 The passing of the Sarbanes-Oxley Act caused a scrambling for resources to identify existing and potential compliance risks. Proper interpretation of required controls, development of best practices, and documenting into practical procedures challenges enterprises large and small. In some cases, knee-jerk reactions resulted in silos of information and separate controls across functions. These stratified procedures are difficult to follow and/or maintain.
Our skill is to use our domain knowledge in Manufacturing, Distribution and Service industries to design pragmatic and effective processes and controls that first meet their intended business objectives. These procedures are easily understood across multiple functions within an organization and designed to meet all Regulatory requirements.
Operational Risk Assessment
Most large public corporations have already identified the risks associated with financial controls as part of the initial SOX 404 compliance efforts. Accounts payable, cash receipts, financial reporting, etc. are hopefully all compliant now, but what about supply chain operations? Operational risks inherent in inventory accuracy and valuation, excess and obsolete inventory, customer returns and quality assurance, to name a few, can directly translate into significant financial reporting accuracy risks.
Lack of financial and operational controls reduce management’s ability to report financial performance accurately. Ineffective supply chain operations not only drive inefficiencies but also increase the likelihood of financial misstatement. Operations managers must understand this relationship and their role in complying with the financial reporting provisions of SOX.
Attivo's SOX Compliance Services
Attivo can help you focus on mitigating the risks inherent in your operations and ultimately reduce overall compliance costs. This is accomplished by using the following structured approach:
Process Review
Process Re-Engineering
Process Validation
Process Documentation
Process Review
The net result of our risk assessment is a roadmap of existing and re-engineered processes and their controls. Rather than starting with a “Gap Assessment”, our methodology inspires participation from within an organization. Participants don’t perceive us as critiquing their current actions; but rather collaborating for improvement.
Our philosophy is that most well-run organizations already meet 70% or more of the controls required, but simply lack the documented procedures, records of evidence, or an adequate documentation system for what they already do well. During this phase we may identify needed tools within the present business system that are not being fully utilized, or where new tools or metrics are required to facilitate the most effective execution and control.
You will benefit from an organized and structured approach to getting this part of the project done…which can often stall when relied upon solely by in-house resources. Also, when you’re too close to a problem, you often won’t recognize it.
Process Re-Engineering
The re-engineering of processes involves working with the detailed activities that follow the overall objectives captured by the roadmap. We ensure the steps to be performed are efficient and effective and you’ll know the controls and records needed. As they say, “the devil is in the details”.
As an example of how we can help you in designing processes, we will show you how to use the two basic types of controls: “Triggers”, and “Gates”.
Triggers are events that signify a particular action should take place. For instance, if a production traveler for assembling an item indicates that there is an Inspection in step 5, that’s a form of trigger to do the inspection at the proper sequence.
If the final step in the traveler includes the requirement that an Inspection stamp be on the traveler or it shall not be shipped, that’s a form of gate. The filing of the traveler now becomes an auditable record and objective evidence of compliance and execution of controls.
These examples of controls reflect the important details essential to providing “closed-loop” processes that ensure ongoing compliance. The real benefit to you is objective advice and leadership on creating new processes or reviewing existing ones to insure that they are efficient and repeatable and in accordance with internal controls.
Process Validation
Validation is essential to ensure procedures stand up over time and capture the multitude of variables of real-world situations and user nuances. Ideas that seemed logical conceptually when on the drawing board may not prove to be practical. It is extremely important that re-engineered processes have sufficient validation prior to final documentation.
You will benefit from using our proven methodology for validation of processes since we bring:
- Objective review of processes that is independent of “how we’ve always done it”
- Outside perspective with best practices insight
- Project management techniques and templates
Process Documentation
You will benefit from our project leadership in addressing the 3 main issues of documentation – accessibility, consistency and making them auditable…
Make it accessible (and usable)!
If a company has many documents, but people can’t find or relate to them, does it really have procedures? That’s the same question as “If a tree falls in the forest, but there’s no one around to hear it, does it make a sound”?
Once processes have been developed or re-engineered and validated, your procedures need to be documented and disseminated in a manner that’s easily accessible. This ensures ongoing repeatability of processes. For companies with multiple sites, it gives you the ability to replicate from site to site.
The key to obtaining the benefit of all the effort to design and document procedures is making them easy to find and easy to use. The most effective dissemination is done electronically, in a “paperless” documentation system. We’ll help you with that – from a variety of documentation system choices, or just setting up an entry level intranet using nothing more than Microsoft Word.
Make it consistent:
A typical mistake made by organizations is to have each department head create their own documentation. This usually results in an inconsistent and unusable documentation system, with varying levels of detail, written in different styles, which is rarely completed in a timely fashion.
Consistency is important for usability of the procedures, the ability for users to find them, and for how your company will be audited. We will facilitate your key personnel to complete the documentation, incorporating methods such as simple basics of numbering, formatting, versioning, security, archival, storage and retrieval. And most importantly, they need to be created at the proper level of detail, and directed to a compliance objective, so that they can be audited.
Make your system auditable:
The trap to avoid is putting too much detail into the wrong level or type of procedure. For example, standard operating procedures (SOP’s) usually get audited, whereas detailed work instructions or desk manuals may not be in the scope of a SOX or ISO audit. Detailed work instructions often change frequently, posing a document maintenance problem that can negatively impact an audit. We’ll provide the guidance to insure that all of your documentation is completed at the proper level of detail to achieve this important objective. |
