Leveraging Sarbanes-Oxley (SOX) to Build Better Practices

Powering Strategies and Managing Risks: Using SOX compliance to build disciplined, repeatable, and auditable practices.
Running a successful business just got a lot more complicated for many publicly traded and GAAP-compliant organizations. Fraud and mismanagement by executives of highly visible public companies such as Enron, Tyco, WorldCom, Global Crossing and others have created an atmosphere of executive mistrust. At the same time, many Internet companies had spectacular failures that drove the technology stock market into a tailspin. In response, the Sarbanes-Oxley (SOX) Act, passed into federal law in 2002, created new federal requirements for the way publicly held companies report their finances. It has also made non-compliance a personal risk for the CXOs and executives of the organization, who face fines and jail time (see the sidebar “SOX in a Nutshell”).
PlanView Portfolio Management, which includes governance processes, workflow, financial tracking, and auditable decision trails, is becoming a key tool to manage risks and regulatory compliance for SOX and other requirements. The only way for executives to mitigate their risks is to empower business processes that operate in near real-time and that are repeatable and auditable.
What PlanView Portfolio Management Offers
An audit trail of decisions
• PlanView uses a stage/gate technique to track and manage new opportunities from the investment analysis
stage, to the project/program stage, and on to the stage where the deliverables are deployed as assets. At
each decision “gate,” PlanView records an audit trail showing: date, decision, ID of decision-maker, notes,
as well as the previous and the following decisions.
• PlanView speeds and supports investment and portfolio decisions with PlanView PRISMS™ for IT Governance.
PRISMS are real-time processes deployed within PlanView software.
Faster financial reporting
• PlanView tracks labor and costs on projects and other work down to the task level, if required. Tracking at
the phase level supports capitalization reports as required by GAAP SOP 98-1. Create simple reports in
PlanView or export to almost any ERP, financial or HR system.
• PlanView’s integrated time and expense tracking has been shown to reduce the time needed for chargeback reports
and billing by an average of 4.0 weeks (Aberdeen PSA User Survey, 2001).
Attesting to internal control structures
• PlanView delivers software and processes for enterprise portfolio management, including control structures
such as lifecycle roles, workflow automation, collaborative portals, content templates and more. Process
architects at customer sites tailor new processes and templates as needed.
Improved project success rate
• Using PlanView’s investment analysis helps organizations align new work with business strategies. Formal
work initiation processes ensure that only the right work gets started.
• PlanView manages changes and issues with formal risk escalation and management, which is also auditable and
integrated with portfolio management. Less risk = more project success.
A portal to track the SOX compliance project itself
• PlanView not only supports SOX compliance, it’s becoming a key solution for managing the SOX compliance
project. All managers, team members, and associates access real-time status via a PlanView portal.
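The “audit trail of decisions” bullets above describe a gate record with a date, a decision, the decision-maker’s ID, notes, and links to the previous and following decisions. The following Python is an added example written for this paper, not PlanView code: it models the three stages named above (investment analysis, project/program, deployed asset), appends one record per gate decision, and replays the trail the way an auditor would, so that a deleted, reordered or out-of-sequence record is detected. The stage names, the approve/hold/reject vocabulary, the append-only list and the sample IDs are assumptions for the example.

```python
"""Stage/gate decision trail: an added illustration, not PlanView code.

Models the three stages the paper names (investment analysis,
project/program, deployed asset) and records at each gate the fields
the paper lists: date, decision, ID of decision-maker, notes, and links
to the previous and following decisions. The stage names, the decision
vocabulary and the append-only list are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Assumed stage sequence; an investment sits in one stage and its gate
# decides whether it advances to the next.
STAGES = ["investment analysis", "project/program", "deployed asset"]
DECISIONS = {"approve", "hold", "reject"}   # assumed gate outcomes


@dataclass
class GateRecord:
    seq: int                          # position in the trail, 0-based
    date: datetime                    # when the gate decision was made
    stage: str                        # stage whose gate was decided
    decision: str                     # approve / hold / reject
    decider_id: str                   # ID of the decision-maker
    notes: str
    previous: Optional[int]           # seq of the prior decision, None if first
    following: Optional[int] = None   # seq of the next decision, filled in later


class InvestmentTrail:
    """Append-only trail of gate decisions for one investment."""

    def __init__(self, investment_id: str):
        self.investment_id = investment_id
        self.records: List[GateRecord] = []
        self.stage_index = 0      # stage the investment is currently in
        self.closed = False       # rejected, or deployed (no further gates)

    def current_stage(self) -> str:
        return STAGES[self.stage_index]

    def decide(self, decision: str, decider_id: str, notes: str,
               when: Optional[datetime] = None) -> GateRecord:
        """Record one gate decision; only append, never rewrite history."""
        if self.closed:
            raise ValueError("no open gate: investment is rejected or deployed")
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        seq = len(self.records)
        rec = GateRecord(seq=seq,
                         date=when or datetime.now(timezone.utc),
                         stage=self.current_stage(),
                         decision=decision,
                         decider_id=decider_id,
                         notes=notes,
                         previous=seq - 1 if seq else None)
        if self.records:
            self.records[-1].following = seq   # back-link the prior decision
        self.records.append(rec)
        if decision == "approve":
            self.stage_index += 1
            self.closed = self.stage_index == len(STAGES) - 1
        elif decision == "reject":
            self.closed = True
        return rec


def verify_trail(records: List[GateRecord]) -> List[str]:
    """Recompute what an auditor would check and list every inconsistency.

    Replays the decisions from the start so that a deleted, reordered or
    edited record shows up as a broken link, a date out of order, a stage
    out of sequence, or a decision taken after the investment was closed.
    """
    problems: List[str] = []
    stage, closed, last_date = 0, False, None
    for i, r in enumerate(records):
        if r.seq != i:
            problems.append(f"record {i}: seq {r.seq} does not match position")
        if r.previous != (i - 1 if i else None):
            problems.append(f"record {i}: previous link is {r.previous}")
        expected_next = i + 1 if i + 1 < len(records) else None
        if r.following != expected_next:
            problems.append(f"record {i}: following link is {r.following}")
        if last_date is not None and r.date < last_date:
            problems.append(f"record {i}: dated before the prior record")
        last_date = r.date
        if closed:
            problems.append(f"record {i}: decision after the trail was closed")
        if r.decision not in DECISIONS:
            problems.append(f"record {i}: unknown decision {r.decision!r}")
        if stage < len(STAGES) and r.stage != STAGES[stage]:
            problems.append(f"record {i}: stage {r.stage!r} out of sequence")
        if r.decision == "approve":
            stage += 1
            closed = stage >= len(STAGES) - 1
        elif r.decision == "reject":
            closed = True
    return problems
```

A trail that fails verify_trail() is not evidence. The reason to record both the previous and the following link on every decision is that removing or reordering one record breaks the links on its neighbours, so the gap is visible without having to trust the record that went missing.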
PlanView helps you optimize the performance of your organization and maximize productivity from your resources.

PlanView Web Software is the world leader in web-based, integrated portfolio, project and resource management tools and processes. Headquarters are in Austin, Texas USA (tel 512 346-8600), with offices across the USA, in the UK and Ireland (Tel +44 118 903 6166), Italy (Tel +39 06 4227-2292), France (Tel +33 141 22 1380), Benelux (Tel +31 20 65 41 700), and the rest of Europe (Tel +49 721 9597-0). www.planview.com
SOX in a Nutshell: Personal Liability, the Audit Trail & Fast, Fast, Fast

The Sarbanes-Oxley (SOX) package of reforms, signed into law in 2002 with implementing rules issued through 2003, defines personal liabilities for the CEO and CFO and requires a digital audit trail of financial decisions. The act, which affects all publicly traded companies with a market capitalization of over $75 million (companies under $75 million get an extra year), includes the following:

• Quarterly reporting must be done in 35 days compared to the previous 45 days.
• Annual reporting must be done in 60 days compared to the previous 90 days.
• Significant events must be reported in “plain English” and within 2 days compared to the previous 5 to 15 days.
• The CEO and CFO are required to certify the effectiveness of the financial controls they rely on and to keep auditors up to date. The impact of not complying: personal fines of up to $1 million and up to 10 years in prison, or both. If a CEO or CFO is found to be willfully misleading, the fine goes to $5 million and up to 20 years in prison, or both.
• Other parts of the act address the liabilities of accounting firms.

“Sarbanes-Oxley is providing the impetus for a series of compliance issues related to IT. CEOs and CFOs are now required to attest that annual and quarterly financial reports contain no material errors or omissions. With their own necks suddenly on the line, these executives are scrambling to make sure their systems are more timely and accurate. Short of giving a blank cheque to IT, CEOs should be more willing to sign off costly overhauls of their existing financial reporting, budgeting, and supporting business intelligence systems.”
—Computer Business Review, May 2003
Achieving the agile or real-time enterprise has been a key business strategy for the past several years because it can lead to higher revenues and market share. Now it’s also seen as a way to fight risk. Executives have developed a keen focus on business risks because they are being held personally responsible by the government, stockholders and employees for the results of their business decisions. The only way for executives to mitigate their risks is to use IT to power business processes that operate in near real-time and that are repeatable and auditable.
IT is the engine that drives business processes, so the IT group has now become even more critical to the well-being of the CXO. At the same time, the CIO is getting more visibility at the board level and must justify and support his or her technology decisions in business terms.
PlanView would like to offer some thoughts on how to go beyond mere SOX compliance. The idea behind the SOX reforms is to establish a broad, digital paper trail proving that corporate financial reports are open and honest. Yet SOX is the tip of a much broader effort to use IT to improve business processes. In one 2003 study by the Meta Group, 65% of the respondents were seeking to use SOX to achieve process enhancements that improve efficiency and competitive advantage; only 20% were focused merely on compliance. As PlanView customers are finding, implementing governance processes, work initiation processes, investment analysis, and just-in-time mentoring can elevate your business processes into a competitive advantage.
The CIO Impact: Technology + Business Issues
IT expenditures can no longer be justified on their technical merit alone; they have
to be justified in clear business terms. IT expenditures are now as intensely scrutinized as any other expense, and a backlash is partly to blame. Many senior executives who authorized large IT capital expenditures in the boom years now have the
impression that IT organizations are wasteful, willful and need to be controlled.
This has driven the CIO to look for greater understanding of business strategies
and strategic alignment. In some cases the CIO is evolving into the owner of the
organization’s strategic processes. Titles like “CIO and VP of Strategy” are growing
common in companies where IT acts as the engine of corporate growth. The result?
IT governance processes are becoming essential not only to the advancement of the
CIO, but to the survival of the corporation.
www.planview.com • Sarbanes-Oxley Paper
[Figure: PlanView uses a stage/gate structure for workflow and internal control of projects.]

Distribute Decisions Through Governance

IT governance is defined as repeatable, disciplined and auditable methods of decision-making, communicating, performing and delivering real benefits to the organization. It integrates strategic decision-making with work and resource management in a consistent, auditable workflow, giving a comprehensive picture to everyone with a vested interest in the process.

Some of the key components of IT governance are:

• Apply a work initiation process to focus resources on the right work.
• Clarify investment decisions by analyzing risks and dependencies before funding, and then clearly communicate the results.
• Plan to the capacity of the organizational resources to align the workforce with the pipeline of projects, service requests and on-going work.
• Execute all work to a high standard of quality and eliminate surprises by collaborating across the enterprise during execution and managing changes and risks.
• Measure portfolios of work and resources to make early decisions about their performance, eliminate non-productive work and realign resources.
• Assure that the work really delivers the promised benefits to the organization, and capture knowledge about best practices and resource performance.

Converging Trends

Improving corporate processes will reduce risk and meet the real business needs of saving costs and improving productivity, while also supporting the internal control structures required by SOX regulations. Some organizations look at regulatory requirements and believe they can be satisfied just by giving executives more information. They are missing the point, or are at least far behind the power curve. Compliance comes from management decisions being made on the basis of disciplined, repeatable and auditable processes. IT governance is how technology becomes the pedal that accelerates business strategies.

Managing business strategies and risks, and IT governance, are on converging paths. IT is the only way to meet the speed, accuracy, repeatability and auditability that are required in business processes. IT is the engine of corporate processes.

PlanView Portfolio Management

Our solution provides a set of IT governance processes that nest within the internal control processes of the whole organization. PlanView’s IT Governance includes initiating, scoping, ranking, prioritizing, resource planning and monitoring of projects, service work, and standard activities through portfolios. Our portfolio management software uses a web-based application infrastructure with core functionality for work initiation, workflow, content management, collaboration, configurable portals and business intelligence, delivering a broad range of functionality including: project management, service management, resource management, time & expense tracking, strategic management, investment analysis, performance tracking and financial forecasting.

PlanView’s PRISMS for IT are governance processes that include workflows, best practices, collaboration, content documents, manager tools and more. You can implement the processes, modify them to your unique needs or automate your own methods with the PlanView process architecture tools. The processes are part of software and services that automate the delivery of mature, proven solutions. Giga Group reports in 2003 estimated that a 20% process improvement can reap productivity improvements of up to 80%. PlanView offers tools and pre-built processes to improve your own business processes by making them consistent, repeatable, disciplined and auditable. You reduce executive liability in stockholder or regulatory reviews and improve organizational performance.

[Figure: PlanView portfolio management includes time-phased cost & benefit forecasting & tracking, lifecycle workflow with role assignments, full-featured document management, investment analysis and more.]

PlanView’s Audit Trails Incorporate Organizational Roles

Governance Board (GB): Executive management sets the governance process, which varies by the investment type, size of investment and other key factors. PlanView’s default set-up includes three governance boards depending on the investment classification (Local, Group and Strategic), since strategies are different for each one.
Project Management Office (PMO): The PMO is responsible for setting and encouraging standards and for acting as an agent of the governance board for lifecycle steps before the project manager is assigned.
Investment Owner (IO): The investment owner decides which investments to fund and is responsible for tracking performance and adjusting the portfolio of investments based on changes in strategy, performance, market conditions, etc.
Customer: The customer initiates the investment request and is responsible for defining basic request information. Customers can be internal lines of business (LOBs) or external.
Executive Sponsor (ES): The executive sponsor reviews the goals of the project and is the authority for scope changes, risk planning and changes to the deliverables.
Project Manager (PM): The project manager is responsible for the planning and execution of the project.
Resource Manager (RM): The resource manager is responsible for supplying skilled resources to meet work requirements.
Project Team (PT): The project team includes all lifecycle roles associated with the project.
Financial Manager (FM): The financial manager is responsible for confirming that the funding for projects is within organizational guidelines and is properly identified in the organization’s accounts.
Business Analyst (BA): The business analyst is responsible for reviewing the project definition and completing the appropriate documents to guide the governance board on the project scope.
Create Real Value With PlanView
A large cross-section of the organization will typically be involved
in SOX compliance. PlanView helps you speed your decision cycle
with access to repeatable methods, real-time metrics and information at the level of detail each user wants and needs. The results:
➺ Costs are controlled
➺ Redundant work is identified and eliminated
➺ Dependencies are clarified and managed
➺ Risks are recognized and mitigated
➺ Staff is focused on the right work
PlanView Portfolio Management Software integrates a set of governance processes into a single application infrastructure to provide strategic management, project & service management and resource management. Through the PlanView solution, individual projects, service requests and on-going work are managed in the context of the overall organizational strategies. Resource demands can be forecast and capacities evaluated for staff, capital and other resources. Projects and services are linked into portfolios to evaluate their larger impact on strategies for programs, products, initiatives and more. Investment decisions are based on concise, repeatable models to focus resources on the right work. Resource overloads and under-utilization are addressed with real-time information to optimize resource usage. Your governance processes are encouraged and monitored by PlanView software. Time and expenses are managed and tracked down to the task level for reporting and chargeback. Documents, tools, notifications and information are delivered to the appropriate person at the appropriate time through workflow. Real-time performance information is shared across the organization.

[Figure: Manage SOX compliance in its own project portal in PlanView.]

For more information, additional PlanView Position Papers, or to see a demo, please contact us at www.planview.com.
© Copyright 2003 PlanView, Inc. All rights reserved. Level I document. Version 2003-September-18.
PlanView is a registered trademark of PlanView, Inc. PRISMS, Scoreboard and HomeView are trademarks of PlanView Inc.
All other trademarks are acknowledged. PlanView may vary the specifications and availability of these products and services without notice.