Intuit’s central Controls Advisory Office is in charge of helping operations managers achieve and maintain a compliant control environment. The strategy is to manage risk and improve processes in real time, not at the end of the month or the quarter. This approach generates reliable results without creating problems for operations. “My time is focused on addressing risk within Intuit and making sure that there are appropriate controls,” Singleton says. “The controls that are in place are things that we were doing before Sarbanes-Oxley; they just needed to be documented so that they could be audited.”
In its Sarbanes-Oxley evaluation, Intuit identified 358 financial and operational controls, 101 of which are now automated under Oracle and 257 of which remain manual. The company’s goal is to convert manual controls to automated ones. The 257 manual controls in FY2008 are down from 314 in FY2007, and 30 more are targeted for conversion by the end of FY2009.
Cymer and Intuit both found that the biggest payoffs came from reducing the time needed to do the analysis. In 2005, Intuit’s access and configuration control testing required six auditors and 14 weeks. In 2007, it took four auditors and just eight weeks, and Singleton expects those numbers to come down further. Using Oracle Governance, Risk, and Compliance Controls Suite to manage controls has generated a real return on investment for Intuit, including a 55 percent time savings among internal departments, a 65 percent reduction in controls testing, and a 42 percent reduction in external auditor testing. The payback period for the current installation was less than five months, Singleton reports. Some of these improvements came from a decrease in the resources needed for control execution and testing: control execution fell by 15 hours, and control testing decreased from 60 hours per test to 10.
The GRC processes set up at Cymer were designed to be measurable, preventive, and automated. “That’s critical for getting the confidence of the audit committee and at the senior levels of the company,” Haught says. And the system is designed to grow with the company. “Scalability allows us to minimize manual errors,” says Haught. The standardized architecture means that he and his staff don’t have to reinvent the system as the company grows.
Making Compliance Work in Complex Organizations
It’s interesting that Oracle expanded its GRC product line through an acquisition, because acquisitions can create compliance problems. Information that the board of directors or regulators need may be tucked away in different databases. The information might never be integrated, which requires a different approach to embedded compliance. “It’s less about having everything in one database and more about having everything in accessible formats,” Mitchell says.
As companies grow and employees need flexibility, compliance becomes key to heading off major problems. Anyone who has dealt with a crisis knows that it’s easier to prevent problems than to deal with the aftermath. When companies spend energy building brands and goodwill, and people spend energy building careers and reputations, it’s easy to see the payoff from creating strong governance, reducing risk, and improving compliance.
“As a person who serves on three public boards, I appreciate the importance of governance, risk, and compliance,” says Oracle President Charles Phillips. “It’s an issue in corporate boardrooms, and it’s not going to ease up going forward.”