Policyguru to the Rescue - Small Changes Big ResultsRose Hightower
December 17, 2008 — 1,545 views
Q: How does a policy differ from a procedure and why do I need both?
Policy is defined as wisdom in the management of affairs. In accounting and finance terms, a policy establishes a standard or sets the direction and intent of the Company. Policy sets the tone from the top and is worded so that a consistent approach may be developed, monitored and maintained within each of the geographic or regional areas and still be valid. Generally based on external regulations, industry standards and cultural preferences a policy statement describes the 'concepts' and 'principles' which must be implemented throughout the company.
For accounting and finance professionals, think of policies as those outward facing statements which would appear under that label in the annual report or 10K / 10Q submissions, proxy reports, contracts, web pages or the like. When you review your outward facing documentation you'll notice that some 'policy statements' are composed at a 'high level' such Revenue Policies while others are written at a more detailed level such as the vendor payment terms and conditions. Other documents which you think ARE policies may not be such as the Corporate Code of Conduct. So in the end, it is no surprise that a consistent definition cannot be applied to what is a policy.
You would be surprised or perhaps not, that after all this time in designing, developing, reviewing and facilitating the adoption of policies and procedures; this question comes up on a regular basis. I have found that when management wants to debate these terms, they really don't want to discuss the document's content. To avoid getting into this circular argument, my favorite answer is 'it depends' and advise the documentation team to just get on with it.
Procedure refers to a specific way to implement the policy, it is the 'who, what, where, when, why, how-to' of the policy. It is often easier to define the procedure and let the policy statement fall out. To define the procedure, look for input, actions and activities to be performed and outputs. Procedures and processes are represented in a hierarchy and can have sub processes providing increasing levels of detail until desk instructions are produced.
In order to establish an enterprise-wide procedure, consider writing it at the highest common denominator which must be followed for the policy to be implemented. When reviewing and evaluating procedures, the level of detail I find is often mixed with very specific information provided for one or two steps while other steps are not addressed.
Consider the following established by the Accounts Receivable (A/R) function:
- The Company extends customer credit and collection terms and conditions to achieve company sales goals.
First of all is it a policy or a procedure? Coming from the A/R function, it is more like a policy statement. However according to the sentence the Company's policy is that the Sales function defines the credit and collection terms and conditions on a deal by deal basis. If that is your company's intent, then this is a valid policy statement and perhaps the policy statement belongs to Sales and not A/R.
If not, then a better alternative would be:
- It is IDEALTM, LLP's (Company) policy to establish effective credit and collection standards that support company goals to maximize sales while balancing the risk of bad debts from uncollected Accounts Receivable (A/R).
Why would you need both? Consider the policy statement by itself; it will lead to each business or geographic area interpreting and implementing it in different ways. To ensure that a common, consistent, auditable approach is established, a high level procedure needs to be defined within the scope. Procedures require review and changes more often than policies. Procedures may be different if there are different systems and/ or a mix of organizational structures within the company.
This procedure would go on to list and then further describe the various phases of
A/R credit and collection such as:
Credit Administration performs the following:
- A) evaluate customer credit worthiness and establish credit limits
- B) monitor customer accounts to determine the credit risk
- C) inactivate or terminate credit limits by placing the customer on 'credit hold'
- D) create and maintain customer credit management records.
And for Collections:
The Accounts Receivable aging report is the primary report used to monitor and track outstanding customer receivables, due to the Company:
- A) analyze and predict future cash flows
- B) present Customer account balances including current and overdue status
- C) determine the amount required within the Allowance for Doubtful Accounts
- D) determine the internal measurements for Days Sales Outstanding (DSO)
Personally, I like to keep the policy and procedure together on the same document. When this is not practical, I reference the policy within the procedure document. It serves to reinforce the necessity for the procedure and provide the reader with a broader vision of where and how the procedure fits into the scope of the business.
Send examples of policy statements to the [email protected] for evaluation and comment.
Who owns and approves policies?
Policies apply to the entire organization and the intent of policies is as equally important as the content of what is being communicated.
Corporate policies are enterprise wide and apply to all employees e.g., Records and Information Management policies, Compliance policies, Delegation and Sub Delegation of Authority
Functional policies may be enterprise wide; however they apply to a specific procedure or sub section of employees e.g., Accounts Receivable policies apply to all geographic locations and is limited to those functions which interact with A/R; i.e., sales, treasury, accounting, legal. Many of the accounting and finance policies and procedures identified within the 10Q, 10K are functionally specific. However they must be known and implemented in multiple functional areas for them to be effective.
Policy ownership and approval must be at the executive level. However for practical purposes, executives often invite participation and/or coordination from subject or process matter experts. Policy ownership, means that the executive sponsors the policy, reviewed the statement, holds those accountable for its implementation and is ready to take action if and/or when the policy is violated.
Corporate policies are 'owned' by the Chief Executive Officer and/or President; that means that ALL corporate policies must be reviewed and approved by the CEO and/or President.
Functional policies must be owned by the highest executive overseeing that function; e.g., the Chief Financial Officer owns and approves ALL accounting and finance policies.
I am not a fan of the Board of Directors 'owning' policies. However in some companies, especially those which have had recent financial restructuring, restatements or significant deficiencies the Board may decide that they must drive the policy making and approving process in order to provide due diligence and shareholder oversight.
In order to ensure buy-in and participation from the executive team, I suggest having the executive date and sign the policy statement before it is communicated to employees.
The executive should assign or delegate an employee to address employee questions and comments, evaluate suggestion for improvements and to oversee the policy's implementation.
Are you having difficulty defining policy ownership and/or getting executives to own and approve policies; I want to hear your stories. Send them to the [email protected].
Q: How many policies are enough?
There is no correct or magical number. This will depend on the Policy and Procedure scope and mandate. Generally we are talking about dozens and not hundreds.
The scope and number will depend on several factors including and not limited to:
- the type of business you are in and the degree of external regulation,'
- the type of industry and variations on 'go to market' strategies,'
- whether operational and administrative responsibilities are centralized, decentralized or outsourced
- whether it is public or privately owned'
- its debt / equity structure where external creditors may require additional support or evidence that policies are in place and are indeed being followed.
In a Corporate environment policies need to be developed for:
- Business Continuity'
- Compliance policies such as: Data Privacy, Anti-Fraud, Business Practices, Risk and Compliance
- Corporate Code of Conduct
- Delegation and Sub delegation of Authority
- External Communication and sharing of Material Non-Public information; i.e., Insider Trading
- Records and Information Management
The following functional areas must have defined policies
- Accounting and Finance
- Human Resources
- Information Technology
- Occupational Health and Safety
- Research and Development
- Real Estate and Facilities
- Technical Support
- Travel, Entertainment and Expense
Accounting and Finance policies at a minimum must include:
- Account Reconciliation
- Accounting for Long Lived Assets
- Accounts Payable
- Accounts Receivable
- Cash and Banking
- Compensation, Salaries and Payroll
- Financial Reporting
- Inventory valuation
- Product Pricing
- Revenue recognition
- Source and use of exchange rates
- Use of Accruals and estimates
Provide an overview of your company and send your table of contents for an assessment as to whether you are focusing on the right titles. For additional information contact the [email protected].
Q: How often should policies and procedures be reviewed and/or updated?
Policies are rarely changed unless there is a change in the way the company conducts business; e.g., the introduction of a shared service center. At least once every two years policies should be re-evaluated, and updated.
Part of every good documentation program, alerts employees that a document has been added, changed or deleted. This communication serves to remind employees that this is still important and they should review and refresh their cross functional understanding and impact of the statement. Having the policy re-worded or re-formatted reminds employees that this is still important and they need to pay attention.
Procedures may require updating more frequently as processes are improved, changed. In companies where continuous improvement is part of the culture, procedures are dynamic and will change more frequently. Now, having said that consider that in an effective continuous improvement environment the design, implementation and testing of procedures should not occur more frequently than every six months. Remember that with each revision of a procedure, there are upstream and downstream implications. Procedural documentation after the process has been proven. In well run companies, I suggest reviewing procedures at least annually, with continuous monitoring occurring at each cycle via the reporting of key measures.
Most companies review both policies and procedures every two years.
How do you determine when policies and procedures need to be updated? Send your comments to the [email protected].
Q: I need to write a policy and procedure and I don't know where to start.
To get started and to monitor the document through its life cycle, I advise the following steps:
- 1. Getting started is the most difficult. In order to ward off procrastination, determine the end date and go backward from there. If there is no pressure for an end date, your day job will override the 'important but not urgent' task of documenting the policy and procedure.
- 2. If you were planning the documentation program, I'd suggest starting with a vision, mission, goal and scope; however for a document, I'd suggest to start with 'what you know'. I'm a process person, so I like to begin by drawing out the process, warts and all. For number people, begin with the measures or financial statement reporting and deconstruct to find out more about the process. For verbal people, begin by making lists and sort into key process phases. For facilitators, bring together key people along the information flow stream and get them to brainstorm and discuss the process. These are all part of the data gathering stage.
- 3. Classify, categorize and summarize the data gathered. Organize this information without analyzing it. Accounting and Finance professionals really like to get into the analysis and can't help problem solving. Make notes about how you would improve the process, assigning actions and next steps to owners; however don't get lost in the analysis stage.
- 4. Accounting and Finance professionals are generally NOT good writers. They have to work at it; so begin to compose the content and don't worry about writing in complete sentences or editing. Your notes from #3 helped you to categorize the data and there should be a flow which describes the process. To fill in the blanks in the process, I use capital letters or highlighting to address where I think certain steps belong, but where I don't have the necessary detail to complete the document. Don't NOT write, because you don't know the next step. Use a template or checklist to help you figure out what to include. Find examples of similar processes and use these as a starting point or guide in developing your own document. Consider your audience and what level of detail and information they are likely to need.
- 5. Circulate this draft to: a) validate your understanding, b) complete the missing process stages. Bring key people together to discuss, validate and/or confirm the facts. Consolidate the feedback received and update the document. Resolve disputes by looking at the process from a higher view, practice consensus and team building skills. Determine who to circulate the document to may be difficult, begin by circulating to those who helped you gather the data then broaden your scope to include others who might be useful in filling in gaps and/or have similar processes which you would like to emulate. Some companies may have a standing committee to review documents.
- 6. Refine the document and repeat steps 4 and 5 until the group has granted its approval. On the second circulation, I recommend including a cross functional group or a broader reach in order to test assumptions and gain additional feedback. So it doesn't become a career, tell people that you will only circulate the draft two or three times before it becomes final and is forwarded to the executive sponsor for signoff.
- 7. Depending on the executive sponsor's level of interest, he / she may want a formal presentation of the documentation and its related process and measurement backup or he / she may want to review and ponder it quietly. You need to know your executive. In my experience, managers included within step #6 shall re-write the document and executives in this step will provide little if any feedback. Unless new or different information has come to their attention, they will generally rely on the due diligence provided by their reports and approve the documentation.
- 8. Once approved, the document needs to be edited once more to ensure all comments and edits are reflected and issued on the public bulletin board; electronic or physical. A communication needs to go out employees and perhaps education and/or training needs to be arranged.
- 9. Serve as a general contact for questions or issues concerning implementation, measuring or reporting. Monitor feedback as to when the document needs to be updated or changed.
Share your stories about where you got stuck and how it was resolved, or share where you ARE stuck; sometimes all you need is a sounding board. Ask the PolicyGuru to assess, evaluate and review one, some or all of your policies and procedures. Describe the scope of what you would like assessed and ask for a quote by submitting your request to [email protected]
Q: Why is there so much emphasis on process and documentation?
A documented process in an environment where continuous monitoring and improvement occurs is a strong indicator that the company is operating 'with purpose' and is 'in control'.
"Operating with purpose" is a term I use when assessing whether a company's goals and objectives are aligned with the activities actually conducted and whether the goals or objectives can be achieved. It is a good bet that by evaluating and monitoring results, the company will be able to continuously evaluate whether they have selected the appropriate goals and objectives and whether the attitude, skills, knowledge and resources available will ultimately achieve those goals.
The opposite of 'operating with purpose' is 'operating by accident' or in an ad hoc manner. While specific milestones and achievements may be reached, it was not clear how they were achieved; therefore they are not replicate-able.
The word process refers to a definable, repeatable, predictable, measurable, integratable series of tasks. For a process to be complete, it must have all these dimensions:
- Definable in that there is a specific scope encompassing the series of tasks; there is a beginning and an end. There are defined inputs, defined work activities and defined outputs. There are no tasks which remain undefined to the process. Example: G equals E plus F.'
- Repeatable in that is there are consistent, recurring tasks which make up the process. To ensure consistent outcomes, each time the tasks are undertaken they are performed in the same way. There is little or no room for variation to the sequence of the tasks. Example: task E always precedes task F.'
- Predictable in that once the tasks begin, consistent, comparable outcomes result. It can be computed so that when the inputs are known the outputs are expected and if the outputs are known the inputs are calculable. Example: E plus F equals G.'
- Measurable in that performance measures are embedded into the process as an indicator of the predictability of the process. Example: 1E plus 1F equals 1G.'
- Integratable in that processes are dependent on, connected and interact with other processes. Example: B and C are part of D.'
If the objective of an effective control is to ensure that a definable, repeatable, predictable, measurable outcome occurs each time a process is followed, then why not produce documentation in support of the process. Documentation is used to communicate, instruct, monitor and validate that the process is current and relevant in achieving operational alignment and success.
Note that you could have a definable process and still not have control, if you haven't designed in the appropriate control elements into the process. Therefore it is a myth that a defined process equals control OR that documentation equals control.
For an assessment of whether you are you running your company with purpose or by accident; contact the [email protected] for assistance.
Q: How do documented processes improve governance?
According to the International Federation of Accountants (IFAC) Governance refers to a set of responsibilities and practices exercised by management with the goal of providing strategic direction and tactical guidance to ensure that company goals and objectives are achieved, risks are identified and managed appropriately and resources assigned responsibly. The key messages are that governance is a process which when practiced reinforces integrity and accountability into any established process and demonstrates leadership.
Documentation is about definition and communication providing direction and substance when used for financial reporting purposes. Using a top-down approach, documentation is about establishing and communicating the principles, rules and behaviors to the greater employee population. Documentation is used to provide authority and accountability to employees to act within defined parameters. Using a bottom-up approach, documentation is about informing management about how work actually gets done; i.e., identifying the steps required to process transactions.
Regardless of the method used to document new or existing controls, the goal remains the same-to accurately describe the company's control procedures and internal control posture, as they currently exist. The preparer of this documentation should have an in-depth understanding of:
- The entity's current operations and existing control procedures;
- Internal control concepts, as described in the COSO framework;'
- The financial reporting process; and
- The assertions and disclosure requirement represented in the financial statements
Once the documentation becomes established as an accurate reflection of internal control, and standardized updating procedures are in place, actual changes to the processes must be reflected in the documentation. At least annually, process owners must review and attest that the documentation is current and accurate.
Is your documentation sufficient to address governance needs; send a copy of your table of contents to the PolicyGuru for an evaluation or request an evaluation of your documentation program to www.idealpolicy.com
Q: Since process occurs at the transactional level, what is the role and responsibility of the senior accounting and finance leaders?
COSO has defined specific roles and responsibilities for senior accounting and finance leaders when it comes to process documentation. Roles and responsibilities as aligned with the COSO segments and may be expressed as:
Management Oversight and Culture: The Board of Directors is responsible for approving strategies and policies.
Senior management is responsible for:
- Implementing the strategies approved by the Board of Directors;'
- Establishing appropriate policies; and,'
- Monitoring the effectiveness of those policies.
Managers are responsible for establishing a network of processes with the objective of controlling the operations in a manner which provides the board of directors reasonable assurance that:
- Data and information published either internally or externally is accurate, reliable, complete, and timely.'
- The actions of company officers, managers and employees are in compliance with the company policies, standards, plans and procedures, and all relevant laws and regulations.'
- The company's resources (including its people, systems, data/information bases, and client goodwill) are adequately protected.'
- Resources are acquired economically and employed effectively; quality business processes and continuous improvement are emphasized.'
Risk: Senior management is responsible to Identify and evaluate, document and mitigate factors that could adversely affect the achievement of the company's objectives.
Control Activities: Senior management is responsible to ensure that:
- operational areas are in compliance with established policies and procedures; and,'
- control activities are an integral part of the daily operations.'
Information and Communication: Senior management is responsible for establishing effective channels of communications to ensure that all staff are aware of policies and procedures affecting their duties and responsibilities.
Monitor: Senior management is responsible for establishing and monitoring the effectiveness including the accuracy, timeliness and completeness of the documentation program.
Evaluation of Internal Controls: Internal audit / control function is charged with the responsibility for ascertaining that ongoing operational processes are adequately designed and are functioning in an effective manner.
Is your documentation sufficient to address governance needs; send a copy of your table of contents to the PolicyGuru for an evaluation or request an evaluation of your documentation program to www.idealpolicy.com.
Rose Hightower, Accountant, MSc, is the owner of IDEAL Consulting Solutions International, LLC, a firm specializing in consulting in implementation of internal control policy and procedure programs for companies. Bringing over 20 years experience from IBM and as a finance manager and providing service as a professor her program contains practical lessons and simple solutions for any size company. She is known as ‘the Policy Guru' and offers direction to clients via her website www.idealpolicy.com