Dean Plank
From: Saved by Windows Internet Explorer 7
Sent: Tuesday, April 08, 2008 4:28 PM
Subject: Compliance Week: Leveraging AS5, SOX Testing at Silicon Graphics
Compliance Week: Leveraging AS5, SOX Testing at Silicon Graphics (page 1 of 4, printed 4/17/2008)
Leveraging AS5, SOX Testing at Silicon Graphics
By Christine Dunn — April 1, 2008
In the latest of our conversations with compliance and governance executives, we catch up with Dean Plank, director of internal audit at Silicon Graphics, Inc. Readers can also visit our archive of Q&A interviews.
You’re director of internal auditing. How long have you been in that role?

Since June 2007.
How big is your team? Do you outsource any work?

There’s one person that works for me, and he resides in Europe. He does the European work and helps out on some domestic projects.

We’ve done some outsourcing in the past, exclusively for the Sarbanes-Oxley test work that needed to be done internally. Outside of that, we haven’t outsourced any internal audit efforts. My consulting experience has helped me a lot. My colleague in Europe and I have a significant amount of experience, so I feel we have enough resources.

This year for our Sarbanes-Oxley-related work there are a few internal employees that work in the finance area that will help with internal Sarbanes testing. We selected the individuals based on their skill sets and experience. We’ve discussed it with our auditors and they’re on board with that approach.
How important to the job is experience in SOX compliance? Is working for an audit firm important?

I grew up during the first few years of my career with a big audit firm. So I think the exposure you get and the working knowledge you attain with an independent audit firm is very good, because you obtain exposure to different industries and business processes. And so you gain a lot of experience across the different industries and the way they do business. You can take those different experiences to a company if you go into private industry.

DETAILS

Dean Plank is the director of internal audit for Silicon Graphics, Inc. (SGI) and holds Masters International Management and B.A. Business Administration degrees from the University of St. Thomas in St. Paul, Minnesota, and is a Certified Public Accountant.

Prior to SGI, Plank was a Sarbanes-Oxley (SOX) Consultant for AXT, Inc. Plank has held finance positions with 8x8, Inc., Yahoo Inc., Apple Computer, Inc., and E&J Gallo Winery.

COMPANY BASICS

Company: Silicon Graphics, Inc.
Headquarters: Sunnyvale, CA
Employees: 1,588
Industry: Computer Products
’06 Revenue: $341 million
And you report to?

The chairman of the audit committee. There are three independent board members on the audit committee. In addition, administratively, I report to the CFO and sit on her staff.
What questions are they asking you most often?

They’re primarily interested in my perspective on the control environment internal to the company. As with many companies, we periodically lose people to attrition, so they want to make sure that controls are in place through employee transitions, that we’re addressing them, and [that we] are always improving them.
How does your company define “compliance,” versus internal auditing or risk management?

I wasn’t here, but originally they put together an internal task group to document the business processes and identify key controls in each of the business processes; I call them cycles. So for example, we have an inventory cycle, a treasury cycle, a fixed-asset cycle, et cetera. An internal task force documented the cycles and identified the key controls within each cycle.

At the time I was working with independent auditors to get their guidance on the internal compliance program for year one of Sarbanes-Oxley. After that it was a matter of testing key controls and the effectiveness of process owners complying with key controls.

At the time all the internal employees were working with the financial programs. Once we got things established for year one, it was a matter of re-evaluating processes to see if anything had changed or been documented or edited. We had to go out and test the processes to get to year two. The program evolved. The most time spent developing the program is in the first year or two. After that, it’s a matter of adjusting the program to meet the needs of the business, executive management, and the independent auditors.
What are the pillars of your compliance program?

Any good compliance program starts with the tone at the top of the organization, carried by the board, CEO, CFO, and other key executives within the company. SGI has always had a very strong tone at the top, which is the foundation pillar for any compliance program.

After that, I would say that the pillars are pretty much the Sarbanes-Oxley narratives that we’ve generated, which are the documentation of what we call narratives that describe the control processes and identify key controls in each cycle.

After that, you put together a test program that tests the key controls identified in the narrative. Then you go and execute and perform testing from there.
How do you monitor that the program is being carried out throughout the company?

Through our test processes. The last several years, our testing has covered in general the second, third, and fourth quarters of the year. We do our testing throughout the year, with the exception of Q1, so that we have an awareness of how the control environment is working from quarter to quarter.
I report back to the audit committee every quarter the results of the compliance-testing program that we do. There are no surprises; there’s a quarterly meeting. Sometimes there’s a comment or request to look in an area. Once in a while we get a question from the audit committee chairperson to look at a certain area, and so we do a little bit of work that they request.
Would you say SGI’s compliance program is “fully” implemented?

There’s always a little bit of tweaks to be made. In general, I’m very comfortable with the program that we have. Over the last couple of years the issues that were identified we addressed immediately to remediate. We went back and retested to make sure the remediation had been completed and that the controls were working based on the follow-up retest.

We track that remediation process throughout the year. On a periodic basis we provide the results on remedial testing to the independent auditors. Our external auditors know about any issues in any given area. It is a robust program and something we’re working on from week to week throughout the fiscal year.
How do you leverage your SOX work into the broader compliance program?

The accounting-compliance focus now under Auditing Standard No. 5 is more at an entity-level type of control process: the tone at the top, and management’s involvement at the executive level in terms of tone. So by going in and testing processes at a detailed level, you get a good feel for the overall control environment.

[Since] the industry is moving from AS2 to AS5, with more of a focus on entity-level controls, moving forward I think the focus will be more toward the whistleblower policies or higher-level types of control information.

At the entity level of controls, companies are moving toward more of a tone or process that comes down from the top. We have a program where, annually, we will send out a letter to all employees. They need to respond in terms of their compliance with the control environment. We have created an overall control message that we’re asking employees to abide by and confirm back that they are in compliance.
Have you noticed any real differences between AS5 and AS2?

The key difference for me is that under AS5 we can focus more on the priority areas for a control environment. Revenue recognition gets a lot of attention and so does the management of a stock program.

For example, if over the last three years we did a lot of testing in the fixed-asset area, under AS2 we would need to go back and continue to test a lot of fixed-asset transactions, even though the testing has proven that the control environment is sound. Under AS5 you can spend less time testing around fixed assets and more around revenue recognition processes and our equity program processes. It’s a matter of adjusting the time you have to test the control environment, taking the time away from the areas that have tested out to be sound, and moving to the higher-risk or more important areas from an independent auditing perspective, like revenue recognition or equity, for example.
What about the Section 404 guidance for management, from the Securities and Exchange Commission? Is that of any use?

We pretty much have taken our cues from AS5 and working with our independent auditors, getting guidance from them. They can’t tell us what to do, but they can provide guidance. I try to sit down with them on a regular basis throughout the year to find out what’s on their mind and what they perceive to be higher-risk areas. That’s where I will spend more time.
What are your priorities and goals for this year?

Internally, our SOX compliance program is quite robust and working well. My priority is to get through the testing the rest of this year in less time, because of the experience that I have internally. With the other auditor in Europe, and the internal finance people helping, we will get through the same amount of testing in less time because of the familiarity and experience. By doing this, I will free up time to add back more traditional internal audit activity that can be of great incremental benefit to SGI.
Compliance Week provides general information only and does not constitute legal or financial guidance or advice.