Easing your CFO’s SOX Pains
How internal audit technology can help manage ongoing SOX compliance
By David Chiang, CA, CIA, CMC, ACDA
Enron and WorldCom may be old news, but organizations continue to struggle with reining in the ongoing costs of adhering to Sarbanes-Oxley (SOX) legislation. As the dust has settled and processes have been implemented, there is still room in many organizations for optimizing current SOX programs. How can audit technology ease the burden and make managing SOX compliance more, well, manageable?
Here are five ongoing SOX pains that CFOs must manage – and that internal audit can help ease:
1. The Buck Stops Here
SOX requires the CEO and CFO to certify the accuracy and truthfulness of periodic (annual or quarterly, etc.) reports. If certification is made and the reports are found to be financially unrepresentative, the CEO and CFO can be found criminally liable and face imprisonment of 10 to 20 years. In addition, civil penalties can include fines of up to $5 million.
The adoption of enterprise-class finance, accounting, customer relationship, warehousing and manufacturing systems vastly improved corporate efficiency and productivity over the last decade. Yet the sheer number of data elements these computing systems define has made it more difficult for financial professionals to expose potential governance problems or internal control breaches in a comprehensive and timely manner. Now, slashed budgets and reduced reporting timeframes place greater and greater pressure on corporate professionals to perform more for less. CFOs require integrity, accuracy and completeness of data to confidently certify financial statements and create solid internal controls.
Solution: CFOs need a trusted partner with expertise in information technologies, internal controls and financial audit to help them design controls in compliance with SOX. Enter: Internal Audit.
2. So Many Systems…
To get a complete view of enterprise performance, CFOs face major challenges in extracting data and intelligence out of multiple core systems (ERP, CRM, legacy systems). Data warehousing solutions originally devised for business intelligence purposes often aggregate slices of data, but not complete transactional information. So, whereas they solve the problem of data integration, they fall short of the financial reporting requirement for completeness.
The reason that financial professionals still rely on spreadsheets stems directly from the difficulty of accessing and aggregating transactional data from across the information systems in an organization. Relying on spreadsheets is inherently dangerous because they lose the audit trail and even tiny transposition errors can expose them to risk.
Solution: Audit technology’s combination of data extraction and analytics with a reporting tool provides a solution that reduces the risk of transposition errors, and addresses the completeness requirement while maintaining a complete audit trail.
3. So Little Time
CFOs must comply with accelerated reporting timelines with an extended range of reports and filings. 10-Q reports must be filed within 15 days of quarter end, and each 10-Q must include management attestation to the correctness of and the effectiveness of internal controls.
Sample testing is not enough to provide organizations substantial information on regulation and compliance. Data analysis technology allows auditors to efficiently review 100% of data populations to detect potential violations early, reducing their impact and overall exposure.
Solution: Internal audit, working with the CFO, can assess, design and rapidly implement internal control systems which are low cost, low maintenance and yet robust and comprehensive.
4. Untrustworthy Data
Data quality plays a key role in financial reporting and regulatory management disclosures. Because data informs reports, ensuring accurate and complete data becomes paramount when creating financial reports. A shift in accountability has occurred, placing much of the responsibility for day-to-day data quality management on operational executives who understand the data and its purpose and therefore are in a better position to engineer processes that improve its quality.
As a result, overall corporate responsibility for data quality has shifted more and more to the chief financial officer whose role as champion for corporate compliance and control standards has always relied on the integrity of data in underlying systems.
Solution: Internal audit can help by providing data quality services as a component of an overall business assurance assessment and remediation project. Audit analytic technology reduces the time to remedy data quality issues when compared with custom or proprietary data quality software. In addition, it can conduct powerful transactional analyses such as classification that are specific to financial reporting.
5. Wanted: Autonomous Validation That Controls Are Working
Some form of independence from daily processes is necessary to ensure that monitoring serves as an effective control. Periodic management reviews of performance do not represent a continuous monitoring system. Instead, such reviews are considered control activities. Monitoring involves external oversight of internal controls by internal audit.
Audit technology runs alongside mission-critical operational systems, to streamline the process of checking for compliance with internal controls and business rules. Accessing production data without impacting either host system performance or data stored therein, analytic technology works independently of organizations’ transaction processing systems, impartially assessing transaction patterns that match known suspicious behaviors.
Solution: An independent, autonomous monitoring system allows logical tests for identifying control breaches or dubious transaction activity to be run without impacting core systems.
Watch a webinar on how Take-Two leveraged technology to automate the evaluation of a key SOX business control to mitigate fraud risk.
David Chiang, CA, CIA, CMC, ACDA, is a recognized professional on the use of audit analytics to monitor organizational compliance. He has presented his theories and case studies at numerous internal audit and system control conferences throughout North America.
As a Chartered Accountant, Certified Management Consultant and Certified Internal Auditor, David has extensive experience in analysis, fraud detection, and system integration consulting. He is currently General Manager and Director, Professional Services with ACL Services Ltd. – a Vancouver-based software company that provides audit analytic technologies to the Governance, Risk and Compliance market.
David is a member of The Institute of Internal Auditors (The IIA), Canadian Association of Management Consultants (CAMC) and Canadian Institute of Chartered Accountants (CICA). He was twice elected to the Council of the Institute of Chartered Accountants of BC (ICABC), which is responsible for the governance of the accounting and audit profession in BC. He currently serves on the ICABC Professional Conduct Enquiry Committee and Rulings Committee.
The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®


