In the latest of our conversations with compliance and governance executives, we catch up with Dean Plank, director of internal audit at Silicon Graphics, Inc.
You’re director of internal auditing. How long have you been in that role?
Since June 2007.
How big is your team? Do you outsource any work?
There’s one person that works for me, and he resides in Europe. He does the European work and helps out on some domestic projects.
We’ve done some outsourcing in the past, exclusively for the Sarbanes-Oxley test work that needed to be done internally. Outside of that, we haven’t outsourced any internal audit efforts. My consulting experience has helped me a lot. My colleague in Europe and I have a significant amount of experience, so I feel we have enough resources.
This year for our Sarbanes-Oxley-related work there are a few internal employees that work in the finance area that will help with internal Sarbanes testing. We selected the individuals based on their skill sets and experience. We’ve discussed it with our auditors and they’re on board with that approach.
How important to the job is experience in SOX compliance? Is working for an audit firm important?
I grew up during the first few years of my career with a big audit firm. So I think the exposure you get and the working knowledge you attain with an independent audit firm is very good, because you obtain exposure to different industries and business processes. And so you gain a lot of experience across the different industries and the way they do business. You can take those different experiences to a company if you go into private industry.
And you report to?
The chairman of the audit committee. There are three independent board members on the audit committee. In addition, administratively, I report to the CFO and sit on her staff.
What questions are they asking you most often?
They’re primarily interested in my perspective on the control environment internal to the company. As with many companies, we periodically lose people to attrition, so they want to make sure that controls are in place through employee transitions, that we’re addressing them, and [that we] are always improving them.
How does your company define “compliance,” versus internal auditing or risk management?
I wasn’t here, but originally they put together an internal task group to document the business processes and identify key controls in each of the business processes; I call them cycles. So for example, we have an inventory cycle, a treasury cycle, a fixed-asset cycle, et cetera. An internal task force documented the cycles and identified the key controls within each cycle.
At the time I was working with independent auditors to get their guidance on the internal compliance program for year one of Sarbanes-Oxley. After that it was a matter of testing key controls and the effectiveness of process owners complying with key controls.
At the time all the internal employees were working with the financial programs. Once we got things established for year one, it was a matter of re-evaluating processes to see if anything had changed or been documented or edited. We had to go out and test the processes to get to year two. The program evolved. The most time spent developing the program is in the first year or two. After that, it’s a matter of adjusting the program to meet the needs of the business, executive management, and the independent auditors.
What are the pillars of your compliance program?
Any good compliance program starts with the tone at the top of the organization, carried by the board, CEO, CFO, and other key executives within the company. SGI has always had a very strong tone at the top, which is the foundation pillar for any compliance program.
After that, I would say that the pillars are pretty much the Sarbanes-Oxley narratives that we’ve generated, which are the documentation of what we call narratives that describe the control processes and identify key controls in each cycle.
After that, you put together a test program that tests the key controls identified in the narrative. Then you go and execute and perform testing from there.
How do you monitor that the program is being carried out throughout the company?
Through our test processes. The last several years, our testing has covered in general the second, third, and fourth quarters of the year. We do our testing throughout the year, with the exception of Q1, so that we have an awareness of how the control environment is working from quarter to quarter.
I report back to the audit committee every quarter the results of the compliance-testing program that we do. There are no surprises; there’s a quarterly meeting. Sometimes there’s a comment or request to look in an area. Once in a while we get a question from the audit committee chairperson to look at a certain area, and so we do a little bit of work that they request.
Would you say SGI’s compliance program is “fully” implemented?
There are always a few tweaks to be made. In general, I’m very comfortable with the program that we have. Over the last couple of years, the issues that were identified we addressed immediately to remediate. We went back and retested to make sure the remediation had been completed and that the controls were working based on the follow-up retest.
We track that remediation process throughout the year. On a periodic basis we provide the results of remedial testing to the independent auditors. Our external auditors know about any issues in any given area. It is a robust program and something we’re working on from week to week throughout the fiscal year.
How do you leverage your SOX work into the broader compliance program?
The accounting-compliance focus now under Auditing Standard No. 5 is more at an entity-level type of control process: the tone at the top, and management’s involvement at the executive level in terms of tone. So by going in and testing processes at a detailed level, you get a good feel for the overall control environment. [Since] the industry is moving from AS2 to AS5, with more of a focus on entity-level controls, moving forward I think the focus will be more toward the whistleblower policies or higher-level types of control information.
At the entity level of controls, companies are moving toward more of a tone or process that comes down from the top. We have a program where, annually, we will send out a letter to all employees. They need to respond in terms of their compliance with the control environment. We have created an overall control message that we’re asking employees to abide by and confirm back that they are in compliance.
Have you noticed any real differences between AS5 and AS2?
The key difference for me is that under AS5 we can focus more on the priority areas for a control environment. Revenue recognition gets a lot of attention and so does the management of a stock program.
For example, if over the last three years we did a lot of testing in the fixed-asset area, under AS2 we would need to go back and continue to test a lot of fixed-asset transactions, even though the testing has proven that the control environment is sound. Under AS5 you can spend less time testing around fixed assets and more around revenue recognition processes and our equity program processes. It’s a matter of adjusting the time you have to test the control environment, taking the time away from the areas that have tested out to be sound, and moving to the higher-risk or more important areas from an independent auditing perspective, like revenue recognition or equity, for example.
What about the Section 404 guidance for management, from the Securities and Exchange Commission? Is that of any use?
We pretty much have taken our cues from AS5 and from working with our independent auditors, getting guidance from them. They can’t tell us what to do, but they can provide guidance. I try to sit down with them on a regular basis throughout the year to find out what’s on their mind and what they perceive to be higher-risk areas. That’s where I will spend more time.
What are your priorities and goals for this year?
Internally, our SOX compliance program is quite robust and working well. My priority is to get through the testing the rest of this year in less time, because of the experience that I have internally. With the other auditor in Europe, and the internal finance people helping, we will get through the same amount of testing in less time because of the familiarity and experience. By doing this, I will free up time to add back more traditional internal audit activity that can be of great incremental benefit to SGI.