Ensuring Compliance with Automated Controls
A recent cartoon depicts a personnel director asking a pinstriped job applicant: “How do you feel about doing time?” And late-night TV comedians have had a field day as regulators, legislators, lawyers and accountants have scrambled to restore confidence in corporations and markets rocked by accounting scandals.
The Sarbanes-Oxley Act, passed in July 2002 and designed to restore that confidence, holds responsible both the corporations whose financial information is critical to the economy and the audit industry that attests to the accuracy of that information. The Act holds CEOs and CFOs of public companies personally responsible for the accuracy of the financial information their companies report and imposes stiff penalties for false certifications. Based on charges of document shredding in several high-profile cases, the Act includes a stringent document retention policy and mandates a comprehensive system of internal controls.
It is this last item, embodied in Section 404: Management of Internal Controls, that will have the most impact on the day-to-day lives of CFOs and CIOs. It requires management to establish and maintain adequate internal controls and procedures for financial reporting, and to assess the effectiveness of those controls. The idea is that the increased focus by management on internal controls will reduce the possibility of errors and fraud in financial reporting.
It sounds simple. But the internal controls for financial reporting in most U.S. companies are currently lenient at best. In many companies, the information is collected from multiple systems and consolidated into spreadsheets for planning, budgeting and reporting. Spreadsheets are, by definition, handled manually and prone to human error. Numerous studies show that the average human attention span is only 15 minutes, after which errors such as number transposition increase dramatically. No matter how well-defined and well-documented the rules that produce the data, once it is imported into a spreadsheet for further manipulation, control is lost and with it the ability to ensure accuracy.
Preparing for Compliance: Automating Controls
Section 404 makes dependence on manual processes riskier than ever. To ensure adequate controls, Finance and IT must coordinate efforts to acquire or develop a system that automates the collection, verification, audit, balancing and reconciliation of financial information across all corporate applications and platforms. Key requirements for this system include the ability to:
- Transform human logic into audit, balancing and reconciliation rules. It is end users in the finance organization—including the CFO—who know the balancing rules and, not incidentally, who are responsible for the accuracy and validity of the data. The system must capture the user’s understanding of the required balancing logic and transform that logic into rules that then automate—and document—the process. The tool must be easy enough to use for users at any level to “teach” the system the business rules that govern financial reporting.
- Perform cross-application and cross-platform balancing and reconciliation. Corporations typically support many applications across several platforms, from a legacy general ledger system on OS/390 to an enterprise resource planning system in a Unix environment to customer relationship management and human resources applications on Windows NT. But how do you know if the HR system is passing the right information to the general ledger or if the reports generated by the ERP system are correct? It is critically important that your system be able to balance, reconcile and verify data within and across all applications, data types, database structures, operating environments and platforms.
- Trigger corrective action and notification. What do you want to do when an out-of-balance condition occurs? You must be able to set these actions conditionally and for a wide range of measures. For example, if today’s accounts receivable is out of balance by $5, you may want to simply report the error and keep processing. If it is out of balance by $10,000, you may want to start an item reconciliation process in which the underlying detail transactions are verified and trigger a workflow process that incorporates the original documents along with the exception report. If the same rule is out of balance by $1,000,000, you may want to invoke those processes and also send an immediate e-mail alert to the manager responsible for that line of business.
- Link values back to the document of record. The system must be able to drill back into the originating financial document and generate a hard audit trail of the entire business process. Just as important as having the controls and proving that they have been properly applied is the ability to easily access the original documents and dynamically link them to the process that produces financial reports. This creates a closed loop that fulfills the requirements of the Sarbanes-Oxley Act.
There are tools available today that enable companies to easily and cost-effectively automate the controls and processes mandated by the Sarbanes-Oxley Act. One example is the ViewDirect Compliance suite of products from Mobius Management Systems, Inc. These solutions enable corporations to leverage their investments in financial systems and IT infrastructure and meet the new requirements with confidence.
Mobius is a leading provider of integrated solutions for total content management. The company’s ViewDirect TCM suite includes an integrated repository, a facility for accessing content across disparate repositories, and a broad range of solutions that meet all content requirements