What a difference four years make.
In March 2004, defense technology company DRS Technologies had no internal audit department, faced significant challenges in meeting its first Sarbanes-Oxley Section 404 deadline, and relied on consultants to handle much of its initial SOX groundwork.
When Boeing veteran Steve Patterson joined DRS as its vice president, internal controls, later that month, he recalls that “it almost felt like I was working for PwC rather than the other way around.” Patterson's mission was daunting: Build an internal audit department from scratch at one of the world's fastest-growing defense technology companies during the brunt of Year One Section 404 compliance while competition for internal audit talent was fierce.
To date, the mission has been a resounding success thanks to Patterson's work on three crucial fronts: people, process, and automation. “As we built up the internal auditing organization, my initial sense flipped and it felt as though the PwC internal consultants did work for me, not the other way around,” says Patterson, who emphasizes that the battle to strengthen governance, risk management, and compliance (GRC) never ends.
Other important changes, including a useful risk-assessment approach and movement toward a more centralized enterprise-wide GRC program, also accompanied the development of the internal audit function. The tactical precision with which Patterson, his colleagues, and his bosses, CFO Richard Schneider and CEO Mark Newman, made key GRC decisions enabled internal audit to blossom during a busy stretch.
Following five years in public accounting with Arthur Andersen, Patterson worked in finance and internal roles for Rockwell International for about seven years and then for Boeing, after Boeing acquired the aerospace and defense company. By the end of his eight years with Boeing, Patterson was a senior manager in the corporate internal audit group.
DRS Technologies recruited Patterson to start up an internal audit function in 2004. The company supplies integrated products, services, and support to military forces, intelligence agencies, and prime contractors worldwide. It develops, manufactures, and supports a broad range of military systems, including thermal imaging devices, combat display workstations, electronic sensor systems, power systems, rugged computer systems, military trailers and shelters, and more.
At the time of Patterson's hiring, fast-growing DRS outsourced internal audit to PwC. Since 2003, DRS Technologies has posted a compound annual revenue growth rate of 40 percent. The growth, primarily through acquisitions, resulted in a largely decentralized structure and more than 30 business units. “It was a crazy first year,” recalls Patterson, whose first steps on the job included reducing an unwieldy number of internal controls and purchasing software to assist with Sarbanes-Oxley compliance.
After pruning the number of key internal controls that required testing, Patterson examined dozens of different compliance software tools through webcasts, calls with peers, and vendor presentations. DRS settled on OpenPages in the summer of 2004 and set out to install the software — until something occurred to Patterson.
“If we took the time to automate some of our compliance processes at that point, it may not have allowed us to cross our first SOX finish line in time,” he reports.
Instead, Patterson, the PwC internal auditing consultants, and Patterson's business unit partners focused their energies on addressing areas with high rates of noncompliance. “Even though we bought the tool in that first year, we decided to put it on the back burner because we were working so hard to test and remediate controls,” he adds.
The decision paid off: DRS Technologies met its Year One Sarbanes deadlines without any material weaknesses and with only a handful of significant deficiencies, which were in line with its size and growth.
View "A Timeline of Perceptive Decision Making [1]" here.
Year Two compliance, which began following the company's March 31, 2005, fiscal year-end, involved the implementation of the OpenPages tool and beefing up head count in the new internal audit function.
The implementation proceeded smoothly, with some relatively minor modifications. For example, some of the predefined objects and fields within the application were changed to match the frequency (multiple times a day, weekly, semi-annually, etc.) with which specific internal controls were executed. These changes were made primarily by creating and/or customizing drop-down menus. The rest of the implementation consisted of loading all of the necessary compliance documentation into the tool.
Recruiting proved more challenging. “I never dreamed that it would be this hard to start up an audit function,” Patterson acknowledges. “When I came from Boeing, I thought that I'd be up and running in six months. Now, almost four years later, I see that creating something from scratch is enormously difficult.”
The biggest challenge involved finding the right people, largely because DRS Technologies competes for auditing talent against every other company in every industry as well as the public accounting firms.
During his first year with DRS Technologies, Patterson hired two internal auditors. During his second year, he encountered more difficulty in finding and hiring the right people, so he reshaped his recruiting strategy.
Through his compliance discussions with the corporate controller, Patterson learned of an external executive recruiter with a knack for matching finance skills to a company's skill needs. Rather than using five or six executive search consultants to find internal auditors, the internal audit and finance functions put the successful recruiter on retainer and used him exclusively. “The approach has been successful,” Patterson explains. “He has a knack for finding the right people, being able to tell the DRS story, and getting people excited about wanting to come in.”
The company has increased the starting salary offers to internal auditors. Additionally, the corporate controller and Patterson developed a financial leadership development program (FLDP) with the blessing of their boss, CFO Schneider. The FLDP consists of a job rotation plan and other developmental opportunities tailored to the career desires of each internal auditor and finance manager. Finally, Patterson and Schneider arranged for CEO Newman to have future lunch sessions with the entire internal audit function at least once a year. “It's an opportunity,” Patterson notes, “for our group to sit down and ask, ‘What keeps you up at night, Mark?’”
The new recruiting, hiring, and development tactics seem to be working. When Patterson first started hiring, some candidates would show up for their initial interviews 30 minutes late. Now, he finds recruits waiting in the lobby — even during blizzards. “One of our new hires had to wait for the receptionist to arrive on the day of his interview,” Patterson recalls. “There was a snowstorm, and he had left his house at 5:00 a.m. to make sure that he would be on time. This is the kind of talent that I want: someone who anticipates obstacles and responds proactively.”
As the internal audit function has grown, Patterson has decreased his reliance on the PwC consultants, some of whom still remain to audit information technology (IT) controls. Yet the function remains lean and mean: nine equivalent internal auditors for a company with 10,000 employees and $2.8 billion in revenue for 2007.
To increase the department's reach and efficiency, Patterson and his team have expanded the use of its compliance software platform.
The expansion consisted of automating the Section 302 certifications through an online interface. DRS Technologies' Section 302 certification process is highly detailed — each business unit controller completes 25 separate sections of a 302 form each quarter — and penetrates deeply into the organizational ranks. Once the business unit controller completes the form, it is routed to the business unit general manager. From there, it flows upward to a strategic business unit (composed of several business units) controller and president; one of four business segment executives; and, finally, on to the corporate controller and CFO.
Until 2006, DRS's third year of SOX compliance, this certification process was conducted manually. The forms that the corporate controller received would be plastered with yellow sticky notes, calling attention to important changes and issues.
Working with an OpenPages consultant to automate this workflow “has greatly improved upon the chaos that was there previously,” says Patterson. “Conditional routing,” notes OpenPages Product Manager Mike Flouton, ensures that the right stakeholders are given oversight authority for the right certification tasks based on a complex set of criteria. “The workflow deployed for DRS is also self-adaptive, so it is intelligent enough to handle ownership changes and personnel restructuring on the fly,” he adds, noting that DRS was one of the first customers to take advantage of the technology's workflow automation capability to supplement the 302 certification process. “This allows the software to adapt to changes in DRS's business — not the other way around — minimizing the burden on their users.”
The launch of an ongoing audit risk assessment has also helped Patterson's function concentrate its internal auditing resources on the areas of greatest need. Over roughly 24 months, the internal audit function “risk-rated” every single business unit from a financial reporting perspective.
The risk ratings currently consist of 21 categories, including tone at the top, quality of financial systems, and turnover at the controller position (see the “Rating Risk” sidebar), which are updated four times a year. “Once a quarter, I sit down with the controller and CFO and we pore over the ratings,” Patterson explains. “I explain that this is how I see the world and ask them to let me know how they see it. We come to an agreement on the ratings through this discussion.” At least once a year, Patterson also sits down with the segment controllers to discuss the ratings and responses of each of the business units in their area of responsibility.
Based on “risk scores” of the 21 financial reporting-related categories, business units receive a green, yellow, or red rating. Internal audit focuses more attention — and specific remediation plans — on red business units. Patterson reports the risk ratings to the audit committee during his quarterly meetings with the group. “It's one of my big discussion points with the audit committee,” Patterson notes. “I have to be prepared to provide great detail on what's being done in response to any business unit that has a red mark. The audit committee wants to know what internal audit is doing in response, what business unit management is doing, why a red rating occurred, and whether or not it caught us by surprise.”
The ratings have also captured the attention of business unit leadership. At the company's most recent annual off-site planning meeting, several business unit general managers and controllers approached Patterson to ask his advice on how they could elevate a yellow rating to green.
“Every controller and GM out there knows what their risk rating is,” says Patterson.
Additionally, both internal audit and the company's external auditors (KPMG) use the ratings to help make their activities more efficient and effective. Internal audit has reduced the amount of Sarbanes-Oxley compliance-related testing it conducts in green business units by about 50 percent. This change has freed up the function to devote more time and energy to test higher-risk business units, in accordance with the Public Company Accounting Oversight Board's (PCAOB's) Auditing Standard Five (AS5) guidance.
Patterson emphasizes that the risk rating is a “living, evolving document.” For example, when internal audit grew concerned about slow responses to its audits from a couple of business units, it added a new category to the risk ratings: “responsiveness to internal audit.”
The company's overall approach to GRC also qualifies as evolutionary. The next phase of internal audit's risk ratings will expand the categories beyond financial reporting to operational risks as well as compliance with government regulations specific to the defense industry.
This marks one of several ways that the company is moving toward a more centralized approach to GRC or enterprise risk management. “That's our current challenge,” says Patterson. “Where do we go with enterprise risk management and who really owns it?”
Patterson is seeking answers to these questions through the same highly collaborative approach that he relied upon to build the internal audit function. He's been discussing opportunities to expand the OpenPages platform to the government compliance area, whose director is looking for ways to improve efficiency and effectiveness.
In other words, there's very little risk that DRS Technologies' approach to governance, risk management, and compliance won't look even more sophisticated and integrated four years from now than it looks today.
See "Getting a Read on Where Risk Resides [2]."
Hear compliance expert Eric Krell discuss [3] the tactical precision with which DRS Technologies makes risk and compliance decisions.
Links:
[1] http://businessfinancemag.com/files/misc_file/0404_TimelineofPerceptiveDecisionMaking.gif
[2] http://businessfinancemag.com/files/misc_file/0408_GettingaRead.gif
[3] http://businessfinancemag.com/audio/defense-contractors-grc-offensive-0327