Enabling Corporate Governance using BI
In this article, we shall explore the nature and notion of compliance, specifically Sarbanes-Oxley (SOX), and what it means for your Enterprise Data Warehouse (EDW).
The Sarbanes-Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted July 30, 2002), also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called Sarbanes-Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom.
The legislation establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. It does not apply to privately held companies. The Act contains 11 titles, or sections, ranging from additional Corporate Board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law.
The Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The Act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.
History & Context
A variety of complex factors created the conditions and culture in which a series of large corporate frauds occurred between 2000 and 2002. The spectacular, highly publicized frauds at Enron (see Enron scandal), WorldCom, and Tyco exposed significant problems with conflicts of interest and incentive compensation practices. The analysis of their complex and contentious root causes contributed to the passage of SOX in 2002.
In a 2004 interview, Senator Paul Sarbanes stated:
“The Senate Banking Committee undertook a series of hearings on the problems in the markets that had led to a loss of hundreds and hundreds of billions, indeed trillions of dollars in market value. The hearings set out to lay the foundation for legislation. We scheduled 10 hearings over a six-week period, during which we brought in some of the best people in the country to testify... The hearings produced remarkable consensus on the nature of the problems: inadequate oversight of accountants, lack of auditor independence, weak corporate governance procedures, stock analysts' conflict of interests, inadequate disclosure provisions, and grossly inadequate funding of the Securities and Exchange Commission.”
Auditor conflicts of interest: Prior to SOX, auditing firms, the primary financial "watchdogs" for investors, were self-regulated. They also performed significant non-audit or consulting work for the companies they audited. Many of these consulting agreements were far more lucrative than the auditing engagement. This presented at least the appearance of a conflict of interest. For example, challenging the company's accounting approach might damage a client relationship, conceivably placing a significant consulting arrangement at risk, damaging the auditing firm's bottom line.
Boardroom failures: Boards of Directors, specifically Audit Committees, are charged with establishing oversight mechanisms for financial reporting in U.S. corporations on behalf of investors. These scandals identified Board members who either did not exercise their responsibilities or did not have the expertise to understand the complexities of the businesses. In many cases, Audit Committee members were not truly independent of management.
Securities analysts' conflicts of interest: The roles of securities analysts, who make buy and sell recommendations on company stocks and bonds, and investment bankers, who help provide companies loans or handle mergers and acquisitions, provide opportunities for conflicts. Similar to the auditor conflict, issuing a buy or sell recommendation on a stock while providing lucrative investment banking services creates at least the appearance of a conflict of interest.
Inadequate funding of the SEC: The SEC budget has steadily increased to nearly double the pre-SOX level. In the interview cited above, Sarbanes indicated that enforcement and rule-making are more effective post-SOX.
Banking practices: Lending to a firm sends signals to investors regarding the firm's risk. In the case of Enron, several major banks provided large loans to the company without understanding, or while ignoring, the risks of the company. Investors of these banks and their clients were hurt by such bad loans, resulting in large settlement payments by the banks. Others interpreted the willingness of banks to lend money to the company as an indication of its health and integrity, and were led to invest in Enron as a result. These investors were hurt as well.
Internet bubble: Investors had been stung in 2000 by the sharp declines in technology stocks and to a lesser extent, by declines in the overall market. Certain mutual fund managers were alleged to have advocated the purchasing of particular technology stocks, while quietly selling them. The losses sustained also helped create a general anger among investors.
Executive compensation: Stock option and bonus practices, combined with volatility in stock prices for even small earnings "misses," resulted in pressures to manage earnings. Stock options were not treated as compensation expense by companies, encouraging this form of compensation. With a large stock-based bonus at risk, managers were pressured to meet their targets.
How does SOX tie in with my EDW/BI initiative?
As the requirements from the Sarbanes-Oxley Act of 2002, or “SOX”, have been assimilated into corporate mindsets, the following has become abundantly clear: SOX is rebuilding the confidence of the investing public, not just for your company, but also for the markets in general. The companies that have embraced this challenge, and have done it well, appear well positioned to reap the rewards of increased investor trust, better internal controls and operations and peace of mind.
Companies have undertaken costly and time consuming control review and documentation efforts, often based upon comprehensive frameworks such as COSO, COBIT, ISO 17799 and ITIL. These efforts are aimed at complying with Section 404 of the Act (SOX 404), which requires management to report on its assessment of internal control over financial reporting.
The challenge is to narrow the focus of your ongoing compliance efforts on the areas which matter the most. Business Intelligence (BI) is one such area, as it touches upon several of the keys for SOX compliance: data integrity, reporting, controls, and security/access.
Over the years we have learnt that data is an asset, and the data in an EDW can potentially affect a company's financial bottom line. Good, bad, or indifferent, data is an asset regardless of how it is perceived: data that is captured, or created on the fly, is an asset whether it is good or bad data. Financial decisions are made based on data every day, sometimes every second, and in some cases (NASA, for example) data affects people's lives. Clearly, data is worth something on the financial books.
Now that data is seen as an asset to the corporation, and is considered tied to its financials, it should be available for audits and compliance reviews. Compliance itself must come from the people within the organization; the data, however, can shed light on the firm's ability (or inability) to comply.
As we all know, an EDW is "A SINGLE VERSION OF THE FACTS for a specific point in time", and its data has the potential to tell the auditors what the company DID and how it REACTED to a specific situation that occurred within the organization. The data in the EDW can also form an AUDIT TRAIL of decision making along the way. The EDW is therefore crucial to uncovering the facts about who knew what, and when. It goes without saying that the EDW must become a system-of-record "capture mechanism" in order to meet compliance initiatives.
In fact, many people around the world are now discovering that the only way to uncover corruption, fraud, or plain misjudgment is to look at the good, the bad, and the ugly data in the EDW, and at how it changed (or didn't) over time. The EDW tells the story of the company's evolution, from the arrival of new source data to changes in the business rules.
How can one "assess the effectiveness of audit controls" without looking into the EDW for a data trail of how the company is operating? How can one "understand the flow of transactions" without tracking how the flow's business rules changed the transactions along the way?
These questions serve to point out the significance of an EDW in capturing the history of the raw transactions BEFORE and AFTER the changes in order to meet compliance.
It pays to remember here that SOX 404 compliance costs represent a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems. This is apparent in the comparative costs of companies with decentralized operations and systems versus those with centralized, more efficient systems. For example, the 2007 FEI survey indicated average compliance costs for decentralized companies were $1.9 million, while centralized company costs were $1.3 million. The costs of evaluating manual control procedures are dramatically reduced through automation, and the importance of the EDW cannot be overemphasized.
Changing the data on the way IN to your EDW can cause a compliance audit failure in the future, especially if the source system is retired, is destroyed, or is unable to "restore" the system of record that created the data in question. The EDW is the ONLY place in the future to house this information.
In other words, compliance initiatives are difficult (if not impossible) to meet without historical tracking of RAW data sets, integrated and stored in the EDW.
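The points above (capture raw records unchanged on the way in, keep every version so the EDW can show what was known at a given point in time, and keep the history of business-rule changes alongside the facts) can be made concrete with a small model. The following is an added example written for this article, not code from the article's author or from any EDW product. The schema, the sample billing feed, the "reserve percentage" business rule and the per-row SHA-256 hash used to detect in-place edits to the raw layer are all constructed for the illustration.

```python
# Added example (not from the original article): an append-only "raw" layer
# for an EDW with point-in-time reconstruction, versioned business rules and
# a per-row content hash so that in-place edits to the raw layer are detectable.
# Table names, columns, the rule and the sample feed are constructed for this demo.
import hashlib
import json
import sqlite3


def open_warehouse() -> sqlite3.Connection:
    """In-memory warehouse: an append-only raw layer plus a versioned rule table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE raw_transactions (
            load_seq      INTEGER PRIMARY KEY AUTOINCREMENT,
            load_ts       TEXT NOT NULL,   -- when the EDW received the record
            source_system TEXT NOT NULL,
            record_id     TEXT NOT NULL,   -- key in the source system
            payload       TEXT NOT NULL,   -- source record, unmodified (JSON)
            row_hash      TEXT NOT NULL    -- sha256 over the four columns above
        );
        CREATE TABLE business_rules (
            version     INTEGER PRIMARY KEY,
            valid_from  TEXT NOT NULL,
            reserve_pct REAL NOT NULL      -- share of each amount held back in reports
        );
    """)
    return conn


def row_hash(load_ts: str, source_system: str, record_id: str, payload: str) -> str:
    material = "\x1f".join([load_ts, source_system, record_id, payload])
    return hashlib.sha256(material.encode()).hexdigest()


def load_raw(conn, load_ts, source_system, records):
    """Append source records exactly as received. A correction arrives as a new
    row with the same record_id; nothing in the raw layer is updated or deleted."""
    for rec in records:
        payload = json.dumps(rec, sort_keys=True)
        rid = str(rec["id"])
        conn.execute(
            "INSERT INTO raw_transactions (load_ts, source_system, record_id, payload, row_hash)"
            " VALUES (?, ?, ?, ?, ?)",
            (load_ts, source_system, rid, payload, row_hash(load_ts, source_system, rid, payload)))
    conn.commit()


def facts_as_of(conn, as_of):
    """Latest version of each record that the EDW had received at `as_of`."""
    rows = conn.execute("""
        SELECT record_id, payload FROM raw_transactions r
        WHERE load_ts <= ?
          AND load_seq = (SELECT MAX(load_seq) FROM raw_transactions
                          WHERE record_id = r.record_id AND load_ts <= ?)
        ORDER BY record_id""", (as_of, as_of)).fetchall()
    return {rid: json.loads(p) for rid, p in rows}


def rule_as_of(conn, as_of):
    """Business rule version in force at `as_of` (rules are never edited, only appended)."""
    return conn.execute(
        "SELECT version, reserve_pct FROM business_rules WHERE valid_from <= ?"
        " ORDER BY version DESC LIMIT 1", (as_of,)).fetchone()


def report_as_of(conn, as_of):
    """Reported revenue as it would have been produced at `as_of`: the facts known
    then, under the rule in force then. Raw rows are never changed to fit the rule."""
    version, reserve = rule_as_of(conn, as_of)
    total = sum(rec["amount"] * (1 - reserve) for rec in facts_as_of(conn, as_of).values())
    return {"rule_version": version, "reported_revenue": round(total, 2)}


def verify_raw(conn):
    """Recompute every row hash; return record_ids whose stored hash no longer matches."""
    bad = []
    for load_ts, src, rid, payload, h in conn.execute(
            "SELECT load_ts, source_system, record_id, payload, row_hash FROM raw_transactions"):
        if row_hash(load_ts, src, rid, payload) != h:
            bad.append(rid)
    return bad


def demo():
    conn = open_warehouse()
    # rule v1: report amounts in full; v2 (from March): hold back a 10% reserve
    conn.execute("INSERT INTO business_rules VALUES (1, '2009-01-01', 0.0)")
    conn.execute("INSERT INTO business_rules VALUES (2, '2009-03-01', 0.10)")
    # constructed sample feed: two invoices, then a correction to one a month later
    load_raw(conn, "2009-01-15", "billing", [{"id": 1001, "amount": 100.0}, {"id": 1002, "amount": 250.0}])
    load_raw(conn, "2009-02-10", "billing", [{"id": 1001, "amount": 120.0}])
    out = {
        "history_1001": [json.loads(p)["amount"] for (p,) in conn.execute(
            "SELECT payload FROM raw_transactions WHERE record_id = '1001' ORDER BY load_seq")],
        "report_jan": report_as_of(conn, "2009-01-31"),
        "report_feb": report_as_of(conn, "2009-02-28"),
        "report_mar": report_as_of(conn, "2009-03-31"),
        "integrity_before": verify_raw(conn),
    }
    # an in-place "fix" to the raw layer, the thing the article warns against;
    # the hash check surfaces it so the audit trail is known to be broken
    conn.execute("UPDATE raw_transactions SET payload = ? WHERE record_id = '1002'",
                 (json.dumps({"id": 1002, "amount": 25.0}, sort_keys=True),))
    out["integrity_after"] = verify_raw(conn)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows both versions of record 1001 preserved in the raw layer, the January report built from the facts known in January (350.0), the March report built from the corrected facts under the later rule (333.0 with the reserve applied), and `verify_raw` flagging record 1002 only after it was edited in place. The point-in-time query is deliberately driven by the EDW's own load timestamp rather than by any date inside the source record, so the answer to "what did the company know on this date" does not depend on the source system still existing.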
While several companies have achieved SOX 404 compliance in the short term, they still need to give serious thought to moving towards a more robust BI architecture.