Enron and WorldCom may be old news, but public sector organizations continue to struggle with the ongoing costs of adhering to OMB Circular A-123, the public sector directive of Sarbanes-Oxley 404 (SOX) legislation.
Adopting much of what is contained in SOX Section 404, the federal government had to begin to re-evaluate its policies relating to internal control over financial reporting and management’s related responsibilities. The dust has settled and processes have been implemented, but there is a continued push for organizations to optimize their compliance and business activities.
A risk and control data testing strategy can ease the burden and make A-123 compliance more manageable. Here are five pain points that must be addressed, and how a data-driven approach to compliance by way of a risk and controls monitoring program can help facilitate the process:
To get a complete view of enterprise performance, CFOs face major challenges in extracting data and intelligence out of multiple core systems (ERP, CRM, legacy systems). Data warehousing solutions originally devised for business intelligence (BI) purposes often aggregate slices of data, but do not provide complete transactional information. So, whereas they solve the problem of data integration, they lack information required to complete in-depth testing and provide assurance over the financial reporting requirement for completeness.
Further, spreadsheet risks run rampant. Financial professionals still rely on spreadsheets to support testing because of the difficulty of accessing and aggregating transactional data from across an organization's information systems. Relying on spreadsheets is inherently dangerous because they lose the audit trail, and even tiny transposition errors can expose those who rely on them to risk.
Rx: A controls monitoring program ensures the effectiveness of your internal controls and supporting compliance activities by reducing the risk of spreadsheet transposition errors. The technology behind enterprise continuous monitoring combines secure data extraction, integration, and analysis. A complete audit trail demonstrates your testing activities address integrity and completeness requirements.
Rx: Automated testing of internal controls allows management to cover a number of key process areas and provide timely insight into potential internal control breakdowns. Automated data analysis—the engine of a continuous monitoring program—allows auditors to efficiently review 100% of data populations to detect potential violations early, reducing their impact and overall exposure. Business process owners, working with management, can assess, design and rapidly implement internal control systems that are low cost and low maintenance, yet robust and comprehensive.
Data quality plays a pivotal role in financial reporting and regulatory management disclosures. Ensuring accurate and complete data is paramount when creating financial reports. A shift in accountability has occurred, placing much of the responsibility for day-to-day data quality management on operational executives who understand the data and its purpose, and therefore, are in a better position to engineer processes that improve its quality.
As a result, overall responsibility for data quality has shifted to the CFO, whose role as champion for corporate compliance and control standards has always relied on the integrity of data in underlying systems.
Rx: Business process owners can help by providing data quality services as a component of an overall business assurance assessment and remediation project. By continuously assessing transactions, a risk and controls monitoring program reduces the time to remedy data quality issues when compared with programs undertaken with custom or proprietary data quality software. In addition, it can perform powerful transactional analysis techniques, such as classifications that are specific to financial reporting.