
Leave it to a straight-talking Finance-IT expert to debug a long-standing problem nestled in the dense language of the Sarbanes-Oxley Act.
CEOs and CFOs are required, under Sarbanes Section 302, to scrutinize their publicly listed company's numerous financial reporting controls, identify any deficiencies within those controls, understand how changes to the business might affect internal controls, and then -- based on those assessments -- certify the accuracy of financial reports on a quarterly basis.
The problem is that the process for generating the knowledge required to conduct that scrutiny, as laid out in Section 404 of the act, in most cases occurs on an annual basis. In fact, Section 302 took effect well before the much-delayed Section 404 took effect in December 2004. Many top executives signed their names and then crossed their fingers.
That inefficiency, not to mention the redundant certification and testing processes that plague the majority of compliance efforts, does not sit well with John Verburgt, associate director of compliance at the Chicago Mercantile Exchange (CME), the first publicly traded U.S. financial exchange. A financial systems/compliance expert, Verburgt joined the CME in June 2004 with the mission of creating a lean and mean compliance function in the area of internal control over financial reporting.
"We wanted to give the CEO and CFO comfort each quarter when they certified the current state of internal controls," he explains. "That's a big task." But not one, he asserts, that requires big words. "Everyone talks about 'information transparency,' but I prefer the term 'intuitively obvious.' We want to present compliance information in such a way that the message it communicates is intuitively obvious."
Verburgt delivered that clarity in the CME's certification process by assembling a five-person compliance team; helping internal control owners shape, define and monitor their own internal controls; diligently measuring the effort's progress; and using a compliance application and a BI tool to store, control, manage and report key compliance data.
Since April 2005, control owners have certified the definition, effectiveness and timeliness of their internal controls on a quarterly basis. "This gives us an up-to-date barometer of what's going on in terms of the way we're managing our internal controls specific to Sarbanes-Oxley," Verburgt says.
That success has motivated CME's compliance team to apply a similar rigor to streamlining and strengthening the internal-controls testing process. "We're going to get so good at testing by leveraging automation to the point that much of the testing will become seamless and noninterruptive," Verburgt notes. "Our control owners already bake compliance requirements into their normal routines. Our goal is to test internal controls quarterly so that we can include test results to build additional confidence in our quarterly compliance review."
The seeds of CME's move to quarterly internal control certifications at the control level were sown in the company's decision to shift Sarbanes-Oxley compliance from the internal audit function to a team within the corporate finance function. CME hired Verburgt from McDonald's Corp., and he worked closely with internal auditors as he built his team. Verburgt reports directly to the CME controller, whose organization reports to CFO James Parisi.
The compliance team consists of five members. "The number-one skill set I looked for was subject-matter expertise," Verburgt explains. "I needed to get somebody who was really good at monitoring fixed-asset accounting, so I hired our fixed-asset expert."
He also hired an internal auditor whose expertise includes controls testing, scoping and risk analysis; a financial reporting expert; and an IT guru. "I also looked for people within our company who possessed Big 4 experience because that's a relationship our team needs to manage," Verburgt adds. "You really need to understand how external auditors operate."
Verburgt brought a unique way of thinking -- one that reflects his IT background -- to the compliance realm. While most compliance functions view Sarbanes-Oxley and other regulations as a collection of rules to be followed, Verburgt took a more expansive view. "I didn't want to look at this as an extension of the audit plan," he says. "My approach is to find the solution to this."
The problems Verburgt and his team sought to solve included too many identified controls, too much paper documentation (which breeds mishandling and other errors) and duplicated work.
"One of my first goals was to eliminate all Word documents and Excel files from our approach to storing all compliance information," he says. "We use zero Word and Excel files now, which relieves the burden of version control and aggregating/analyzing our information stored in multiple files on the network."
CME uses Movaris and Business Objects tools to collect, store and report all of its compliance information. A single-source database contains all of the company's internal-control information. The compliance group models and reports its information requirements just like any other business entity. "We're at a point now where people respect that there is a process to the way we manage our content," says Verburgt. "I hold that in high regard because without that information, there's not a lot you can do."
Movaris provided the standard platform for CME's control data and the methods by which the compliance team maintains and examines that information. Verburgt says the tool "allows us to talk to a large audience in a very short amount of time." Using BusinessObjects XI allowed CME's compliance team to analyze, model and distribute their information -- including the SOX measures it has developed -- to their end users to help sustain SOX compliance.

CME's initial internal controls documentation effort went well. When populating the Movaris tool with that information, CME did so with a specific plan in mind: use the internal-controls documentation to drive quarterly certifications at the control level.
Not only would control owners document their controls, but they would also certify them, using the same criteria the CEO and CFO must follow under Section 302, on a quarterly basis.
That certification serves as a self-examination where the results are shared with management, specifically the exceptions that are being reported by the control owners. "Our certifications are highly respected and are part of the control consciousness at CME. Our control owners leverage the spirit of disclosure and understand the importance of reasonable assurance," says Verburgt. "They had a very good comprehension of what Sarbanes was intended to do and also the type of understanding and monitoring they need to perform so that we have confidence that the controls in their area are operating as designed."
That confidence resulted from the extensive engagement with the control and process owners. A common process employed in Sarbanes-Oxley efforts is to require control owners to attend a "discovery session" in which the compliance team asks them what they do, why they do it and what they're trying to prevent; records their answers; and then documents the controls for them.
"We figured it would be more effective to get the language about the control right from the horse's mouth, from the people who perform these processes daily, weekly, monthly or annually," Verburgt notes. "Since they own the control, they should have total control over the language used to define the control. It's proved invaluable … our control portfolio is always up-to-date by default."

To achieve that state, CME's compliance group sends a five-question survey to all control owners on a quarterly basis. Some control owners receive monthly electronic surveys due to the frequency with which the internal controls and the processes they protect are executed. The first two questions concern the control definition. The other three questions target change, evidence and timeliness.
Control owners who respond to the survey also may enter comments and attach evidence. For example, to demonstrate that an A/P control was properly executed, an A/P clerk might attach to the survey response an invoice containing the proper approval signature. Other control owners might use the comment form to explain, for example, that they retired an internal control due to the implementation of a software upgrade.
Some of the more compliance-savvy control owners, for example, request monthly surveys and blend the controls-certification process into their monthly to-do lists and related reports.
Verburgt says that the survey-response process forms a "communication infrastructure directly down to the source that allows us to report directly to the top" -- to Parisi and CEO Craig Donohue -- "on a quarterly basis."
The system thrives because the compliance team measures and reports the results of the certification surveys and responses. The team measures the total number of key internal controls, the total number of control owners, survey responses that indicate the control is operating as designed, survey responses that indicate a change has occurred in the way the control is designed to operate (i.e., exception reporting) and the number of feedback comments received each quarter. In the Tracked Data table at left are some examples of the information the compliance team calculates and tracks.
Although CME will not share the numeric values of its measures, Verburgt reports that the coverage rate has steadily declined during the past three quarters. That means that each control owner is responsible for fewer internal controls, which should help ensure better oversight of those controls.
Verburgt prefers to see the review multiple in the 1.2 to 1.5 range; a low 1.0 means that none of the internal controls are reviewed by more than one control owner, while 2.0 is too high and probably signifies inefficiency. A review multiple of 1.0 is also nearly impossible to achieve in most mid-sized to large organizations where shared-service centers or centralized accounting functions exist. For example, if an A/P control is performed in a shared-service center, each A/P clerk from individual business units must certify that the control is properly defined and working. Of course, metrics apply differently in diverse organizations and industries.
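The metrics described above, worked through on constructed survey responses in an added Python example (this is not CME's own code or the Movaris tool; the formulas for review multiple and coverage rate are interpretations of the text, and the shared-service A/P control shows why the multiple lands above 1.0):

```python
# Added example, not from the article: computing the certification metrics the
# compliance team is described as tracking, over constructed survey data.
# Assumed interpretation: review multiple = certification records / distinct key
# controls; coverage rate = distinct key controls / distinct control owners.

# Constructed quarterly responses: (control id, owner, changed?, comment).
# AP-01 is a shared-service A/P control certified by one clerk per business unit.
CERTIFICATIONS = [
    ("AP-01", "ap_clerk_bu1", False, ""),
    ("AP-01", "ap_clerk_bu2", False, ""),
    ("AP-01", "ap_clerk_bu3", False, "Invoice with approval signature attached"),
    ("AP-02", "ap_clerk_bu1", False, ""),
    ("FA-01", "fixed_asset_lead", True, "Control retired after software upgrade"),
    ("FR-01", "reporting_lead", False, ""),
]

def summarize(certs):
    """Return the quarter's tracked figures from a list of certification records."""
    controls = {c for c, _, _, _ in certs}
    owners = {o for _, o, _, _ in certs}
    return {
        "key_controls": len(controls),
        "control_owners": len(owners),
        "certifications": len(certs),
        "operating_as_designed": sum(1 for _, _, changed, _ in certs if not changed),
        "exceptions": sum(1 for _, _, changed, _ in certs if changed),
        "comments": sum(1 for _, _, _, note in certs if note),
        # average number of owners certifying each control (1.0 = no overlap)
        "review_multiple": len(certs) / len(controls),
        # average number of controls each owner is responsible for
        "coverage_rate": len(controls) / len(owners),
    }

def review_multiple_status(multiple, low=1.2, high=1.5):
    """Flag a review multiple against the preferred 1.2 to 1.5 band."""
    if multiple < low:
        return "low"
    if multiple > high:
        return "high"
    return "ok"

if __name__ == "__main__":
    stats = summarize(CERTIFICATIONS)
    for name, value in stats.items():
        print(f"{name:22} {value}")
    print("review multiple status:", review_multiple_status(stats["review_multiple"]))
```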
"Our big metric for 2007 will be testing redundancy," says Verburgt. "How many times do we have to test this control to keep everyone satisfied?"
To get at that answer, CME's compliance team plans to ask and answer another question: How much does it cost to conduct each test of an internal control? That answer should make everyone -- including external auditors -- deeply reflect on whether an internal control requires duplicate testing.
"We've mastered the art of certification, and next we're going to break new ground by being very efficient in the way we test controls," Verburgt says.
Currently, the vast majority of publicly listed companies test Sarbanes-Oxley-related internal controls annually; CME plans to move to a continuous test model aligned to the control frequency. "To further strengthen the confidence of our CEO and CFO when they certify, we will give them test results," Verburgt concludes, noting that his team has already developed a prototype for that approach. "We can take a control definition, put it right next to a control test and then show our library of evidence, including all of the notations we've collected, in electronic form. Once we can bring that into the fold and make it the way we work, I would love to put our audit program's SOX compliance against anyone's."