Dean Plank
Sent: Tuesday, April 08, 2008 4:28 PM
Subject: Compliance Week: Leveraging AS5, SOX Testing at Silicon Graphics
Page 1 of 4Compliance Week: Leveraging AS5, SOX Testing at Silicon Graphics
4/17/2008
Leveraging AS5, SOX Testing at Silicon Graphics
By Christine Dunn — April 1, 2008
In the latest of our conversations with compliance and governance executives, we catch up with Dean
Plank, director of internal audit at Silicon Graphics, Inc. Readers can also visit our archive of Q&A
interviews.
You’re director of internal auditing. How long have you been in
that role?
Since June 2007.
How big is your team? Do you outsource any work?
There’s one person that works for me, and he resides in Europe. He does
the European work and helps out on some domestic projects.
We’ve done some outsourcing in the past, exclusively for the Sarbanes-
Oxley test work that needed to be done internally. Outside of that, we
haven’t outsourced any internal audit efforts. My consulting experience
has helped me a lot. My colleague in Europe and I have a significant
amount of experience, so I feel we have enough resources.
This year for our Sarbanes-Oxley-related work there are a few internal
employees that work in the finance area that will help with internal
Sarbanes testing. We selected the individuals based on their skill sets and
experience. We’ve discussed it with our auditors and they’re on board
with that approach.
How important to the job is experience in SOX compliance? Is
working for an audit firm important?
I grew up during the first few years of my career with a big audit firm. So
I think the exposure you get and the working knowledge you attain with an independent audit firm is very
good, because you obtain exposure to different industries and business processes. And so you gain a lot of
experience across the different industries and the way they do business. You can take those different
experiences to a company if you go into private industry.
DETAILS
Dean Plank is the director of internal audit for Silicon Graphics, Inc. (SGI) and holds a Masters
International Management and B.A. Business Administration degrees from the University of St. Thomas in
St. Paul, Minnesota, and is a Certified Public Accountant.
Prior to SGI, Plank was a Sarbanes-Oxley (SOX) Consultant for AXT, Inc. Plank has held finance positions
with 8x8, Inc., Yahoo Inc., Apple Computer, Inc., and E&J Gallo Winery.
COMPANY BASICS
Company: Silicon Graphics, Inc.
Headquarters: Sunnyvale, CA
Employees: 1,588
Industry: Computer Products
’06 Revenue: $341 million
And you report to?
The chairman of the audit committee. There are three independent board members on the audit committee.
In addition, administratively, I report to the CFO and sit on her staff.
What questions are they asking you most often?
They’re primarily interested in my perspective on the control environment internal to the company. As with
many companies, we periodically lose people to attrition, so they want to make sure that controls are in place
through employee transitions, that we’re addressing them, and [that we] are always improving them.
How does your company define “compliance,” versus internal auditing or risk management?
I wasn’t here, but originally they put together an internal task group to document the business processes and
identify key controls in each of the business processes; I call them cycles. So for example, we have an
inventory cycle, a treasury cycle, a fixed-asset cycle, et cetera. An internal task force documented the cycles
and identified the key controls within each cycle.
At the time I was working with independent auditors to get their guidance on the internal compliance
program for year one of Sarbanes-Oxley. After that it was a matter of testing key controls and the effectiveness
of process owners complying with key controls.
At the time all the internal employees were working with the financial programs. Once we got things
established for year one, it was a matter of re-evaluating processes to see if anything had changed or been
documented or edited. We had to go out and test the processes to get to year two. The program evolved. The
most time spent developing the program is in the first year or two. After that, it’s a matter of adjusting the
program to meet the needs of the business, executive management, and the independent auditors.
What are the pillars of your compliance program?
Any good compliance program starts with the tone at the top of the organization, carried by the board, CEO,
CFO, and other key executives within the company. SGI has always had a very strong tone at the top, which is
the foundation pillar for any compliance program.
After that, I would say that the pillars are pretty much the Sarbanes-Oxley narratives that we’ve generated,
which are the documentation of what we call narratives that describe the control processes and identify key
controls in each cycle.
After that, you put together a test program that tests the key controls identified in the narrative. Then you go
and execute and perform testing from there.
How do you monitor that the program is being carried out throughout the company?
Through our test processes. The last several years, our testing has covered in general the second, third, and
fourth quarters of the year. We do our testing throughout the year, with the exception of Q1, so that we have
an awareness of how the control environment is working from quarter to quarter.
I report back to the audit committee every quarter the results of the compliance-testing program that we do.
There are no surprises; there’s a quarterly meeting. Sometimes there’s a comment or request to look in an
area. Once in a while we get a question from the audit committee chairperson to look at a certain area, and so
we do a little bit of work that they request.
Would you say SGI’s compliance program is “fully” implemented?
There’s always a little bit of tweaks to be made. In general, I’m very comfortable with the program that we
have. Over the last couple of years the issues that were identified we addressed immediately to remediate. We
went back and retested to make sure the remediation had been completed and that the controls were working
based on the follow up retest.
We track that remediation process throughout the year. On a periodic basis we provide the results on remedial
testing to the independent auditors. Our external auditors know about any issues in any given area. It is a
robust program and something we’re working on from week-to-week throughout the fiscal year.
How do you leverage your SOX work into the broader compliance program?
The accounting-compliance focus now under Auditing Standard No. 5 is more at an entity-level type of control
process: the tone at the top, and management’s involvement at the executive level in terms of tone. So by
going in and testing processes at a detailed level, you get a good feel for the overall control environment.
[Since] the industry is moving from AS2 to AS5, with more of a focus on entity-level controls, moving forward
I think the focus will be more toward the whistleblower policies or higher-level types of control information.
At the entity level of controls, companies are moving toward more of a tone or process that comes down from
the top. We have a program where, annually, we will send out a letter to all employees. They need to respond
in terms of their compliance with the control environment. We have created an overall control message that
we’re asking employees to abide by and confirm back that they are in compliance.
Have you noticed any real differences between AS5 and AS2?
The key difference for me is that under AS5 we can focus more on the priority areas for a control environment.
Revenue recognition gets a lot of attention and so does the management of a stock program.
For example, if over the last three years we did a lot of testing in the fixed-asset area, under AS2 we would
need to go back and continue to test a lot of fixed-asset transactions, even though the testing has proven that
the control environment is sound. Under AS5 you can spend less time testing around fixed assets and more
around revenue recognition processes and our equity program processes. It’s a matter of adjusting the time
you have to test the control environment, taking the time away from the areas that have tested out to be
sound, and moving to the higher-risk or more important areas from an independent auditing perspective, like
revenue recognition or equity, for example.
What about the Section 404 guidance for management, from the Securities and Exchange
Commission? Is that of any use?
We pretty much have taken our cues from AS5 and working with our independent auditors, getting guidance
from them. They can’t tell us what to do, but they can provide guidance. I try to sit down with them on a
regular basis throughout the year to find out what’s on their mind and what they perceive to be higher-risk
areas. That’s where I will spend more time.
What are your priorities and goals for this year?
Internally, our SOX compliance program is quite robust and working well. My priority is to get through the
testing the rest of this year in less time, because of the experience that I have internally. With the other
auditor in Europe, and the internal finance people helping, we will get through the same amount of testing in
less time because of the familiarity and experience. By doing this, I will free up time to add back more
traditional internal audit activity that can be of great incremental benefit to SGI.
Compliance Week provides general information only and does not constitute legal or financial guidance or advice.