Sarbanes-Oxley Legislation Takes Effect

The Sarbanes-Oxley Act (SOX) is one of the most far-reaching pieces of legislation affecting corporate America in years. Ultimately, its purpose is to restore investor confidence in publicly traded corporations in the U.S. Specifically, the key wording is "... to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws."

While chief executive officers (CEOs) and chief financial officers (CFOs) are the focus of the Act, CIOs will be affected as well. It is technology that will give corporations the assurance that they are in compliance –­ specifically business intelligence (BI) technology. Compliance is more than just financial legislation. At its heart, it is about ensuring the validity and transparency of the creation and documentation of information in financial statements. This month's column examines the significant sections of the Act and addresses what is required of BI environments to ensure the required visibility and validity of data.

2004 is the first full year of SOX compliance, so it is appropriate that we start the New Year with a review of what this means for many organizations. Currently, the plan is for the bill to be in full effect by the end of June 2004. Therefore, all companies having a fiscal year that ends after June 30 will have to be in full compliance from the beginning of the year forward. Financial reporting from January 2004 forward will have to be in compliance. What does this mean to publicly held companies? Let's briefly look at three sections that have a big impact on executives.

  • Section 404: This section is only approximately 100 words in length, yet it packs a powerful punch. Specifically, it states that the CEO and the CFO, attesting to the accuracy thereof, must sign annual reports. In addition, corporations must prove they have proper controls in place to assure this accuracy (the buzzwords SOX uses are validity and transparency) of information.
  • Section 409: This section covers what SOX calls real- time disclosures. The Act requires that public corporations report material events in an as-yet undetermined, but certainly timely (perhaps within 48 hours of discovery), manner.
  • Section 808: This section is the one that gets the attention of most CEOs because it covers the criminal penalties for altering documents. These penalties range from fines to actual prison sentences for reporting false or fraudulent financial statements to the public.

These sections are wreaking havoc on some major corporations today because, regrettably, they cannot track changes to their financial data as it "moves around" internally. Why? Because the common technological infrastructure consists of massive enterprise resource planning (ERP) and customer relationship management (CRM) systems that do a fine job of collecting data, but then feed it to spreadsheets for analysis and reporting! These spreadsheets represent significant manual processes prone to human error, yet they continue to be widely used for planning, budgeting and reporting on financial situations.
Unfortunately, this heavy reliance on manual processing is not sufficient in this post Enron, WorldCom, Tyco and HealthSouth world. Corporations must create automated systems to do their reporting, and these systems must have solid audit trails behind the movement and consolidation of data (validity). Secondly, corporations must be able to reconcile information either by its integration (preferred method) or at least by a common data model and then share the data throughout the enterprise (transparency).

What role does BI play in SOX compliance? It creates an environment that fosters this transparency and validity of the data flowing through an enterprise. There are four information technology (IT) environmental components that are prerequisites for this to occur.

First, you must have a proven BI architectural road map ­– one that guarantees the enterprise view and accessibility of consistent, reliable, maintainable data. My recommendation here is (you guessed it) the Corporate Information Factory (CIF). Its adherence to corporate standards, the enterprise focus and BI best practices have made it an ideal road map for making certain that your technology is doing all it can to ensure SOX compliance.

Second, new business activity monitoring (BAM) software will play a critical role in securing a real-time reporting environment. BAM was defined in a recent Gartner report as "real-time access to critical business performance indicators to improve speed and effectiveness of business operations." In addition, Colin White wrote an excellent overview of BAM in the September 2003 issue of DM Review. I have some ideas of my own about how BAM fits into the evolution of real-time reporting. In Figure 1, you can see that we have evolved a number of technologies that have played a role in the need for integrated, real-time reporting.

Figure 1: BI Today and Real-Time Challenges

Operational systems, while certainly real-time, are unfortunately still so fractured that they can only report on their small sliver of the overall enterprise situation. Early data warehouses at least accomplished getting the data integrated but had high latency in terms of the data currency, eliminating their ability to satisfy real-time requirements. Active or real-time data warehouses have overcome much of the latency but still do not achieve the required currency of information for SOX. The operational data store (ODS) moved our corporations much closer to the ideal state. In fact, many companies today have achieved a low enough latency in their ODSs to be able to claim the necessary timeliness for SOX compliance.

The creation of BAM software has given us a new way to create real-time visibility into critical business events, thus enabling businesses to become much more adaptive and responsive to customers, competitors and economic conditions. BAM software captures and reports on events that modify the state of the business processes. Many of these events may fall within the SOX definition (yet to be clarified) of material events. BAM works with consolidated data either from an ODS or other source of current enterprise data to investigate activities using an analysis engine, to create and distribute reports and scorecards to appropriate dashboards or portals, and to send critical alerts to business users or to operational systems through messages or transactions.

Third, the executive dashboard, much ballyhooed in the past few years, must reach a more sophisticated level of technological prowess to be useful in compliance. No longer can the CEO or CFO simply take a quarterly look at the "numbers." SOX compliance now requires executives to dig deeply into their financial records not at an episodic level, but rather at a steady stream of information. Basically, the chief executives will receive a daily onslaught of numbers, trends, alerts, etc. The executive dashboard must handle more sophisticated sets of gauges, graphs and trend lines. These dashboards must support drill-though capabilities while still remaining easy to use and understand. They must ensure that the executives can understand and react appropriately to real-time and historical analyses. For example, they will need to react to a trend, but continue to observe an exception.

Finally, the fourth component necessary for a BI environment to ensure SOX compliance is perhaps the most difficult and most necessary –­ a solid meta data architecture. BI technology is only as good as the underlying data that it uses, and the goodness of the underlying data must be documented through the meta data repository. SOX compliance will be heavily dependent on a solid technological environment, which, in turn, must be based upon auditable, integrated data from a variety of sources (multiple operational systems, other reporting systems and even external data). For this to be viable, your meta data must be impeccable. Meta data becomes the key to assuring that the numbers are what they say they are and to verifying that the procedures are what they say they are. Meta data gives us the visibility into the "numbers" themselves by becoming an audit trail for the data throughout the environment.

For this to happen, meta data must assume a much more important role than it has in the past. First, it must become "real-time" too –­ just as the data it documents has. Second, meta data must have an architecture that promotes its integration and accessibility. Keep in mind that meta data today is also located in a variety of sources –­ CASE repositories, extract transform and load (ETL) and access tools, operational sources copybooks, data dictionaries, etc. Therefore, your meta data architecture should mimic the one you use for your BI environment –­ that is, it will be similar to the Corporate Information Factory. It will have a meta data acquisition process to capture, integrate, transform, cleanse and load the meta data into a common repository. Then it must have a meta data delivery process that delivers the appropriate meta data into the hands of the business user along with the BI data. It may be that in the future, much of SOX compliance will be garnered from your corporation's meta data rather than its actual data!

Next month, I will continue with SOX compliance by describing how it has created a mandate for CIOs to standardize their corporations' IT architecture, nomenclature, technology and applications. The timing could not be better for these critical initiatives. The next column will also look at some unexpected and perhaps unwelcome consequences that may result from SOX compliance.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access