[Owasp-leaders] Project money

Tobias tobias.gondrom at owasp.org
Thu Jul 17 10:59:57 UTC 2014


Hi Larry,

thank you very much for your idea and I agree with you. Proper spending
and management of our funds is essential for our organisation. So this
would be a general "up" from me.

Maybe some additional thoughts on your points:

"I am proposing the following change. Purpose here is to create a
two-person authorization to pay expenses and to create transparency of
project expenses."

A: In my understanding the current procedure is a two-person
authorization: the project leader and the OWASP Projects Manager being
the two persons to authorise the spending. (Note: in general project
leaders cannot spend funds on themselves.) Do you think we need more
controls?

Regarding your specific suggestions:

"Monies to be paid must meet the following criteria:
1. A description of the expenses on how this relates to the project.
2. Expense must be published on OWASP wiki project page prior to being paid.
3. OWASP staff member and a project leader/project support person or a
designated OWASP project person must validate and prove the expense."

#1: I believe, when you submit requests for reimbursements today you
already have to fill in the description in the reimbursement form.
#2: I am a bit concerned with administrative overhead for the project
leads to do that. As they already filled out the reimbursement form with
all that information, maybe we could try to use automated reports that
document all expenses (instead of manually adding content to the wiki).
And considering that our staff is currently over-busy, I would not want
to put the admin burden on staff to verify for each transaction that the
expenses have been published on the project wiki page.
#3: I agree with that. And my understanding is that that is already the
case in practice. Project Lead submitting the request (first
authorisation step) and project manager (which was staff) validating
request (2nd authorisation step).

As I have the feeling that we are already doing #1 and #3, I am not
quite sure where to go from here. I would see the benefit of looking
into how we can produce automatic spending reports and publishing them
to the projects.

Am I missing something?

All the best, Tobias


Ps.: small question: may I ask, why you would want to exclude OWASP
board member or elect OWASP board member from being a project designate?
Do you see a conflict of interest here? (Just fyi: today, individual
board members do not have any special authority to sign-off in this
chain, except for Michael who has been designated as interim ED for a
while for the time after Sarah's departure, so only in his executive
function, but not his role as board member.). Equally board members are
not forbidden to take part in normal OWASP activities or lead projects
or chapters as any other OWASP leader. E.g. I am for example helping out
on the London chapter board, and as in any other chapter with such
co-leader roles, I sometimes review and agree with my chapter leaders'
requests for funding for chapter expenses for local events....
(two-person review and authorization). Do you see this as a problem?



On 13/07/14 03:37, Larry Conklin wrote:
> Because of previous email(s) the subject of project money has come up.
> I want to let everyone know to the best of my knowledge the money for
> the Code Review project has been spent correctly and nothing is amiss.
>
> I do believe there is an opportunity to improve the expense payment
> process of project expenses. Please feel free to change the text (add,
> delete, change). A discussion on actual policy is much better than a
> useless email(s) discussion that does not make any change(s) to
> improve OWASP. Our mission is too important.
>
> The current URL for OWASP policy grant spending:
> https://docs.google.com/a/owasp.org/document/d/1yX68nS20qj7QNTcDkKCD3hSfFEbJaBKjoWjc2wF_aLA/edit
>
>  
>
> I would like to see the board make an up or down vote on the
> following change to the policy and have this change be made part of
> the actual policy instead of being a guideline.
>
>  
>
> Here is the guideline I want to be made as actual policy....
>
> 3. /All expenses to be made using grant awarded funds must be
> pre-approved by the OWASP Projects Manager./ 
>
>  
>
> I am proposing the following change. Purpose here is to create a
> two-person authorization to pay expenses and to create transparency of
> project expenses.
>
>  
>
> Item 3: Expenses to be paid out of project funds (grant and non-grant
> funds) should be submitted to OWASP staff to be paid. The submitter
> will be the  project designate with a complete description of the
> expenses (project designate cannot be an OWASP board member or elect
> OWASP board member).  Prior to submitting the expense to be paid the
> expense must be published on the project wiki page. Monies to be paid
> must meet the following criteria.
>
>
>  1. A description of the expenses on how this relates to the project.
>  2. Expense must be published on OWASP wiki project page prior to
>     being paid.
>  3. OWASP staff member and a project leader/project support person or
>     a designated OWASP project person must validate and prove the expense.
>
>
>       Larry Conklin, CISSP (Co-Leader for Code Review Project)
>
> L