Top Ten Ways Your HRIS Data Can Unintentionally Invite A Sarbanes-Oxley Audit

Transcription

1 Top Ten Ways Your HRIS Data Can Unintentionally Invite A Sarbanes-Oxley Audit An Executive White Paper

2 In the wake of the Enron scandal, the United States Congress passed the Sarbanes-Oxley Act of 2002 (SOX) in order to hold top executives accountable for corporate governance. In the past few years, much has been written about SOX compliance, but very little has been presented in plain, easy-to-understand English. The Top Ten list presented here can help the HR professional to identify some of the most common potential problems leading to SOX non-compliance. It should be noted that penalties for non-compliance can include fines ranging from $100,000 to $25 million; criminal and civil action; loss of Directors and Officers (D&O) liability insurance; loss of exchange listing; and imprisonment on felony convictions for up to 20 years. To date, no company has been prosecuted for non-compliance. Don t let your corporation be the first. A few of the points below are self explanatory in the realm of the human resources environment. Other points require third party validation of the relevance of these issues in the event of a Sarbanes-Oxley audit. Corporations are hesitant to comment on possible or even potential issues such as these for fear of raising red flags and inviting an audit. A business analyst that works with corporations on a daily basis who are challenged by compliance issues was recruited to comment on these points. Stephen Chipman, Regional Managing Partner for the Central Region of Grant Thornton LLP says, Millions are being spent by corporations to comply with Sarbanes-Oxley and address internal control weaknesses. Smart companies are finding ways to do so that adds value to their organizations, not just ways to comply with the law. In Sarbanes-Oxley it is necessary for you to document controls, why not do it in a way where you can help run your business more effectively. The Top Ten According to a top HR consultant, these are the ten most common ways you can unintentionally invite the SOX auditors to investigate your company. > A corporation s payroll data does not match its org chart > A corporation cannot show how separate entities running different payrolls or HRIS systems merge together into executive management or the board > A corporation s chain of command data is broken > A corporation continues to pay people after they have been terminated > A corporation cannot display effective segregation of duties > A corporation cannot visually demonstrate who is responsible for managing contractors > A corporation cannot show effective controls over who has security access to which systems > A corporation does not have data on its outsourced personnel that could impact its segregation of duties or other SOX requirements > A corporation cannot visually demonstrate that all managerial controls are appropriate given the authority and security rights of each subordinate > A corporation s data processes are so manual that audits require the highest priced auditors to make numerous judgment calls on their viability 2

3 This is not by any means a complete list of things that could invite trouble. But it s a good starting point for developing a strategy for SOX compliance. Let s take a closer look at these ten most commonly identified issues. 1. A corporation s payroll data does not match its org chart. If your organizational charts are produced manually, your payroll data will never match your org chart. The corporate landscape today is rapidly changing. Between mergers, acquisitions, right-sizing and re-organization, it becomes very difficult to keep up. 2. A corporation cannot show how separate entities running different payrolls or HRIS systems merge together into executive management or the board. By nature, the geography of large and mid-sized corporations is distributed across multiple locations and multiple functions. When systems don t merge all information smoothly to show convergence at the executive or board level, your company could be in danger of SOX non-compliance. 3. A corporation s chain of command data is broken. Chain of command data is also called position control, span of control, hierarchy data and reports to data. Are you still using Person to Person reporting? If so, you are very much at risk for SOX non-compliance. More effective methods include some combination of electronic communications methods to establish a record of chain of command data. 4. A corporation continues to pay people after they have been terminated. Believe it or not, this happens. And it s illegal. You can eliminate any potential for having this hazardous accident happen to you by implementing the safeguards built in to many automated human resource management applications. If this is happening, it clearly demonstrates a break down of internal controls. The company is no longer safeguarding its assets and one would have to determine how significant a weakness this is in relation to Sarbanes-Oxley reporting. It is certainly a control weakness that would get the attention of management and the auditors, says Chipman. Trying to match your controls over the exit of an employee in different departments in large organizations is challenging there are often time lags and potential for communications breakdowns. 5. A corporation cannot display effective segregation of duties. Under Sarbanes-Oxley, the requirement for a transparent demonstration of who is doing what is no longer limited to your financial department. Anyone who accesses files should be tracked. It s especially important to have a reporting mechanism for failed access attempts so you can see when sensitive data might be at risk from unauthorized persons. This issue is probably the most significant area of difficulty that organizations have in maintaining an appropriate internal control environment, says Chipman. One of the problems that you have as an organization is identifying where those segregation of duties issues exist and having the appropriate understanding of people s roles, responsibilities and their interface with one another 3

4 within the organization. Among medium to smaller public companies, this is the single biggest area where exceptions under Sarbanes-Oxley will likely occur. Starting with an appropriate organizational chart is a very important element in addressing the effectiveness of segregation of duties. 6. A corporation cannot visually demonstrate who is responsible for managing contractors. The law says you must have effective internal controls in place to show managerial responsibilities. Even though you know who s in charge of contractors, SOX requires the information to be readily apparent to outside parties, such as shareholders and auditors. Sarbanes-Oxley dictates that controls are not only in place but that those controls be documented, added Chipman. Obviously having controls over contractors is critical. Again, an appropriate org chart is a good place to document these controls. 7. A corporation cannot visually demonstrate effective controls over who has security access to which systems. One of the most critical internal controls is the ability to determine who has access to various levels of secure information, and why. Chipman says, This is a simple point. Under Sarbanes-Oxley, you not only have to have appropriate controls but they need to be documented, this would include security access controls. 8. A corporation does not have data on its outsourced personnel that could impactits segregation of duties or other SOX requirements. How much do you know about your outsourced personnel? How do you keep tabs on what they re doing? There are SOX compliance issues with the inability to show what functions outsourced personnel are performing. Corporations are reasonably good at knowing what is going on under their own roof. But a complete understanding of outsourced personnel can be challenging because they are not apart of the line reporting structure, say Chipman. A lot of organizations have looser controls when it comes to outsourced personnel and sub-contractors. This can create an issue regarding not only the segregation of duties, but the controls over hiring and firing of those subcontractors. 9. A corporation cannot visually demonstrate that all managerial controls are appropriate given the authority and security rights of each subordinate. You cannot have a disconnect in the manager-subordinate chain. Subordinates need to be shown to be performing subordinate functions with subordinate security access to their respective managerial staff. You have the issue of identifying control weaknesses, which the organization is responsible to do. It would certainly be easier to identify conflict in authority and security rights between peers and their subordinates, as well as make sure those controls are appropriately documented if you have a robust organizational chart, added Chipman. Obviously it would only be one piece, but a very important piece. 4

5 10. A corporation s processes are so manual that audits require the highest priced auditors to make numerous judgment calls on the viability of the data. Data entry is the bane of many an HR administrator. Systems today can automate many of the processes that previously were handled manually. The likelihood of SOX compliance increases as more data is automatically processed. If the documentation within a company is outdated it will be required that the company update its documentation in order to meet Sarbanes-Oxley requirements, said Chipman. If the company does not do that itself, it has to hire others to come in and do it for them. Many companies that are accelerated filers under Sarbanes-Oxley have engaged accounting firms to come in and redocument areas of their internal controls. This can be a very expensive proposition. Automating Compliance With The Sarbanes-Oxley Act As your company develops a strategy for SOX compliance, consider that new requirements will continue to evolve as time passes. Maintaining compliance utilizing manual procedures in today s data-driven world will be next to impossible. This is why many companies have come to rely upon software applications specifically designed to address these Top Ten issues and many other regulations set forth in the SOX Act. Failure to comply with Sarbanes-Oxley could result in seeing your top executives heavily fined or in extreme cases, hauled away in handcuffs. And, because the law requires executive management to be aware of the controls required for compliance and to be responsible for their effectiveness, the Information Technology department no longer can become the scapegoat for unfortunate events. Sarbanes-Oxley Act of 2002 Why, in a nutshell: > To improve quality and transparency in financial reporting and independent audits and accounting services for public companies > To create a Public Company Accounting Oversight Board > To enhance the standard setting process for accounting practices > To strengthen the independence of firms that audit public companies > To increase corporate responsibility and the usefulness of corporate financial disclosure > To protect the objectivity and independence of securities analysts > To improve Securities and Exchange Commission resources and oversight > And for other purposes Yes, you have to comply with the law, which is Sarbanes-Oxley, but you also want to do it in a way that is going to add value to a company s operation, said Chipman. Having relevant parts of your documentation embedded into a robust, dynamic and flexible organizational chart that is able to move and change with the corporation is one way of getting that added value. It is vitally important to the continued success of your company to implement processes designed to streamline SOX compliance. It pays to have an effective, integrated solution. 5

6 About Aquire Aquire gives companies the wisdom that can only be derived from visualizing and deeply understanding the trends and future needs of their organization. Through a team of dedicated people, and a host of innovative solutions, a strategic partnership with Aquire helps companies make evidence-based decisions about their workforce investments. With Aquire solutions in hand, companies can build and communicate plans that differentiate their workforces to maximize their productivity and profits. More than 15 years of workforce insight gained from serving thousands of customers has helped Aquire grow from an industry pioneer into a recognized innovator with a portfolio of software solutions that support today s vital workforce planning and talent management challenges. North American Office 400 East Las Colinas Blvd. Suite 500 Irving, TX USA Phone: Fax: Toll-free: Aquire United Kingdom, Ireland and Africa Enterprise House 5 Roundwood Lane Harpenden Hertfordshire AL5 3BW United Kingdom TEL: TEL (outside the UK): Aquire Europe and Middle East BCB Bachstrasse 1 CH-9606 Bütschwil, Sankt Gallen Switzerland/Schweiz/Suisse TEL: TEL (outside Switzerland): Neumarkt Galerie Richmodstraße Köln Germany TEL: TEL (outside Germany): AQU-250 / aquire.com blog.aquire.com facebook.com/aquire twitter.com/aquireinc linkedin.com (OrgPublisher Group for customers only)