Written by: John Weathington
Thursday, April 03, 2008

In an article that was just published by the American Chronicle, I pose the question, “Does Your Compliance Data System Prove Your Innocence?” I then continue on, giving the reader a self-evaluation of their internal data system and how well it currently supports the compliance function of the company.
What I allude to in the article is a concept that I call a Compliance Data System. Let me give you a brief introduction to what I am talking about, and the need it fills for your company.
First of all, let’s look at the objective. What we’re trying to do with a Compliance Data System is build a system for the audit team of a company. It would be a pretty intelligent corporate strategy to get all the audit-related activity handled in a consolidated manner, but most likely you won’t see that. So, for the sake of discussion, let’s focus on Sarbanes-Oxley ( SOX ).
In a nutshell, your company will use an external auditor to conduct the formal audit, which is typically one of the “Big Four” auditing firms ( KPMG, PwC, Deloitte, E&Y ). SOX rules prevent the external auditor from “helping” the company pass the audit, so they might hire another accounting firm ( which could be another Big Four firm ) to help the internal audit team. The internal audit team is responsible for preparing the company for the external audit. These are your end users.
As you might have guessed, this rolls up into the Finance function, so as an IT professional, this department shouldn’t be new to you; however, the audit function within Finance might be an unexplored area.
The big thing your internal auditors are after is “control”. They will need to demonstrate for the external auditors that there is sufficient internal control over their financial reporting. The key risk ( remember, risk means uncertainty ) that they’re trying to control is the risk that their published financial statements are inaccurate. The impact of having inaccurate financial reporting can be devastating to your company, especially the CEO and CFO, who both must certify that these numbers are correct. If you aren’t familiar with the Enron or WorldCom story, have someone give you the Reader’s Digest version, or Google it yourself. I’ll spoil the ending for you – it’s not pretty.
So, financial inaccuracies happen in a few ways, but here are the most common:
· Mistakes ( human or machine ) – This is the finance version of “bugs”. Hey, unfortunately they happen, so we have to deal with them.
· Lack of knowledge – The rules of accounting ( known as Generally Accepted Accounting Principles or GAAP ) that Finance has to follow are complicated. Lack of understanding can cause improper processing.
· Tampering and / or fraud – However sad, it’s true that some people will do the wrong thing, if given the right opportunity, motive, and means.
So the controls you will see in place to prevent these from happening typically fall into three categories:
· Reconciliation – If you can get two or more systems that should have the same aggregated totals to reconcile, you have a good chance of avoiding mistakes.
· Approvals – Making sure more knowledgeable people ( managers ) are supervising the activities will prevent mistakes and lack-of-knowledge errors.
· Segregation ( or Separation ) of Duties – This is a term you will hear a lot when discussing internal controls. This means making sure one person does not have too much control over a process. For instance, consider if you had the authority to approve your own raise! Or in a more practical sense, if the same person receiving the money was also depositing the money, there could be a temptation for fraud.
So when your company is going through an external audit, your internal audit team will need to prove that they are following all the GAAP rules properly, and that there have been no mistakes or tampering. They will do this by demonstrating that they have a set of internal controls, and that their controls are effective in accomplishing these goals.
So, if all their financial processing is done in your data systems, how are they going to do that without you?
They can’t.
So, they typically do one of a couple of things. Either they:
1) Try to leave you totally out of the loop, and leverage some of the systems you’ve already built, like transaction systems and data warehouses. They will then pull out their ubiquitous tool – the spreadsheet – and start filling in the gaps as best they know how.
2) Or, they ask you to write a couple of reports for them, to help them out.
What they usually don’t consider is that they can partner with you to build a Compliance Data System that will make their spreadsheets look like some Facebook add-in.
A Compliance Data System is downstream from a transactional system, so it definitely falls into the “data warehouse” category of systems. If you think about the traditional Corporate Information Factory, it will probably sit side-by-side with the Enterprise Data Warehouse ( EDW ), and there are a lot of opportunities in leveraging the concepts of an Operational Data Store ( ODS ): either merging your compliance work into the ODS itself, or creating an ODS specifically for compliance. Of course, compliance-centric data marts are a wise idea also.
I don’t think you should underestimate the architecture here. Ralph Kimball has been talking recently about an “Audit Dimension”. Although I applaud his recognition of the need, I don’t think one dimension is going to do the trick here.
The key to remember is that you’re building this for the internal audit team, for the purpose of surviving an audit. The mistake people usually make is trying to use their general purpose data warehouse. This is a bad idea because the alignment is off.
You can follow my guidance and advice for the rest of the process, but just having that one guiding principle will set you on the right course. Consider, as an option, building a miniature Enterprise Data Warehouse purely for the purpose of compliance, with the requirements driven by the internal audit team. Or, perhaps a Class 2 ( refreshes more than once a day ) Operational Data Store to act as an early warning system for Segregation of Duties violations. These are just a few examples.
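As an added illustration (not part of the original post, and not code from any Quest product), here is how the Reconciliation and Segregation of Duties controls listed earlier could be expressed as queries against a compliance ODS, using the receive-versus-deposit example from the text. The table and column names are assumptions, the rows are constructed, and an in-memory SQLite database stands in for the ODS.

```python
import sqlite3

# Constructed sample rows (hypothetical schema); amounts are integer cents.
RECEIPTS = [  # receipt_id, business_day, amount_cents, received_by, deposited_by
    (1, "2008-04-01", 120000, "alice", "bob"),
    (2, "2008-04-01", 45050, "carol", "carol"),
    (3, "2008-04-02", 98000, "dave", "erin"),
    (4, "2008-04-02", 7525, "bob", "bob"),
]
LEDGER = [("2008-04-01", 165050), ("2008-04-02", 98000)]  # business_day, amount_cents

def load_sample():
    """Build an in-memory stand-in for the compliance ODS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cash_receipt (receipt_id INTEGER PRIMARY KEY, "
                 "business_day TEXT, amount_cents INTEGER, "
                 "received_by TEXT, deposited_by TEXT)")
    conn.execute("CREATE TABLE gl_cash_posting (business_day TEXT, amount_cents INTEGER)")
    conn.executemany("INSERT INTO cash_receipt VALUES (?, ?, ?, ?, ?)", RECEIPTS)
    conn.executemany("INSERT INTO gl_cash_posting VALUES (?, ?)", LEDGER)
    return conn

def sod_violations(conn):
    """Receipts where one person both received and deposited the money."""
    return conn.execute(
        "SELECT receipt_id, received_by FROM cash_receipt "
        "WHERE lower(received_by) = lower(deposited_by) ORDER BY receipt_id").fetchall()

def reconciliation_breaks(conn):
    """Days where receipt and ledger totals disagree (either side may be missing)."""
    return conn.execute("""
        WITH r AS (SELECT business_day, SUM(amount_cents) AS total
                   FROM cash_receipt GROUP BY business_day),
             g AS (SELECT business_day, SUM(amount_cents) AS total
                   FROM gl_cash_posting GROUP BY business_day),
             d AS (SELECT business_day FROM r UNION SELECT business_day FROM g)
        SELECT d.business_day, COALESCE(r.total, 0), COALESCE(g.total, 0)
        FROM d LEFT JOIN r ON r.business_day = d.business_day
               LEFT JOIN g ON g.business_day = d.business_day
        WHERE COALESCE(r.total, 0) <> COALESCE(g.total, 0)
        ORDER BY d.business_day""").fetchall()

if __name__ == "__main__":
    ods = load_sample()
    print("SoD violations:", sod_violations(ods))
    print("Reconciliation breaks:", reconciliation_breaks(ods))
```

Run on each ODS refresh, the two result sets give the internal audit team a standing exception list rather than a spreadsheet assembled after the fact.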
You’ll hear more ideas from me in future posts, but I just wanted to get your mind thinking in this direction. Start partnering with your internal audit team – and your company will be better for it.
