[Owasp-board] Discussion on Proposal 6

Andrew van der Stock vanderaj at owasp.org
Fri Oct 9 12:17:42 UTC 2015

I am really keen to reduce the amount of bureaucracy involved in expense
management, but this is a really well trodden path in every single SME to
major enterprise.

My main concern is no upper bounds on pre-approved expenses. This means
that if a local chapter managed to get an approval for a $50k conference
centre fee, say AppSec AU in 2011, all chapters would be automatically
allowed to claim that expense too. I want to enable that,
whilst not allowing us to be hit with hundreds of large conferences being
organised throughout the year. We simply don't have the staff bandwidth nor
the funds to do that today.

Typical financial governance is pre-approval for expenses under a certain
dollar value, and a single sign off within the Foundation approval for
expenses between say the cut off and say a $10k limit, and senior
management approval above $10k. In my view, we can hit the home run we all
are looking for, whilst still maintaining good financial governance over
major expenses whilst not ruling out ANY type of expense that a chapter
might be able to come up with.

My view is that we go through all the paid out expenses over the last two
years, and work out some limits. We can tummy tussle over the exact limits,
but I feel the following would be a good start:

$0 - $1500 should cover nearly all expenses paid to date along with the
above proposal's list of pre-approved expenses
$1500 to $10k should be an approval level granted to a project coordinator
or chapters coordinator. All expenses are subject to sign off prior to
incurring the expense
$10k ... $100k is within the signing range of the Executive Director, and
would require pre-approval before incurring the expense
Above $100k would require Exec Dir + Board approval.

That way, local area conference bills of $50k don't hit us without
forewarning, and yet we have the flexibility of allowing LAScon and AppSec
Cali to work without a special rule or budgetary process. The majority of
projectors, catering, room fees, and so on would never be huge amounts of
work for Foundation staff.

I think it hits what you're trying to achieve without opening us up to some
serious financial problems down the track.


On Fri, Oct 9, 2015 at 1:20 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Here is the current text for proposal 6:
> *If a request for funding has been approved for one chapter or project,
> then it can be considered an acceptable expense for all chapters or
> projects.  If they have an account balance which covers that expense in
> full, then they should be considered pre-approved for spending.*
> *Tobias:*
> I agree in spirit, but I think this needs clarification and am a bit
> concerned about liberal interpretations of what is the same expense type.
> Expenses tend to not be exactly identical and I like to save chapter and
> project leads from searching the public expense lists for precedents. As
> one example if a flight ticket is approved for a chapter leader to attend
> the AppSec chapter leader workshop, that should not mean we also approve a
> flight ticket to Bahamas for holiday for another chapter leader.
> Technically both are flight expenses for chapter leaders. (I know I am
> splitting hairs...)
> Suggested revision:
> Proposal 6: If a request for funding has been approved for one chapter or
> project, then it can be considered an acceptable expense for all chapters
> or projects. Our operations team shall periodically (at least once every 3
> months) review the list of published expenses and if new expense types come
> up add them to the published list of acceptable expenses. If the chapters
> or projects have an account balance which covers that expense in full, then
> they should be considered pre-approved for spending.
> *Josh:*
> I think that we need to trust people to do the right thing.  To my
> knowledge, we have never had a person try to request reimbursement for a
> trip to the Bahamas because someone got a flight paid for to AppSec.  Also,
> keep in mind that this is a reimbursement process so our Operations Team
> determines whether a request is legit.  To me, it would seem like you're
> putting a lot of extra work on the Ops Team with little added benefit since
> they are still going to have to find a way to write it up so that it will
> not be misinterpreted.  I think we have reasonable controls in place to
> prevent abuse and our liability here is minimal.  I don't see a need to
> revise it in this manner.
> *Tobias:*
> Well, I don't think maintaining a list of good examples is an unnecessarily
> heavy workload. And in the long run, searching through a long unstructured
> list of published expense claims will be more workload for both the staff
> and the community to check for good expense precedents. If we do this one
> time per quarter, the effort is clearly limited. If we (staff and leaders)
> have to review an unlimited year long list for precedent, this seems much
> more effort.
> *Josh:*
> In theory we are supposed to be maintaining a list of good examples
> already.  Some of them are listed in the Chapter and Project Leader
> Handbooks.  That said, they aren't anywhere close to all of the possible
> things one would want to spend their money on.  The idea here was simply to
> maintain the running list of all expenses that are approved or denied
> (proposal 5) and use that to drive spending.  Again, I think this comes
> down to a matter of trust.  We need to trust our Leaders to do the right
> thing.  We need to trust the staff to ensure that the reimbursement is
> legitimate before sending them a check.  With so many complaints about
> difficulties with the reimbursement process (as much as I've never seen
> them), we should be looking for ways to strip away the red tape, not add
> more of it.
> ~josh