Sarbanes-Oxley is the buzz within all public companies today as they work towards complying with the new regulations. Even private companies are joining in as a recent survey noted that 58% of private companies are instituting changes to improve their accounting practices in response to the new act.

Of particular note are the following sections:

Section 302 - CEO and CFO certifications of quarterly and annual reports;

Section 409 - Disclose to public on a "rapid and current basis" material changes to financial condition or results of operations. Although the SEC has not fully ruled on the definition of "rapid and current basis", it is expected that it will be in line with 8-K filings or five business days but may go to as low as two business days;

Section 404 - Requiring annual assessments of the effectiveness of internal controls over financial reporting, including an attestation from an external auditor.

The Need for Improved Control Monitoring

One main effect of SOX is that the new regulations will require CFOs to dig much deeper into how their companies control their financial reporting, and how they disclose material changes in their operations.

For many companies, the documentation and validation of internal controls will be an entirely new experience and will take months — if not years — of consistent effort to be completed. This effort will identify a host of control gaps and high risk areas for more current monitoring.

To successfully manage the high-risk areas, as determined through the process above, companies must be able to monitor transactions independently and continuously, close to the point at which they occur.

Data analysis technologies capable of continuous monitoring that run alongside ERP systems can add an additional control layer and improve the process of checking compliance with controls and exception reporting. And while this may seem "futuristic" or even unattainable, it doesn't have to be. By focusing on the most risky areas, a company can start slowly while maximizing its return on investment.

And as to ROI, a recent study by IDC showed that business analytics returned an average payback of 112 percent, with the majority of organizations having a full investment payback in less than one year. For the record, "lightweight" continuous monitoring applications come from companies like ACL; higher-end approaches come from Cognos, SAS and Business Objects.

Breaking Down Common Barriers

Such monitoring is not without its obstacles, which take many forms. The most common barriers, and some suggestions for "breaking through" them, are listed below:

Obstacle #1 — "Continuous Monitoring Is So Large and Ambiguous, I Don't Know Where To Start"

Response - First, take a quick assessment of the organization, which can be done in as little as a couple of days. Have lunch with some key finance function representatives, meet a few "old timers" who want to set the place right, and in essence find out what is most wrong with the organization.

For instance, an organization may discover it has a high risk in the way it captures and processes related vendor discounts. Through automated monitoring at a tactical level, business process owners can monitor daily or weekly transaction flows through their accounts payable and procurement systems.

Monitoring reports would be considered a control activity, as well as a sign of a properly functioning information and communication channel. Reports may include identifying all vendor discounts added during the period, the average number of days to apply a discount by vendor, and a list of the top five vendor discounts currently outstanding.

At a more "dashboard" level, the controller or CFO may only want to see the total number and dollar amount of outstanding vendor discounts on a monthly basis.
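The reports named above, as an added example that is not part of the original column: it computes the three process-owner reports and the dashboard totals over constructed sample data. The record layout, the vendor names and the choice to rank outstanding discounts by dollar amount are assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import date

# Hypothetical record layout: one row per vendor discount from accounts payable.
Discount = namedtuple("Discount", "vendor amount added applied")

# Constructed sample data; applied=None means the discount is still outstanding.
ROWS = [
    Discount("Acme", 1200.0, date(2004, 3, 2), date(2004, 3, 12)),
    Discount("Acme", 300.0, date(2004, 3, 5), date(2004, 3, 25)),
    Discount("Borealis", 950.0, date(2004, 3, 1), date(2004, 3, 8)),
    Discount("Borealis", 400.0, date(2004, 3, 10), None),
    Discount("Cobalt", 2500.0, date(2004, 3, 15), None),
    Discount("Cobalt", 150.0, date(2004, 2, 10), None),
    Discount("Delta", 800.0, date(2004, 3, 20), None),
    Discount("Acme", 600.0, date(2004, 3, 22), None),
    Discount("Echo", 75.0, date(2004, 3, 28), None),
]

def added_in_period(rows, start, end):
    """Report 1: all vendor discounts added during the period (inclusive)."""
    return [r for r in rows if start <= r.added <= end]

def avg_days_to_apply(rows):
    """Report 2: average days from added to applied, per vendor."""
    days = defaultdict(list)
    for r in rows:
        if r.applied is not None:  # outstanding rows have no apply date yet
            days[r.vendor].append((r.applied - r.added).days)
    return {vendor: sum(d) / len(d) for vendor, d in days.items()}

def top_outstanding(rows, n=5):
    """Report 3: the n largest outstanding discounts, ranked by amount."""
    open_rows = [r for r in rows if r.applied is None]
    return sorted(open_rows, key=lambda r: r.amount, reverse=True)[:n]

def dashboard(rows):
    """Controller/CFO view: count and dollar total of outstanding discounts."""
    amounts = [r.amount for r in rows if r.applied is None]
    return len(amounts), sum(amounts)

if __name__ == "__main__":
    march = added_in_period(ROWS, date(2004, 3, 1), date(2004, 3, 31))
    print("Added in period:", len(march))
    print("Avg days to apply:", avg_days_to_apply(ROWS))
    for r in top_outstanding(ROWS):
        print(f"  {r.vendor:<10} {r.amount:>9.2f}  added {r.added}")
    print("Outstanding (count, total):", dashboard(ROWS))
```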

The key here is to focus on developing a few key monitoring applications to act as a "proof of concept." That way, a more complete enterprise-wide solution can be built iteratively on small successes without massive up-front infrastructure requirements.

It is even possible to request a limited timeframe software license from the market vendors to further test the concept. With the high success rate of these applications, these vendors are generally confident you will become a long-term customer.

Obstacle #2 — "My Company Will Not Provide Me Access to Data"

Response - Managers and auditors alike have had difficulties in the past obtaining data for analysis. Many of these barriers are being overcome as corporations increasingly store their data in more accessible channels — like ODBC links to data — but the barriers are still present.

Traditionally, management's access to data has been limited or obfuscated entirely by the concerns of the information technology department.

And as IT migrates to a "shared-service" model in providing information, it usually attempts to control the flow even more so the department doesn't get stuck with a system built by the business owners.

To IT's defense, it is common for a business owner to build a system "on the fly" with limited documentation, unclear logic, and an expectation that the IT team would now need to support the ugly-duckling orphaned system.

In response, management should first try to work with the IT Team in developing reports for their highest risk areas.

If such requests are delayed or postponed indefinitely due to conflicting IT priorities, data access should be requested with no expectation that IT will support the resulting system.

Further, assuming a high-risk area is selected for the initial reports, it is usually a safe bet that the report findings will be so material that IT will need to get involved by placing the final reports into a production system for more periodic monitoring.

The process for requesting data should be as follows:

Identify the key risk areas;

Draft reports to act as control activities to manage the risk areas;

List the specific data fields that would be required to run the above reports;

Prepare a formal letter to IT management requesting the specific data and the reasons for requesting such data.

Obstacle #3 — "I Have No Time To Review Reports And Do My Job"

Response - In today's challenging market, amidst personnel reductions and shareholder pressure to increase top-line growth, it's not uncommon for most managers to hold the belief that "I can only do; I have no time for review."

With all of the streamlining and reengineering of organizations, departments are working at bare minimums.

This leaves little time for analysis.

Employees need to move towards "sharpening their saw" through improved analytics and business intelligence.

Using these tools, employees can identify new efficiencies that will ultimately save time and may even prove that additional staff should be added due to the cost/benefit of process improvements.

Please keep in mind that studies have shown business intelligence solutions to be a top return-on-investment automation amid the myriad of technology failures.

With the permission of the Compliance Week editors, I've placed several free tools at Auditsoftware.net to help management with these issues further.

This column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.