Top Ten Ways Your HRIS Data Can Unintentionally Invite A Sarbanes-Oxley Audit
An Executive White Paper
In the wake of the Enron scandal, the United States Congress passed the Sarbanes-Oxley Act of
2002 (SOX) in order to hold top executives accountable for corporate governance. In the past few
years, much has been written about SOX compliance, but very little has been presented in plain,
easy-to-understand English. The “Top Ten” list presented here can help the HR professional to
identify some of the most common potential problems leading to SOX non-compliance.
It should be noted that penalties for non-compliance can include fines ranging from $100,000
to $25 million; criminal and civil action; loss of Directors and Officers (D&O) liability insurance;
loss of exchange listing; and imprisonment on felony convictions for up to 20 years. To date, no
company has been prosecuted for non-compliance. Don’t let your corporation be the first.
A few of the points below are self-explanatory within the human resources environment. Other
points require third-party validation of their relevance in the event of a Sarbanes-Oxley audit.
Corporations are hesitant to comment on possible or even potential issues such as these for fear
of raising red flags and inviting an audit. A business analyst who works daily with corporations
challenged by compliance issues was therefore recruited to comment on these points.
Stephen Chipman, Regional Managing Partner for the Central Region of Grant Thornton LLP, says,
“Millions are being spent by corporations to comply with Sarbanes-Oxley and address internal control
weaknesses. Smart companies are finding ways to do so that add value to their organizations, not
just ways to comply with the law. In Sarbanes-Oxley it is necessary for you to document controls; why
not do it in a way where you can help run your business more effectively.”
The Top Ten
According to a top HR consultant, these are the ten most common ways you can unintentionally
invite the SOX auditors to investigate your company.
> A corporation’s payroll data does not match its org chart
> A corporation cannot show how separate entities running different payrolls or HRIS systems merge together into executive management or the board
> A corporation’s chain of command data is broken
> A corporation continues to pay people after they have been terminated
> A corporation cannot display effective segregation of duties
> A corporation cannot visually demonstrate who is responsible for managing contractors
> A corporation cannot show effective controls over who has security access to which systems
> A corporation does not have data on its outsourced personnel that could impact its segregation of duties or other SOX requirements
> A corporation cannot visually demonstrate that all managerial controls are appropriate given the authority and security rights of each subordinate
> A corporation’s data processes are so manual that audits require the highest priced auditors to make numerous judgment calls on their viability
This is not by any means a complete list of things that could invite trouble. But it’s a good starting
point for developing a strategy for SOX compliance.
Let’s take a closer look at these ten most commonly identified issues.
1. A corporation’s payroll data does not match its org chart.
If your organizational charts are produced manually, your payroll data will never match your org chart.
The corporate landscape today is rapidly changing. Between mergers, acquisitions, right-sizing and
re-organization, it becomes very difficult to keep up.
2. A corporation cannot show how separate entities running different payrolls or HRIS systems
merge together into executive management or the board.
By nature, the geography of large and mid-sized corporations is distributed across multiple locations
and multiple functions. When systems don’t merge all information smoothly to show convergence at
the executive or board level, your company could be in danger of SOX non-compliance.
3. A corporation’s chain of command data is broken.
Chain of command data is also called position control, span of control, hierarchy data and
reports-to data. Are you still using person-to-person reporting? If so, you are very much at risk for
SOX non-compliance. More effective methods use some combination of electronic communication
methods to establish a record of chain of command data.
4. A corporation continues to pay people after they have been terminated.
Believe it or not, this happens. And it’s illegal. You can eliminate any potential for this
hazardous accident happening to you by implementing the safeguards built into many automated
human resource management applications.
“If this is happening, it clearly demonstrates a breakdown of internal controls. The company is
no longer safeguarding its assets and one would have to determine how significant a weakness
this is in relation to Sarbanes-Oxley reporting. It is certainly a control weakness that would get
the attention of management and the auditors,” says Chipman. “Trying to match your controls
over the exit of an employee in different departments in large organizations is challenging — there
are often time lags and potential for communications breakdowns.”
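Items 1 through 4 all come down to reconciling two data sets that should agree: the payroll register and the HRIS org chart. The script below is an added example, not part of the original paper or of any Aquire product; it runs three checks over a small constructed HRIS extract (hypothetical employee ids, names and a single pay run): payroll ids with no org-chart record (item 1), reports-to links that do not resolve to a single top node because a manager id is missing or the chain loops (items 2 and 3), and payroll lines dated after an employee’s termination (item 4). The record layouts are assumptions chosen for the example; a real extract would be mapped onto them.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    manager_id: Optional[str]         # None only for the top of the hierarchy (CEO / board)
    status: str                       # "active" or "terminated"
    termination_date: Optional[date]  # set when status == "terminated"


@dataclass(frozen=True)
class PayrollLine:
    emp_id: str
    pay_date: date
    amount: float


# Constructed sample HRIS extract (hypothetical people and ids, not real data).
EMPLOYEES = [
    Employee("E001", "CEO", None, "active", None),
    Employee("E002", "CFO", "E001", "active", None),
    Employee("E003", "Payroll Manager", "E002", "active", None),
    Employee("E004", "AP Clerk", "E003", "active", None),
    Employee("E005", "Former Analyst", "E003", "terminated", date(2011, 6, 30)),
    Employee("E006", "Orphaned Engineer", "E999", "active", None),  # manager id does not exist
    Employee("E007", "Loop A", "E008", "active", None),             # E007 <-> E008 reporting cycle
    Employee("E008", "Loop B", "E007", "active", None),
]

# Constructed payroll register for one pay run.
PAYROLL = [
    PayrollLine("E001", date(2011, 7, 15), 20000.0),
    PayrollLine("E002", date(2011, 7, 15), 15000.0),
    PayrollLine("E003", date(2011, 7, 15), 6000.0),
    PayrollLine("E004", date(2011, 7, 15), 3000.0),
    PayrollLine("E005", date(2011, 7, 15), 4000.0),  # paid after 2011-06-30 termination
    PayrollLine("E010", date(2011, 7, 15), 2500.0),  # not in the org chart at all
]


def payroll_not_in_org_chart(employees, payroll):
    """Item 1: payroll ids that have no matching org-chart record."""
    known = {e.emp_id for e in employees}
    return sorted({p.emp_id for p in payroll if p.emp_id not in known})


def paid_after_termination(employees, payroll):
    """Item 4: payroll lines dated after the employee's recorded termination date."""
    term = {e.emp_id: e.termination_date for e in employees if e.termination_date}
    return sorted(
        (p.emp_id, p.pay_date.isoformat())
        for p in payroll
        if p.emp_id in term and p.pay_date > term[p.emp_id]
    )


def chain_of_command_breaks(employees):
    """Items 2 and 3: reports-to links that do not converge on exactly one top node.

    Returns (problem_kind, emp_id) pairs: a manager id that does not exist in the
    extract, a reporting cycle, or a hierarchy with zero or several roots.
    """
    by_id = {e.emp_id: e for e in employees}
    problems = []
    roots = [e.emp_id for e in employees if e.manager_id is None]
    if len(roots) != 1:
        problems.append(("multiple_or_no_root", ",".join(sorted(roots))))
    for e in employees:
        seen = set()
        cur = e
        while cur.manager_id is not None:
            if cur.manager_id not in by_id:
                problems.append(("missing_manager", e.emp_id))
                break
            if cur.emp_id in seen:
                problems.append(("cycle", e.emp_id))
                break
            seen.add(cur.emp_id)
            cur = by_id[cur.manager_id]
    return sorted(set(problems))


def run_checks(employees=EMPLOYEES, payroll=PAYROLL):
    """Collect every finding so the result can be filed as audit evidence."""
    return {
        "payroll_not_in_org_chart": payroll_not_in_org_chart(employees, payroll),
        "paid_after_termination": paid_after_termination(employees, payroll),
        "chain_of_command_breaks": chain_of_command_breaks(employees),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings or 'clean'}")
```

Each check returns a sorted list rather than printing, so the same functions can feed a scheduled report; an empty list for every check is the state an auditor would expect to see for a pay run.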
5. A corporation cannot display effective segregation of duties.
Under Sarbanes-Oxley, the requirement for a transparent demonstration of who is doing what is
no longer limited to your financial department. Anyone who accesses files should be tracked. It’s
especially important to have a reporting mechanism for failed access attempts so you can see
when sensitive data might be at risk from unauthorized persons.
“This issue is probably the most significant area of difficulty that organizations have in maintaining
an appropriate internal control environment,” says Chipman. “One of the problems that you have
as an organization is identifying where those segregation of duties issues exist and having the
appropriate understanding of people’s roles, responsibilities and their interface with one another
within the organization. Among medium to smaller public companies, this is the single biggest area
where exceptions under Sarbanes-Oxley will likely occur. Starting with an appropriate organizational
chart is a very important element in addressing the effectiveness of segregation of duties.”
6. A corporation cannot visually demonstrate who is responsible for managing contractors.
The law says you must have effective internal controls in place to show managerial responsibilities.
Even though you know who’s in charge of contractors, SOX requires the information to be readily
apparent to outside parties, such as shareholders and auditors.
“Sarbanes-Oxley dictates that controls are not only in place but that those controls be documented,”
added Chipman. “Obviously having controls over contractors is critical. Again, an appropriate org
chart is a good place to document these controls.”
7. A corporation cannot visually demonstrate effective controls over who has security access to
which systems.
One of the most critical internal controls is the ability to determine who has access to various levels
of secure information, and why.
Chipman says, “This is a simple point. Under Sarbanes-Oxley, you not only have to have appropriate
controls but they need to be documented, this would include security access controls.”
8. A corporation does not have data on its outsourced personnel that could impact its
segregation of duties or other SOX requirements.
How much do you know about your outsourced personnel? How do you keep tabs on what they’re
doing? There are SOX compliance issues with the inability to show what functions outsourced
personnel are performing.
“Corporations are reasonably good at knowing what is going on under their own roof. But a complete
understanding of outsourced personnel can be challenging because they are not a part of the line
reporting structure,” says Chipman. “A lot of organizations have looser controls when it comes
to outsourced personnel and sub-contractors. This can create an issue regarding not only the
segregation of duties, but the controls over hiring and firing of those subcontractors.”
9. A corporation cannot visually demonstrate that all managerial controls are appropriate given
the authority and security rights of each subordinate.
You cannot have a disconnect in the manager-subordinate chain. Subordinates need to be shown to be
performing subordinate functions with subordinate security access to their respective managerial staff.
“You have the issue of identifying control weaknesses, which the organization is responsible to do.
It would certainly be easier to identify conflict in authority and security rights between peers and
their subordinates, as well as make sure those controls are appropriately documented if you have
a robust organizational chart,” added Chipman. “Obviously it would only be one piece, but a very
important piece.”
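Items 5 through 9 share one underlying question: can the company show, from data rather than memory, which functions each person holds, whether any one person holds a conflicting pair, and which manager is accountable for reviewing that access. The script below is an added example, not part of the original paper or of any Aquire product. It uses constructed role and entitlement data (hypothetical role names, function names and employee ids): a conflict matrix of function pairs that defeat a control when held by one person (item 5), a per-manager access review report that documents who is responsible for each subordinate’s rights (items 7 and 9), and a list of people, such as contractors, who hold access but have no accountable manager on record (items 6 and 8). The choice of conflicting pairs is an assumption for illustration; each company defines its own.

```python
from itertools import combinations

# Constructed entitlement data: which business functions each role grants (hypothetical names).
ROLE_FUNCTIONS = {
    "ap_clerk":      {"create_vendor", "enter_invoice"},
    "ap_approver":   {"approve_payment"},
    "payroll_admin": {"run_payroll"},
    "hr_admin":      {"edit_pay_rate"},
    "read_only":     {"view_reports"},
}

# Function pairs that should never sit with one person (assumed conflict matrix).
CONFLICTING_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"edit_pay_rate", "run_payroll"}),
}

# Constructed role assignments, including a contractor (C101) with no manager on record.
USER_ROLES = {
    "E002": {"read_only", "ap_approver"},
    "E003": {"payroll_admin", "hr_admin"},  # can change rates and run payroll
    "E004": {"ap_clerk"},
    "E005": {"ap_clerk", "ap_approver"},    # can create a vendor and approve its payment
    "C101": {"ap_approver"},                # contractor, absent from the reports-to data
}

# Constructed reports-to data: None marks the top of the chain; a missing key means nobody owns the person.
MANAGER_OF = {"E002": None, "E003": "E002", "E004": "E003", "E005": "E003"}


def functions_for(roles):
    """Union of the functions granted by a set of roles."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def sod_conflicts(user_roles=USER_ROLES):
    """Item 5: (user, (function_a, function_b)) for every conflicting pair one person holds."""
    found = []
    for user, roles in user_roles.items():
        for a, b in combinations(sorted(functions_for(roles)), 2):
            if frozenset({a, b}) in CONFLICTING_PAIRS:
                found.append((user, (a, b)))
    return sorted(found)


def manager_review_report(user_roles=USER_ROLES, manager_of=MANAGER_OF):
    """Items 6 to 9: what each manager must attest to, plus people nobody is accountable for.

    Returns (report, unaccountable): report maps manager id -> {subordinate: sorted functions};
    unaccountable lists users with access but no entry at all in the reports-to data.
    """
    report = {}
    unaccountable = []
    for user, roles in sorted(user_roles.items()):
        if user not in manager_of:
            unaccountable.append(user)
            continue
        manager = manager_of[user]
        if manager is None:  # top of the chain; reviewed by the board, outside this report
            continue
        report.setdefault(manager, {})[user] = sorted(functions_for(roles))
    return report, unaccountable


if __name__ == "__main__":
    for user, pair in sod_conflicts():
        print(f"SoD conflict: {user} holds {pair[0]} and {pair[1]}")
    report, orphans = manager_review_report()
    for manager, subs in sorted(report.items()):
        for sub, funcs in sorted(subs.items()):
            print(f"{manager} must review {sub}: {', '.join(funcs)}")
    for user in orphans:
        print(f"No accountable manager on record for {user}")
```

The conflict check works at the function level rather than the role level, so a conflict is caught whether it comes from one poorly designed role or from two individually reasonable roles granted to the same person; the review report is the kind of artifact that can be attached to an org chart to show auditors who signed off on each subordinate’s rights.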
10. A corporation’s processes are so manual that audits require the highest priced auditors to
make numerous judgment calls on the viability of the data.
Data entry is the bane of many an HR administrator. Systems today can automate many of the
processes that previously were handled manually. The likelihood of SOX compliance increases as
more data is automatically processed.
“If the documentation within a company is outdated it will be required that the company update
its documentation in order to meet Sarbanes-Oxley requirements,” said Chipman. “If the company
does not do that itself, it has to hire others to come in and do it for them. Many companies that
are accelerated filers under Sarbanes-Oxley have engaged accounting firms to come in and redocument areas of their internal controls. This can be a very expensive proposition.”
Automating Compliance With The Sarbanes-Oxley Act
As your company develops a strategy for SOX compliance, consider that new requirements will
continue to evolve as time passes. Maintaining compliance utilizing manual procedures in today’s
data-driven world will be next to impossible. This is why many companies have come to rely upon
software applications specifically designed to address these Top Ten issues and many other
regulations set forth in the SOX Act.
Failure to comply with Sarbanes-Oxley could result in seeing your top executives heavily fined or, in
extreme cases, hauled away in handcuffs. And, because the law requires executive management to
be aware of the controls required for compliance and to be responsible for their effectiveness, the
Information Technology department can no longer be made the scapegoat for unfortunate events.
Sarbanes-Oxley Act of 2002 — Why, in a nutshell:
> To improve quality and transparency in financial reporting and independent audits and
accounting services for public companies
> To create a Public Company Accounting Oversight Board
> To enhance the standard setting process for accounting practices
> To strengthen the independence of firms that audit public companies
> To increase corporate responsibility and the usefulness of corporate financial disclosure
> To protect the objectivity and independence of securities analysts
> To improve Securities and Exchange Commission resources and oversight
> And for other purposes
“Yes, you have to comply with the law, which is Sarbanes-Oxley, but you also want to do it in a
way that is going to add value to a company’s operation,” said Chipman. “Having relevant parts
of your documentation embedded into a robust, dynamic and flexible organizational chart that is
able to move and change with the corporation is one way of getting that added value.”
It is vitally important to the continued success of your company to implement processes designed
to streamline SOX compliance. It pays to have an effective, integrated solution.
About Aquire
Aquire gives companies the wisdom that can only be derived from visualizing and deeply understanding
the trends and future needs of their organization. Through a team of dedicated people, and a host
of innovative solutions, a strategic partnership with Aquire helps companies make evidence-based
decisions about their workforce investments. With Aquire solutions in hand, companies can build and
communicate plans that differentiate their workforces to maximize their productivity and profits. More
than 15 years of workforce insight gained from serving thousands of customers has helped Aquire
grow from an industry pioneer into a recognized innovator with a portfolio of software solutions that
support today’s vital workforce planning and talent management challenges.
North American Office
400 East Las Colinas Blvd.
Suite 500
Irving, TX 75039 USA
Phone: +1 214.574.5020
Fax: +1 214.574.5014
Toll-free: 888.674.2427

Aquire United Kingdom, Ireland and Africa
Enterprise House
5 Roundwood Lane
Harpenden
Hertfordshire
AL5 3BW
United Kingdom
TEL: 0845 371 7085
TEL (outside the UK): +44 1582 463489

Aquire Europe and Middle East
BCB Bachstrasse 1
CH-9606 Bütschwil,
Sankt Gallen
Switzerland/Schweiz/Suisse
TEL: 044 5007159
TEL (outside Switzerland): +41 44 500 7159

Neumarkt Galerie
Richmodstraße 6
50667 Köln
Germany
TEL: 0221 92042 430
TEL (outside Germany): +49 221 92042 430

11-AQU-250 / 08.15.11
aquire.com | blog.aquire.com
facebook.com/aquire | twitter.com/aquireinc
linkedin.com (OrgPublisher Group for customers only)