Understanding how the sales force approaches the marketplace

o Collecting objections provided by prospects and current customers

o Showing how to overcome objections

o Holding a series of focused, targeted calls with the sales force assigned to all program accounts and pre-identified prospects on a weekly/bi-weekly basis.

• The coaches drive monthly or bi-monthly sales campaigns to gauge how program accounts and prospects respond to a new service offering by region. Coaches identify program accounts and prospects that match defined success criteria and discuss how to introduce new services.

• Coaches hold the sales force accountable for bringing ideas to program accounts and prospects by following up with individual sales people. They ask questions around 1) why a given offering is not relevant at the program account or prospect and 2) why the offering is not getting sold?



REPORTING:

• Daily or weekly reports are sent comparing the aforementioned antecedents. Voicemails to the sales force recognize and name successful sellers. The individual/regional reports include:

o # of meetings held with individuals at program accounts and prospects for a given product/service

o $ revenue generated

• Results are published regionally / nationally on a weekly basis via voicemails by Leadership to link sales metrics to an individual

• Winning individuals or geographies receive special recognition on a quarterly/annual basis (e.g., dinner with President in NY)



Questions & Actions

1. Has your company redirected the effort spent monitoring control activities over financial reporting to monitoring the behaviors of your sales force?

2. Do you have a tactical plan to actively monitor the identification, pursuit and closure of sales opportunities?

3. How frequently does Leadership assess the success of its sales force? Specifically, the success of expanding services to those accounts that produce more than 80% of the company’s revenue?

4. What mechanism exists to identify and replicate the behaviors of successful sellers?

5. Do you know which techniques are most successful in closing deals?

6. Do you know the common objections to selling your product/service?

7. Do you brainstorm ways to overcome objections?

8. Do you rehearse these?

Thursday, August 12, 2010

Left Brain Right Brain

Why do we find comfort double teaming audit work and single teaming sales calls?

People that love math get a sense of achievement when they solve problems and get the right answer. The certitude, the exactness, and the feeling of being right bring subsequent benefits when the math student learns how accurate he was.

Taking this to the SOX/Sales realm, the act of testing controls provides a similar sense of achievement, the sense of getting the right answer. Understanding this motivating force leads us to blog entry #3.

The problem is that some companies still test more controls than they are required to test under 404 requirements. With AS5, external auditors no longer render opinions on the adequacy of management’s testing. Instead, they render an opinion on whether controls that prevent/detect a material weakness are designed and operating effectively; however, legacy AS2 efforts are difficult to tear down unless other activities are defined for the control testers. Overcoming the motivation to test and retest the same control is difficult when the current year procedure is “how we did it last year”: a gratifying sense of achievement awaits the tester because no alternate activity has been defined.

SAS65 and AS5 describe the situations in which the work of others may be relied upon; the scenario where we don’t have to doubly test a control activity. The SEC 404 Guidance for Management describes how the amount of evidence to support Management’s 404 assertions may vary, in some cases evidence can be obtained simply by walking around.

In testing SOX controls, the best practice is to maximally rely on the work of others unless there exists a specific risk or qualitative/quantitative factor of concern. In short: single team the audit.

Salespeople hunting prospects (potential customers matching the profile of your best customers) get no sense of achievement like the smart math student. Because most prospects don’t buy when asked the first time, there is a great tendency for sales professionals to hunt prospects alone. Being rejected or receiving a “no” answer is so much easier when one is by himself.

Despite lower sales success rates, humans tend to hunt their sales prospects alone.

Selling products/services by more than one person is a best practice. Double teaming communicates the benefits and the “asks” better than single teaming. Every time.

Bank tellers double team instinctively because banks are designed with a counter full of bankers working side by side. The double teamers outsell the lone rangers by wide margins.

In selling, the best practice is to double team every sale unless the salesperson is simply responding to a customer request for the product/service. In short: double team the sale.

Questions & Actions:

Can the amount of controls testing work relied upon by your auditor be increased? Review SAS65, AS5 and the SEC Guidance for Management to identify the opportunities to reduce the amount of double auditing taking place over your 404 controls.

Does your sales force double team every prospect? Double teaming ensures the benefits are completely described to a prospect and ensures younger professionals see how it’s done all while maximizing revenue growth.

Thursday, August 5, 2010

Count What Matters

On my 6 mile run this morning I was reminded again of the notion that “what gets measured gets managed” – Peter Drucker. If I don’t count the specific behavior that leads to a desired result then I don’t understand said activity.




The same is true for testing SOX controls and selling products/services.



For example, the operational frequency of a control activity determines the number of samples selected for testing. If a control occurs many times a day then the test sample size is 25 selections; if it happens daily then the sample size is 15 selections; and so on.



To play on Drucker, measuring the frequency of an activity is necessary to manage the level of effort spent testing operating effectiveness.



When selling products/services is the activity, I understand and count the antecedent to selling. If I’m not counting antecedents to a sale, then I’m not closing any deals. In my world, the antecedent to a sale is directly or indirectly asking a prospect (potential clients who match the profile of my best customers) for the business.



Pareto’s 80/20 rule guides me. 20% or fewer of the control activities contribute the most assurance to preventing 80% of the causes of a material weakness. 20% of my prospects generate 80% of my sales.



Generally, business processes with large numbers of control activities are candidates for finding time to redeploy against sales efforts. Processes like payroll (with a lower risk of material misstatement) offer the best opportunities for reducing the number of controls and redeploying related effort elsewhere – to activities like spending time asking for the business.



Questions & Actions:

1. When was the last time you counted the number of control activities in the processes impacting financial reporting? The control activity count may be higher than you think. Look for activities that can be eliminated from your population of controls to reduce the time spent testing them.

2. How frequently do you ask for the sale in a meeting or during eminence building activities? An old friend of mine said that a qualified prospect needs to say “no” 7 times before they are no longer a prospect. Identify your prospects that haven’t said “no” 7 times and ask for the business, again.

Monday, August 2, 2010

The Holy Grail: Leverage your SOX skills to save money and drive sales

This blog is most likely not for you.  I think there are only about 1000 people that want to reduce the costs of Sarbanes-Oxley requirements while simultaneously redirecting internal talent to projects that drive shareholder value by increasing sales. 

In my experience, a few of the obstacles include: 
  1. fear of doing things that might cost a person his job;
  2. uncertainty with focusing on debatable activities that drive shareholder value; and
  3. inexperience with practicing how to get out of one's comfort zone. 
A few questions to consider:
  1. Why can't the skills obtained through the course of preparing for SOX be used to drive sales?
  2. Where are the allowable "loopholes" in the regulations that allow for a company to implement internal controls over financial reporting in the most efficient way possible?
  3. How to motivate those charged with SOX to read the guidance as passionately as someone might read religious literature [or the last thing you read with intense interest]?
In this blog I will identify ways a company can overcome the fears of wasting its blood and treasure and not optimizing the relationship it has with its customers.  To overcome these fears, I will discuss topics to help 1) save time with SOX compliance and 2) redirect this [free] time to activities that drive sales.  See post #2 and beyond!

Please use your personal name or initials and not your business name and do not put your website in the comment text as both will come off like spam.  Have fun and thanks for adding to the conversation!