Governance Analysis Using Enterprise Architecture

Published in January 2005

Executive Summary

The Sarbanes-Oxley Act of 2002 assigns personal responsibility to senior management of public and non-public organizations in the USA, and is also being applied in various forms by other countries
throughout the world. Of particular concern is Section 404 of the Act, which relates to “Management Assessment of Internal Controls”.

Internal Controls will vary from enterprise to enterprise. They need to be tailored to the relevant industry (or industries) that the organization operates within; they are also typically unique
for each enterprise. They are determined by its business activities and processes as well as its financial controls. They are closely related to the IT systems and databases that the enterprise
uses for financial and other reporting.

Senior management need to show that answers are available in relation to key resources such as: data; business activities and processes; locations; people and business units; and events. Answers
should be available that also show how resources relate to strategic and tactical business plans that have been defined by management. These are internal control questions that address: “What”;
“How”; “Where”; “Who”; “When”; and “Why”.

These six questions are shown as columns in a matrix, where different perspectives of “Planner”, “Owner”, “Designer”, “Builder” and “Subcontractor” are also shown as rows. This is
provided by the Zachman Framework for Enterprise Architecture. While Enterprise Architecture has previously been considered to be an IT responsibility, when it is also used by senior
management it enables precise Governance Analysis. It also provides a Business Transformation Enablement capability.

With the legal implications of Sarbanes-Oxley non-compliance, an inability to answer internal control reporting audit questions takes on a new personal meaning for senior managers. A Governance
Analysis Framework is needed – that is both easy to create, and easy to use – to obtain answers for relevant internal control reporting questions.

The paper discusses an example of a Governance Analysis Framework (GAF) that uses matrices to create and maintain relationships between aspects of an enterprise, enabling each of these
questions to be answered. Some of these matrices, from the Project Management Organization Unit of a typical enterprise, are illustrated in Figures 1 – 3.

Figure 1: Example of Matrix Relating Business Plans to Organization Units

Figure 2: Example of Matrix Relating Business Plans to the Data Supporting those Plans

Figure 3: Example of Matrix Relating Business Activities to Business Plans

The sample GAF matrices in Figures 1 – 3 clearly show the answers to each question by reading across relevant rows, or down particular columns. These matrices, plus many others, are tailored to
each enterprise. They can be created in a 25-day Strategic Modeling project within an elapsed duration of 3 months, based on the Strategic Business Plans for the enterprise. This uses an initial
facilitated session over two days with active participation of senior management and their direct reports, where a Strategic Map is developed.

A Strategic Map is a “picture of the business”, similar in concept to the layout of a city. A city map clearly shows the layout of streets (“where”) and the access routes that define “how” to
get there. It also indicates “what” is located in parts of the city. Given a reason (“why”) to take a given route at a certain time (“when”), people (“who”) can use the map to navigate
through any city.

What is missing in most enterprises is a similar “map (or picture) of the business”. A city map can be bought from newsagents in that city, but no newsagent sells Strategic Maps for enterprises.
In the absence of a Strategic Map for an enterprise, it is hard to answer these questions. As a result, Internal Control Reporting is difficult.

A Strategic Map that is developed and tailored to an enterprise enables senior managers, as well as middle managers, expert business staff and IT staff to see the data, activities and processes,
locations, business units and people, the business events and the business plans that all need to be managed effectively for internal control reporting. From the Strategic Map and underlying
Strategic Model, the Governance Analysis Framework matrices become dynamic. They are automatically generated.

Given the Strategic Map input from the senior management team and their reports, more detailed analysis by the facilitator in the 25-day Strategic Modeling project period identifies key data,
business activities, locations, business units, and business events for the business plans that were used as catalysts. The result of this analysis is documented in a Governance Analysis Framework
(GAF) Report, which is the main deliverable from the Strategic Modeling project.

The GAF Report and its contents provide a documented view of tailored Internal Control Reporting from the strategic perspective for senior management. These dynamically-tailored matrices must
then be completed by relevant business experts. The strategic GAF matrices are populated by more detailed matrices from key business units. These Tactical Modeling projects – each similar to the
Strategic Modeling project – can in turn be undertaken for key business units.

Strategic Modeling projects and Tactical Modeling projects have been completed for large and medium Commercial enterprises throughout the world. Similar Strategic Modeling and Tactical Modeling
projects for Government and Defense Departments have also been completed in the USA, Canada, Australia and NZ.

The methods discussed in the paper can be applied rapidly in 25 days, within an elapsed 3-month period, in a step-by-step approach as follows:

  1. Establish Plan for Strategic Modeling Project
  2. Capture Initial Business Planning Input as Catalyst
  3. Conduct Strategic Modeling Facilitated Session
  4. Carry out Strategic Model Analysis
  5. Derive Governance Analysis Framework (GAF) Documentation
  6. Review of GAF Matrices and Governance Implementation Plan
  7. Progressive Enterprise Completion of GAF Matrices
  8. Implementation of the Governance Implementation Portfolio

The GAF Reports produced from Strategic Modeling and Tactical Modeling projects provide the documentation and modeling tool capabilities that are needed for Internal Control Reporting for
Sarbanes-Oxley. As an added by-product of the Governance Analysis Framework methods described in the paper, similar methods and tools can also be used to implement transformed business activities
and processes for Business Transformation Enablement.

Clive Finkelstein

Clive is acknowledged worldwide as the "father" of information engineering, and is Managing Director of Information Engineering Services Pty Ltd in Australia. He has more than 45 years of experience in the computer industry. Author of many books and papers, his latest book, Enterprise Architecture for Integration: Rapid Delivery Methods and Technologies, brings together the methods and technologies for rapid delivery of enterprise architecture in 3-month increments. Read the book review at Project references, project steps and descriptions are available from Click on the Projects link from any page. Clive may be contacted at
