Using Business Intelligence Infrastructure to Ensure Compliancy with the Sarbanes-Oxley Act
Written By: Lyndsay Wise
Published On: April 6 2006
The US Sarbanes-Oxley Act (SOX) of 2002 was established to protect investors from the potential for fraudulent accounting. After the exposure of several corporate scandals, such as the Enron and WorldCom affairs, the US government was compelled to pass legislation ensuring accurate financial reporting and auditing from organizations publicly traded in the United States. SOX affects any public corporation competing in the American marketplace. As a result of SOX, not only have financial controls and reporting schedules become stricter, but responsibility for accurately reporting financial results has been placed in the hands of organizational heads, namely the chief executive officers (CEOs) and chief financial officers (CFOs), who must provide accurate financial and auditing data.
This means that financial departments have had to reevaluate the way they manage their controls and reporting. It is no longer possible for organizations to change data without accounting for these changes to shareholders. Now that the responsibility for accurate financial reporting has been placed on upper management, with heavy fines and potential prison terms being imposed for noncompliance, financial analysis tools, such as those provided by business intelligence (BI) vendors, are becoming increasingly important to the financial auditing process. Ensuring proper data controls, proper reporting and auditing structures, and the accurate capture of the ensuing data are important aspects of SOX compliance and make up the essential elements of BI solutions.
There are three sections of SOX that deal directly with the use of information technology (IT). Section 302 requires management certification that procedures have been put in place to address accurate financial conditions and disclosure controls for all financial statements. Section 404 requires management certification that effective internal controls and procedures have been developed for financial report preparation. Finally, section 409 requires that timely reports be provided to investors, the US Securities and Exchange Commission (SEC), and other corporate stakeholders.
How BI Addresses the Needs of SOX Compliance
Traditionally, BI software has targeted the needs of financial decision makers. BI tools initially enabled organizations to analyze financial data, to identify trends, and to drill down on report data to reveal operational transactions, as well as to assign tasks to individual employees, in order to give management the ability to implement robust auditing processes. The driver behind these functions is the ability to capture data from several data sources across an organization, and to centralize them in a data warehouse. Aside from data centralization across the organization, data warehouses allow organizations to implement and monitor data quality activities to ensure accurate data. This reduces the potential for accidental data errors.
BI tools help vendors to meet the demands of organizations that need to comply with SOX regulations, scorecards, and business activity monitoring (BAM). General reporting and analysis functionality permits organizations to take a top-down approach to management, yet still meet SOX compliance. CEOs and CFOs who are responsible for assuring compliancy and who are accountable to the SEC often aren't directly responsible for actual report generation or in-depth budgeting. Task assignment and management of processes are internal driving forces within BI, and help companies manage employee tasks and responsibilities for each financial report and function, as well as ensuring data quality. Basically, BI allows the CEO to manage internal processes and data to meet SOX compliance, and gives CEOs the ability to micromanage tasks at each level to ensure compliance, and to identify any potential errors (as well as identifying who made them, and when they were made within the process). If proper data quality processes are implemented, organizations can guarantee that data errors do not occur within the data warehouse itself and that any keystroke errors and the like are cleansed as they enter the data warehouse, before financial analyses and reporting functions are performed to meet SOX requirements.
Although, as mentioned above, BI software can help organizations meet SOX compliancy, vendors have also taken SOX issues into account when upgrading their product suites to make sure that required standards can be met on an ongoing basis. Even though many other forms of financial reporting software meet SOX compliancy, BI solutions have the added bonus of built-in workflow processes and data integration features to ensure long-term compliancy. Data within spreadsheets can be changed, and structures are not always put in place to manage those changes. However, BI software suites have built-in task assignment and audit functions for managing, distributing, and auditing data (based on where the data comes from, who has ownership of the data, and how the data has been processed).
BI Vendors and Compliance
BI vendors already have the infrastructure to deal with data quality issues, and to monitor those issues over time. Many have also taken regulatory requirements into account to enhance their functionality by adding actual modules or features designed to meet the ongoing reporting requirements of SOX. For example, vendors such as SAS, Applix, and Business Objects integrate SOX compliance functionality into their BI suites.
SAS ensures compliance with SOX by providing the capabilities to assess and validate financial statements with sophisticated reporting and analytics, and to create an audit process with a searchable repository for financial documents, processes and controls. Financial processes are tightly controlled, and reporting cycles are greatly reduced (compared to organizations able to run month-end reports only), due to the structures already in place for cleansing, consolidating, and assessing data. Also, SAS Financial Intelligence allows users to consolidate data from disparate sources more quickly and accurately; track, analyze and report on risks and material changes; and monitor the effectiveness of compliance and governance initiatives.
Applix TM1 has built-in automated logging of all data changes at the user level to provide ongoing audit trails, with the ability to selectively reverse any of the entries. Workflow is also automated to ensure proper review of reports prior to release. TM1 also has the ability to build ad hoc reports, accurately communicating business changes. Additionally, TM1's real-time dashboards help management interact with and manage the financial and accounting business components on an ongoing basis.
The finance intelligence analytics of Business Objects give users the ability to view every area of an organization's financial data, whether from a summary level or a detailed level. For specific SOX audit and control analyses, Business Objects has implemented a Sarbanes-Oxley Analytic Solution, enabling organizations to gain immediate insight into internal controls, policies, and procedures. Additionally, by integrating Crystal Reports into its software suite, organizations are able to perform in-depth analyses of their financial reporting.
Other BI vendors, such as Cognos and Hyperion, have teamed up with consulting firms to provide SOX-specific modules, and to take into account systems requirements as well as business requirements to meet the additional needs of their clients.
Cognos, along with Business Intelligence International (BII), a Cognos Silver Partner, has developed SOX-specific modules to provide clients with the ability to integrate SOX compliancy in the use of their software. These include the SOX scorecard and status reporting module, the SOX work product reporting module, and the SOX analytics module. Along with these modules, Cognos includes data migration activities for loading data from Excel spreadsheets into consolidated databases and prepackaged reports using Cognos Metrics Manager, PowerPlay, and ReportNet. The BII-Cognos solution also has embedded automated testing of reporting audit trails and detection of controls monitoring.
Hyperion has joined with leading business consulting and systems integration firms, including Accenture, Cap Gemini, BearingPoint, Deloitte, and IBM, to help clients meet the financial reporting and auditing requirements of SOX compliancy. Taking into account the essential systems requirements needed to meet SOX compliancy, along with the critical business requirements that can be identified by partnering with a consulting firm, Hyperion has developed an enhanced solution for meeting the needs of its clients. Some of the features provided by BearingPoint-Hyperion are the tracking and visibility of data with corresponding audit trails; event detection and error checking; real-time monitoring of financials; participation by business unit controllers in the certification process; and delegated certification capabilities. Also, performance controls are used to enhance decision making, through a CFO dashboard. System processes are enabled by the sophisticated use of workflow, process management, and the independence of auditing roles and responsibilities.
Other BI and business performance management (BPM) vendors also provide similar functionality to the vendors mentioned above; however, not all BPM vendors have embedded data integration functions, which are essential for ensuring compliance. Without accurate data, the reporting and structures put in place to meet compliance may not be met. Obviously, each organization has different needs when considering a BI or BPM solution. However, when an organization considering SOX compliance evaluates these solutions, data integration and data quality functionality and controls must be taken into account.
The Sarbanes-Oxley Act of 2002 has affected organizations and the way they manage their data and reporting processes, putting a strain on how financials are managed within an organization. BI solutions provide an answer to these issues and allow organizations to address SOX compliancy on an ongoing basis. BI addresses essential data quality issues such as embedded auditing processes, dynamic financial reporting and analysis tools, and data integration functionality.
For organizations that have already implemented a BI solution, whether within the finance department or not, these tools can be used to leverage the required SOX data and to implement a process to meet SOX compliance over time. For large to midsized organizations that are considering implementing a BI software suite, any of the vendors mentioned above should be evaluated based on an organization's individual business needs. For small organizations that don't have the budget to implement one of these vendor solutions, the functionality that they provide can be matched against the organization's business needs (for SOX compliance as well as long-term compliance), for comparison with smaller BI or BPM vendors that are within their budget. Obviously, data quality, built-in auditing processes, and above average reporting functionality are the main aspects to consider, but it should be noted that both Cognos and Hyperion have built-in modules that deal specifically with meeting the requirements of SOX. This means that these vendors have already addressed many modifications or enhancements that would otherwise need to be made.