Monday, November 25, 2013

What's Slovenia got to do with it?

 
Stereotyping people from other countries is one of those things for which I'm guilty and hence, trying to overcome. Sometimes, however, I have no preconceived notions about people from certain places because, well, I just haven't been exposed to them through the natural course of living and working in Europe.
 
Sharon (not her real name) from Slovenia gave me the following answer when I asked her to tell me how she got herself out of her comfort zone and out of her country.

Enter Sharon:
 
What drives me out of my comfort zone? Pure hunger, passion and vision!
If you want to set a goal like learning [as a Slovenian at least two!] two foreign languages »fluently«, to master them, you need to put in those extra hours and that extra effort, to show respect to those languages and their cultures.
One of the key challenges which we Slovenians, and especially the young generation, need to address is their [our] appetite for excellence [to really master something].
As W. Smith put it: »hours and hours beating on your craft«. Here I want to give the example of Maestro, a top world-wide winning Slovenian dance team. [https://t.co/ue8oro7ekt]. [By the way, they are currently going big in California!] Why are they where they are? Because those guys are working on every move, over and over again, polishing it to perfection. And another key message is: team work.
My experience with leaving Slovenia, for yet another completely different language, much further out of my comfort zone than English, has taught me that the only power is in generosity. Being generous especially with sharing knowledge, experience and good energy, furthermore openness to the new and unknown, team work, creating high performing teams. It is all about helping people to achieve their highest potential.
I truly have a vision that we can build a better Slovenia, a better world, if we try to understand the needs beyond borders [our own borders and country borders] and maybe try to address those [their] needs.
If we understand other cultures, not in a way of putting ourselves down and saying how they do it better and how that is not possible in Slovenia. Because it is. The key is to look abroad, learn how to do it better and bring it back home. And I know we can do it. We can build a better future.
Think of working smarter, beyond that »hamster« hard-working wheel [Slovenians are recognized abroad as honest, dedicated, hard-working employees], beyond borders.
And if you really want to achieve something greater, have balance, happiness in your life, you have to “heart it”. Put your heart into whatever you do. I had a vision. And I am living my vision now, overlooking from my corner office on the 15th floor, seeing the whole beautiful city and the river which takes me back where I belong, to the Adria. Adria is where my heart is. Never forgetting where we came from. And as hungry as I am, I am working on my new vision, new goals and new borders to cross.
It is hard work every day. To get yourself out of your comfort zone and do the best you can. That is my challenge every day.
 


Wednesday, October 5, 2011

Austrian in California

If Arnold Schwarzenegger can do it then so can one Martin Pfleger. Mr. Pfleger hails from Austria and now lives in San Francisco. While I'm here on a 3-year secondment with Deloitte, Martin was kind enough to provide me with advice and counsel on how to better work with the locals here, and he does a nice job answering the question: What motivates an Austrian to trade Vienna for San Francisco? Can this "bet the farm" approach be taught to other Austrians?

Enter Martin Pfleger:


Hello Jason,


Before I tell you what motivates me, why I am as I am and what I recommend you to do/try, I want to introduce you a bit to the Austrian mentality because I think it will help you understand many things when you see them.

First, I think in general Austrians are very conservative people. We don’t like big changes and we don’t like unexpected incidents. In other words, we don’t like to go outside of our comfort zone. A good example would be that Austria has the lowest mobility rate in the EU. The attitude of many people is still that they finish school, maybe college, and then try to find a job at a nice established company and ideally work there, in the same city, their entire life.

I think a big reason for that is the Austrian system overall. There are no incentives to work harder or more. About 2 years ago I read an amazing article in “Die Presse” (one of the quality newspapers in Austria). They came up with a statistic that compared the income of two families – each consisting of the parents and two children. One family earned I think about 2500 Euros, the other one a bit more than 4000 Euros a month. After all the social benefits were included both families had about the same income!

Also, if you do work harder and earn more than the average person then people usually get jealous and ask how he/she can earn more than they do. Most Austrians also don’t understand why managers at companies earn a multiple of the regular workforce.

Furthermore, Austrians know that they live in one of the most beautiful and richest countries in the world. Because of the vast social system people basically have no worries. Everyone is insured and if you lose your job the government will take care of you. There are actually people that don’t work because they get higher unemployment payment than they would earn if they worked.

We are also very skeptical, pessimistic and risk averse people. This explains the low mobility rate and the “we don’t like unexpected incidents” mentality. That’s also why almost no Austrian would pack his or her belongings and move somewhere else in the world.

I hope this little insight helps you understand some behavior.

Why am I not like this typical Austrian I just described?

I think I am more curious about things and other people/cultures than most other people in Austria. I’m also very optimistic and believe that I can accomplish whatever I want. When I was 16 my Dad sent me to relatives in Colorado where I spent my summer vacation. My English at that time wasn’t very good and I had never done anything like this before. I was a little scared, to be honest, and definitely went outside of my comfort zone. But those 6 to 7 weeks were so amazing and I learnt a lot. Since that time I think I constantly want to explore new things and I try to constantly get outside of my comfort zone. I constantly want to learn new things, make new experiences and face new challenges.

What motivates me?

I want to prove myself. I set myself goals and want to accomplish them. So far it has worked out quite well. I always wanted to study in the United States which I first did when I did my exchange semester in St. Louis, Missouri. I also wanted to learn more about South America and improve my Spanish which I did in Mexico (although Mexico is still part of North America, I know). I also knew that I didn’t want to do my master’s degree in Austria and get taught in English by Austrians. So I went to San Francisco to study there. This might sound kind of easy but it wasn’t due to the explained Austrian mentality of my family as well as for financial reasons. My current challenge/goal is to find employment here in California and stay here at least for some time. For me it’s like if I don’t go outside of my comfort zone regularly I feel like I’m standing still and I’m not improving as an individual.

Recommendations:

OK, this is by far the toughest part because I have tried to change my family’s and friends’ mentality but haven’t come up with a magic formula. I think you have to try to get them somehow outside of their comfort zone. A great way is a change of environment – international exposure. It really had an impact on me and I just love it. I know it’s very tough to do that. Maybe a good starting point would be to somehow get them to know or work with some international people. This might be a way to develop curiosity for other people and cultures and lead them to do things they usually wouldn’t do.

Otherwise I can only think of some kind of incentives.

I think it is important to show them the objective of your changes. If they don’t see a reason or benefit they won’t do it. Most people are kind of stubborn. Whatever you do you should be careful though. As I said, we don’t like change. Austrians are resistant to change. The mentality is: why should you change something if everything works fine the way it is? Especially if a foreigner tries to initiate change they will think: “this guy tries to do things like they do in America, but we are here in Austria and this is not what we do or how we do it.” So they will expect that you adapt to them and if you try to change things you might face some intended obstacles from other employees.

I hope my thoughts help you a bit. If you have any further questions feel free to send me an e-mail or give me a call! In the meantime I will think of other recommendations that might help.

All the best and good luck with everything!

Martin

Thursday, December 23, 2010

SOX Rationalization – What is taking place

Originally presented to FEI – November 19, 2009


**

Good afternoon. For the next 10 minutes or so we’re going to talk about three efficiency levers included in Audit Standard 5, or AS5, that can result in less effort and significant savings in SOX compliance.


To do this, we’ll visit a prison and a conference room. Given the length of some meetings, you might say they are one and the same. In this case, they aren’t. In fact, we’d tell you that the prison is a myth but that would be a scene spoiler. Instead, let’s just say we’ll use it to frame the conversation.



In 1910, Cosmopolitan magazine published a short story titled “The Spanish Prisoner.” It’s about a clever confidence game. Several men, including a brewer, a poet, and two farmers are conned into believing that if they send money to secure the release of a Spanish millionaire imprisoned in a Madrid dungeon, they’ll earn a large reward and the hand of the prisoner’s beautiful daughter. At every turn, the men are asked to pay more and more money, which they do, believing they will get the reward and marry the daughter.



We wonder if in your efforts to comply with SOX this might sound familiar, in that you’re always paying more based on a promise, but have yet to see results for the added expense.



Now, the men involved in the Spanish Prisoner scam are strangers until they meet on board a ship bound for Madrid and discover they are all traveling for the same reason.



Imagine for a moment that you, modern day financial officers, are on that ship, too. While they are thinking of riches and the beautiful daughter, you are thinking about how it seems that spending more and more money is the only way to assure SOX compliance. There is an endless need for new technology, processes and people.


Yet, you also know that since the passage of SOX the few companies reporting material weaknesses have not experienced a significant negative impact to their value which suggests that the benefits of this early warning mechanism have not been as great as anticipated.



And you know that since the PCAOB replaced Audit Standard 2 (AS2) with AS5, only a few companies have achieved permanent savings by taking full advantage of the efficiency levers in AS5.



You’re also familiar with The Pareto Principle, the notion that 20% of the effort yields 80% of the results. And you want to focus on that 20% and ensure that it’s yielding 80%, at least.



Unlike the perpetrator of the Spanish Prisoner scam, we’re not going to ask for money. We’re going to do just the opposite: offer three ideas that can save money and time. And we’ll do this, for the sake of the story, aboard the ship, in the captain’s conference room.



First, we’ll talk about how external auditors can be more efficient by increasing their use of an internal audit department or third party’s work.



Second, we’ll talk about how a company can reduce the number of control activities by implementing a top down, risk based approach.



And finally, we’ll talk about how a company can leverage its IT infrastructure to shorten the financial close process, and also leverage the existing financial application functionality to spend less time testing controls.



USE THE WORK OF OTHERS

So first, we gather the Internal Audit team in the conference room. They are an experienced, sea-hardy team. We discuss how to approach this year’s SOX testing so that the external auditor can rely on IA’s work to the maximum extent possible.



For a normal risk area, like payroll and Information Technology, the team explains that the external auditor still won’t consider leveraging 100% of the Internal Audit work. But as we probe more, we find that this obstacle can be overcome with minimal effort, since AS5 removed restrictions on using the work of others if it can be demonstrated a competent, objective third party did the work.



So, we suggest that the internal audit team ask the external auditors to explain where IA has not demonstrated competence and objectivity. They resist. They say, “Our auditors have increased reliance year over year;” or “We don’t want to antagonize our auditors.” Or, “We test this area to make sure our people are doing their jobs.”



But we know that the AS5 criteria for demonstrating competence and objectivity are easy to achieve, and if achieved, can save money as AS5 intended. It requires two straightforward things: for the tester to prove objectivity by demonstrating that he is not the control activity owner, and prove competence by producing work-papers that meet the PCAOB’s standards. This is the easy part.



The hard part is persuading the IA department to have the uncomfortable conversation with the external auditor and establish how this can be done. Companies avoid that conversation because they conjure nightmares of how the external auditor might respond. Chances are, the nightmare will never occur. More likely, the result will be that the team will understand how the work-papers can be improved to maximize reliance and eliminate testing in areas where the external auditor is placing limited or no reliance on Internal Audit’s work.



TOP DOWN APPROACH

The next topic on the agenda is reviewing the scope of SOX testing procedures. Specifically, we want to look at the control activities the company plans to test. We notice that a large number of control activities outside the realm of financial reporting are included in the SOX scope. Indeed, there are other controls outside the scope that, if the CFO were asked, would be the primary ones she relies on. And because they aren’t included in scope, they’re not the detailed ones that end up getting tested. We remind the company that their procedures need only comply with the SEC guidance and that no testing is required for controls that mitigate the same risk for the same class of transactions, or for non-financial risks.

Again, there’s resistance. We hear, “That’s the way we’ve always done it,” and “The control activity owners would stop performing their control activities if we don’t test them.” And then we ask, “But did the control activity owners not perform the controls before SOX was in place? What’s different now other than the requirement to test?” And what can you do to take the controls the CFO said she relies on and make them robust enough that you don’t need all the detailed ones? Those top down controls are the ones everyone in this room should make sure your team is focused on.



So, we ask about the captain, in this case, you the CFO. Does the CFO know this? Has she approved of this extra effort to test redundant controls? We suggest that she should know; that raising the question to the top is the best method for resolving the dilemma and eliminating unnecessary items from the scope. Have you had this conversation with your SOX team?



AUTOMATED CONTROLS

Having dispatched those two questions, we talk about the final and perhaps most difficult one: the financial close process. Our goal is to find a common language (or common control activities) to overcome the obstacles that make financial reporting systems resemble a confusing “Tower of Babel” because of the different applications, operating systems and networks that are installed across the globe, like a general ledger on Oracle, payroll on PeopleSoft, a mainframe tracking revenue and Equity Edge tracking stock options.



The company wants to close its books more quickly and with fewer errors, but the jumble of systems makes it very hard. We ask about the plan to consolidate systems. There isn’t one. We ask, “Why?” We hear the resistance again: “It’s the way we’ve always done it;” or, “Consolidation isn’t a priority right now.”



And consolidation is hard, but we press on and ask about the percentage of automated controls in the SOX population. The answer is generally somewhere between 2 and 15%.



Which brings us to the “Aha!” moment: the company spends millions of dollars on multiple financial applications yet relies on manual controls 85% of the time, or more, to get its financials right.



So we settle down and give some examples of automated controls.



First, there is testing a three-way match. ERPs like SAP and Oracle can be configured properly for automated three-way match. When this automation is correctly done, companies can expedite SOX testing in manually intensive functions like Accounts Payable. Testers do not have to pull a sample of receiving, invoice, and PO documents and ensure payment rules were followed and exceptions approved. They only have to test configuration and, due to the automated controls, can bypass intensive document sampling. This frees up staff resources, saving time and money.



A second automation option is testing approval workflows for journal entries. When configurations for proper approval workflows are established and effective in ERPs like SAP and Oracle, the manual verification and approval process for specific journal entries, like those that exceed a certain dollar amount, can be automated. No more manual identification of those entries via transaction reports. No more finding samples and testing paper copies of journal entries for handwritten approvals against approval authorities. The time and money that used to be spent reviewing those documents can be spent on something more productive.



It’s natural for the status quo to be more powerful than change; for the crew to hoist the main sail the way they always have. But as companies remain extremely cost conscious, especially in this unpredictable economy, it’s possible, and high time, to leverage built-in automation functionality.



In addition, it’s possible to leverage the SOX infrastructure even further.



Some companies are effectively using the SOX infrastructure to address other compliance requirements specific to their industry, in government contracting with the Defense Contract Audit Agency, for example; in the retail industry to secure personally identifiable or credit card information (CFR 11, PCI); in the pharmaceutical industry to comply with Food and Drug Administration requirements, and for energy utilities to comply with North American Electric Reliability Corporation requirements.



There is also the possibility to drive greater shareholder value by using the SOX infrastructure to assess the effectiveness of revenue generating activities and cost-cutting measures, including reducing the overall effective tax rate.



Okay, so not only have the original men in the Spanish Prisoner story discovered, somewhere in the middle of the Atlantic Ocean, that they’re victims of a con, they’ve also had to endure a lot of SOX talk in the Captain’s conference room. But the ship eventually lands in Gibraltar and the men make their way north to Madrid. James, the ne’er-do-well narrator, has devised a scheme to con, a second time, those who have already been conned. He convinces them to let him hold what’s left of their money, promising that he will find the original con man and make everything right. He enlists Pip, “a wizened old fellow,” as a co-conspirator in his scheme.



But Pip is one crafty fellow. When they get to Madrid, Pip tells James that he knows where the con man, the Spanish prisoner, is. He leads him in the dark of night through narrow, twisting alleys. Then suddenly, a gang attacks James, ties him up and steals the last of the men’s money. And with a wicked smile, Pip introduces himself as the Spanish millionaire who was never a millionaire and never in prison at all.



So, when it comes to rationalizing SOX, it’s better to realize that you’re not in prison, either, that you have options that can preserve your company’s money. These include taking advantage of the changes in AS5 to make your external auditors more efficient, implementing a top down risk based scoping approach, and implementing the built-in automation capabilities of systems whenever feasible. Thank you.

“Insecure Perceptions”

Originally published in the SDBJ March 30, 2002


**

Sadly, our country had to experience the events of September 11, 2001 (9/11) in order to take seriously all the threats to our country’s security. Our former complacency may have been rooted in the vast oceans separating us from nations associated with terrorism, as well as the fact that no other attack of this magnitude had been executed successfully in the U.S. before 9/11. Whatever the reason, the perception that we are immune to attack has been replaced by pragmatic action to prevent the next attack.

We have begun the process of fencing in our water reservoirs, installing the National Guard in our airports, and increasing restrictions on foreign visitors. Money spent on these activities is perceived as an investment in current and future security rather than an unnecessary waste of resources. Indeed, what is spent on bolstering our country’s security is perceived as a means to protect our way of life.

Must similar catastrophic events take place before organizations take network security just as seriously? Perhaps. One only needs a few minutes researching the Internet to identify attacks (“hacks”) on organizations that have compromised company and customer data. Despite this evidence, most small to mid-size organizations still perceive money spent on network security as a cost, rather than a means to protect company data, competitive advantage, and customer privacy over the long term.

Those involved with computer systems are aware of the risk and understand what needs to be done to protect informational assets. These people include IT Administrators, MIS Directors, CIOs and other “Network Guys” who build, maintain, and support an organization’s systems. Short of an event like 9/11, what can be done to get an organization’s decision makers to invest in network security?

No amount of 9/11 events can change a decision maker’s mindset when it comes to implementing strong network security in order to protect information assets. An organization’s decision maker perceives security as either an expense or investment. Indeed, the reasons why decision makers perceive security differently warrant further analysis outside the scope of this article.

To clarify, the three major actors in network security are as follows:

• Network Guys – those who build, maintain and support systems

• Insiders (good or bad) – those with authorized access to systems who may or may not be able to penetrate systems

• Outsiders (good or bad) – those without authorized access to systems who penetrate systems

Organizations can turn to Outsiders for independent assistance in identifying the network security risks at their organization. These Outsiders include boutique security firms, “white-hat” hackers, systems auditors, and rogue contractors. These Outsiders exploit commonly known vulnerabilities, exposing the organization’s network security weaknesses to the IT Administrator. These exposures form components of a business case for strong network security in organizations. The appeal of using an outsider to exploit weaknesses lies in their ability to recommend solutions with little influence from a software or hardware vendor.

The result is like witnessing a disaster inside an organization without dealing with the associated disastrous consequences. After careful review of the business case, many decision makers view spending money on network security as an investment with a positive Return On Investment (“ROI”), instead of as an expense.

Given this, what can be done?

5-Minute Case Study

If you are reading this in your office, you probably have a network jack somewhere near your computer. This network jack connects you to your organization’s information resources. Imagine how many unmonitored network jacks exist in your company. Is this a risk? Yes.

Footprinting/Scanning

Our team of “Outsiders” was recently engaged to help an IT Administrator build a business case for strong network security. We began by connecting a laptop PC to a network jack. Once connected, we obtained a network address (IP address) from the organization’s server and reviewed the network subnet information assigned to our computer. The subnet information was then used to guide a port scanner in scanning the entire subnet for computers.

Enumeration

The nature of the network’s broadcast protocols allowed us to quickly identify every computer on the subnet. The scan identified open ports, user accounts, file and printer shares, network interfaces, and security alerts. While company networks facilitate the sharing of files and services, the nature of this sharing presents a risk.

Gaining Access

We then selected the computer with the most user accounts. Using native operating system tools, we established a [null] session with this computer and proceeded to use another freely available tool to extract the userIDs and their associated network access permissions. Knowledge of userIDs alone does not make a computer vulnerable. However, most organizations fail to force their employees to change their passwords periodically or select strong passwords. Even today, many users select passwords that are easy to remember (e.g., the user’s name, the user’s girlfriend’s name, the user’s pet’s name), and, therefore, easy for someone else to guess.

We then sorted the userIDs according to privilege and focused on userIDs with administrative privileges. Of the five userIDs with administrative privileges, one userID had a password equal to the userID. From this discovery, we mapped a logical drive to the computer and proceeded to locate the computer’s “SAM” file stored in a commonly known location. [The SAM file contains the computer’s userIDs and their passwords in hashed (encrypted) form.] Using another tool from the Internet (l0phtcrack), we cracked 78 percent of the passwords in 30 minutes.

This exercise provided us with administrative access to the computer, which happened to be the organization’s primary user account server. This was accomplished within 5 minutes of plugging into the network. Admittedly, the security guards at the front entrance provide some protection against someone walking in and doing this without your permission; however, this does not address those with daily physical access (i.e., people with badges) to network jacks. These people include disgruntled employees, curious employees, contractors, consultants, and auditors who have plugged their PCs into your network.
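A check an organization can enforce at password-set time to catch exactly the weaknesses this case study turned up (a password equal to the userID, or built from names that are easy to guess), plus an audit over administrative accounts. This is an added example, not code from the original article; the thresholds, the word list and the sample accounts are constructed for illustration.

```python
"""Password-policy check and admin-account audit.

Added example; not from the original article. All account data, names and
the short word list below are constructed for illustration only.
"""
import re

# Constructed denylist of guessable words; a real deployment would load a
# large wordlist here instead of this handful.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "123456", "admin"}


def _tokens(text):
    """Split a display name such as 'Kavita Patel' into lowercase words
    of three or more characters, so each can be checked against the password."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if len(t) >= 3}


def check_password(user_id, password, display_name="", hints=(), min_length=12):
    """Return a list of policy violations; an empty list means acceptable.

    hints: extra personal words the article calls out as guessable (a partner's
    or pet's name), supplied by the user or an HR record, constructed here.
    """
    pw = password.lower()
    uid = user_id.lower()
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    # The case study's finding: an administrative password equal to the userID.
    if pw == uid:
        problems.append("equals the userID")
    elif uid and (uid in pw or uid[::-1] in pw):
        problems.append("contains the userID (or its reverse)")
    # Names and other personal words are easy for a colleague to guess.
    personal = _tokens(display_name) | {h.lower() for h in hints}
    for word in sorted(personal):
        if word in pw:
            problems.append("contains personal word %r" % word)
    for word in sorted(COMMON_WORDS):
        if word in pw:
            problems.append("contains common word %r" % word)
            break
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
            and re.search(r"[0-9]", password)):
        problems.append("lacks a mix of upper case, lower case and digits")
    return problems


def risky_admins(accounts):
    """Return {user_id: problems} for administrative accounts whose password
    fails policy. accounts: iterable of dicts with keys user_id, password,
    is_admin and optionally display_name."""
    out = {}
    for acct in accounts:
        if not acct.get("is_admin"):
            continue
        problems = check_password(acct["user_id"], acct["password"],
                                  acct.get("display_name", ""))
        if problems:
            out[acct["user_id"]] = problems
    return out


# Constructed sample mirroring the article's five administrative userIDs,
# one of which uses its own userID as the password.
SAMPLE_ACCOUNTS = [
    {"user_id": "backup", "password": "backup", "is_admin": True,
     "display_name": "Backup Service"},
    {"user_id": "dmiller", "password": "Orbit-Quartz-Velvet-83", "is_admin": True,
     "display_name": "Dan Miller"},
    {"user_id": "kpatel", "password": "Harbor-Nickel-Sprout-19", "is_admin": True,
     "display_name": "Kavita Patel"},
    {"user_id": "svc_sql", "password": "Maple-Cobalt-Tundra-56", "is_admin": True,
     "display_name": "SQL Service"},
    {"user_id": "jlee", "password": "Summer2024", "is_admin": False,
     "display_name": "Jen Lee"},
]

if __name__ == "__main__":
    for uid, probs in risky_admins(SAMPLE_ACCOUNTS).items():
        print(uid, "->", "; ".join(probs))
```

Run at password-change time the check blocks the weak choice before it is stored; run as an audit it flags which privileged accounts need a reset first.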

So What?

So, what is wrong with someone else knowing your password? Indeed, password sharing has been prevalent since the birth of mainframes. Today, however, most organizations store sensitive financial, payroll, operations, inventory, customer, and marketing data in computers running operating systems that are not securely configured or monitored for security violations and fraudulent activity. Unfortunately, the user’s network password is often the only protection an organization has over the applications where sensitive transactions take place. Most small to mid-size organizations continue to perceive computer security as an expense, rather than an investment with a sizable ROI.

Due to insufficient resources, most organizations lack strong internal controls to thwart exploitation of simple, commonly known vulnerabilities. Large organizations usually dedicate entire departments to the enforcement of network security. Some of these organizations come equipped with Security Officers who focus their time on safeguarding the organization’s information assets. Far too often, however, small to mid-size organizations fail to dedicate resources to security and suffer painful consequences, including the destruction of data.

In the case study above, we were in a position to execute violent acts against the organization’s network in less than 30 minutes with no prior knowledge of the organization’s network. These acts could have included compromising sensitive data, deleting and/or modifying audit logs, and creating “back doors” for future access. Our ability to exploit an organization’s primary account server quickly allowed the IT Administrator to demonstrate to the organization’s CFO that strong network security should be implemented immediately.

How?

Many IT Administrators lose sleep over what could happen if determined individuals with regular access to the network were to compromise information resources. IT Administrators understand the multitude of vulnerabilities discovered daily.

Our “Outsiders” use native operating system and freely available Internet tools to quickly identify vulnerabilities in company networks. Vulnerability identification can be used to:

• Build the business case for implementing strong network security

• Reduce the risk of visitors, disgruntled or curious employees, competitors, or contractors compromising sensitive data

• Raise security awareness within the organization

• Protect company and customer data from commonly known network vulnerabilities

Why?

The door may be wide open for determined Insiders desiring to obtain sensitive company data. Commonly known vulnerabilities, combined with default computer configurations, are what make it easy for Insiders to violate company security. Most companies do not have the resources to securely configure computers, leaving them exposed to the abuse of people inside an organization who are curious, who are acting in malice, or who are committed to espionage.

When was the last time you assessed the security of your network?

Friday, November 12, 2010

How to double revenues with half the effort

Let’s revisit the fact pattern found at public companies with a market cap >$75M:

• Top down, risk based approaches to SOX compliance free time to monitor the effective operation of those controls that prevent/detect material weaknesses over financial reporting.

• SOX control activity counts are declining.

• SOX requires the adoption of a framework (e.g. COSO).

• COSO requires the monitoring of control activities impacting financial reporting.



Sadly, monitoring sales activities isn’t required by SOX.



The benefits of monitoring sales activities include:

• Early identification of sales best practices worthy of replication

• Ability to identify/reward the 20% of the sales force producing 80% of the results

• Ability to identify the bottom 20% of the sales force in need of training

• Alerting management to training needed by the sales force

How closely should sales activities be monitored? In SOX, control deviations should occur less than 5% of the time. Contrast this with most sales monitoring mechanisms and you find inconsistent (ineffective) operation of the behaviors that lead to sales (antecedents). The best sales monitoring I’ve seen includes daily/weekly monitoring of the antecedents to revenue growth.

Antecedents defined: those activities (meetings held, calls made, accounts opened) that result in increased revenue. Antecedents for products/services with longer sales cycles generally include counting the number of interactions held with the prospect and posting it for all to see (7 meetings are needed to make pursue/don’t pursue decisions).

Like COSO, effective operation of any activity is enhanced by training and monitoring. In sales vernacular, this means coaching and reporting. Let’s revisit these concepts.

COACHING:

• Coaches push the sales force to sell.

• Coaches solicit common objections originating from accounts and prospects around why they don’t need or want a given service.

• Coaches are aware of service offerings, what is selling and how these are sold in the marketplace.

• A coach’s role includes:

o Understanding how the sales force approaches the marketplace

o Collecting objections provided by prospects and current customers

o Showing how to overcome objections

o Holding a series of focused, targeted calls with the sales force assigned to all program accounts and pre-identified prospects on a weekly/bi-weekly basis.

• The coaches drive monthly or bi-monthly sales campaigns to gauge how program accounts and prospects respond to a new service offering by region. Coaches identify program accounts and prospects that match defined success criteria and discuss how to introduce new services.

• Coaches hold the sales force accountable for bringing ideas to program accounts and prospects by following up with individual sales people. They ask 1) why a given offering is not relevant at the program account or prospect and 2) why the offering is not getting sold.

REPORTING:

• Daily or weekly reports are sent comparing the aforementioned antecedents. Voicemails to the sales force recognize and name successful sellers. The individual/regional reports include:

o # of meetings held with individuals at program accounts and prospects for a given product/service

o $ revenue generated

• Results are published regionally / nationally on a weekly basis via voicemails by Leadership to link sales metrics to an individual

• Winning individuals or geographies receive special recognition on a quarterly/annual basis (e.g., dinner with President in NY)

Questions & Actions

1. Has your company redirected the effort spent monitoring control activities over financial reporting to monitoring the behaviors of your sales force?

2. Do you have a tactical plan to actively monitor the identification, pursuit and closure of sales opportunities?

3. How frequently does Leadership assess the success of its sales force? Specifically, the success of expanding services to those accounts that produce more than 80% of the company’s revenue?

4. What mechanism exists to identify and replicate the behaviors of successful sellers?

5. Do you know which techniques are most successful in closing deals?

6. Do you know the common objections to selling your product/service?

7. Do you brainstorm ways to overcome objections?

8. Do you rehearse these?

Thursday, August 12, 2010

Left Brain Right Brain

Why do we find comfort double teaming audit work and single teaming sales calls?

People that love math get a sense of achievement when they solve problems and get the right answer. The certitude, the exactness, and the feeling of being right bring subsequent benefits when the math student learns how accurate he was.

Taking this to the SOX/Sales realm, the act of testing controls provides a similar sense of achievement, the sense of getting the right answer. Understanding this motivating force leads us to blog entry #3.

The problem is that some companies still test more controls than they are required to test under 404 requirements. With AS5, external auditors no longer render opinions on the adequacy of management’s testing. Instead, they render an opinion on whether controls that prevent/detect a material weakness are designed and operating effectively; however, legacy AS2 efforts are difficult to tear down unless other activities are defined for the control testers. Overcoming the motivation to test and retest the same control is difficult when the current year procedure is “how we did it last year”; a gratifying sense of achievement awaits the tester because no alternative activity has been defined.

SAS65 and AS5 describe the situations in which the work of others may be relied upon: the scenario where we don’t have to doubly test a control activity. The SEC 404 Guidance for Management describes how the amount of evidence to support Management’s 404 assertions may vary; in some cases evidence can be obtained simply by walking around.

In testing SOX controls, the best practice is to maximally rely on the work of others unless there exists a specific risk or qualitative/quantitative factor of concern. In short: single team the audit.

Salespeople hunting prospects (potential customers matching the profile of your best customers) get no sense of achievement like the smart math student. Because most prospects don’t buy when asked the first time, there is a great tendency for sales professionals to hunt prospects alone. Being rejected or receiving a “no” answer is so much easier when one is by himself.

Despite lower sales success rates, humans tend to hunt their sales prospects alone.

Selling products/services by more than one person is a best practice. Double teaming communicates the benefits and the “asks” better than single teaming. Every time.

Bank tellers double team instinctively because banks are designed with a counter full of bankers working side by side. The double teamers outsell the lone rangers by wide margins.

In selling, the best practice is to double team every sale unless the salesperson is simply responding to a customer request for the product/service. In short: double team the sale.

Questions & Actions:

Can the amount of controls testing work relied upon by your auditor be increased? Review SAS65, AS5 and the SEC Guidance for Management to identify the opportunities to reduce the amount of double auditing taking place over your 404 controls.

Does your sales force double team every prospect? Double teaming ensures the benefits are completely described to a prospect and ensures younger professionals see how it’s done all while maximizing revenue growth.

Thursday, August 5, 2010

Count What Matters

On my 6 mile run this morning I was reminded again of the notion that “what gets measured gets managed” – Peter Drucker. If I don’t count the specific behavior that leads to a desired result then I don’t understand said activity.

The same is true for testing SOX controls and selling products/services.

For example, the operational frequency of a control activity determines the number of samples selected for testing. If a control occurs many times a day then the test sample size is 25 selections; if it happens daily then the sample size is 15 selections; and so on.

To play on Drucker, measuring the frequency of an activity is necessary to manage the level of effort spent testing operating effectiveness.

When selling products/services is the activity, I understand and count the antecedent to selling. If I’m not counting antecedents to a sale, then I’m not closing any deals. In my world, the antecedent to a sale is directly or indirectly asking a prospect (potential clients who match the profile of my best customers) for the business.

Pareto’s 80/20 rule guides me. 20% or fewer of the control activities contribute the most assurance to preventing 80% of the causes of a material weakness. 20% of my prospects generate 80% of my sales.

Generally, business processes with large numbers of control activities are candidates for finding time to redeploy against sales efforts. Processes like payroll (with a lower risk of material misstatement) offer the best opportunities for reducing the number of controls and redeploying related effort elsewhere – to activities like spending time asking for the business.

Questions & Actions:

1. When was the last time you counted the number of control activities in the processes impacting financial reporting? The control activity count may be higher than you think. Look for activities that can be eliminated from your population of controls to reduce the amount of time spent testing these.

2. How frequently do you ask for the sale in a meeting or during eminence building activities? An old friend of mine said that a qualified prospect needs to say “no” 7 times before they are no longer a prospect. Identify your prospects that haven’t said “no” 7 times and ask for the business, again.