Hello, New CIO, Do You Understand Sarbanes-Oxley?

As a CIO of a financial organization, you have a great deal more to think about beyond just asset management and document management. Your main concerns include keeping your organization’s data safe and navigating the rules of Sarbanes-Oxley (SOX).
SOX is not the new kid on the block; it was passed into law in 2002 in response to notorious accounting scandals at WorldCom, Enron, and other public companies. It was instituted upon the premise that if we could ensure the quality of corporate financial reporting based on secure internal controls, we could enhance the integrity of our records management and financial system. SOX ushered in a number of new requirements for company management and boards as well as for the accounting profession. Among the more noteworthy aspects, per Section 404 of the Act, CEOs, CFOs, and CIOs must personally affirm their responsibility for maintaining an adequate internal control structure and procedures for financial reporting and (per Title III) can be individually liable for shortcomings in the accuracy and completeness of corporate financial reports.

Less well known is just how corporate management and the auditing community design and evaluate internal controls. They rely on the Committee of Sponsoring Organizations of the Treadway Commission (COSO), an organization that provides thought leadership and guidance on internal control, enterprise risk management, and fraud deterrence. COSO promulgated the foundational guidelines in its Framework as far back as 1992 and updated its guidelines in May 2013. Generally speaking, the updated guidelines accommodate a business landscape that has changed considerably over the past two decades. Of interest to those who are naturally drawn to this blog is that the new Framework draws special attention to technology assets. The updated guidelines set a deadline — today — for companies to adopt their new Framework for internal controls.
The new Framework is composed of five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities. These components embody 17 principles representing the fundamental concepts of internal control. The principle of interest to Finance/Accounting and IT executives is a control activity: “The organization selects and develops general control activities over technology to support the achievement of objectives.”

What does this mean for corporate staff? The new Framework has implications for IT asset management (ITAM), IT service management (ITSM), and data security — a set of disciplines we call technology asset management.
Internal auditors will be obliged to scrutinize their IT and procurement departments much more carefully than ever before. The quality and degree of housekeeping around ITAM will have to escalate dramatically. Organizations will need to know persistently whether software entitlements match actual usage (no small feat). Organizations also will have to know where devices are located so they’re not just asset tagged and forgotten. At a time when it is more likely that companies will record furniture rather than software on their balance sheet, the accounting profession is finally addressing the assets that generate significantly more return — and risk — to shareholders.

A company that has outsourced IT to a third party should be especially interested in the updated COSO Framework. Outsource service providers can give companies the false comfort that the ITAM box is checked, but they often fall short of comprehensive control.

Considering how vulnerable companies have been to security threats and how increasingly public security failures have become, we predict that these new SOX guidelines will be an important catalyst for improvement.

Technology asset management is hard to get right. It is a practice that cannot be executed simply by purchasing software. Instead, a rigorous SOX and governance plan should be created with the organization’s needs in mind.


Five Rules to Giving A Better Speech

I was reminded the other day how important it is to read a room and adjust your speech to your audience. No one wants to hear you talk about yourself for an hour. People want to hear things that are directly connected to them. Before you speak to a diverse audience, take a minute to understand their “WIIFM”: what’s in it for me. Leaders of companies sometimes live in a bubble of numbers, decisions and risk versus reward. That’s what their entire day looks like. From the moment they get into the office they have one of the above on their mind. As much as they would like to downplay it, when they are in a room of employees, they don’t see people. They see wages, healthcare, 401k cost, FTEs, tax filings, etc. Sometimes it’s hard to switch to seeing people as people.

Here are five rules to giving a better speech:

Good Leaders Don’t Talk About Themselves or Their Company
When you’re giving your speech think of how many times you are using the word “I”. If over 70% of your speech is using the word “I” or the phrase “for me” refocus and think about your audience.

Have Someone Else Write Your Speech
Often, we are in a rush and cobble some words together on a paper and call it a speech. A speech should have seven elements to it.

Who are you? Briefly let your audience know why they should be listening to you – “I’m the VP of operations at Spacely Space Sprockets. I handle your accounts”

Why are you talking to them? – “I wanted to talk with you today because….”

What are you going to talk about? “Over the next hour I will discuss some of the changes in operations…”

What’s in it for them? – “Without your assistance we would not have won….”

What’s in it for them, again? – “Going forward everyone at Spacely Space Sprockets will receive…”

Thank them for listening – “Again, I know you have many things you could be doing….”

Let them know you’ll follow-up – “I’ll have Jane from HR follow-up with you on….”

Practice Your Written Speech on Your Friends or Spouse
Notice I didn’t say your employees. Your employees, no matter how long they have known you, will only tell you what you want to hear. Even if they do tell you the truth, they will not tell you the whole truth. Your friends or spouse are not afraid of losing their jobs. You may not like what they have to say, but it will be said out of honesty.

Keep Your Audience Guessing
Steve Jobs wasn’t the best speaker in the world, but he kept you guessing in his announcements of new Apple products. He kept his audience on the edge of their seat. Not because of new Apple products coming out in the fall. Instead, he would keep his audience guessing because he had spent the last year thinking about what his customers wanted. Not what he wanted. When you speak to what your audience wants, you will always have their attention and you will always keep them guessing.

Don’t Make Your Speech into a Ted Talk
I love Ted Talks. They are motivating, captivating and I always walk away learning something new. Unless you’re rolling out a new cure for cancer, leave the cleverness at home. Ted Talk presenters rehearse, have the support of a large production staff and have been waiting for the moment to be on that stage all their life. You are told you need to speak to your employees two days ago. Keep your speech uplifting and work in your sense of humor and personality as much as possible. More importantly, keep your speech short and to the point.

It’s okay to veer off course if you keep the above in mind. No one wants to see you read a script for an hour. They came to see you speak, not to see you read.

What has been your experience as an audience member or a speaker? Let me know in the comments section.

[CIO] 7 Common SharePoint Roll-out Mistakes (and How to Avoid Them)

Every day I speak with CIOs, and the feedback is always the same: “Carl, we have spent so much time and resources on SharePoint, and we still don’t have a product we can use.”

Here are 7 common SharePoint roll-out mistakes:

Mistake # 1 Lack of Planning and Goals

You can’t build a bridge without a plan and goal in mind. The same is true for SharePoint. You can’t roll out SharePoint without first factoring pros and cons into your decision.

SharePoint requires an extensive amount of planning before, during and after its deployment. The first part of planning starts with understanding how SharePoint will be used and what problems it will solve in the short term and long term.  For example: Human Resources is always looking for solutions to help them improve onboarding and offboarding.

If you’re not sure how you are going to use SharePoint, you will fail. Your goals should be small and easy to obtain in a short time. Too often, organizations have long multiple-year plans for SharePoint without proving its return on investment in the short term.

Mistake # 2 No Documented Governance

No one likes to spend hours on documentation no one will read, but the purpose of documenting your governance plan is to have something to fall back on as users start to use SharePoint. Governance will cover who has access to what, how your sites are laid out and who is responsible for documents and content. Without a governance plan, your site will come out looking like the Wild Wild West.

Mistake # 3 You Didn’t Ask Your Users What They Want

Often only one or two people are pulling the strings with SharePoint, leaving the rest of the organization out of the decision-making process. This will ultimately have a bad impact on your rollout. Ask users what would help them be more productive. You will be amazed at the answers you would receive from them. You don’t have to promise them everything on their wish list, but they will appreciate you listening to their concerns.

Mistake # 4 No Internal Marketing and Insufficient Training

If you wait until the end of the rollout to inform and teach your users about SharePoint you have already failed. It’s best to send out weekly updates to department managers and have your SharePoint team create a duplicate SharePoint site ahead of the rollout so users can start training.

Mistake # 5 Lack of Leadership/Sponsorship

In order for you to have a successful SharePoint rollout, someone’s got to own up to it. Ideally, senior management should play a large role in pre-rollout meetings and its direction for the company. IT should not be the only one in charge of SharePoint’s direction for the company. One of the very first steps is to establish steering committees that will focus on SharePoint’s role and progress. The steering committee should meet regularly even after SharePoint has been rolled out.

Mistake # 6 Underestimating SharePoint’s Cost and Power

SharePoint is sometimes confused with its counterpart, Microsoft Office. So many times I hear, “Users don’t need directions because it’s just Microsoft Office. It’s easy.” SharePoint works extremely well with Microsoft Office, but it is not Microsoft Office. SharePoint should be treated for what it is: an ECM system. SharePoint is also like an octopus with many tentacles to your enterprise resources like Active Directory, Exchange, network drives and Domain Controllers. Care and planning should take place to ensure all of your resources work together smoothly.

If you have not budgeted to have at least one dedicated SharePoint resource to manage your SharePoint farm (the size of the SharePoint team depends on the size and scope of the organization, goals, etc.), just forget it. Stop now. SharePoint requires a resource that is skilled in its administration, security and development. A big mistake organizations make is asking the Windows server administrator, who is already overtasked, to be their SharePoint resource too. If your organization is new to SharePoint, your first step should be to hire a SharePoint architect to lay the groundwork and provide the proper guidance.

Mistake # 7 Creating an Unrealistic Project Plan

A few years ago there were loads of SharePoint consulting firms pushing aggressive 60- or 90-day SharePoint rollouts. The only people that benefited from these rollouts were the consultants who sold unsuspecting organizations on thinking they would be able to roll out SharePoint in under 90 days (size of organization, goals and deployment schedule will be a large factor). Technically you can configure, set up and integrate SharePoint in 90 days, but that’s only 20% of what’s involved. A significant amount of time and resources should go into planning, topology and metadata mapping, training, auditing your current environment and working with departments to ensure the organization’s needs are met. Depending on how fast your organization works, that process alone will take 60 days. When creating your SharePoint plan, lay out dependencies, add buffers for meetings, quality assurance, configuration management and training.

Implementing Compliance and Governance with SharePoint

Over the years I’ve seen some pretty bad SharePoint implementations. Some were the fault of the consulting company, some were the fault of the organization. Each of the implementations had the following in common:

  • Unrealistic Goals and Requirements (too much, too soon)
  • Limited Budget
  • Jack of All Trades, Master of None Consultants
  • Lack of Corporate Involvement
  • Lack of Corporate Communication and Adoption
  • Undefined Governance Plan and Strategy

In “Implementing Compliance and Governance with SharePoint” I discuss how to take SharePoint seriously as an organization and design a governance plan that is aligned with your corporate governance and compliance plan. Each chapter provides real-world solutions on how to resolve SharePoint’s security and governance shortcomings. Implementing Compliance and Governance with SharePoint will be available for purchase and download in March 2015.

Table of Contents

About the Author

Chapter 1: Introduction
Chapter 2: Aligning SharePoint with Organizational Goals and Requirements
Chapter 3: How to Create a Successful Governance Board
Chapter 4: Auditing your Current SharePoint Permissions
Chapter 5: Understanding Document and Record Compliance
Chapter 6: Aligning SharePoint with your Data Loss Prevention Program
Chapter 7: Developing a Strategic Governance Project Plan
Chapter 8: Building a Successful Training and Communication Program
Chapter 9: How to Get a Grip on your SharePoint Environment
Chapter 10: Building a SharePoint User Adoption Plan
Chapter 11: Repair Damaged Credibility and User Morale
Chapter 12: Understand SharePoint Search
Chapter 13: Protecting Documents and Records with Rules and Permissions
Chapter 14: Understanding Digital Signatures and Document Encryption


11 Tips to Help You Master SharePoint User Adoption

Set Expectations Early
To your users, SharePoint is this large system that can do many things for their department. You want to set the expectations early on what the organization will support and what the users will be able to do with SharePoint. If possible, involve your executive sponsor in meetings to highlight his or her support and the importance of SharePoint to your company.

Don’t Overwhelm the Users
SharePoint rollouts are normally handled by IT, and what is easy for an IT department to understand may not be so easy for, say, the Human Resources administrator to understand. Start with the basics and build from there.

If It’s Not in SharePoint OTB (out of the Box), We Don’t Need It Right Now
As mentioned in the previous point, start with the basics. Once users have utilized all the features of SharePoint OTB, only then is it a good time to think about customizations and 3rd-party tools.

Be Clear About How Users Are Measured
Make sure users understand they are responsible for SharePoint’s health. For example, set deadlines on when documents and records should be uploaded and tagged in SharePoint.

Answer The “What’s in It for Me?” Question
Don’t just make demands—get people excited as well. The best way to do so is to show how SharePoint will make life easier—for example, with greater access to documents, documents that are easier to find using search, and the ability to create Apps without waiting for IT.

Provide Hands-On Training With Real-Life Scenarios and Information
Don’t tell users to go to YouTube to find SharePoint tutorials. Instead create in-house SharePoint videos using real employees and real user cases. For example, HR could create a screencast called “How I use SharePoint for onboarding new employees”.

Create and Reinforce Processes
Treat SharePoint as an opportunity to roll out more effective processes that make life easier for users. For example, because all documents live inside of SharePoint, it is now easier for documents to follow the corporate life cycle for proposals (draft to final).

Help Users Learn the Lingo
Create cheat sheets with SharePoint terminology, simple overviews of your processes, and step-by-step summaries of the most important features like tagging and content types. These job aids will serve as handy, easy-to-use references.

Offer Incentives
Motivate your users to dive right in with contests, incentives, and a little competition. For example, you could award a $200 prize to the first users to complete all the metadata tagging for the 100 documents that have been uploaded in the last week. You can also use a leader board in a SharePoint list to show how individual users compare in adoption to generate some healthy competition.

Get Feedback
To get off to a good start, it’s important to clear up any assumptions and to find out what’s on your users’ minds. Remember users will be the ones spending up to 8 hours a day working in SharePoint. Their feedback is very important and should always be considered.

Provide Constant Follow-Up Training
Some people think you train users once and you’re done. But successful training isn’t a one-shot effort. Be sure to follow up after a few weeks because by then, your users will have a new set of questions. A great way to provide follow-up training is to recruit enthusiastic power users to follow up with their peers and use what they find out to create highly targeted lunch and learns for various user groups.