Advanced Front Office Lean with Business Modeler Software

Lean disciplines may have originated on the shop floor; but, they can also be applied in the front office and this is where the next frontier of productivity gains will take place. Growth in outsourcing and the shortening of product life cycles mean that more and more value is added to a product in the front office. Engineer-to-order and project-centric businesses, in particular, are vulnerable to efficiency drains in the front office, and companies that contract out a significant percentage of their manufacturing processes will also have increased demands placed on administrative functions, making front office lean absolutely critical.

In an earlier article, we dealt with some basic approaches to front-office lean. In this article, we'll focus on one often-overlooked tool for facilitating front-office lean—business modeler software that is tightly integrated with an enterprise application. Business modeler software can help to identify non-value-added steps in a front office process, but by using it to automate processes it can—in and of itself—eliminate non-value added steps.

Hidden waste

There is a hidden waste that many executives do not discuss or may not even know about.

This is the waste that comes from a lack of clarity of what the company's current business processes are, or from poorly—defined or inadequately documented processes. In a front office environment, people in administrative and managerial roles may ask each other, their managers, or even the people who work for them, "how do we open a purchase order?" or "what is our process for an engineering change order?" Conversations like this may take 10 to 15 minutes, and might happen dozens or even hundreds of times a day, depending on the organization. Various people in the organization may have been trained to undertake these processes in a variety of ways, and employees may wind up discussing the relative merits of how a process is currently undertaken and how the same process may have been completed in years past.

Even if you are reasonably efficient in manufacturing, think of how much time you are wasting on interactions like these in the office. Moreover, if processes are not documented clearly, how much time and expense is wasted by training new hires in processes that may not be optimal? The need to train and retrain people because their initial training may not have reflected current processes is one indicator that a company ought to consider business modeler software.

Another indicator that business modeler software could be helpful is a periodic or frequent need to redo front office tasks because managers and employees were trained incorrectly or because there is no established, effective procedure for taking care of business tasks.

If, in the course of conducting business, the following questions are asked with any degree of regularity, business modeler software may be required in order to facilitate leaner operations:

* How do we do this?
* Why do we do it this way?
* Isn't there a better way?

Used correctly, business modeler software can reduce training costs and prevent errors and non-value-added work that result from undocumented or unclear processes. But, as we will soon see, there are other even more exciting benefits that can be derived from this technology, particularly when it is part and parcel of an enterprise software environment.

Business modeling software standardizes and record front office processes as they evolve. Source: IFS North America, IFS Applications

How does business modeling help?

The genius of business modeler software is that it helps to reduce waste throughout your organization in a number of ways. First of all, it standardizes processes and then documents them. The business model then describes how you do things and puts that descriptive data in a common repository. Whether you are filling in for an associate who is away and have to learn a new functional area of the company or are training a new hire, your process information is standardized, accessible, and packaged for easy learning.

Business modeler software also facilitates process change management and improvement because it contains a history of how things have been done in the past and the reasons for adopting new processes over time. This history of the business models as they developed, what was done in the past and why processes were changed will help you avoid wasting time and resources by reverting to a process that you had earlier abandoned because you found them to be suboptimal.

If attempts at process change in your organization prompt comments along the lines of "we tried it that way years ago and it didn't work," business modeler software will certainly help. Only by recording and studying history can you avoid reliving it.

Another powerful aspect of business modeler software is that, if it is properly integrated with the enterprise IT environment, it is not just a training tool or a tool for senior managers; rather, it's a tool for daily use by hands-on system users. People using an enterprise software tool are using a system and therefore need a systematic approach for doing things on that computer system. The model would likely be most useful in the longer term for those who use a system only periodically, and, therefore, do not have the opportunity to rapidly master the system. Ideally, the model is not just for training, but for actual use until the processes contained in the model become second nature. Over time, the model is used less and less to guide workers as they follow processes on a daily basis. This means that when it is part and parcel of the overall enterprise software environment, business modeler software can guide front-office processes ranging from scheduling, materials planning, finance, quality, customer service, and other disciplines in a manner similar to visual cues and other methods used on the shop floor.

Business modeler software can streamline processes wherever there are a number of things to attend to; and by doing them in the proper way in the proper order, workers can reduce non-value-added steps. The fact that these processes are well-documented and centrally archived means that even after processes are learned thoroughly and the model is no longer being used as a daily guide, users can refer to it occasionally as a way to re-orient themselves on key processes.

Once processes are streamlined through the daily use of business modeler software to guide front-office activities, these well-documented processes can serve as a platform from which further lean initiatives can be launched. When an initiative comes down from senior management to reduce cost, for instance, the existing business model can be evaluated to determine where cost is coming from and how processes need to be revised to meet cost-cutting goals.

Business modeler software also enhances your lean improvement efforts by allowing you to benchmark your lean process improvements. In the software, you will have static "as is" models as well as dynamic "to be" models. Once daily system users migrate away from using the model as a guide, and as the processes become ingrained and subconscious, pragmatism and innovation take over and system users tend to change these processes, making them even leaner than they were before. These improved processes can be woven into a new "to be" model and compared to an "as-is" model as well as other dynamic "to be" models.

This means that periodically it is possible to compare current processes to the business model. Frequently, this comparison will reveal that the processes documented in the model do not describe what employees are doing, but rather that employees have improved on the original processes. Business modeler software documents where you have improved (by removing non value-added work). So, in this case, the software can help you document improvements that take place over time.

Anyone involved in lean initiatives like value stream mapping or "as-is, to-be" knows the importance of being able to record processes as they exist and describe processes as they should be. Regardless of the specific lean discipline followed, the lean goal is to document how things are done now to make sure they are done the most efficient way (with the least amount of non-value-added steps), then develop a "to-be" model depicting how things work best. You want to be able to see where your processes are now, where they are headed and then see multiple versions of evolution of those processes.

Within, without the enterprise application

The ability to guide users directly though processes in an enterprise application is one powerful way that business modeler software can facilitate lean in the front office. But that does not mean that processes need to be completed entirely within the enterprise application in order to be streamlined through the use of business modeler software. The business model should be able to encompass processes completed in other applications and on the Web.

For example, let's say that you are responsible for handling requisitions for new materials. As part of the process model, you need to do research on the part or material you are looking for. It should be possible to build into the model a link to a Web browser along with links to sites where you might source the products you need. Another procedure might be to prepare a request for quotations, and a link in the business model could open a window to complete that step, perhaps in a word processor if that is the tool you have decided to use for that step, or could even direct you to the vendor site to complete an online purchase.

Regardless of what front office process you are involved in or what technology tool your model mandates for the completion of that process, the business modeler software ought to steer users to that specific technology tool and facilitate process completion. The business modeler may be integrated into the functionality of your enterprise software environment, but it could launch processes in an ERP application, in a word processing program or direct users to a vendor site where information could simply be keyed in. Regardless of whether tasks are completed inside the enterprise software or within other pieces of software or on the Web, links to the appropriate tool are embedded in the process model.

Whether you are completing business processes within the enterprise software or outside of it, the process diagram describes what you want to do and allows you to complete all of those tasks right from that model. That is in contrast to a stand-alone business model that is just a diagram where you need to go back to your own computer to figure out how you go about completing the steps outlined in the model. So, business modeler software is one of the few tools that in and of itself removes non-value added effort.

Correct technology essential

Business modeler software is nothing new, but those who want to derive maximum lean benefits from their business model ought to choose their technology carefully. There is no shortage of standard flow charts and other tools that are touted as business modeler software. Business modeler software tools that are tightly integrated with an underlying enterprise software tool, like enterprise resource planning (ERP), will result in quantifiable business streamlining results because the model can be automated at a very granular level.

Some flowcharting tools have become dynamic enough to encompass a variety of business processes, but are still essentially generate standalone documents. Enterprise simulation tools are designed to model an enterprise for the purpose of comparing existing processes to new processes, but still might fall short of the process automation functions that represent the height of value that can be realized using business modeler software. Workflow tools, meanwhile, are designed to automate processes by passing work from one person to the next. However, a quality enterprise application ought to facilitate this degree of interaction already.

Stand-alone business modeler software will just act as another silo of information, hindering the flow of information and hence the flow of value throughout the enterprise. Business modeler software embedded within the enterprise application, however, can help define how information flows through the enterprise and help plan the most efficient way to complete business functions with the lease effort lost to non-value- added work. The resulting business benefit is that you will have a model that tracks how processes have changed and improved over time, creating an organizational memory – a history of your lean journey. Business modeler software can make that journey a better one.

The Business Model for the 21st Century Is Project-centric

The need for agility in business grows ever more pressing. Reacting in real time is vital, and time is a commodity always in short supply. Many companies are currently heavily focused on financial measures, especially how the numbers look at the end of accounting periods. While financial reports are important, relying on them too heavily can lead to a business geared to analyze the past rather than one driven to manage the present and prepare for the future. If your business is driven by accounting periods alone, then it is poorly equipped to react as dynamic situations unfold. Reacting to financial results is like reading the newspaper—you can see what has happened, but it is much too late to do anything about it.

Traditional organizational structures and systems can make understanding real-time operational situations almost impossible, delaying corrections, costing the business money, and—in a downturn—even threatening its survival.

The criteria for business success are normally measured in financial terms, but the day-to-day management to ensure these monetary goals are met needs to look beyond pure historical financial-reporting. Today, success is all about the difference between measurement and management.

Cost, time, resources, cash, and risk have long been the five fundamentals of project management. These performance indicators need to be observed and controlled in real time in order to manage and deliver a successful project. Projects typically cross departmental—and often company—boundaries, and they always have a start and an end. In today's business climate, there is much that can be learned from this approach to help manage the whole organization through the downturn and beyond—even for businesses that do not see themselves as operating in traditionally project-driven sectors. Project management techniques, applied across the board, can help an organization evolve into a true project-centric business.

In today's globalized business environment, a project-centric approach means putting together the best mix of resources—people, production, design, sales, marketing, service, and so forth, both from within the organization and from the extended enterprise—for each product and service offered by the business in order to ensure the best chance of success. This may mean moving away from traditional thinking. Traditionally, production has always been done in house, with certain products tied to specific locations. Today, for instance, a manufacturer must make a business case whether to make or buy a component or an entire product. If you have the right information in real time, you can make the necessary strategic decisions about which resources to use, where to locate elements, and whether to perform various tasks in house or through subcontractors, outsourcing, or offshoring.

The right mix to deliver success can often change. The benefits of yesterday's cost-driven decision to offshore manufacturing to China might be offset by tomorrow's increase in delivery costs due to rises in the price of oil. A historical perspective on costs is no longer enough to manage the business. Moreover, cost savings must be balanced against nonfinancial measures, such as quality, skills availability, and environmental concerns, as well as risks such as the potential impact on brand and reputation. The focus must shift from backward-looking financial measurement based on accounts and cost centers, to company-wide management of cost, time, resources, cash, and risks, supported by real-time information.

This project-centric concept needs to be instilled throughout the business, at all levels and across all departments. Many managers and executives are left with systems that don't provide easy access to performance metrics in real time. It is often these individuals that regard a project as something that delivers a specific service or tool to the business, and who don't see it as a fundamental approach to delivering the core goals of growth and profitability. By compartmentalizing the role of projects, those management teams are missing out on a very efficient approach to running the complete enterprise. Structuring the whole organization on an integrated set of projects enables success to be clearly identified, measured, and communicated. As we approach the back end of the 21st century's first decade, the project-centric approach is evolving into a clear structure for the modern, agile business.

Project management techniques should no longer be the reserve of specific industries or departments. Setting precise goals, with a defined budget, to be reached within a specified time frame, is now more common than ever before. The fundamentals of project management are now core to companies specializing in areas such as contract manufacturing, construction, and contracting, as well as in the service and traditional asset management industries. These sectors are likely to have taken a project-centric approach to running major parts of their business some time ago.

The construction and contracting industries are great examples of the project-centric approach. They are 100 percent project-focused in how they deliver products and services, but do they take the same approach to make sure the financial goals of the business as a whole are reached? Some do, but not all, as even these types of businesses struggle with measuring the past rather than managing for the future. Real-time visibility throughout the whole project life cycle, across organizations and all company business processes, is the key to success.

Improve Visibility

Building a company's business on a network of integrated projects not only sets out the logical steps to business success, it enables managers and senior executives to have better and faster visibility of progress, enabling operational and financial risks to be managed more closely, corrections to be made, and the consequences minimized.

What is key here is that businesses see the project as a real-time execution model, not just as a framework for planning and follow-up. Project-centric business applications make this work, integrating information across all departments, such as human resources (HR), finance, production, and others. This agility is even more essential in a tightening global economy.

The current accepted approach to business makes understanding a company's real-time performance difficult. Quarterly figures are often not available for weeks after the end of the reporting period, so this information is already out of date by the time it is available to the business. Yet chief executive officers (CEOs), investors, and customers are demanding more visibility, improved real-time access to information, and faster reaction to change. Taking a project-centric approach pulls together forecasted, estimated, and actual metrics, and puts monitoring in place to provide a view of all elements—not just financial actuals.

Operational and financial risks can also be evaluated on an ongoing basis, and strategies can be defined upon these. This approach delivers a level of analysis on which decisions can be made quickly and with confidence. The business becomes agile.

Project metrics are common practice for staff of all levels. They provide the right insight into the business. An enterprise resource planning (ERP) system that is built on project-centric fundamentals can provide the insight that managers need to understand the immediate situation, and the effect that adjusting resources, costs, and timings on individual projects will have on larger financial goals.

Significance of Time

Time is a great leveler, as the problem of allocating time applies to all businesses, irrespective of size and financial strength. For example, it has been proved time and again that the first product to enter a market achieves the highest profits. It is better to be a leader than a follower, and launching a new product into a new market involves major risk, cost, cash, time, and the best use of key resources. This is a forward-looking application of project-centric thinking.

It is often stated that the key constraint to execution is the availability of key executives' time. For example, when pursuing the global expansion of a business and establishing international operations, being able to execute to a predictable time plan is paramount. Maintaining the timeline is difficult if key executives do not have real-time visibility of ongoing processes, preventing them from proactively making timely decisions. This is a clear benefit of the use of project-centric business applications.

Project-centric Businesses

More and more companies in the manufacturing sector need to look at their product portfolios and the mix of in-house production, outsourced production, and after-sales services and spares that will deliver the greatest profits. Contracts often run for defined quantities of specific products over a finite period of time. The manufacturer may have several projects on the go at any one time. Globalization has made outsourcing easier for the established brand owner. As a result, more and more businesses have increasingly complex supply chains.

Changes in the global economy have released such industries as utilities from public ownership, and have created global players that own many different businesses in different countries. Sales and marketing entities in western Europe are selling electricity that is generated by a different company and delivered to the consumer on a network owned and run by yet another company. This focus on a core business service by different entities in the supply chain enables those holding the relationship with the consumer to chop and change providers to suit consumer demands and producer improvements. Suddenly the whole business is being run on project-centric fundamentals: cost, time, resources, cash, and risk.

But what does it mean for your business? The CEO of today must embrace this project-centric approach and manage the business by focusing on the five elements presented here. There must be a change from siloed organizations geared to measure the past, to companies driven to manage the present and to prepare for the future. This is a world where companies need to become project-centric, using systems that provide the agility needed to react instantly. To ignore this challenge will make it difficult to weather the downturn and stay ahead of the increasingly global competition.

Factors Inhibiting the Widespread Adoption of Business Performance Management

Although business performance management (BPM) offers outstanding benefits, such as helping organizations align their performances to their business processes and their overall organizational strategies, widespread adoption has been slow at best. BPM vendors need to ask themselves why this has been the case, and what they can do to increase their market penetration. A step in the right direction would be to identify BPM's competitors within the overall business intelligence (BI) market, analyze the market penetration that BI solutions have sustained, and determine how BPM can reposition itself to increase its competitive edge.

Identifying Vendor Differences

Identifying the way vendors are positioning themselves in the market may help users find the vendors that most closely meet their requirements. Although there is a great deal of feature and functionality crossover, vendors market their differences aggressively. This may create confusion for user organizations. Differentiators among vendors are generally seen in business benefits, market positioning, and organizational uses, which often translates into how solutions are adopted and used.

BPM Vendors

Leading BPM vendors include Applix, Cartesis, CorVu, Clarity Systems, Actuate, and Hyperion. Analysts forecast that the BPM market will reach roughly $1 billion (USD) by 2011. While BPM vendors provide similar features as their BI counterparts, they primarily focus on planning, budgeting, forecasting, consolidation activities, etc. that center on an organization's financial performance. This can include sales and marketing efforts, human resources management, and vertical market solutions.

Traditional BI Vendors

Traditional BI vendors include Cognos, Business Objects, Information Builders, and MicroStrategy. In 2005, analyst consensus placed the overall BI market between $4 billion and $6 billion (USD) with high growth rates for subsequent years. BI vendors provide users with the ability to create and leverage data from within a data warehouse, and extract, transform, and load (ETL) functionality that pools data from across various applications to create a centralized data repository. Additionally, reporting, online analytical processing (OLAP), analysis, scorecard, and dashboard functionality provide the user with interface and front-end analysis tools. Lastly, many BI vendors develop solutions based on various vertical markets, or business functions, to meet the general needs of organizations out of the box, and increase their usage across the organization by providing specialized solutions.
Crossover Vendors

In addition to vendors with a strong presence in either BPM or BI markets, several vendors have expanded their product offerings and marketing strategies to compete in both spaces. Included in this list are Actuate and Hyperion, which have crossed over from BPM to include BI. Within the BI space, Cognos and Business Objects are examples of vendors positioning themselves in both markets. These crossovers give users more flexibility. For BI vendors, their expansion into the BPM market gives their customers the advantage of a BI platform, vendor viability, and features and functionality. Additionally, many customers that implement BPM solutions do so as expansions within their BI frameworks.

Operational BI Vendors

Operational business intelligence (OBI) has emerged to provide organizations the forward-looking analysis and real-time decision-making ability lacking in traditional BI. Operational BPM and BI use similar tools to measure and define an organization's performance, and to compare those defined measurements to identified metrics. However, the focus of each market differs slightly. BPM focuses on the departmental management of metrics, or key performance indicators (KPIs), to manage the application of strategic planning. OBI leverages the use of BI to embed those tools within organizational processes. OBI includes the development of analytics and dashboards to monitor various metrics and provide collaboration tools to interface with various departments. OBI tends to appeal more to operations users and lines of business (LOB) managers, while performance management tools appeal to financial applications users.

Factors Inhibiting the Widespread Adoption of BPM

Aside from market size and current market penetration, the perception of BPM is that it has less presence than its BI counterpart. In reality, BPM and BI each play to a different audience in terms of usage within the organization. BPM's main focus is financials, including budgeting, consolidations, planning, and so on. However, BPM vendors may offer some similar features and functionality as BI vendors. BI vendors focus on the breadth of their product offerings, which include data warehousing, OLAP, reporting, usage of dashboards, etc. This means that BPM vendors might have to fight to get their "foot in the door," because BI plays to a wider market.

Installed Base

BPM vendors compete in a skewed market where they are immediately disadvantaged. Why? BI has a large installed base. BI vendors use aggressive marketing campaigns to target their current customer bases and to increase standardization within organizations. This presence often creates a roadblock for BPM vendors. A BI vendor's installation base and crossover strategy makes the vendor a natural contender for growth within user organizations. BI vendors have greater success because it is easier to sell to a current, satisfied customer than to find new customers. Additionally, many BI vendors develop crossover strategies or market their BI functionality to meet an organization's BPM needs.

Platform Standardization

Standardization on a single platform by the information technology (IT) department represents a significant obstacle to BPM vendors. One of IT's goals is the creation of a stable and manageable environment. BI standardization involves the use of a common BI platform to meet the needs of an entire organization. It also allows BI vendors the advantage of expanding their installed bases to generate more revenue and to align themselves more closely with the IT department.

This means that once a BI environment stabilizes, the expansion of that environment may be seen as the easiest route to achieve both IT and business satisfaction. Vendors that try to enter these organizations may encounter resistance due to the additional time and resources necessary to install, maintain, and integrate the new tools within the current environment.

Similarly, organizations have been gravitating toward standardization on an overall IT platform—that is, Microsoft, IBM, SAP, and Oracle (MISO). Therefore, organizations are more likely to look to these vendors first for BPM or BI solutions. Although most BPM vendors can integrate within these environments, the seamless transition and the use of a single platform create more ease for the IT department.

Also, the products offered from the MISO vendors are built specifically for these platforms to make, in theory, the job of the IT department easier. Whether other BPM suites are better suited to the organization's needs becomes inconsequential, as the short-term benefits of an easy integration and general functionality may outweigh the payback of a full-scale project to evaluate other options.

Financial Resources

BPM vendors have another obstacle—the financial strength of BI vendors. With their substantial revenues and profits, many BI vendors have an advantage over BPM vendors in their ability to grow functionality or sales channels either organically through internal efforts, or inorganically through the acquisition of smaller vendors. The development of BPM functionality allows users to use their current platforms with minimum integration or training issues. This provides inherent value to current customers and allows them to take advantage of a vendor's far reach.

BI vendors that become crossover vendors through organic growth can increase their installed bases and focus on platform standardization. Alternatively, many BI vendors choose to acquire smaller, best-of-breed BPM vendors to broaden their market shares. A recent example is Business Objects' acquisition of ALG Software. Such acquisitions give larger vendors an automatic inroad into the BPM market. Additionally, by buying out BPM vendors, BI vendors increase their market penetration, customer bases, and overall presence. Once BI vendors do this on a large enough scale, they could dominate the market by default, making it difficult for best-of-breed BPM vendors to compete or to expand their market presence.

Learning Curve

BPM vendors are missing the boat by arguing ease of use against BI tools. User-friendliness occurs due to familiarity with the tool, and not because of its perceived intuitiveness. Training initiatives are required to get users "up to speed" (accustomed to) on whatever tools they will use. Their comfort using the installed applications creates an ease of use that cannot always be duplicated by a new system.

Basically, the unfortunate reality for BPM vendors is that BI is already in the organization. Even if the learning curve for a BPM tool is not as steep, it may not matter. The result is that BI's use within organizations creates its ease of use over time. For BPM vendors, arguing that they have an advantage in this respect may be a losing battle. A better strategy would be to focus marketing messages on addressing perceptions of BI instead of focusing on a point BPM vendors are not likely to win.

How BPM Vendors Can Accelerate User Adoption

BPM vendors and their messages of aligning corporate strategy and business processes to drive profit have gained momentum within organizations. However, the subsequent actualization of BPM's strengths has been adopted at a slower rate than its BI counterparts. BPM vendors need to identify and focus their market strategies on differentiating themselves further from BI and on using their key strengths to further penetrate the market.

Vertical Markets

BPM vendors could accelerate user adoption by expanding into key vertical markets. These markets include finance, banking, and government. BPM's strengths are within budgeting, planning, activity-based costing, and so on. Focusing on these areas may provide BPM vendors with the ability to show user organizations the inherent value of their software in a way that does not compete directly with their BI counterparts. Also, by providing these features out of the box, and because they require less customization, the implementation times are lessened, thus adding to users' perceived value.

In addition to a vertical focus, the features that BPM solutions provide to target these specific markets could give BPM vendors the edge in relation to more horizontal implementations. Once a vendor becomes known as a leader within a specific sector, its expansion across departments within organizations may be an easier transition. Additionally, based on a BPM vendor's strengths, it can partner with BI vendors that already have a strong foothold within the industry, but whose functionality may not include BPM. This would deliver benefits to both vendors, and enable BPM to extend its presence within organizations.

Seeing IT as an Ally, Not a Detractor

To ensure successful BPM, the IT department and business unit need to work together. Many BPM vendors abandon the sales effort if IT is involved in the decision-making process. In reality, these vendors may be "kicking themselves." In many cases the business unit may drive the process and choose the tool. However, the IT department provides the back end support and maintains the platform.

Due to its overall structure, such as being built using a data warehouse and ETL processes, IT's involvement in BI is great. The expansion of many BI projects is based on IT's buy-in to support the infrastructure. Because BPM appeals to financial departments, business units that manage metrics, and C-level managers, the involvement of IT might not seem as intuitive.

Vendors positioning themselves solely for business units may be missing the boat. IT's involvement, and bridging the gap between IT and business units, can help guarantee a vendor's positive perception by the organization. Alternatively, if buy-in from the IT department is not attained, the internal expertise to keep the system up and running may be lacking, and expansion throughout the organization will most likely not occur.

Tying Key Differentiators to Return on Investment

Within the BPM and BI markets, return on investment (ROI) seems elusive. These two markets have an overlap of various features and marketing messages, but the overall advantages and how to measure them are not straightforward. Common ROI measurements that reflect hardware and software costs do not provide the full picture, as BPM advantages tie in directly to the organization's strategy. Examples include an increase in sales, lower customer turnover, successful financial consolidations, and so on.

BI can provide the same advantages, where its focus aligns with that of a BPM initiative. This means that although BI can be measured in time versus cost savings, the additional ROI measurements attached to BPM only work if the solution is aligned with organizational strategy. Vendors can use ROI calculators to develop an ROI methodology that highlights their alignment to an organization's overall strategy to further differentiate themselves from their BI competitors.

Conclusion

The focus of BPM and BI vendors overlaps as BI vendors enter the BPM landscape and vie for domination within the market. Due to their current market presence, BI vendors have a perceived advantage over their BPM counterparts. BPM vendors can learn from BI's past successes to expand their presence in the marketplace. Additionally, they can leverage their key differentiators to make more inroads into expanding their customer base and to build upon their inherent advantages.

Two Stalwart Vendors Discuss Mid-market Issues

Based on recent industry events, we put together a series of questions pertaining to market trends, platform approaches, and mid-market issues for software application vendors to answer. Following is the continuation of the responses we received from two upper mid-market, stalwart vendors—Infor and IFS.

For more background on the questions we asked below, and for these two vendors' answers to our first four questions, please see Two Stalwart Vendors Discuss Market Trends and Two Stalwart Vendors Discuss Platform Approaches (Wars).

Questions and Answers

Question 5. Microsoft desktop supremacy—"solo," "duet," or many can still play at this game?

IFS: We believe Microsoft dominates the desktop, but there is an analogy between the "stacks" and the desktops. Different technologies have different merits, but to the consumer they start to look about the same. Functional solutions will continue to drive the decision making for [enterprise resource planning] ERP applications, but user experience will continue to increase in importance.

IFS will continue to support creative [user interfaces] UIs that are simple to deploy, appealing to use, and [that] integrate well on the desktop (primarily with Office products). The IFS Smart Client for Excel is a good example of this. Most recently, in June 2007, IFS announced the North American launch of IFS Business Analytics offering, an Office Business Application (OBA) that makes IFS Applications ERP software accessible to users of the Microsoft Office 2007 system. Business Analytics is the first deliverable of the IFS Intelligent Desktop initiative, which will integrate IFS Applications with the Microsoft Office 2007 system to make these applications more broadly available to enterprise customers and greatly improve user productivity. By providing secure and traceable integration between Microsoft Office Excel 2007 and IFS Applications, the Business Analytics OBA harnesses the power of Office Excel 2007 as the preferred tool of financial analysts and a familiar tool to managers.

Infor: Why are Microsoft and SAP offering Duet? Are customers really asking for this? Microsoft sees this as means to sell and lock customers into Office 2007—it's clear that businesses have minimal reason or justification to upgrade to Office 2007, since Microsoft Office XP and Office 2003 already meet most of their needs. But, embedding business application interfaces directly into Office for Microsoft Dynamics is a great ploy to get businesses to buy and get locked into Office 2007 and subsequent releases. On the other hand, SAP's most significant revenue growth opportunity is to sell user licenses to existing customers. Duet is a great ploy [for] accomplishing that—users in other parts of a company will explore the Duet interfaces in Office and thereby cause the company to buy more SAP user licenses.
But is this what business really want—even "fatter" clients, with more installation and maintenance overhead, paying for a copy of Office 2007 in addition to the SAP user license? What about support and all the possible finger-pointing between SAP and Microsoft to resolve any problems in the future? Customers tell us that they want low cost, low installation and maintenance overhead for user access licenses. They want to deploy thin clients and browser-based user access with the flexibility to use many interface technologies, including mobile ones. Infor is pursuing a flexible, zero-footprint UI solution using state-of-the-art technologies such as AJAX, Flex, and other open standards (we already deliver Flex-based UIs). Another key point Duet misses is role-based interfaces and business processes. Infor UI strategy is centered [on] providing role-based persona interfaces that enable end-to-end business processes across traditional functional silos in the business. Again, Infor's approach is all about doing what customers want—providing them with low cost, industry standard user interfaces based on industry standards with low installation, maintenance, and hardware costs.

Question 6. Incidentally, what about partners? That is, independent software vendors (ISVs) and value-added resellers (VARs)?

IFS: IFS supports a reseller channel as well as partners that provide complimentary solutions. At the same time, IFS sees a growing interest in partnerships and collaboration opportunities.

From an IFS perspective, the US Air Force (USAF) project is a good example of where partnerships (that is, Oracle, IFS, and Click Commerce) offer a more compelling solution than any single solution (see Nimble Enterprise Applications Vendor Faces Stiff Challenges in a Competitive Environment). The reality is that many opportunities are too complex, or seen as too risky, for a single vendor to undertake. IFS will continue to develop partnerships on a case by case basis where it adds overall value, and that includes occasionally partnering with competitors if we can mutually benefit.

Infor: Infor is committed to hybrid sales models with direct sales teams and channel partners (VARs). We do not recruit thousands of VARs and let the market sort out the survival of the fittest. We rather work closely with our channel partners to provide a genuine, long-term business opportunity, working cooperatively with Infor. Infor channel partners have access to the same resources as our direct sales team. Our Infor channel regional sales managers coordinate and promote sales and services opportunities with our channel partners, and manage potential conflicts.

With regard to Infor solution partners (ISVs), we have an impressive list of complementary solution and technology partners that we work with closely to provide comprehensive solutions to our customers. These complementary and technology solutions are on our price list and sold as part of the Infor contract with our solutions on our paper. We have been doing this since day one, whereas it seems that others are only now starting to do this, but only for selective partners.

Question 7. What about going mid-market vs. defending it? What, to your mind, will be the key success factors (KSFs) in this market, and what have you been doing to better position yourself there?

IFS: Contrary to popular thought, mid-market customers require the same functionality as large enterprises. They just don't have the level of resources to acquire, implement, and support the solution. Being successful in the mid-market means delivering the solutions [customers] need at prices they can afford. As an example, IFS offers tier-one functionality that is packaged with an implementation model suited to the mid-market, and will continue its practice of one product with vertical industry focus.

The middle market has become a target for traditionally tier-one vendors, but IFS feels confident that the fact that we have always targeted this sector will serve us well.
Infor: If there is such a thing as the mid-market, then Infor is the number one vendor in this space, with a large proportion of our 70,000 customers in what is traditionally viewed as the mid-market. It is a core part of Infor's heritage inherent with the experience built into our solutions and domain expertise over the past thirty years. So, while companies like SAP and Oracle view the so-called mid-market as just a business growth opportunity, Infor has the cumulative experience and focus with customers in this market. Microsoft, on the other hand, is struggling to scale small-company solutions into the core mid-market.

To be successful in the so-called mid-market is to first understand that there isn't a mid-market per se. Companies' requirements don't differ that much by size, as you can still have smaller companies with [the] same complexity of requirements as very large companies. The difference in requirements have more to do with vertical industry, operations span (for example, production, supply chain, etc.), and business scope (single site, multisite, multiple entities, multinational). What is different is the budget and resources available for implementing business systems—so-called mid-market companies are much more cost-conscious, risk-averse, and efficient in their business systems needs and implementations. Many very large companies are actually [collections] of many smaller divisions and entities, and when those divisions and entities need [solutions] to cost-effectively run their operations, the large scale corporate solutions don't fit their needs. Infor and acquired predecessor companies have always been focused on providing the most relevant and cost-effective solutions for companies of all sizes.

Question 8. Microsoft SureStep, Lawson QuickStep, Oracle Accelerate, and others—breakthrough implementation methodologies, or merely "baby steps"? Are we missing something earth-shattering in your offering in this regard?

IFS: Everyone is trying to reduce the services content required to implement a solution, and some of these approaches are just a repackaging of existing implementation methodologies, pushing more of the work to the customer (more self-paced training, for example). The longstanding IFS application implementation methodology (IFS AIM) has a proven track record of guiding customers to a successful, cost-effective implementation.

Our implementation efforts moreover are always improving, and we have noticed a gradual decline in recent years in the percentage of services dollars when compared to license fees. This is due to our own internal process improvements rather than a specific initiative.

Infor: Infor offers these capabilities as part of our worldwide professional services team of over 2,200 people along with solutions with industry experience built in. We are not trying to make one product fit all—we have industry-specific solutions designed for different industries. The bottom line is that customers want predictable, cost-effective solutions with rapid implementations. If a vendor's solution doesn't meet those criteria, [the customers] will need special methodologies and gimmicks to achieve [them]. Conversely, within Infor industry-oriented solutions, that capability is already built into our solutions.

Question 9. At the end of the day, who do you think is in a better position to ultimately win in the market? Or do you think there will be no single winner, and that everyone will remain at the current, equidistant positions?

IFS: IFS, of course! Ultimately, the vendors that manage change, delivery value, and provide cost-effective solutions to customers will survive.

IFS is in a unique position of offering the most mature and stable SOA-based application on the market. We continue to make significant research and development investments in our product—something many of our competitors are not doing. Our product and customer-centric approach continues to attract new customers, and we feel this success is sustainable.

Infor: We don't believe that any one vendor will ultimately win. Major vendors such as SAP, Oracle, and Infor aren't going to go away given the sheer volume of customers and presence in the market. Different vendors offer different value propositions that appeal to different types of companies and market segments. New or expanded solution categories and delivery models will continue to make the business applications market attractive to new vendors and [lead to] innovation by all vendors. Consolidation will continue, but new, innovative start-ups will keep filling in the gaps. Customers want choice, which will continue to drive diversity and innovation amongst many vendors in this market.

Project-oriented versus Generic GL-oriented ERP/Accounting Systems

Project-oriented Organizations

The unique business needs of project-oriented organizations, when addressed by large ERP vendors that offer general-purpose enterprise software, require heavy customization in order to work. On the other hand, when project-oriented organizations turn to small off-the-shelf project-management solutions, these solutions are soon outgrown by the user company. These organizations are looking for systems to support the project manager, who is responsible for sharing and tracking the revenue, expense, and profitability of a project. Most enterprise-wide business systems sold by software vendors are general purpose in design and without significant tweaking, they do not address many of the unique requirements of businesses engaged primarily in providing products and services under project-specific contracts and engagements.

Project-oriented organizations have many project-specific business and accounting requirements including the need to track costs and profitability on a project-by-project basis, to provide timely project information to managers and customers, and to submit accurate and detailed bills/invoices, often in compliance with complex industry-specific and regulatory requirements. Yet, traditional generic GL-oriented accounting systems have not been designed with project phases, work breakdowns or detailed time capturing in mind, and thus, they can merely report how much has been spent or collected, but not why a certain project is losing or winning money.

Not many enterprise products will support the following project-based processes: job costing, managing the sub-contactor, financial reporting, managing the workforce, process time and expense, winning new business, purchasing goods and services, managing the project, and building to order. If these high-level processes sound too ordinary, then digging to a level deeper might reveal their true intricacy and attention to detail such as employee time, billing rates, budgeting, collections, or project proposals, which are supported by only a few vendors.

For example, the job costing process can be broken down into the following steps: setup project work breakdown structure (WBS), pay suppliers, pay employees, accrue purchase orders, allocate indirect costs, calculate estimated time to completion, calculate contract ceilings, compute revenue, bill customer, and report the project status. The process time and expense cycle would have the following steps: create project, create project workforce, enter timesheets by project, enter labor adjustments, enter travel expenses, apply project business rules, approve time and expenses, pay expenses and payroll, bill expenses and payroll, revenue recognition, and project status reports (PSRs), which are used for period reporting on a project/task/phase level, and which can be regarded as the financial statement for the project.

The managing-the-project process would feature the following detailed steps: create opportunity plan, establish detailed scope of services, create project plan with work breakdown structure (WBS), establish task schedules, search and add resources to plan, establish budget at resource level, add consultant and expenses to project plan, add direct costs for plan, establish profit performance, save baseline budget, monitor time and expense costs, monitor schedule projected profit and revenue, and submit the project deliverables and closeout project. A build-to-order process would involve ERP materials management functionality through support for the following steps: customer demand, bills of materials (BOM)/routings, engineering change notice (ECN), materials requirement planning (MRP), capacity planning, purchase requisition/order, receiving and quality assurance, fill inventory, issue manufacturing orders, final subassembly and finished goods, customer delivery, billing, revenue recognition, and PSR.

Dealing with Government Contracts

Furthermore, many project-oriented organizations provide products and services under government contracts, and project accounting for these organizations often requires the use of sophisticated methodologies for allocating and computing project costs and revenues. There are many different types of contracts governments use and within each of those there are dozens or more variations, whereby each variation will drive its own type of billings, revenue recognition and requirements for reporting back to the government customer.

The US government requires its contractors to collect and allocate costs in certain ways; for example, according to the Defense Contract Audit Agency (DCAA) rules, labor costs must be recorded daily. Also, a contractor is required to keep track of several contracts simultaneously, meeting the rules for different types of contracts and being consistent in accounting for a number of indirect costs. According to the Small Business Administration Pro-NET sourcing service database, there are tens of thousands of small and minority-owned companies that are doing business with the federal government. With the new emphasis on improving homeland security and expanding anti-terrorism operations around the world, many of these firms will likely experience significantly greater demand for their services and grow rapidly over the next several years.

Expanding Market

Additionally, service business application software systems are expanding as a result of a number of economic trends. Service organizations traditionally have utilized project accounting more than manufacturing firms due to the need to customize services for each client and to properly allocate the associated revenues and costs. Therefore, as the shift from a manufacturing-based economy to a service-based economy continues, the market for project-oriented organizations is expanding. Furthermore, the trend towards outsourcing an increasing range of activities broadens the market for project-oriented organizations as both customers and vendors need to track the costs associated with their projects.

Finally, many organizations with significant internal development activities can benefit from the use of project accounting systems to closely monitor progress and costs. Also, although somewhat conversely, more progressive firms may even try to boost their marketing, advertising, and PR expenditures in order to gain more project contracts during the market contraction, where for example, a proposal automation capability can come in handy. While project management and resource planning software applications help service organizations deliver within a budget, in the long term, these organizations need to win a new stream of projects or customers, which involves pre-sales customer relationship management (CRM), marketing and proposal management, and post-sales elements like travel and expense (T&E) management.

As the number and type of project-oriented and professional service organizations increases, such businesses are demanding increasingly sophisticated tools to address their core information and accounting needs, including project accounting, employee time collection, project budgeting, project reporting, CRM, sales force automation (SFA), and proposal generation. At the same time, these organizations are recognizing that because most aspects of their businesses revolve around their customer project relationships, they can achieve efficiencies in a number of project accounting and core back-office business functions. These accounting and business functions such as general ledger, accounts payable, accounts receivable, materials management, and human resources, are supported through the use of software applications designed to address the special needs of project-oriented organizations. Like other businesses, project-oriented and professional services organizations are also demanding solutions that allow them to combine their business software applications into a single integrated, enterprise-wide system.

Time is of the essence for any business that bills for its services rather than sells a physical product, but the concept can be particularly tricky for design/construction firms that may need billing at different rates depending on, for example, project phase, task, client type, or escalation clause. At the same time, the industry is quite fragmented, with legions of specialist contractors, and it also has a long tradition of technophobia.

User Recommendations

While the value proposition of integrated ERP/accounting and project management systems cannot be debated, companies should always identify the tradeoffs they are willing or not willing to make in order to achieve a level of integration. It is important to identify the laundry list of items that might or should be integrated between these systems, such as prime contracts, subcontracts, purchase orders, budgets, change orders, budget revisions, costs, accounts payable invoices and checks, labor, billing details, forecasts, and so on. Also, the companies should vigorously clarify the meaning of integration that the vendors tout—will the integrated solution contain a centralized database, for example? Also, does the integration accommodate the creation of new entries as well as real time or batch file transfers to synchronize changes to existing records?

Often, buying a completely integrated solution is not an option when companies have either an accounting or project-management system in place, which they will not simply rip-and-replace. Thus, prospects should assess the contesting vendors' flexibility to integrate to legacy and other third party applications, and to keep up with new versions or upgrades to both solutions. Built-in interfaces to commonly used third-party products like MS Project, MS Office, Corel Draw, Crystal Reports, etc., should be questioned, possibly during software demonstrations.

Most Misunderstood Link in Supply Chain Management

Critical to sales, customer service, quality, cash flow, and to a company's very survival, credit and collections is often caught up in a 1950's risk management time warp.

Lots of things have changed since the '50s, besides the color of my hair. One thing that has remained fairly constant though is how most business executives view the credit and collection function.

They Don't Know What They Don't Know

An 18-year-old kid knows everything worth knowing, or so he believes. Most business executives know everything worth knowing about credit and collections, or so they believe.

There are two questions I ask potential clients about their credit and collection operation:

1. How do you measure performance?
2. Do you have usable written policies and procedures?

If clients have any kind of trackable numbers with which to measure credit and collection performance, those numbers are usually tied to average turn-time on the accounts receivabledays sales outstanding (DSO) or collection days index (CDI)—and percent of A/R written off as a bad debt loss (money the customer didn't pay). The same as in the '50s. As for usable written policies and procedures, many of these companies have none; only a few have actually documented the why, what, how, and when. The problem with many of these companies is that they have had the same policies and procedures since the 1950s. (A/R)—the

"The new guy learns from the old guy, who learned from the dead guy." (Scott Stratman)

The problem with verbal understandings is that everyone gets to be the policy maker and there are as many policies as there are people. Many companies have a loose collection of forms, memos, and letters that they mistakenly call policies and procedures. They can't hand these so-called policies and procedures to someone new and reasonably expect the person to know how things work.

If you think you have usable policies and procedures, pull them out and see if they answer the following questions:

1. What is the purpose of the credit function?

2. What is the goal of credit approval, and does that goal complement the purpose?

3. What is the goal of collections (delinquent A/R management), and does it complement the purpose?

4. How is credit approval performance measured, and does it complement the goal?

5. How is collections measured, and does it complement the goal?

People Forget

Eli Goldratt, in his book The Goal, says people in business forget why they're in business, that they get caught up in the process (details) and lose sight of the purpose (vision). I think Goldratt is too kind. I think many people in business never knew the purpose of what they do to begin with. Recently I was visiting with a chief executive officer (CEO) and his vice president (VP) of purchasing, and I asked the VP what the purpose of his function was. He stumbled around and came up with something about customers' needs and balancing that against various other factors.

If the head of a department can't clearly state why that department exists, what are the chances his people know? Or care?

Considering the costs of extending credit to customers—namely, the additional administrative expenses, the cost of time and money that goes with carrying A/R, and the potential for loss (bad debt)—why should any business extend credit? What is the purpose of the credit function?

Why Credit?

Businesses incur the costs of extending credit terms for the following reasons:

1. It is a customer requirement. These companies are doing business with customers that require that they be given time to ensure they receive what they ordered; they require time to process the bill for payment. If credit terms aren't extended to such customers, the company loses profitable sales.

2. The customer sells downline. Customers add value to the goods or services they buy and then sell downline to their own customers. Such customers require time (credit terms) to add value, make sales, and perhaps to collect their own A/R before they can pay vendors and suppliers. And if credit terms are not extended, profitable sales are lost.

3. It is customary. In some industries, credit terms are customary, which means that other vendors and suppliers (competitors) extend credit terms. If credit terms aren't extended, profitable sales are lost.

The only reason to incur the costs that come with extending credit terms is to get profitable sales that would otherwise be lost.

Measurements over Purpose

How performance is monitored and measured means more than any stated purpose. Remember the first question I ask prospective clients: how are you measuring performance? If they are using DSO and bad debt, they are not measuring for how well the function performs in getting profitable sales; they're measuring for risk. The old comeback to credit being a lubricant of commerce, and allowing for the expanded movement of products and services is, "a sale's not a sale until you're paid." Consider this: If the purpose (vision) of credit is "to get profitable sales that would otherwise be lost," then should not the goal of credit approval be "to find ways of accommodating profitable sales while remaining confident of payment"? Who says we can't have our cake and eat it too? Stop painting credit as "the sales avoidance department" by measuring for what you want—profitable sales.

Factors in Credit Approval

There are three main factors companies consider when deciding to extend credit to a customer:

1. Customer profile and how the customer does business (i.e., process, paperwork, accounts payable [A/P] cycle, etc.).

2. Customer past performance. If they've never paid anyone in the past, chances are real good you won't be the first they will pay.

3. Seller's product value (i.e., the margin on the sale, the current demand for the product or service, and lending company's current capacity).

Based on these factors, the goal is to find ways to maximize sales and minimize risks.

Enforcement of Payment

Why do I hate the word collections when used to describe the management of delinquent A/R? Collections has always been defined as "the enforcement of payment." The problem with this definition is that the vast majority of “past dues” aren't trying to stiff creditors; there are very often good reasons why payment isn't made when due.

A recent survey of 1,550 companies found that, on average, 73 percent of the total past due A/Rs are tied to “something going wrong”: sales and service disputes, wrong shipments, overages or shortages, damages, returns, unissued credits, missing backup, lost paperwork, wrong purchase orders (POs), and on and on. A certain percentage of past dues are using vendors or suppliers as a form of short-term financing (the float), but they're not collection agency material. Other past due customers can't pay when due for good reasons, but will be able to pay in the near future.

It is the very smallest percentage of past dues that are trying to avoid making payment. Past due A/R management is "the process of completing the sale." The goals of delinquent A/R management should be to

1. Keep customers current and buying. Find out what stands between the customer and payment, and resolve the problem so that we get all the repeat business we can (the most profitable sale).

2. Identify early on the small percentage that represents a potential for loss, and control bad debt by limiting further credit sales and by successfully improving on position (personal guarantees, returns, barter, conversion to a promissory note with additional security).

Summary

Lots of things have changed since the '50s. Customers today have more goods and services to spend their money on than ever before in human history. Unlike the '50s, a business today must be concerned with quality. And unlike the '50s, competition is crawling out of the woodwork and out of cyberspace.

Ask yourself two questions:

1. How are you measuring the performance of your credit and collection function?

2. Do you have usable written policies and procedures that support why (the purpose) credit exists?

You may find that you have forgotten a critical link in supply chain management.

Segregation of Duties and Its Role in Sarbanes-Oxley Compliance Issues

In the aftermath of some highly publicized cases of corporate fraud, the US government announced legislation designed to implement compliance and financial-reporting standards. The most notable of these laws is the Sarbanes-Oxley Act (SOX) of 2002. The primary goal of SOX is to enforce a higher level of transparency into organizations' business processes, financial transactions, and accounting methods, to ensure that known and accepted accounting principles are practiced.

In this new SOX era, the issue of compliance spans several industries, attempting to harmonize evolving standards across both public and private sector organizations. The requirement of standardized reporting of financial information now forces organizations that had once been less transparent to tighten and streamline their audit and control practices on an ongoing basis.

Traditional Audit and Compliance Standards Prior to SOX

Pre-SOX standards were designed to ensure a modicum of corporate governance by focusing on the areas outlined by the Committee of Sponsoring Organizations (COSO) and on an IT system process framework. This framework was provided by the Control Objectives for Information and Related Technology (COBIT) IT process standard, which was developed in 1992 by the Information Systems Audit and Control Association (ISACA). COBIT was to provide adequate control levels for organizational structure, ethical standards, and board and audit committee review. It was the earliest set of audit standards established to cope with IT processes and audit procedures. COBIT focused on application controls, general control of information systems, and security issues.

Reporting standards used prior to SOX remain in place today. Of these, the most notable are the EU's adopted version of the International Financial Reporting Standards (IFRS) and the US's Generally Accepted Accounting Principles (GAAP). In 2002, an accord known in financial industry circles as the Norwalk Agreement was struck. This agreement states that US-based companies' financial-reporting procedures are to be harmonized with the European standard by the end of 2008. The implementation of SOX for firms that import into and export out of the United States is yet another layer of compliance standards recently introduced. Table 1 lists several other audit control standards, both pre- and post-SOX.

Regulation	Purpose/Target Industry
SOX	publicly traded US companies
ISO 17199	IT security standards
Canadian bills 198, 52-109, and 52-111	Canada 's SOX equivalents
Basel II Accords	G8 regulations for international banking
Health Insurance Portability and Accountability Act (HIPAA)	US health and medical industries
Office of Management and Budget (OMB) Circular A-123	US government agency financial standards
Solvency II	European insurance industry standards
IFRS	European accounting standards
Office for Economic Co-operation and Development (OECD) principles	EU agencies of internal controls
GAAP	US-based generally accepted accounting principles

Table 1. Key audit control standards.

Segregation of Duties

Within SOX is a provision entitled Section 404. This section is a comprehensive list of accepted internal controls organizations must have in place to be deemed SOX-compliant. The list targets application internal controls and highlights areas where fraudulent reporting is likely to occur, whether intentional or not. Among key provisions in this section is segregation of duties (SOD). SOD aims to close loopholes that would otherwise permit questionable accounting practices; one of its key attributes is that it allows the monitoring of processes and cross-verification of transactions processed in real time.

In simplified terms, SOD is based on the concept of having more than one person in an organization that is able and mandated to complete a task. SOD is a security principle whose main goals are the prevention of fraud and errors. These two objectives are realized through the reviewing of business processes and the dissemination of tasks and associated authorizations among several levels of hierarchy. Such actions serve as validation—in other words, they are a series of checks and balances.

One way to illustrate the key tenets of SOD is to consider an accounting department in any small to medium business (SMB). Here, some of the day-to-day activities include the receiving of checks as invoice payments, approval of employee time cards, processing of payroll checks, and reconciliation of bank statements. Within these activities a form of SOD is already in place—usually the issuing of checks requires different levels of authorization and more than one signature. In essence, more than one person validates a process or activity.

In terms of IT, SOD issues are not as clearly defined, and in many instances, individuals in an SMB have multiple levels of responsibility, which can call into conflict the stated goals of SOX and SOD.

Following are five circumstances in which IT processes can conflict with the goals of SOD:

1. Improper account provisioning for change, meaning access rights to applications are not changed (revoked) when employees leave the organization or a department.

2. Insufficient control of change management issues, meaning a change is made to a financial application or process without documented record of the date the change occurred, the nature of the change, and which persons in the organization are impacted by the change, for quality assurance purposes.

3. IT departments lack an understanding of key system configuration workflow processes.

4. No audit logs are used to document unusual system or application occurrences.

5. No root cause analysis is performed to determine what caused an unusual event.

Twin Pillars of Protection

In any organization, IT serves as both the gatekeeper and the distribution point for information. Financial-reporting serves as the means to support an IT infrastructure. Insofar as systems infrastructure and financial reporting are linked, the requirement to ensure the integrity of the system and the processes that support it are in compliance with accepted standards and practices. Within these twin pillars of protection are principles that must be adhered to in order to ensure the integrity of the system, the public's confidence in the system, and that all key requirements of SOX Section 404 are met. Figure 1 depicts the basic steps to take to meet these requirements.

Figure 1. Key elements to support SOX and SOD.

1. Study business control processes.

Below are three of the primary business control processes essential to support SOX compliance:

1. Controls found within most ERP systems—these controls reconcile orders processed only with prescribed customer credit limits. All goods shipped have an associated invoice.

2. General IT controls—these allow authorized individuals access control to order management and receivables applications. This process ensures that system upgrades and fixes are documented.

3. Manual controls—these controls ensure that only authorized individuals can alter or cancel a customer order.

2. Develop and automate internal testing to support the system.

Most organizations typically run financial reports on a monthly and a quarterly basis, reporting the organization's performance in terms of budget and projected sales. To ensure compliance to SOX-SOD requirements, these two procedures are essential:

1.

Using internal data to ensure that no sales or financial records can be altered without being identified, logged, and reviewed by three levels of authorization.
2.

Reviewing examples of where individuals contravene SOD requirements (e.g., persons who perform procurement activities cannot also be involved in the receiving of inventory and the posting of accounts payable).

The purpose of this exercise is to demonstrate that an internal, documented process exists to segregate responsibilities and prevent any ability to alter or destroy financial-related data.

3. Analyze test results with known compliance standards (e.g., COBIT, COSO).

When organizations are in the process of selecting enterprise software applications (e.g., an ERP system), due diligence is advised as part of the request for proposal (RFP) process to ensure that the proposed vendor's solution adheres to known financial-reporting and compliance standards in its industry. When interfacing a new solution with a legacy application or with an internally developed in-house system, the COBIT and SOX models should be the fundamental criteria for assessing whether the new system meets your organization's compliance and financial-reporting requirements. Following are some additional points to consider:

*

Data revision management—changes to financial-reporting data should be carefully managed, ensuring that all modifications are authorized and documented.
*

Contracts—all IT vendor contracts and service level agreements (SLAs), including their financial implications, must be clearly defined.
*

Third-party equipment—third-party software must abide by known and accepted standards. License and user requirements must be defined in vendors' contracts, as these requirements are also subject to known performance criteria indicated in the vendor SLA at the time of software purchase.
*

Access control—ensure users have an identifiable security password and user code, which tracks access and transactions performed.
*

Security—the system must be in compliance with ISO 17799 and designed in a way that limits disclosure or access to unauthorized parties.
*

Incident management—the system must record all incidents of failure or loss of data, and must support Information Technology Infrastructure Library (ITIL) guidelines. Corrective action to be taken must be documented so that it can be retrieved, and the work performed by another person.

SOD Checklist

If your organization is planning to review its SOX- and SOD-readiness, then a good starting point is to obtain a copy of the ISACA's segregation of duties control matrix to use as a general guideline. If after reviewing the matrix you conclude that your company performs certain tasks that cannot be segregated, then you can implement a series of further controls. Below are a few separate control procedures to help achieve SOX-SOD compliance:

*

Ensure that transparent audit trails are in place, that management is aware of each individual's level of responsibility, and that corresponding authorization is established.
*

Ensure that information related to who did the work, who approved the work, and the date and time the activity was executed are documented in the audit trail.
*

Enable the ability to review transactions at random times, thus instilling confidence in the process.

A Final Word

The introduction of SOX is hoped to bring a new level of accountability to the corporate world. It is believed by many that from the cases of corporate fraud in the United States several years ago, a new opportunity has emerged for corporate America to show integrity and prove that the interests of customers, employees, and shareholders are its primary concern. The positive outcome in all of this has been that those running organizations realize that their companies are part of the community they serve, and unethical behavior will not be tolerated. The compliance aspects of SOX and SOD, though challenging to understand at first, limit the opportunity (or chance) for wrongdoing, and ensure that organizations employ streamlined and verifiable processes to run their business.