the compliance staff had an interest in
reducing panicky middle-of-the-night
phone calls. LogicalApps helped the
company convert manual controls into
automatic processes. The result? Less staff
time to manage controls, and less audit
support to make sense of the reports that
were generated. “We’re embedding tools
like LogicalApps into our base infrastructure,” says Craig Haught, Cymer’s vice
president and CIO. “There are no surprises. It’s like a flight check. When you
bring in a new capability, you want it to
work at launch.”
LogicalApps helped Intuit set up a
more-preventive controls environment.
For example, if someone changes a
product SKU number, the revenue recognition team at Intuit receives a memo
to review and approve the change. In
most cases, the change goes through, but
the reason for the change is noted in real
time instead of at the end of the reporting
period, which may require reconstructing
sales figures, writing justification memos,
and letting the change go through whether or not it was the right
thing to do simply because it’s too late. “It’s not a resource strain
at month-end,” says Robert Singleton, manager of Intuit’s controls advisory office. “Until the team reviews and approves the
process, it’s not in Oracle.”
SAVING MONEY AND STRENGTHENING OPERATIONS
Intuit’s central Controls Advisory Office is in charge of helping
operations managers achieve and maintain a compliant control
environment. The strategy is to manage risk and improve processes in real time, not at the end of the month or the quarter.
This approach generates reliable results without creating problems for operations. “My time is focused on addressing risk
within Intuit and making sure that there are appropriate controls,” Singleton says. “The controls that are in place are things
that we were doing before Sarbanes-Oxley; they just needed to
be documented so that they could be audited.”
In its Sarbanes-Oxley evaluation, Intuit identified 358 financial and operational controls, 101 of which are now automated
under Oracle and another 257 of which are manual. The company’s goal is to convert manual controls to automated controls.
Those 257 controls for FY2008 are down from 314 in FY2007
and 30 more are targeted for the end of FY2009.
Cymer and Intuit both found that big payoffs came from
reducing the time to do the analysis. In 2005, Intuit’s access
and configuration control testing required six auditors and
14 weeks. In 2007, it took four auditors and just 8 weeks,
and Singleton expects those numbers to come down. Using
Oracle Governance, Risk, and Compliance
Controls Suite to manage controls has
generated a real return on investment
for Intuit, including 55 percent time
savings among internal departments, 65
percent reduction in controls testing, and
42 percent reduction in external auditor
testing. The payback period for the current
installation was less than five months,
Singleton reports. Some of these improvements came from a decrease in control execution and testing resources, with control
execution falling by 15 hours and control
testing resources decreasing from 60 hours
per test to 10.
The GRC processes set up at Cymer
were designed to be measurable, preventive, and automated. “That’s critical
for getting the confidence of the audit
committee and at the senior levels of the
company,” Haught says. And, the system
is designed to grow with the company.
“Scalability allows us to minimize manual
errors,” says Haught. The standardized
architecture means that he and his staff
don’t have to reinvent the system as the company grows.
>>SNAPSHOTS
Intuit
www.intuit.com
Employees: 8,200
Revenue: US$834.9 million
Oracle products and services:
Oracle E-Business Suite 11i, including
Financials and Human Resources;
Oracle Governance, Risk, and
Compliance Controls Suite (formerly
LogicalApps); Siebel Call Center;
Siebel Service; Oracle Consulting
Cymer
www.cymer.com
Employees: 1,000
Revenue: US$522.7 million
Oracle products and services:
Oracle9i Database; Oracle E-Business
Suite 11i, including Manufacturing,
Financials, Accounting, and Human
Resources; Oracle Governance,
Risk, and Compliance Controls Suite
Other products: IBM xSeries 445
MAKING COMPLIANCE WORK IN COMPLEX ORGANIZATIONS
It’s interesting that Oracle expanded its GRC product line
through an acquisition, because acquisitions can create compliance problems. Information that the board of directors or
regulators need may be tucked away in different databases. The
information might never be integrated, which requires a different approach to embedded compliance. “It’s less about having
everything in one database and more about having everything in
accessible formats,” Mitchell says.
As companies grow and employees need flexibility, compliance becomes key to heading off major problems. Anyone who
has dealt with a crisis knows that it’s easier to prevent problems
than to deal with the aftermath. When companies spend energy
building brands and goodwill, and people spend energy building careers and reputations, it’s easy to see the payoff to creating
strong governance, reducing risk, and improving compliance.
“As a person who serves on three public boards, I appreciate the importance of governance, risk, and compliance,” says
Oracle President Charles Phillips. “It’s an issue in corporate
boardrooms, and it’s not going to ease up going forward.”
ANN C. LOGUE has written for Barron’s, the New York Times, and Compliance Week.
>> FOR MORE INFORMATION
Governance, Risk, and Compliance Management
oracle.com/compliance