Q&A With VP Governance, Internal Audit At Polycom

This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs. An index of previous conversations is available here.

You head both internal audit and governance. How did the position evolve?

I’ve been with the company for eight years and was originally the worldwide controller. After four or five years I moved to New Jersey, and at the same time we were acquiring a company on the East Coast called PictureTel … After that, we gave thought to a formalized internal-audit function for the company. We’d talked about it for a number of years, but the opportunity didn’t arise to pull the trigger until I was back on the East Coast.

Why then? Was that influenced by Enron and the like?

Seeing how disruptive that sort of crisis is to a company was a motivating factor, but something of equal weight was having the resources to do it. Having insight into the operations of the company, establishing the internal control structure at the time, and being able to provide some oversight to the processes and looking at it more from an audit perspective, all helped us decide it was the right time ...

One reason we decided to combine the role was that when you saw the problems occurring at the time, pretty much all of them stemmed from accounting and auditing issues. We felt that having somebody with experience in disclosures and accounting and auditing could do the role.

All that happened in 2002. How has Sarbanes affected your job since then?

Well, when we talk about where I spend my time, obviously 2004 was not a normal year. The vast majority of my time last year was devoted to that particular effort.

First in 2004, we set up a project-management role which I headed. I run internal audit by outsourcing staff work to KPMG; another firm, PWC, is our regular external auditor. So I oversaw the work and did a lot of scoping out the project, and set up the internal infrastructure to support our internal-controls assessment process … Particularly in the second half of last year, that took up 90 percent of my time on a daily basis.

How did Polycom establish that internal structure?

First we had a worldwide kickoff meeting early in the year, to identify who our process-owners and what our key processes were. That helped everyone understand who the people were in charge of this project, how important was it. Our audit committee chair came in and gave a discussion on the importance of this effort.

We also created a steering committee of the vice presidents who headed up the key functional areas. We met on a regular basis, and obviously as we moved to the end of the year those meetings became more frequent …

Initially when we set up the steering committee I believed it would be a process-management type organization that would disband at the end of the first year. Eventually we realized this was a great communication vehicle; rather than meet and interface with individual process owners, it seemed much more efficient to meet as a higher-level management team to disseminate information throughout the enterprise to ensure we have ongoing compliance focus.

Have you implemented any new IT tools for controls assessment?

In late 2003 and early 2004, I looked into what’s out there to coordinate all the documentation. I didn’t really see anything that great. We implemented SharePoint from Microsoft, which essentially is an ability to have your documentation organized and available for review and approval—but that’s basically a database. We didn’t put anything more sophisticated in place.

As we look at 2005 and what we want to do from a tool perspective, now I understand what I want. I’d like something that, when we do encounter deficiencies, helps me coordinate what type of remedial action must be put in place and how we track that. We did that at the 404 steering committee level; it would be nice if we could do that with a tool. Plus it will also help us get to follow-up testing if necessary … and I still haven’t found that answer yet.

Section 404 aside, what else have you had to tackle?

We found that a lot of the requirements coming out of Sarbanes and other governance organizations we already had in place. We already had a super-majority of independent directors; we already had the audit and governance committees made up solely of independent directors; we already had executive sessions of independent board members without management present.

One thing we did do was to document our Code of Conduct. Also, in late 2002, I began to read articles about compliance training programs and Web-based programs in particular. I’ve seen larger companies use these structured training programs that don’t really reach all the persons in the company. I wanted to set up a training program to fit the culture of our company but still meet the requirements of the federal sentencing guidelines. So I began looking at these Web-based compliance training programs.

Which company did you select?

We decided to use a company called Integrity Interactive.

And how did you structure the training?

I began to work with them and my general counsel, and we decided there was a core set of courses—17 in total—that we felt every employee should go through. And that it’s Web-based makes training easy for employees to go through … They can get on the Internet and bang out a course in 20 or 30 minutes. We also began to look at focusing some of that training on functional areas. Should sales people worry about financial integrity? Should manufacturing people worry about antitrust law?

Should they?

We felt that because we’re a relatively nimble company, there are a lot of blurred lines between responsibilities. And we said, “Yeah, there is a possibility that every individual can find himself involved in situations where he should understand these basics.” So everyone had to take all 17 courses, and we gave them a fixed period of time, 15 months, to get through them. That’s been very successful.

What’s your typical day like?

I look at it from a week perspective. I start out every Monday morning at the executive staff meeting, where there’s a video session with different executives around the world. I get to hear what is happening and the key action items for the company. Then I’ll take a look at the training database; every week we get a report on where everybody stands relative to where they should be in their training. And because everybody now is hitting that 15-month deadline, executives want to understand who is falling behind and whether they need to prod any people. So I make sure I get a report out to the executive team early in the week on Monday or Tuesday.

Then I’ll meet with our general counsel keeping up on issues. I track our whistleblower system … Usually there are investigations that take place, but mostly it’s people asking questions about is such-and-such against our Code of Conduct.

Who typically leads an investigation?

If it’s an actual investigation that needs to take place, first I talk with our general counsel and our external legal counsel, and we’ll agree on a process. We’ll agree that it’s something for our internal audit department to investigate, or some other approach … and then I’ll give status reports to our GC and our external counsel as well. I’ll also advise our CEO and CFO early in the process and what we’re doing to address it, if they think we should take a different approach.

And your top compliance priorities for the next 12 months?

As most companies will say, obviously ensuring a sustainable process for internal controls assessments will always be there, so that’s something we’re focusing on.

But I mentioned from our training program that the bulk of our employees have gone through the 17 courses they need to do. I think the next step is to formalize how we keep key employees updated on the changes in laws and make sure they’re refreshed and understand their obligations. So perhaps I’ll work with our general counsel to develop more interactive training, to develop more topics specific for functional groups.

Thanks, Don.

Compliance Week regularly profiles corporate executives responsible for governance, compliance, ethics and risk. Click here for recent Q&As. If you would like to be considered for a future Q&A, or if you would like to nominate a public company executive for a Q&A, please email Matt Kelly.

Click here for upcoming Webcasts with compliance officers.