When the Sarbanes-Oxley Act (SOX) was enacted, implications for information technology (IT) organizations were hardly top of mind. Expected to restore confidence in the financial integrity of public companies, the act followed a spate of scandals that rattled stockholder confidence and the market with it. Intended to improve the transparency, accuracy and integrity of corporate financial reporting, SOX requires publicly held companies to create and maintain effective internal controls, subject to regular audit by independent agents. Procedures and reporting structures must protect corporate assets from potential loss or fraud through improved communication, systems, processes, policies, measures and reporting. The act also establishes personal accountability for chief executive officers (CEOs) and chief financial officers (CFOs) who are responsible for providing real-time, accurate disclosure of any event that could materially impact company financials, including earnings and shareholder value. SOX primarily affects public companies, but those that may engage in a future merger, acquisition or initial public offering (IPO) must also plan to comply.
The key to achieving SOX compliance lies within IT, which is ultimately the single resource capable of responding to the charge to create effective reporting mechanisms, provide necessary data integration and management systems, ensure data quality and deliver the required information on time. The good news is that benefits associated with the investment required to improve data integrity, streamline processes and produce the reporting structures necessary to assure compliance extend beyond improving shareholder confidence and meeting the letter of the law. Providing the robust reporting, data quality and data integration environment required to ensure compliance will support other, perhaps more strategic initiatives by generating higher integrity, more reliable data and, hence, better quality business intelligence (BI). Improved data flows and reporting capabilities can also be leveraged to monitor the progress of various departments, initiatives or lines of business as well as to track performance.
SOX creates some significant challenges related to managing data, and generating and reporting information. Sections 302 and 906 tie responsibility for financial reporting to management sign-off on mandated reports. Section 404 defines assessment of internal controls as management's responsibility with the onus to establish and maintain adequate financial reporting, which in nearly every case implies automation of those control mechanisms. Section 409 demands real-time disclosure of material changes in financial or operational conditions.
IT organizations must respond by creating a single, reliable, timely, accessible and transparent data delivery mechanism to monitor, analyze and report functional, financial and operational events, including any that may signal failure to achieve business objectives, material changes, risk, fraud, crime or losses. They must move quickly to put an action plan in place to meet looming deadlines.
Figure 1 illustrates some examples of the intersection between specific SOX components and associated technology-based requirements.
With less than six months to go before the first SOX deadline, IT projects tied to compliance must be given clear priority. Collecting financial data from multiple sources can prove time-consuming and impact the time necessary for validation. Any error will expose the organization to the risk of non-compliance and the associated penalties. Organizations that have not yet embarked upon a clearly defined path should review Figure 1 and initiate an immediate action plan with clear deadlines and deliverables.
So, where does one begin?
First, an auditable and reliable data integration infrastructure is necessary to manage current and future compliance mandates. Isolated financial data is insufficient for proactive analysis, which requires careful monitoring of operations (work in process, backlogs and placed orders), procurement, customer relations and various aspects of efficiency. Analysis also depends on continuous measurement of business processes and projections rather than standalone data. Integration is essential to identify material events and anticipated change and to alert officers to them. A complete view of company performance is achieved only by consolidating data from a variety of transactional, procurement, trading, order entry and customer relationship management (CRM) applications, Web logs, audit trails and flat files. As a point of departure, integrating financial and non-financial data requires a mutually accepted, standardized data and business rules dictionary; collection of all general-ledger (GL) and off-balance data feeds at the lowest level of granularity; and tracking and application of accounting transformation logic to data elements such as fiscal calendars, accounts, currency, product codes and business unit codes. Furthermore, as indicated in Figure 1, SOX Section 409 requires that this integration occur in real or near-real time to achieve full compliance.
Creating a central repository that maintains a combination of structured databases and unstructured documents or data is one viable approach, especially for small to midsize companies or for lines of business in large corporations. The metadata-based functionality of this repository must include version control of all data elements, lineage, impact analysis, business rules capture and advanced search tools. This provides a platform for achieving a common understanding of business processes and information across the enterprise.
Typically, multiple data feeds in different formats populate upstream components such as data warehouses, operational data stores, analytic applications and executive dashboards. The main challenge IT teams face is determining how to maintain transformation processes and minimize the number and frequency of development errors. Before leaping into a custom development initiative, it is prudent to consider industry-leading extract, transform and load (ETL) tools such as Informatica PowerCenter, Ascential DataStage, Oracle Warehouse Builder and Microsoft DTS to achieve consistent design across many diverse data sources and secure future maintainability of the solution.
Often data does not exist at the necessary level of granularity; some is not captured electronically, much less in a standardized format. Nevertheless, the organization's data integration architecture must be able to accommodate, manage and track all of the data required for compliance. This may be as simple as linking one database to another in a "shared" or "transportation-based" basic architecture model. In some cases, however, a complex "synthesis" architecture, in which multiple records from multiple databases (sales, marketing, accounting, etc.) are matched, consolidated and aggregated, may be required to build a complete picture of integrated performance management. Another approach, data aggregation, combines similar transactions occurring in different time frames. Data consolidation rolls up the various accounts of specific business units into a single account. A simplified view of each of these typical architectures is shown in Figure 2.
Figure 2: Architecture Options for Data Integration
In most cases, no single approach will satisfy an organization's data integration needs. Usually, a combination of architectures incorporating a variety of techniques (push-pull, publish-subscribe or request-reply) is needed.
Data integration is a key component, but not the only mechanism to streamline SOX compliance processes. As compliance and data management professionals know, data integration is only as sound as data quality and integrity. Data quality is the second crucial element in the SOX compliance initiative.
There are many definitions of data quality. Here's a practical view: data has quality if it satisfies the requirements of intended use. Why is data quality imperative to achieving SOX compliance? True compliance demands the following attributes: accuracy, completeness and understandability of data. Accuracy refers to the degree to which data represents reality. Completeness is the extent to which data is sufficient for the intended use. Understandability relates to how easily data is comprehended. SOX Section 409 requirements are tied to additional characteristics of data quality, such as timeliness and accessibility.
Organizations rely on IT to provide effective and efficient data quality management processes. A typical data quality management life cycle consists of four phases: assessment, validation, improvement and reconciliation.
Data quality assessment answers a basic question: How good is the company's data quality? The process involves defining and using metrics, both subjective and objective, and documenting the findings and recommendations for data validation and improvement, a direct response to SOX Sections 302, 906 and 404.
Data validation determines the technical usability of analytical data. It includes translating business rules into data consistency rules and acceptance criteria, implementing them through database design, and comparing loaded data against those acceptance criteria.
Data improvement is a continuous process of data defect prevention, correction and repair. Pragmatic in nature, it consistently generates value.
Data reconciliation identifies and explains inconsistencies in results, applying agreed degrees of granularity, tracking schedules and validation rules. SOX Sections 302 and 906 place a significant emphasis on the accuracy of the reconciliation process by holding senior management accountable for accurate financial reporting. Consistent results, meaning the same numbers across different reports, together with clearly documented explanations for any variance, are required.
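The validation and reconciliation steps described above, as an added Python example that is not from the article: business rules become acceptance criteria, accepted rows are consolidated per business unit and account, and two views of the same figures are compared so that every variance is documented rather than silently accepted. The GL feed, sub-ledger report, account codes and tolerance are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not from the article): a GL extract and the sub-ledger report it should match.
GL_FEED = [
    {"bu": "BU01", "account": "4000", "period": "2004-Q1", "currency": "USD", "amount": "1250.00"},
    {"bu": "BU01", "account": "4000", "period": "2004-Q1", "currency": "USD", "amount": "300.00"},
    {"bu": "BU02", "account": "4000", "period": "2004-Q1", "currency": "USD", "amount": "980.50"},
    {"bu": "BU02", "account": "5000", "period": "2004-Q1", "currency": "", "amount": "75.00"},
]
SUBLEDGER_REPORT = [
    {"bu": "BU01", "account": "4000", "period": "2004-Q1", "currency": "USD", "amount": "1550.00"},
    {"bu": "BU02", "account": "4000", "period": "2004-Q1", "currency": "USD", "amount": "1000.50"},
]
ALLOWED_CURRENCIES = {"USD", "EUR"}   # currency codes from the agreed data dictionary (constructed)
TOLERANCE = Decimal("0.01")           # rounding slack accepted without a documented explanation

def validate(rows):
    """Acceptance criteria: key fields present (completeness), currency in the dictionary (accuracy)."""
    rejects = []
    for i, r in enumerate(rows):
        if not all(r.get(k) for k in ("bu", "account", "period")):
            rejects.append((i, "missing key field"))
        elif r["currency"] not in ALLOWED_CURRENCIES:
            rejects.append((i, f"unknown currency {r['currency']!r}"))
    return rejects

def consolidate(rows):
    """Aggregate line items into one balance per (business unit, account, period)."""
    totals = defaultdict(Decimal)
    for r in rows:
        totals[(r["bu"], r["account"], r["period"])] += Decimal(r["amount"])
    return dict(totals)

def reconcile(left, right, tolerance=TOLERANCE):
    """Key-by-key comparison; any gap beyond tolerance (or a key on one side only) is a variance."""
    variances = {}
    for key in sorted(set(left) | set(right)):
        a, b = left.get(key, Decimal(0)), right.get(key, Decimal(0))
        if abs(a - b) > tolerance:
            variances[key] = {"gl": a, "subledger": b, "difference": a - b}
    return variances

def quality_cycle(gl_rows, report_rows):
    """Validate before reconciling: rejected rows are reported and held out of the balances."""
    rejects = validate(gl_rows)
    bad = {i for i, _ in rejects}
    accepted = [r for i, r in enumerate(gl_rows) if i not in bad]
    return {"rejected": rejects,
            "variances": reconcile(consolidate(accepted), consolidate(report_rows))}
```

Running `quality_cycle(GL_FEED, SUBLEDGER_REPORT)` rejects the row with no currency code and reports a single variance for BU02 account 4000, which is the item an officer would have to explain before signing off.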
While data integration and data quality present the primary challenge, metadata management and business intelligence and reporting are also required to provide a complete regulatory compliance solution.
Figure 3 provides an example of a technological architecture designed to support a regulatory compliance reporting system that can address multiple regulatory requirements, such as those imposed not only by SOX but also by Basel II, the USA Patriot Act and others. This is a complex example of a fully integrated, end-to-end enterprise solution, including source systems, data staging, data warehousing, BI and links to document management and financial management control systems.
Figure 3: Solution Architecture for Regulatory Compliance System
We've applied experience in developing executive dashboards to develop a compliance dashboard that helps monitor and manage compliance requirements once the required IT infrastructure is in place.
Experts estimate that integration activities consume 60 to 80 percent of the time required to establish compliance procedures. (It appears standardized, enterprise-wide business rules and definitions are the exception rather than the norm.) Only IT is empowered with the knowledge, capabilities and, funded appropriately, the capacity to facilitate this process by creating standards and implementing the functional systems required. Now is the time to resurrect efforts to improve data integration and data quality and convince executives of the practical value and efficiency of investing in the creation and management of a compliance solution. As the familiar adage suggests, where there is a problem, there is opportunity.
SOX imposes high standards, and IT organizations face considerable hurdles in meeting impending deadlines. A substantial, unified effort is required to improve data quality, produce and document the requested information, and communicate it to auditors and regulators. However, the benefits of improved data quality and integrity, along with data transformed into reliable, actionable information, will serve as a business asset and finally provide the return on IT investment long promised by data-related initiatives.