The Newsletter of the STC Policies & Procedures Special Interest Group ● 3rd Quarter 2006
NEWS
INSIDE
Step by Step: Your Greatest Opportunity ...
By Elizabeth McQueen
Member Profile – Abena Edugyan
SOXing it to 'em
By Justin Baker
Developing P&P for Emergencies
Editor's compilation
Your Advertisement Here!
Got a hot product or service you'd like our 1,000+ members to hear about?
Contact the Editor to inquire about rates: Lois Marsh.
SOXing it to ‘em...
Fall 2001. Enron. Bankruptcy. Thousands of Enron employees out of work. Their retirement plans wiped out. And this was just one of many accounting scandals to come…
Summer 2002. Congress. Anger. Thousands, perhaps millions, of American citizens affected by accounting scandals and corporate corruption. It was time to set American corporations back onto the path towards ethical rectitude…
And the Sarbanes-Oxley Act of 2002 was born.
The Sarbanes-Oxley Act of 2002, otherwise known as SOX, is legislation passed by the United States Federal Government to forcibly set American corporations back onto that path towards ethical rectitude.
The majority of this legislation focuses on the control of organizational finances; one focus in particular is the mandatory establishment of a specific framework of internal controls. Internal controls are the components of an organization’s human and IT processes and infrastructure that control the organization’s workflow.
These internal controls ensure that applicable government regulations and industry standards are built into the organization’s processes and infrastructure; in general, internal controls ensure that the organization’s workflow is structured, controlled, and ethical.
A Contender
In at least one major American organization, software developers are busy building these internal controls into the IT side of the organization’s processes and infrastructures while managers are busy building internal controls into the human side of the organization’s processes and infrastructures.
And technical writers are documenting all of it into a large policy and procedure framework.
The P&P Pyramid
The policy and procedure framework of this particular organization is modeled into a pyramid structure with five layers composing the framework. The first, and top, layer is the Directives layer. The Directives layer comprises the legislation, regulations, and standards that are external to the organization; the SOX legislation is an external directive that probably has the most immediacy right now.
The second layer of the framework, or pyramid, is the Policies layer. The Policies layer comprises the goals and high-level strategies of the organization; these goals and high-level strategies incorporate and are constrained by the directives in the first layer.
The third layer is Standards, which focuses on the internal controls that will provide the boundaries for the fourth and fifth levels (Enterprise-Level Procedures and Sub-procedures).
The internal controls in the Standards layer of this particular organization’s policy and procedure framework are derived from a variety of external, authoritative sources including the Control Objectives for Information and Related Technology (COBIT), which is a general framework of IT best practices and internal controls. There are a variety of internal controls in any business including accounting controls and financial-reporting controls; many types of controls are derived from a variety of external authoritative sources.
Enterprise-Level Procedures is the fourth layer in this particular framework and can really be thought of as general processes and standard operating procedures. These Enterprise-Level Procedures are then localized in departments throughout the organization to reflect procedural details as well as procedural deviances. These localized processes and procedures are known as Sub-procedures;
Sub-procedures are the fifth, and bottom, layer of the pyramid-like policy and procedure framework.
The Writer’s Role
This particular policy and procedure framework translates into a veritable plethora of documentation work for technical writers. Technical writers are employed at all levels to document the various policies, standards, enterprise-level procedures, and sub-procedures. The majority of technical writers are employed to develop the department-specific sub-procedures, which may number into the hundreds if not thousands.
In this particular policy and procedure framework, templates are used at all layers. The templates contribute to document-development efficiency, particularly with enterprise-level procedures and sub-procedures. The templates for the sub-procedures have a considerable number of internal controls built into the template text. This keeps the technical writers from having to become experts in internal controls, especially the types of internal controls that the SOX legislation focuses on.
And because the sub-procedures are primarily localized enterprise-level procedures, a considerable amount of the process and procedure is built into the sub-procedure template text as well. The primary goal of the technical writers developing the sub-procedures is to define the procedural details and procedural deviances.
The Writer’s Value
In this policy and procedure framework, the value of the technical writer is in interviewing subject matter experts to define the process details and process deviances. The value of the technical writer in this situation is also in managing the document-development process; as any policy and procedure technical writer knows, many SMEs are difficult to mine information from.
For emerging policy and procedure frameworks there is the additional value of creating the templates that are used at all levels of the frameworks. And in a larger context, technical writers are contributing to an ethical restoration in American business that will benefit employees, stakeholders, and society in general. And while the SOX legislation may be new, the internal controls the SOX legislation mandates are not. These internal controls are controls that existed before the SOX legislation; the SOX legislation is just a legal force to ensure that the internal controls that are supposed to be in place are in place.
The Outcome
SOX legislation is a slap on the hand from the Federal Government for behaving so badly.
The force and immediacy of SOX legislation may eventually fade from view, but the need to institute and document internal controls in the form of policy and procedure frameworks never will, thereby ensuring plenty of work for policy and procedure technical writers for a long time to come.