“…our primary goal is to keep the SOX environment as efficient as possible,” explains Wayne Radue, SOX Manager for Micron Technology, Inc.
Wayne and the team at Micron have used policyIQ to manage their Sarbanes-Oxley compliance since 2004. At Micron, access to policyIQ is distributed to Internal Audit testers, control owners and process owners, but they use Approvals to maintain strong oversight over all changes. We asked Wayne to share a little bit about how their organization uses workflow features to keep the process running smoothly and efficiently.
Groups, Groups, Groups
The key to Micron’s efficiency might just lie in their extensive use of Groups to organize their users. While they have 50 users in policyIQ, Micron has close to 100 Groups defining all of the different parts that a user might play in the SOX process. There are Groups for each Business Process, broken down into two subgroups: one for the Process Owner and another for other users involved in that business process.
The Internal Audit department is broken down in several ways, including a structure into which all IA Testers can be appropriately assigned to the business cycle that they will be testing within any given period. By utilizing such a detailed Group structure, Wayne and the SOX team at Micron do not need to concern themselves with updating pages to include the right individual tester, control owner, process owner, reviewer, etc. It is simply a matter of making sure that the user profiles are properly assigned and updated as individuals move within the organization.
Assigning and Performing Testing
When it comes to Sarbanes-Oxley testing, this is the domain of the Internal Audit team at Micron. The Business and IT Audit Managers assign the Testers to the appropriate business cycles at the start of any given testing period – and remember, they do so by simply moving the user profiles in the appropriate groups! Those same Audit Managers are the designated Approvers on the Test Template, which allows them to review the Tests as they are submitted.
Keeping the Controls Updated
When it comes to keeping Control documentation updated, Micron Technology asks the Process Owners to update the documentation in policyIQ when the control changes. By making the appropriate Process Owners Group the “Administrator” of the Control pages, the Process Owners are empowered to make changes as necessary. In some cases, they will also give individual Control Owners administrative access to the pages to further distribute the responsibility.
All changes to the Control documentation must be routed through an approval group including Wayne as the SOX Manager and the designated IT control coordinator. This ensures that the changes are reviewed for completeness and that the SOX Management team has a clear picture of how much the control environment is changing at any time.
Wayne admits, however, that the Business Process Owners are often too busy to make the changes directly. Wayne and his counterpart in IT will often make the Control changes on behalf of the Process Owners in policyIQ. The process is designed to be flexible, giving the right individuals the access to make changes – but allowing for a distribution of work that makes sense for their organization.
Every organization strives to work smarter – not harder. By utilizing a detailed and well thought out Group structure, as well as distributing the ability to make changes to all of the right users within the company, the SOX team at Micron Technology has maximized their SOX “IQ” and created an efficient and effective process for their organization.