Copyright 2003 Gwen Thomas
With the advent of Sarbanes-Oxley 404, CEOs and CFOs must attest to the data that appears on corporate financial reports. This paper describes a top-down, targeted approach to achieving confidence in that data.
In a perfect world, data would enter your company, move through a single, completely automated system, and then appear effortlessly in your reports.
In the real world, however, your enterprise applications are supplemented by small legacy or specialty applications. Not all processes can be automated, and not all data comes to you clean and usable. So your people have developed processes for interpreting, cleaning, extracting, and moving data.
In a perfect world, it would be easy for the CEO and CFO to attest to the controls for their data. But in the real world, just the flow charts for all the IT systems and processes that feed your reports can cover a wall. A CEO or CFO shouldn’t have to decipher them to gain the confidence needed to sign off on controls. They should have a mechanism that highlights any weak points in the flow so they can work with IT to determine whether these points represent a concern.
What do you need to do now to gain confidence that your controls are adequate and your data is reliable?
It is tempting to consider a bottom-up, comprehensive, enterprise process documentation and workflow approach. And if your groups haven’t documented their systems or processes, you probably need this approach, even though it’s typically much more expensive than a targeted, top-down approach.
But what if your teams already have documentation and controls? What if they have a good start, even if formats vary between teams and systems? What if you already have process and workflow tools and would rather build on current efforts than duplicate your work in a new tool?
Think back to the company financial reports. They contain a finite number (usually 100-150) of data fields. Each piece of data arrived on those reports after following a trail through your systems and processes.
You need confidence in your data, which means confidence in your data trails. You need to focus energy on steps along the data trails that don’t meet your expectations. You need a tool that will highlight those steps for you. And you’d like to be able to accomplish all this in a few weeks.
Just as not all data is the same, not all paths through your systems and processes are the same.
· Some pieces of data follow a simple, predictable trail through your company. All steps are automated.
· Other pieces of data follow a less simple trail that includes non-automated steps. Although they require human intervention, these steps may still be standard and repeatable, with documented processes and established quality control procedures.
· Some data trails are complicated or include steps that are less mature.
One approach to achieving confidence in the data on your company reports is to work backwards from your financial reports for each piece of data, achieving confidence in every step along the data trail. A big task? Certainly not as big as starting from the other end.
Using this approach, you don’t start by assessing and tagging and documenting every process in IT and finance, even if it doesn’t directly touch your data. Instead, start by identifying the data you’re focusing on. Then, for each piece of data, work backward from your reports, listing the steps along the data’s trail through your IT systems.
Targeted, Top-Down Approach to Sarbanes-Oxley 404
1. Identify the data on your reports.
2. For each piece of data, trace the trail backwards from the report, through all IT systems that touch the data. For each step along the data trail, answer fundamental questions:
   What IT system houses the data?
   How (by what process) is the data moved to the next system?
   Who controls the IT system objects and process in the step?
   Where is existing documentation for the system and process?
   When do systems, processes, and controls change, and why?
3. View a report showing any data trails and steps with maturity levels below your expectations. Determine whether your operation has already put in place measures to ensure the quality of your data during these steps. If so, update your records to reflect this. If not, determine whether the steps represent a material concern, and plan corrective actions.
Answers to these questions should be collected by "fresh eyes" — resources other than those who build and maintain the systems and processes along the data trails.
Minimizing disruption to your operations
Use qualified resources to trace each data trail. These resources should be experienced in data integration, with backgrounds in data architecture, information quality, data movement, and process definition. They should be able to gather information from your system documentation, and limit time with IT resources to validating their answers.
Choose carefully how you store the answers to your questions. Store the answers outside of the applications they’re documenting. Store them outside of the enterprise process documentation and workflow applications they’re pointing to. Choose a database tool that will highlight weak links in your data flows and will allow non-technical users to drill down through your data trails, the governance responsibilities of your staff, and the impacts on your reports of changes within IT systems and processes.
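The three-step procedure in the box above and the tool requirements in the preceding paragraph, modelled as an added example (this is not code from the paper, and it describes no particular product). Each step on a trail records the What/How/Who/Where/When answers plus a maturity rating; the query for steps below an expected maturity is the review report of step 3, and the impact query answers "which report fields does a change to this system, process or owner touch?". The report fields, systems, owners, document names, trails and the 0-5 maturity scale are all constructed for illustration:

```python
"""Data-trail register: each report field's trail is an ordered list of
steps carrying the What/How/Who/Where/When answers and a maturity rating.
Two queries follow: steps below the expected maturity (the review report
in step 3 of the box) and the report fields impacted by a change to a
system, process or owner.

All trails, systems, owners, documents and ratings here are constructed
for illustration only; the 0-5 maturity scale is an assumption."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Step:
    """One step on a data trail, as recorded by the reviewer."""
    system: str          # What: IT system that houses the data at this step
    process: str         # How: process that moves it toward the report
    owner: str           # Who: controls the system objects and the process
    documentation: str   # Where: existing documentation ("" if none found)
    change_control: str  # When/why: how changes to the step are controlled
    maturity: int        # assumed 0-5 scale; 5 = automated and controlled
    automated: bool      # False where the step needs human intervention


@dataclass(frozen=True)
class DataTrail:
    report_field: str
    steps: tuple[Step, ...]   # ordered from the report back to the source


# Constructed sample: one trail of each kind described in the paper.
_CONSOLIDATION = Step("Consolidation", "nightly batch load from GL",
                      "Finance Systems", "erp-impl/consolidation-etl.doc",
                      "change advisory board", 5, True)

SAMPLE_TRAILS: tuple[DataTrail, ...] = (
    DataTrail("Net Revenue", (                      # simple, automated trail
        _CONSOLIDATION,
        Step("ERP General Ledger", "automated posting from AR module",
             "Finance Systems", "erp-impl/ar-gl-posting.doc",
             "change advisory board", 5, True),
    )),
    DataTrail("Accrued Liabilities", (              # less simple: manual, but controlled
        _CONSOLIDATION,
        Step("ERP General Ledger", "manual journal keyed from accrual workbook",
             "Controller's group", "accruals-sop.doc (two-person review)",
             "SOP reviewed quarterly", 3, False),
        Step("Accrual workbook (Excel)", "analyst compiles open vendor invoices",
             "AP analyst", "accruals-sop.doc", "SOP reviewed quarterly", 3, False),
    )),
    DataTrail("Inventory Reserve", (                # complicated: manual, undocumented
        _CONSOLIDATION,
        Step("ERP General Ledger", "manual journal from reserve spreadsheet",
             "Plant controller", "", "none recorded", 1, False),
        Step("Reserve spreadsheet (Excel)", "manual extract from legacy inventory system",
             "Plant controller", "", "none recorded", 1, False),
    )),
)


def weakest_link(trail: DataTrail) -> int:
    """A trail is only as mature as its least mature step."""
    return min(step.maturity for step in trail.steps)


def steps_below(trails: Iterable[DataTrail], expected: int) -> list[tuple[str, int, Step]]:
    """Report lines (field, position from the report, step) for steps below expectation."""
    return [(t.report_field, i, s)
            for t in trails for i, s in enumerate(t.steps) if s.maturity < expected]


def undocumented_manual_steps(trails: Iterable[DataTrail]) -> list[tuple[str, Step]]:
    """Human-intervention steps with no documentation on record: the 'complicated' case."""
    return [(t.report_field, s) for t in trails for s in t.steps
            if not s.automated and not s.documentation]


def impacted_fields(trails: Iterable[DataTrail], *, system: Optional[str] = None,
                    process: Optional[str] = None, owner: Optional[str] = None) -> list[str]:
    """Report fields whose trail touches the given system, process and/or owner."""
    if system is process is owner is None:
        raise ValueError("give at least one of system, process, owner")

    def touches(step: Step) -> bool:
        return ((system is None or step.system == system)
                and (process is None or step.process == process)
                and (owner is None or step.owner == owner))

    return sorted({t.report_field for t in trails if any(touches(s) for s in t.steps)})


if __name__ == "__main__":
    for field, position, step in steps_below(SAMPLE_TRAILS, expected=4):
        print(f"{field}: step {position} in {step.system} rated {step.maturity}")
    print("fields touched by the GL:", impacted_fields(SAMPLE_TRAILS, system="ERP General Ledger"))
```

Storing the register as plain records outside the applications it describes is what makes these queries possible: a change request against the general ledger, or a change of owner for the plant controller, can be answered with the list of report fields it reaches before the change is approved.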
Simple, Automated Data Trails
Especially if your company has implemented enterprise financial systems, you’ll probably find that many of your data trails are simple, automated, and straightforward. You’ll probably discover that your teams created process flows, documentation, and controls as part of the implementation process. It should be simple to point to the location of those records. It will probably be easy to achieve confidence in these data trails.
Less Simple Data Trails
The answer to the "HOW" question for data whose trails include non-automated steps (human intervention) will be a little longer. It will note the documentation for the processes to be followed, controls for the steps, and quality control measures that have been implemented.
Such steps may not appear mature according to the COSO / COBIT process maturity model. Are they your most efficient processes? Perhaps not. But if your people are aware of them and have put into place quality control measures to ensure their reliability, you may be totally confident in these steps.
Complicated Data Trails
You may also discover a data trail with steps that are not automated, not mature, and not up to your expectations for quality assurance. Or you may find non-automated steps along a trail that require human intervention without adequate controls or process documentation. By isolating these steps and identifying their weaknesses, you’ve put yourself in a position to correct them, quickly.
Following the data trails for a typical company can be accomplished in weeks, rather than the months required by all-inclusive, bottom-up process and workflow documentation projects. By identifying steps that don’t meet your expectations early, you have more time to plan and implement corrective steps. You avoid the risk of discovering problems at such a late stage that your corrective options are limited. You have gained the opportunity to focus your budget and attention on what’s not working, rather than indiscriminately "fixing what ain’t broke."
If you’ve already started a comprehensive, bottom-up approach to documenting systems and processes, you are probably becoming more confident in your data every day. Your teams have probably collected the materials needed to review the path of your data backward from your reports through IT systems and processes. Running through those data trails can serve as a strong second opinion of your operations. Answering the What-How-Who-Where-When questions about each step along a trail can demonstrate your commitment to quality. And collecting your answers in a format that allows you to demonstrate the impact on your data of a change to an IT system, process, or governance assignment does more than just address SEC compliance. It provides the kind of insight into your operations you’ve been asking for since long before Sarbanes-Oxley.