Sarbanes-Oxley and Your Company
“Public Company Accounting Reform and Investor Protection Act”
Claudia Imhoff, PhD and President Intelligent Solutions, Inc.
© Copyright 2003, Intelligent Solutions, Inc. All Rights Reserved.
Sarbanes-Oxley Act of 2002
“To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.”
• To restore investor confidence…
Is It Needed?
What do you think?
• A major US company’s chief resigns after authorizing large payments to top execs while negotiating a deal to slash average workers’ pay*
• A multinational with significant business in the US restates its revenues by nearly $1 billion**
• A leading American firm based in a southern city is charged with massive financial fraud; its CEO, living an extravagant lifestyle, is indicted***
The list goes on and on!
*American Airlines - 2003 ** Food service giant, Ahold - 2003 ***HealthSouth and Richard Scrushy - 2003
What is IT’s Role?
Compliance is more than just financial legislation
• At its heart, it is about ensuring validity and transparency in the creation and documentation of financial statement information
• It means having the right IT systems in place
“With the current environment, there can be nothing more important than getting the systems put in place to ensure compliance with Sarbanes-Oxley and boost investor confidence in the company” -- Joe Eckroth, CIO, Mattel Corp*
AMR predicts that Fortune 1000 companies will spend about $2.5 billion this year on compliance-related projects
*CIO Magazine, “Your Risks and Responsibilities” by Ben Worthen, May 15, 2003
Agenda
The Parts That Concern Everyone
• Material Changes
• Internal Controls
• International Concerns
• Private Companies
What’s Needed
Summary
SOX in Review
Section 404 – About 100 Words Long
• Annual reports must be signed by the CEO and CFO attesting to their accuracy
• Corporations must prove they have controls in place to assure accuracy (validity and transparency) of info
Section 409 – Real-Time Disclosures
• Material events must be reported in an as-yet undetermined, but faster (48 hours?) timeframe
Section 802 – Criminal Penalties for Altering Documents
• Penalties range from fines to prison sentences
Material Changes – Reported at Light Speed
What’s material?
• Loss of a major sales contract to a competitor?
• Cancellation of a significant partnership agreement?
• Cost overruns on IT projects and other capital expenditures?
• A large marketing expenditure?
Shift to real-time computing can be particularly onerous.
• Heavy reliance in operational systems on batch processing?
• Existing BI infrastructure can’t handle updates in real time?
Material Changes – Reported at Light Speed*
(continued)
What does real-time reporting really mean?
• Difference between “right” time and real time.
Reporting on a material change two days after it occurred is NOT real time. Reacting to one is.
• Do all employees know what constitutes a material change?
CEOs, CFOs and others must be connected to the everyday occurrences throughout their enterprises.
* “New rules for disclosing significant events will require a flow of information unlike anything corporations have done before.” CIO Magazine, May 15, 2003
Material Changes – Reported at Light Speed*
(continued)
Most IT infrastructures can’t handle real-time changes.
• Lack of integration between data, processes, technologies.
• Links between systems are not robust, even undocumented.
• No repository of quality, current data.
* “New rules for disclosing significant events will require a flow of information unlike anything corporations have done before.” CIO Magazine, May 15, 2003
Material Changes – BAM and Real Time Enterprises
Business Activity Monitoring (BAM)
• Real-time access to critical business performance indicators to improve speed and effectiveness of business operations*
Extending BI beyond strategic/tactical decisions to yield actionable info immediately impacting business
• Shorten the time horizons
Monthly to weekly
Weekly to daily
Daily to intraday
* David McCoy. “Business Activity Monitoring: Calm Before the Storm” Gartner Document LE-15-9727, April 2002
Material Changes – BAM and Real Time Enterprises
(continued)
Faster reaction is critical to operational effectiveness
• Today’s techniques for data analysis are not suitable for managing business operations if monitoring must be close to real time
• BAM fills this capability gap
Material Changes – The Real-time Challenges
[Figure: matrix comparing Operational Systems, Early Warehouses, “Active” Warehouses, Operational Data Stores and BAM on their fitness for real-time reporting. Legible cell labels: “but terribly fractured reporting”, “snapshots in time, high latency”, “trickle feeds with low latency overcome very high latency”, “good solution for real time needs”, “best for critical event driven needs”.]
Internal Controls – More Than Just Getting the Numbers Right?
Must have alerts, alarms, instant messages about:
• Hints of fraudulent internal activities
• Inaccurate or inappropriate accounting transactions
• Operational or financial “perturbations”
Need automation of manual audit tasks, rules based enforcement of policies.
The Executive Dashboard grows up!
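The slide above asks for rules-based enforcement of policies with alerts on inappropriate accounting transactions. The following is an added example (not code from the presentation or from Intelligent Solutions) of what such a rule engine looks like when run over general-ledger journal entries. The four rules, the approval threshold, the business-hours window, the account numbers and the sample entries are all hypothetical values chosen for illustration; a real deployment would load its policy parameters from the control framework the auditors sign off on.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted_at: datetime
    account: str        # GL account number (hypothetical numbering)
    amount: float
    created_by: str
    approved_by: str
    is_manual: bool     # True for a manually keyed adjustment


@dataclass(frozen=True)
class Alert:
    rule: str
    entry_id: str
    detail: str


# Policy parameters: hypothetical values chosen for this example, not from the slides.
APPROVAL_THRESHOLD = 10_000.0      # entries at or above this need a second approver
BUSINESS_HOURS = (8, 18)           # 08:00-18:00, Monday to Friday
REVENUE_ACCOUNTS = {"4000", "4010"}
PERIOD_CLOSE_WINDOW_DAYS = 2       # the last N days of a month count as "period close"

Rule = Callable[[JournalEntry], Optional[str]]


def segregation_of_duties(e: JournalEntry) -> Optional[str]:
    """The preparer of an entry must not also be its approver."""
    if e.created_by == e.approved_by:
        return f"{e.created_by} both created and approved the entry"
    return None


def after_hours(e: JournalEntry) -> Optional[str]:
    """Postings at night or on weekends deserve a second look."""
    weekend = e.posted_at.weekday() >= 5
    outside = not (BUSINESS_HOURS[0] <= e.posted_at.hour < BUSINESS_HOURS[1])
    if weekend or outside:
        return f"posted {e.posted_at:%Y-%m-%d %H:%M} outside business hours"
    return None


def threshold_skimming(e: JournalEntry) -> Optional[str]:
    """Amounts sitting just under the approval limit sidestep the second approver."""
    if APPROVAL_THRESHOLD * 0.95 <= abs(e.amount) < APPROVAL_THRESHOLD:
        return f"amount {e.amount:,.2f} is just below the {APPROVAL_THRESHOLD:,.0f} approval threshold"
    return None


def manual_revenue_at_close(e: JournalEntry) -> Optional[str]:
    """Manual adjustments to revenue accounts during period close are a classic red flag."""
    days_in_month = calendar.monthrange(e.posted_at.year, e.posted_at.month)[1]
    at_close = days_in_month - e.posted_at.day < PERIOD_CLOSE_WINDOW_DAYS
    if e.is_manual and e.account in REVENUE_ACCOUNTS and at_close:
        return f"manual entry to revenue account {e.account} during period close"
    return None


RULES: dict[str, Rule] = {
    "segregation_of_duties": segregation_of_duties,
    "after_hours": after_hours,
    "threshold_skimming": threshold_skimming,
    "manual_revenue_at_close": manual_revenue_at_close,
}


def find_duplicates(entries: list[JournalEntry]) -> list[Alert]:
    """Flag repeats of the same account/amount/creator on the same day (every copy after the first)."""
    seen: set[tuple] = set()
    alerts: list[Alert] = []
    for e in entries:
        key = (e.account, e.amount, e.created_by, e.posted_at.date())
        if key in seen:
            alerts.append(Alert("duplicate_entry", e.entry_id,
                                f"repeats {key[0]} {key[1]:,.2f} by {key[2]} on {key[3]}"))
        seen.add(key)
    return alerts


def evaluate(entries: list[JournalEntry]) -> list[Alert]:
    """Run every per-entry rule, then the cross-entry duplicate check."""
    alerts: list[Alert] = []
    for e in entries:
        for name, rule in RULES.items():
            detail = rule(e)
            if detail:
                alerts.append(Alert(name, e.entry_id, detail))
    alerts.extend(find_duplicates(entries))
    return alerts


# Constructed sample entries (not real data): one clean entry, one that trips three
# rules, one manual revenue adjustment at quarter close, and one duplicate of the first.
SAMPLE_ENTRIES = [
    JournalEntry("JE-1", datetime(2003, 10, 14, 10, 30), "6100", 2_500.0, "alice", "bob", False),
    JournalEntry("JE-2", datetime(2003, 10, 14, 22, 15), "2100", 9_800.0, "carol", "carol", True),
    JournalEntry("JE-3", datetime(2003, 9, 29, 16, 0), "4000", 50_000.0, "dave", "erin", True),
    JournalEntry("JE-4", datetime(2003, 10, 14, 15, 5), "6100", 2_500.0, "alice", "bob", False),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_ENTRIES):
        print(f"[{a.rule}] {a.entry_id}: {a.detail}")
```

Each alert names the rule that fired, so the same output can feed a dashboard gauge, an instant message to the controller, or the evidence file an auditor asks for. Rules are plain functions, which keeps the policy reviewable by someone who is not a programmer and lets a new control be added without touching the engine.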
Internal Controls – More Than Just Getting the Numbers Right?
(continued)
Executive Dashboard
• Not a quarterly look at the “numbers” any more
Requires executives to dig deeper into their financial records.
Not episodic but a steady stream of information – a daily onslaught!
• Sophisticated set of gauges, graphs, trend lines
Drill-through capabilities.
Easily used and understood meta data.
Internal Controls – More Than Just Getting the Numbers Right?
(continued)
Executive Dashboard
• Based on auditable, integrated data from a variety of sources
Operational systems.
BI systems.
External data.
• Supporting real-time and historical analyses
React to a trend?
Observe an exception?
SOX Goes International
Discoveries of malfeasance offshore have a material effect on international corporations
• And must be reported as such
• Sea change from the way it is handled today
Many non-US companies are deciding against a US IPO because they cannot be SOX compliant
• German automaker, Porsche, canceled its US IPO because its supervisory boards and audit committees have employee reps – not independent by SOX rules
Private Companies Aren’t Immune
Private companies do not have to abide by SOX regulations unless they . . .
• Plan to go public – IPO – in the future
• Are acquired by or merge with a public company
• Have government contracts that require compliance
Acquiring companies will be performing much more stringent due diligence
Public and private companies must adhere to whistle-blower provisions
Many currently public companies are considering going private to avoid SOX compliance issues
Private Companies Aren’t Immune
(continued)
Minimum steps private companies should take:*
• Add independent directors to your board
• Create an independent audit committee
• Review internal accounting procedures
• Educate directors, officers and employees on requirements pertaining to reporting of misconduct
• Provide education on fraud prevention
• Enlist the help of data-auditing solution providers
* META Group 2003 report, “More Private Firms Working Toward Sarbanes-Oxley Compliance”
And Just When You Thought You Were Done
COSO
• Recommends companies adopt a framework to properly authorize all transactions – safeguards against improper use, documented set of internal rules that control how data is generated, manipulated, recorded and reported
Basel II
Operational Risk
Even the Patriot Act . . .
• Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (P.A.T.R.I.O.T)
• Turn over your database, please . . .
Agenda
The Parts That Concern Everyone
What’s Needed
• A BI environment
• Meta data
• Solid technology architecture
• Evidence of good audit processes and procedures
• A road map
Summary
A Business Intelligence Environment
An environment in which business users receive data that is:
• Reliable
• Consistent
• Understandable
• Easily manipulated
• Timely
For analyses that yield overall understanding of:
• Where the business has been
• Where it is now
• And where it will be in the near future
A Business Intelligence Environment
(continued)
BI serves two main purposes:
• It monitors the financial and operational health of the organization
Reports, alerts, alarms, analysis tools, key performance indicators (KPIs) and dashboards
• It regulates the operation of the organization
Two-way integration with operational systems, information feedback analysis
BI, without the ability to act on it, is not worth much
A Business Intelligence Environment
(continued)
Most companies cannot track changes to financial data as it moves around internally
• Massive ERP and CRM systems to collect data but then feed it into spreadsheets!
• Spreadsheets – manual process, prone to human error – widely used for planning and budgeting.
Reliance on human processes is not cutting it
• Must have automated systems.
• Must have solid audit trails.
• Must be able to reconcile information either by integration (preferred) or at least a shared data model.
Meta Data
Data about the data, activities, environment
It is the key to:
• Assuring that numbers are what they say they are
• Verifying that procedures are what they say they are
• Visibility into the “numbers”
It is your audit trail throughout the environment
It must be “real time” as well
• Much of SOX compliance can be garnered from meta data rather than data
• Its architecture will mimic the Corporate Information Factory
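The meta data slide above calls meta data “your audit trail throughout the environment”, the BI slide before it demands “solid audit trails”, and Section 802 makes altering records a criminal matter. The following is an added example (not code from the presentation or from Intelligent Solutions) of one way to make that audit trail tamper-evident: every movement of data is recorded as a lineage record carrying a hash of the payload it moved and a hash of the previous record, so an auditor can both walk a reported figure back to its source system and detect a record that was edited after the fact. The system names, payload contents and the three-hop ERP → staging → warehouse → dashboard flow are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import Any, Optional

GENESIS = "0" * 64  # prev_hash of the very first record


def canonical_hash(obj: Any) -> str:
    """SHA-256 over a canonical JSON encoding, so equal payloads always hash equally."""
    encoded = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


@dataclass(frozen=True)
class LineageRecord:
    seq: int
    source: str         # system or table the data was read from
    target: str         # system or table the data was written to
    operation: str      # e.g. "extract", "aggregate", "publish"
    actor: str          # batch job or user that performed the movement
    timestamp: str
    payload_hash: str   # hash of the data that was moved
    prev_hash: str      # record_hash of the preceding record (hash chain)
    record_hash: str = ""

    def compute_hash(self) -> str:
        """Hash of every field except record_hash itself."""
        fields = asdict(self)
        fields.pop("record_hash")
        return canonical_hash(fields)


class AuditTrail:
    def __init__(self) -> None:
        self.records: list[LineageRecord] = []

    def append(self, source: str, target: str, operation: str,
               actor: str, timestamp: str, payload: Any) -> LineageRecord:
        prev = self.records[-1].record_hash if self.records else GENESIS
        rec = LineageRecord(len(self.records), source, target, operation,
                            actor, timestamp, canonical_hash(payload), prev)
        rec = replace(rec, record_hash=rec.compute_hash())
        self.records.append(rec)
        return rec

    def verify(self) -> tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, seq of first bad record)."""
        prev = GENESIS
        for rec in self.records:
            if rec.prev_hash != prev or rec.record_hash != rec.compute_hash():
                return False, rec.seq
            prev = rec.record_hash
        return True, None

    def lineage(self, target: str) -> list[LineageRecord]:
        """Walk a figure back to its origin: newest record that wrote `target`, then
        the newest earlier record that wrote that record's source, and so on."""
        chain: list[LineageRecord] = []
        idx = len(self.records)
        while True:
            hit = next((r for r in reversed(self.records[:idx]) if r.target == target), None)
            if hit is None:
                return chain
            chain.append(hit)
            target, idx = hit.source, hit.seq


def build_sample_trail() -> AuditTrail:
    """Constructed example flow: ERP extract -> warehouse aggregate -> dashboard KPI."""
    trail = AuditTrail()
    trail.append("erp.general_ledger", "staging.gl_extract", "extract",
                 "etl_batch", "2003-10-01T02:00:00", {"rows": 18234, "q3_revenue": 4_250_000})
    trail.append("staging.gl_extract", "dw.revenue_by_quarter", "aggregate",
                 "etl_batch", "2003-10-01T02:30:00", {"q3_revenue": 4_250_000})
    trail.append("dw.revenue_by_quarter", "dashboard.q3_revenue_kpi", "publish",
                 "bi_publisher", "2003-10-01T06:00:00", {"kpi": "q3_revenue", "value": 4_250_000})
    return trail


def tamper(trail: AuditTrail, seq: int, new_payload: Any,
           recompute_record_hash: bool = False) -> AuditTrail:
    """Simulate someone editing a stored record after the fact. With
    recompute_record_hash the editor also fixes up that record's own hash, which
    still breaks the prev_hash link of the record that follows it."""
    forged = AuditTrail()
    forged.records = list(trail.records)
    rec = replace(forged.records[seq], payload_hash=canonical_hash(new_payload))
    if recompute_record_hash:
        rec = replace(rec, record_hash=rec.compute_hash())
    forged.records[seq] = rec
    return forged


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify())
    for r in trail.lineage("dashboard.q3_revenue_kpi"):
        print(f"  {r.target} <- {r.operation} <- {r.source} ({r.actor}, {r.timestamp})")
    print("edited row:", tamper(trail, 1, {"q3_revenue": 9_999_999}).verify())
    print("edited row + rehashed:", tamper(trail, 1, {"q3_revenue": 9_999_999}, True).verify())
```

The chain only proves that the trail has not been altered since it was written; it does not prove the records were honest to begin with. In practice the head hash is periodically copied somewhere the ETL jobs cannot write (a write-once store or a record signed by the audit function), which is what turns a hash chain into evidence.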
The Corporate Information Factory
[Figure: the Corporate Information Factory diagram. Data acquisition from External, ERP, Legacy and Other operational systems through APIs into the Data Warehouse and Operational Data Store; CIF Data Management; Data Delivery to the Exploration Warehouse, Data Mining Warehouse, OLAP Data Mart and Oper Mart (TrI/DSI interfaces); an Information Workshop with Library & Toolbox and Workbench, with Information Feedback to the sources; and a management layer of Systems Management, Meta Data Management, Data Acquisition Management, Service Management, Operation & Administration and Change Management.]
The Corporate Information Factory
THE architecture to ensure data integration, quality, validity and transparency for BI applications
Benefits
• Reusability of components
• Standardization
Technology
Nomenclature
Interfaces
• Increased flexibility in terms of selecting
Tools
Technologies
Techniques
• Audit trails following movement of data
The Corporate Information Factory
(continued)
Permits optimization of each technological component to perform at its optimum
Evidence of Good Audit Procedures
Now is the time to restart the data quality, integration and standardization projects you postponed
• Re-engineering of business processes and data
Use SOX compliance as a selling tool to improve overall technology environment
• Standard IDs, codes, numbering schemes
• Standard business definitions, names
• Standard calculations and algorithms
• Standards-compliant software and hardware
A Roadmap
Develop detailed plans for controls on financial systems
• Create a steering committee of top execs to ensure cooperation
Put in place a technology infrastructure, based on a proven architecture, that facilitates data use and integration from different systems
A Roadmap
(continued)
Look for places where data integrity can slip through the cracks
• Watch for “customizations” to key systems – ensure adequate audit trails
Standardize all technological aspects where possible
• Operational systems
• BI environment
• Infrastructural components
A Roadmap
(continued)
Set up systems to automatically notify all key constituents (senior execs, board members, investor-relations managers) of material events
• Transparency
IT projects must be intertwined with accounting processes to ensure compliance with and identification of SOX aspects
• Validity
Agenda
The Parts That Concern Everyone
What’s Needed
Summary
Summary
Still unsure of actual requirements
• Reacting today may leave companies playing catch-up in the future.
• What’s “material”?
• What’s “real-time” reporting?
Focus on visibility, accountability and better governance – IT plays a significant role in each of these.
Data integration becomes king
• Best time to create world-class integrated environment.
• Use compliance to standardize corporation’s IT architecture and nomenclature.
• No more “best of breed” purchases?
Need “right” time data
• BI is a critical component.
Summary (continued)
Look at the bright side, here’s your opportunity to:
• Decrease IT maintenance costs
• Improve data integrity across the organization
• Allow for better visibility of data throughout the organization
• Improve internal control mechanisms
On the not so bright side, will risk taking become a crime?
• Innovation versus SOX
• Take the opportunity to examine real business issues undermining the business
Summary (continued)
Finally, will SOX restore investor confidence?
• TBD!
• Execs focusing on compliance but not on changing the culture that fostered unethical behavior?*
• This may be the most difficult change of all…
* See “Liar, Liar” by Joshua Kurlantzick, Entrepreneur Magazine, October 2003 for more on cultural change
Questions?
Claudia Imhoff, PhD Intelligent Solutions, Inc.
303-444-6650 www.IntelSols.com