Corporate governance for high-tech firms

Abstract

A daunting compliance deadline loomed for a microelectronics manufacturer, but Mastodon Consulting stepped in to help the company develop and document technology procedures and controls. These checks and balances included general computer controls and other IT controls over processes significant to financial reporting. Mastodon developed a framework of good governance practices and resolved critical risks through procedural and cultural change.

The Challenge

A leading microelectronics manufacturer faced a regulatory compliance deadline that required it to demonstrate adequate controls over systems that could materially affect its financial statements. The law in question, Japan's Financial Instruments and Exchange Law (commonly called J-SOX), obliges all companies listed in Japan to strengthen internal controls and to ensure full and accurate disclosure of financial information, in order to reduce the risk of material misstatement, fraud or accounting scandal. Given the complexity of the regulations, the short timeframe for compliance and the high cost of non-compliance, the company solicited Mastodon's assistance in implementing COBIT (Control Objectives for Information and Related Technologies) as the framework for IT and computer controls, to identify gaps, remediate weaknesses, and assemble appropriate control testing documentation.

Mastodon proposed a risk-based, top-down approach to optimize control while driving down time and cost. A risk-based approach is one that focuses on the financial statement accounts and related processes that are significant to the financial statements. The top-down aspect means that the company began by evaluating entity-level controls (e.g., the overall control environment, oversight by the board of directors) and worked down to specific processes, financial statement accounts and the computer controls that support them. This approach meant that time and effort were focused on the areas critical to the company's financial control, avoiding the wasted time and money of a more typical checklist approach to compliance.

One issue the organization faced was a lack of formal procedures for managing change across the enterprise. Changes to corporate IT systems, network infrastructure devices, and the production server environment were made in an ad hoc manner: change control protocols were not followed and changes were not documented, which led to errors and a heavy dependence on certain individuals, as "they are the only ones who know how to fix it." Mastodon proposed a simple yet comprehensive IT change control process that provides segregation of duties between initiating a change, approving it, and implementing it, so that an unauthorized change cannot reach the production environment. As the technology organization for this division was very small, creativity was required in finding a solution that did not slow down the business or add unnecessary bureaucracy; where a team is too small to staff three fully independent roles, the usual practice is to keep the approver independent of the person who implements and to back that up with a compensating control, such as an independent review of the change log against what actually changed in production.
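The control described above, in the form an auditor would test it, as an added illustration that is not Mastodon's or the client's actual process: a change moves through requested, approved and implemented states, nobody can approve their own request, nobody can implement a change they approved, and nothing reaches production without an approval on record. The role names, state names, change identifiers and the `three_way` switch (which relaxes the policy to the small-team variant where the requester may also implement) are assumptions made for the example.

```python
"""Change-control workflow enforcing segregation of duties (SoD).

Illustrative code only; state names, roles and the audit-log format are
assumptions, not a description of any specific company's procedure.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    REQUESTED = "requested"
    APPROVED = "approved"
    IMPLEMENTED = "implemented"


class SoDViolation(Exception):
    """One person would hold two duties that the policy keeps separate."""


@dataclass
class Change:
    change_id: str
    description: str
    requester: str
    state: State = State.REQUESTED
    approver: str | None = None
    implementer: str | None = None
    audit_log: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self._record(self.requester, "requested")

    def _record(self, actor: str, action: str) -> None:
        # Append-only trail: this is what an auditor samples when testing the control.
        self.audit_log.append(f"{self.change_id}: {action} by {actor}")


class ChangeControl:
    """Decides who may approve and implement a change.

    three_way=True  : requester, approver and implementer must all differ.
    three_way=False : small-team variant; the requester may also implement,
                      but the approver must be independent of both roles.
    """

    def __init__(self, three_way: bool = True) -> None:
        self.three_way = three_way

    def approve(self, change: Change, approver: str) -> Change:
        if change.state is not State.REQUESTED:
            raise ValueError(f"{change.change_id} is {change.state.value}, not awaiting approval")
        if approver == change.requester:
            raise SoDViolation(f"{approver} cannot approve their own change {change.change_id}")
        change.approver = approver
        change.state = State.APPROVED
        change._record(approver, "approved")
        return change

    def implement(self, change: Change, implementer: str) -> Change:
        # An unapproved change never reaches production, whoever asks.
        if change.state is not State.APPROVED:
            raise ValueError(f"{change.change_id} is {change.state.value}; approval is required first")
        if implementer == change.approver:
            raise SoDViolation(f"approver {implementer} cannot also implement {change.change_id}")
        if self.three_way and implementer == change.requester:
            raise SoDViolation(f"requester {implementer} cannot implement under the three-way policy")
        change.implementer = implementer
        change.state = State.IMPLEMENTED
        change._record(implementer, "implemented")
        return change


def run_demo() -> dict[str, object]:
    """Walk one constructed change through the policy and report what was blocked."""
    policy = ChangeControl(three_way=True)
    chg = Change("CHG-0001", "Open firewall rule for ERP batch job", requester="alice")
    blocked: list[str] = []

    def attempt(action, actor: str) -> None:
        try:
            action(chg, actor)
        except (SoDViolation, ValueError) as exc:
            blocked.append(str(exc))

    attempt(policy.implement, "alice")  # no approval on record yet
    attempt(policy.approve, "alice")    # self-approval
    policy.approve(chg, "bob")
    attempt(policy.implement, "bob")    # approver deploying what they approved
    policy.implement(chg, "carol")      # independent third party
    return {"state": chg.state.value, "blocked": len(blocked), "log": chg.audit_log}


if __name__ == "__main__":
    for line in run_demo()["log"]:
        print(line)
```

The three rejected attempts in `run_demo` are the cases an auditor walks through when testing the control: a change pushed without approval, a requester approving their own work, and an approver deploying the change they signed off. The audit log is the evidence that the control operated, so it is written on every state transition rather than on request.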

How We Helped

Mastodon Consulting helped the client understand the implications of the regulations and develop an approach that would address their needs. With a blend of regulatory knowledge, experience with the systems that required modification, and extensive organizational development expertise, Mastodon helped the client successfully meet the aggressive deadline for compliance.

Mastodon's services included:

  • Business process engineering
  • Regulatory compliance oversight
  • Change management
  • Risk management

Lessons Learned

With the new compliance framework, the company has much greater control over its development and production environments, dramatically reducing the number and severity of errors. With compliance in place, the company can now provide a high level of assurance to the customers who depend on it for outstanding service, training, applications and technical support.

Contact us for more information