What’s Generally In-Scope for DR?

Disaster recovery (DR) scope is generally grouped into several tiers (service levels), and the DR requirements for each system are discovered through the Business Impact Analysis (BIA). For the sake of this blog, I’m giving DR a Tier 1, 2, and 3. Tier 1 is typically < 24 hours RTO (recovery time objective, i.e. management’s tolerance for downtime), tier 2 is < 2 weeks, and tier 3 is usually > 3-4 weeks RTO for most companies.

Systems typically in the tier 1 group are the applications that support your business’ product, revenue, and financials. In addition, core IT infrastructure components are also highly critical: for example, telecom, the core network, VPN, DNS, DHCP, Active Directory, network share drives, and file and print servers are all essential to the continuity of the business.

Top 5 Reasons Why Companies Outsource BCP

1. When the skill set is not available. The key knowledge staff who used to be with the company are no longer available to support business continuity.

2. When you have to execute BCP in a timely manner. BCP is required for regulatory and operational risk management, but individuals in your organization do not have the time, training or experience to deliver the key BCP and risk documentation in time to pass internal and external audits.

3. When you want options for making decisions. Management is looking for guidance based on best practices from other companies.

4. When innovation is required. The nature of the business is new and cutting edge. Traditional risks and continuity plans may not be a good fit for the business. Management is looking for highly specialized professionals who can creatively think outside the box.

5. When economy of scale makes sense. Management is looking for experienced individuals with the network to get the best solution and the most competitive pricing for recovery solutions.

Procure To Pay Cycle

Procuring is the process of finding vendors, qualifying vendors and buying from vendors. The pay process is the process of invoicing, verifying, and paying vendors. Depending on the size of your company, some or all of this process can be performed by the procurement, purchasing, accounts payable and business application / IT functions.

The Procure to Pay process consists of the following sub-processes:
1. Creating Purchase Requisition
2. Creating Purchase Order
3. Creating Receipt
4. Creating Invoice in AP
5. Paying the Invoice
6. Transfer, Import and Post to GL

Controls:
A. Purchase Requisition Controls – ensure that the purchase is valid and approved prior to the expenditure
  1. Approval for the purchase requisition
  2. Purchase requisition is approved for an approved vendor in the vendor master list
  3. Approver’s signature authorization limit

B. Vendor Master Controls – ensure that the vendor has been validated before set-up on the vendor master.

  1. Segregation of duties controls are exercised when granting system access to the vendor master.
  2. All vendors require a W-9 prior to set-up on the vendor master.
  3. In some cases a vendor profile form is required. (i.e. global vendors)
  4. Vendors are screened against business unit and other government requirements and watch lists or according to company policy.
  5. Inactive vendors are flagged or purged on a regular basis, at least every 12-18 months.
  6. Changes to the vendor master are accurate and reported for audit purposes.
  7. Address of vendor is validated as accurate and reported for audit purposes.
  8. Updates to employees on the vendor master are accurate and complete.
  9. Electronic Data Interchange (EDI) vendors are properly set up and appropriately validated.
  10. There are standard vendor naming conventions.
  11. Duplicate vendor remit to addresses are reviewed with appropriate action taken.
C. Invoice Processing Controls – the accounts payable function is responsible for the timely and accurate processing of invoices
  1. Segregation of duties controls are exercised when granting system access to invoice processing functionality.
  2. Vendor is paid only once for the goods and services delivered.
  3. Discounts are taken if appropriately approved.
  4. Vendor invoice is paid upon validation with goods received and purchase order. Blocked three-way match exceptions are not processed and are monitored by Accounts Payable for clearing.
  5. Vendor is paid at the appropriate price in accordance with the terms and conditions of the contract.
  6. Payments to contract labor vendors do not exceed the authorized amount.
  7. Purchases are authorized and in accordance with the company’s approval levels. Third party support (invoices/contracts) is sent directly to Accounts Payable.
  8. Interface, EDI, and spreadsheet upload transactions are accurately and completely transmitted to the Enterprise Resource Planning (ERP) system.
  9. Transactions are accurately reflected in the general ledger; Accounts Payable reconciliations for aging and clearing accounts are performed and reviewed promptly.
  10. Invoices are processed according to invoice payment terms.
  11. EDI transactions are accurate and completely recorded in the organization’s ERP system.
  12. Disbursement Controls – to detect and prevent fraud in a timely manner.
  13. Check requests should be routed to the appropriate personnel for review prior to payment release.
  14. For audit purposes, disbursement activities should be traceable to the general ledger and bank statement.
  15. Approved purchase orders, receiving transactions, and invoices must support requests for payment.
  16. Vendor discounts should be taken according to company policy.

D. Disbursement Controls – disbursements must be recorded in the period the payment was made.

  1. Expenses must be properly and accurately recorded in the accounting records during the period in which the liability was incurred.
  2. Blank checks should be properly stored and safeguarded in a secure area.
  3. Ensure proper accounting for void or canceled checks.
  4. Specific limits of signed authority must be established for bank accounts.
  5. Banking and disbursement information must be safeguarded from loss or destruction.
  6. Checking accounts must be provided with a “match pay”, “positive pay”, or “positive payee” control that permits a preview of checks presented to the bank for payment.
  7. Check requests are used for the proper purpose and are limited in value.
  8. Ensure that the Automated Clearing House (ACH) network accounts have debit blocking capabilities to ensure that no unauthorized debits can be placed.
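As an added illustration (not code from the original post or from any ERP product), here is a small Python check that encodes controls C.1, C.2, C.4 and C.5 above: a three-way match of purchase order, receipt and invoice with a price tolerance, a segregation-of-duties check between the PO approver and the invoice clerk, and a duplicate-payment test. The record fields, the 2% tolerance and the sample values are assumptions.

```python
from dataclasses import dataclass

# Constructed records for illustration; the field names are assumptions, not any ERP's schema.
@dataclass
class PurchaseOrder:
    po_id: str
    vendor_id: str
    qty: int
    unit_price: float
    approved_by: str        # user who approved the PO (control A.1)

@dataclass
class Receipt:
    po_id: str
    qty_received: int

@dataclass
class Invoice:
    invoice_no: str
    po_id: str
    vendor_id: str
    qty: int
    unit_price: float
    entered_by: str         # AP user who keyed the invoice

def three_way_match(po, receipt, inv, price_tolerance=0.02):
    """Controls C.1, C.4, C.5: return the reasons an invoice must be blocked.
    An empty list means PO, receipt and invoice agree and payment may be released."""
    blocks = []
    if inv.vendor_id != po.vendor_id:
        blocks.append("invoice vendor differs from PO vendor")
    if inv.qty > receipt.qty_received:
        blocks.append("billed quantity exceeds quantity received")
    if inv.qty > po.qty:
        blocks.append("billed quantity exceeds quantity ordered")
    if abs(inv.unit_price - po.unit_price) > price_tolerance * po.unit_price:
        blocks.append("unit price outside contract tolerance")
    if inv.entered_by == po.approved_by:
        blocks.append("segregation of duties: PO approver also entered the invoice")
    return blocks

def is_duplicate_payment(paid, inv):
    """Control C.2: flag an invoice already paid for the same vendor and invoice
    number (ignoring case/whitespace), or the same PO billed again for the same amount."""
    for p in paid:
        same_number = p.invoice_no.strip().upper() == inv.invoice_no.strip().upper()
        if p.vendor_id == inv.vendor_id and same_number:
            return True
        if p.po_id == inv.po_id and p.qty * p.unit_price == inv.qty * inv.unit_price:
            return True
    return False
```

A blocked invoice stays in the exception queue for Accounts Payable to clear, as control C.4 describes; it is never released automatically.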

Process Optimization:
• Enable end-to-end process ownership from requisition to purchase order to payment. By reducing multiple purchasing groups, the organization can negotiate terms for the company’s strategic play.
• Create an urgent, non-urgent, and small amount spending process and streamline or automate the approval and reconciliation process.
• Optimize complex contract purchasing process with suppliers. Integrate the buying process with suppliers using ERP and EDI systems between companies.
• Bring the procurement process online to integrate and automate the purchasing lifecycle process.

Recommended Applications:
1. SAP
2. Oracle
3. Ariba
4. PurchasingNet
5. Computron
Please email me if you would like to add an application to this list.

References:
1. http://www.erpschools.com
2. http://www.businessstrategy.com/
If you’re an expert in this process, I’d love to list your resources here. Please email me with a link to your site.

SOX Compliance Threats

Below is the list of the 10 threats to SOX compliance published by Deloitte.

10 Threats to Compliance

Companies working toward section 404 compliance should be especially alert to the following threats to compliance:
1. Lack of an enterprise-wide, executive-driven internal control management program
2. Lack of a formal enterprise risk management program
3. Inadequate controls associated with the recording of nonroutine, complex, and unusual transactions
4. Ineffectively controlled post-merger integration
5. Lack of effective controls over the IT environment
6. Ineffective financial reporting and disclosure preparation processes
7. Lack of formal controls over the financial closing process
8. Lack of current, consistent, complete, and documented accounting policies and procedures
9. Inability to evaluate and test controls over outsourced processes
10. Inadequate board and audit committee understanding of risk and control

Fraud

This week, I met a man who was an ex-CEO of a clean tech company. He was smart and had a strong presence. However, being in the business, instinct led us to do some digging about him. The result was shocking. This man was recently in jail, convicted on over 50 counts of fraud charges. He was the CEO of a Bay Area solar company. He took consumers’ deposits and never delivered the services he promised.

Today, the ex-CEO and CFO of Duane Reade (later bought by Walgreens) were convicted of securities fraud, conspiracy and making false statements from 2000-2005. See Reuters’ report.

I am sure there are many stories like this. Corporate fraud vs consumer fraud, which is worse?

SOX Goes Mobile

Can you visualize your auditors going paperless? Here’s a snapshot of Mintview for SOX in the cloud, on an iPad. Based on our test, we’re finding that the iPad still has its shortfalls, but it’s looking promising. Managers can successfully use Mintview for reviewing and communicating SOX in meetings on the iPad 100% of the time. Documenting SOX may be trickier since the iPad’s browser is not full featured.

Handling Claims via Postal Mail

The US Postal Service and private carriers are not considered business associates of covered entities under HIPAA. This exception is outlined here under the section titled:

Other Situation in Which a Business Associate Contract Is NOT Required:

With a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents.

Check here to read the full HIPAA Business Associate Agreement requirements.

HIPAA for Workers’ Compensation

Should you treat all ePHI and PHI the same? Unfortunately, like most rules, it is not black and white. There are a few exceptions to HIPAA compliance, one of which is the handling of PHI and ePHI in the workers’ compensation process.

Workers’ Compensation and HIPAA

There is no problem with employers, workers’ compensation insurance carriers, physicians, and other participants in the workers’ compensation system sharing protected health information with each other in connection with workers’ compensation claims and appeals.

HIPAA specifically allows three exemptions for workers’ compensation-related matters:
1. If the disclosure is “[a]s authorized and to the extent necessary to comply with laws relating to workers’ compensation or similar programs established by law that provide benefits for work-related injuries or illness without regard to fault.” 45 C.F.R. § 164.512(l).

2. If the disclosure is required by state or other law, in which case the disclosure is limited to whatever the law requires. 45 C.F.R. § 164.512(a).

3. If the disclosure is for the purpose of obtaining payment for any health care provided to an injured or ill employee. 45 C.F.R. § 164.502(a)(1)(ii).

Thus, the employee’s written authorization is not necessary for the disclosure if one of those exceptions applies, and the employee also would not be able to require the covered entity to withhold the information under 45 CFR § 164.522(a). The bottom line is that if any health-related information is being exchanged in conjunction with a workers’ compensation claim or appeal, the HIPAA privacy rule will not stand in the way.

Testing for HIPAA Compliance

Are you a HIPAA covered entity? As of April 16, 2003, HIPAA covered entities are required to regularly test their software and computer systems internally to ensure that the security controls HIPAA requires are implemented for handling electronic protected health information (ePHI). In addition, HIPAA covered entities are also responsible for selecting and testing their vendors (any vendor handling their ePHI records in any capacity) for HIPAA compliance.

To conduct a HIPAA compliance review, neither the company’s officers nor its IT staff are the appropriate reviewers of its internal security controls. Most officers are not specialized in the security of software and computer systems and cannot test these controls. Furthermore, the IT staff inside the company, who may have the technical and audit skills, may not be appropriate because of their conflict of interest: the people who operate the controls should not be the ones who assess them. This is an example of a security control for segregation of duties.

Thus, many organizations use a trusted independent consultant, like Munimotion, to assist in HIPAA compliance reviews. By having a consultant conduct an annual HIPAA review, you are not only working with the right individual to minimize risk, you are also meeting a HIPAA compliance requirement. Among other HIPAA requirements, one of them is the requirement for companies to perform regular self-assessments of HIPAA compliance.

Birthday News!

Welcome to our blog! Today is the birth of our website and blog. In the past year, our team has been working hard to help shape how small to mid-size companies deal with compliance. Our vision is to develop an easy-to-use product that bridges the gap between auditors and the entire organization accountable for compliance.

We recognize that we need to build a bridge to close the gaps between the board, executives, business leaders, auditors, security, privacy and IT groups. Let’s face it, in the past decade the corporate landscape has changed drastically. Employees are now asked to do more than ever before. Managers are accountable for more than ever before, expanding into unfamiliar territories. We can’t train people fast enough to keep up, and companies certainly don’t have the luxury training budgets they once had.

Thus, we want to make compliance as painless as possible. We want to help streamline the governance of compliance across various groups and present only what is relevant to you, while reusing and reducing compliance effort across the organization. Our software was designed from the ground up and is based on frameworks widely accepted by auditors and compliance specialists. Developing our vision is not going to happen overnight, so we will need your help. Tell us how we can help. In the meantime, our SOX module is available. Click here to read more about Mintview.

Governance, Risk, & Compliance