
Meeting Sarbanes-Oxley Section 409 Requirements


Find the needle in the haystack in real-time or your job is on the line

By Michael Cunningham
Founder, President and CEO
Theoris

If you are a compliance expert or a corporate executive at a publicly traded company in North America, you are probably aware of the requirements mandated by the Sarbanes-Oxley regulations. I look at them as a blessing in disguise as the new laws are an opportunity for companies to really show that they are committed to solid corporate governance practices. For companies who are still striving to implement best practices, this is also an opportunity to come to the forefront and possibly improve company performance and reporting.

There are multiple sections contained in the Sarbanes-Oxley compliance regulations and each of them presents its own challenges to different people in different areas of the organization. Section 409 requires that a company disclose information regarding material changes in the financial condition of the company.

More importantly, these changes must be captured and reported in real-time. Section 409 has not yet gone into effect, but it is clearly on the horizon and its potential impact is far-reaching. The Securities and Exchange Commission (SEC), which is responsible for issuing guidelines for SOX, has yet to define exactly what is meant by "real-time" from an IT perspective, but it is clear that new ground is being broken in this area. What is clear today is that all events which could affect a company's finances, stock price or intellectual property (among other things) must be captured, documented with a process that can be audited, and reported in a rapid fashion. This includes operational risk with IT systems such as:

• Major or extended system outages

• Loss of critical data

• Security breaches

• Intellectual Property and Digital Rights Management issues

• Major computer virus and worm attacks

So how does a company determine what events must be reported? The event must be reported if it has a material impact on a company's financial status. That means, for example, a security breach at a credit card company where personal information is lost or stolen will need to be disclosed, whereas a breach where no sensitive data was compromised most likely will not. On the other hand, even a minor system outage that affects inventory and possibly revenues qualifies as something that needs to be reported because it can affect the company's revenues as well as its brand and market reputation.

In a similar fashion, other non-IT related events might include things like needing to recognize bad debts, loss of production capacity, changes in credit ratings for the company or large clients, mergers, acquisitions, major discoveries and more. What is clear is the fact that whether or not the event is IT related, the IT department must be heavily involved in supporting the reporting requirements as defined in Section 409 with a combination of solid processes and technology.

The new role of IT and Technology in SOX Compliance
So far, the early stages of SOX have only impacted financial analysts, auditors and accountants in companies, but the paradigm is shifting to IT departments, which will serve as a cornerstone to making SOX compliance a reality. Effective management and protection of a company's critical information assets requires a solid IT strategy and policy, supported by well-conceived systems and internal controls. Clearly, many companies will be facing increased IT costs over the coming years in order to keep up.

There are many organizations emerging that have made the decision to lead the industry in implementing technologies for SOX compliance such as workflow management software, reporting systems and data quality management solutions. Indeed, effective and efficient SOX compliance means not only following the law but acquiring real business advantage. With such a daunting task, experts agree that the only viable approach to complying with such a mandate is to implement compliance solutions that are capable of addressing regulatory concerns while concurrently improving the tangible performance of the business in terms of cost reduction, increased sales or shareholder value.

The challenges presented to executives
One of the biggest challenges financial executives face is how to effectively cull information from disparate sources to ensure proper evidence collection and documentation. In many cases, companies are not only being asked to streamline their financial reporting - but essentially their entire enterprise - if they are to truly and accurately address compliance. Many of these executives have already invested significant resources in internal controls assessments with their auditors and consulting firms.

Unfortunately, a by-product of such assessments is that now the executives are aware of issues and must deal with them. In particular, Section 409 demands real-time disclosure of material changes in financial or operational conditions. When combined with other SOX provisions, not only are executives required to do so, they also have personal "skin in the game". Recent convictions of several high-profile executives also serve to indicate that "this law has teeth and will bite".

One technology makes it to the forefront for easing Section 409 requirements
IT organizations must respond by creating an effective, economical data delivery mechanism to monitor, analyze and report functional, financial and operational events - including any that may impede the achievement of business objectives, result in material changes, or increase the probability of risk, fraud, crime and other losses. Companies must move quickly to put an action plan in place to meet looming deadlines. One of the most promising technologies being implemented in organizations today is a capstone real-time reporting solution, which supports meeting the stringent and time-sensitive requirements. These solutions present critical business information through interactive dashboards that graphically highlight operational and financial anomalies in key areas of the business such as revenue, cash flow, status of a merger or acquisition, headcount, inventory and sales.

All of this information is consolidated and derived from data sources across all key areas of the organization as well as a host of external sources including supplier systems, customer information, relevant industry metrics, competitor information, and other third party benchmarks. This data is presented in a simple dashboard view with graphs and charts that combine rules-based logic with drill down capabilities and warning indicators. However, performance management dashboards for Sarbanes-Oxley Section 409 can prove even more valuable than simply "a check in the compliance box". Here's an example:

Imagine you are an executive at a major organization and you've just arrived at work. You are handed a hard copy report from an existing business intelligence reporting system and it shows that your sales are on target and you are likely to meet your revenue objectives. What you are not aware of is the fact that your main inventory plant in Penang, Malaysia has just been hit by a major storm and all systems are down. In addition, the US Dollar has dropped by 120 points as a result. The inventory loss is going to greatly affect retail sales as a result, but you are doing business as usual based on your hard copy report.

Now imagine that it is a new day in the same company. While en route to your office, you receive a text alert message on your cell phone regarding the plant outage, enabling you to call an emergency staff meeting of key executives. Upon arrival at your office, you are able to view a comprehensive operational and financial model with charts indicating POS sales versus booked sales in real-time.

A map that ties back to your operational plant control system shows that your distribution center is down and your order processing chart is glowing red. Your financial chart also indicates that the dollar is down. Within fifteen minutes you are in the emergency staff meeting where you and your team can jointly assess the situation and evaluate options. Then, based on the group's collective evaluation, the CFO, Public Relations and Operations Management are jointly prepared to address the situation and respond with a proactive contingency plan.

Dashboards do more than just mine data from ERP systems and other business intelligence systems. They tap into a myriad of operational and financial systems to provide a top level view of the business and the risks associated with doing business, in real-time. See figure 1. Executive dashboards are more than just a replacement for hard copy reports. They provide a snapshot with rules-based alerts, drill-down analytics and other features to help decision-makers monitor a company's most prized performance indicators such as financials, reporting, sales and revenue.

They are the "crystal ball" to an entire organization's financial health and operating performance. To deploy a dashboard successfully, the software vendor must have a very open architecture so that IT departments can easily tap into back-end systems and access data from the most trusted source and avoid unnecessary costs and delays. And while legislators have not yet clarified all the deadlines associated with Section 409, failure to enact real-time monitoring capabilities immediately can result in missed opportunities and unnecessary expense.

A real-world scenario
In 2004, executives at a major corporation identified the following issues that needed to be addressed in order to improve their operations and support compliance with Sarbanes-Oxley and other initiatives:

• Conflicting management information from various data sources

• Extensive IT intervention to deliver critical business metrics in a timely manner

• Data quality issues

• Limited business intelligence infrastructure

• Manual intervention and paper-based reporting

Executives and operational managers needed more timely and comprehensive reporting capabilities. However, the information they required was buried in hard copy management reports, with no easy or intuitive way to get a comprehensive view of the key performance indicators (KPIs) in an effective context. Knowledge transfer delays between risk managers, IT staff, and developers contributed to operational inefficiencies and missed business opportunities.

They also needed direct access to the supplier information and commodities exchanges to manage their raw materials costs and investments in a highly volatile marketplace. Manually compiled spreadsheets and reports were cumbersome and did not deliver an accurate, timely picture of the business. Added to this was the pressure to comply with Sarbanes-Oxley regulations, which require real-time reporting of financials.

To respond to these challenges, the company required a cost-effective solution that could be deployed quickly and access multiple data sources with minimal disruption to existing processes and technology investments. Executives needed a browser-based solution, which could incorporate raw data and derived performance metrics from spreadsheets, reports and web content in a single, easy to understand view.

The limited IT resources would be used sparingly to avoid disruption to other business activities and a heavy capital expenditure was not an option. Decision makers and risk managers needed the ability to access information in real time, so they defined their requirements and agreed upon the KPIs for the monitoring solution. With a limited IT budget and staff they have grown the business quickly utilizing packaged software and limited database technologies. Much of the financial and risk management is accomplished using a variety of reporting tools and spreadsheet technologies.

After reviewing various approaches to addressing their management information needs, the company chose Theoris Vision Software as their solution. The solution was installed and business users were trained in less than two days. Full production deployment was accomplished in less than three weeks. How did this happen? Of the many business intelligence dashboard companies on the market, Theoris provides a "capstone" approach to business intelligence.

They have specific advancements built into their technology that allowed IT managers to quickly and easily tap into existing systems to pull the relevant data for accurate metrics monitoring. Following the initial deployment, the company worked with Theoris to redefine their KPIs and reporting structure in an effort to achieve significant business benefits immediately. Furthermore, business analysts and managers were able to develop separate, personalized "dashboard" views for each executive without any programming. The company has realized a multitude of business benefits including:

• Identified significant cost reduction opportunities

• Improved efficiencies in operations and communications

• Enhanced risk mitigation capabilities through alerts and analytics

• Lower cost of IT tools and maintenance support

Not all companies or corporate executives are sold on the business intelligence dashboard concept for meeting Sarbanes-Oxley Section 409 requirements. In my long history of working in this field, performance dashboards that balance meeting Section 409 requirements with operational improvements offer the best opportunity for increasing overall shareholder value.

If key corporate executives and managers are able to tap into previously hidden, valuable business information and make more timely and accurate business decisions, I can assure you the financials of a company and their overall performance will increase. When I'm presented with the question "Why should I look at another solution when I have already invested heavily in a data warehouse and traditional business intelligence solutions?", the underlying answer is that each of these technologies was designed for a particular purpose (e.g., improving performance of batch query and reporting activities) within an information silo and was not designed to provide a real-time 360° view of critical business indicators across a dynamically changing business and IT landscape.

In addition to the need to comply with the regulatory aspects of Section 409, don't you owe it to your company and shareholders to implement the best possible management practices you can afford to maximize profitability and customer value? Performance dashboards provide real-time visibility of the organization's most important activities with an easy to view and understand "capstone" for all underlying systems.

It is important to note that not all performance dashboard solutions are considered equal; almost all of the vendors tout the same features and functionality to confuse the marketplace. To help executives and IT managers in their quest to get the "full picture" of what's happening in their company, I have compiled the following criteria that should provide some guidance for what comprises an effective performance dashboard solution:

• Does the solution easily provide visibility across all trusted data sources in the organization?

• Does the solution allow organizations to integrate internal data with external benchmarks from peer groups and competitors?

• Does the solution integrate with existing security protocols to ensure that critical information is available to, and only to, those individuals who need to see it?

• Does the solution allow you to access key supplier information and other relevant data sources to understand issues that may directly or indirectly affect your financial performance?

• Is the solution easily modifiable to respond to changes in the organization's reporting structure?

• Is the system easy and affordable to use at all levels of the organization? And finally, does it give you the information you need and make your job of focusing on the core business functions easier?

Executives who are wrestling with how to address the requirements of Section 409 would do well to focus on performance first rather than simply doing the minimum to "check the box". Also, it is important to challenge traditional IT paradigms and focus on business results rather than what is convenient for the IT department. But more importantly, it's important to think about what you want your legacy to be in terms of "What was the impact your leadership had upon your business?"



Michael Cunningham founded Theoris (formerly Software Synergy Inc.) in 1984 with a vision of software that would move companies beyond the limitations of traditional business intelligence.

Prior to founding Theoris, Michael served as the development director for the founding team of an international computer consulting company where he was responsible for new business acquisition and customer satisfaction.

Cunningham received his BS from Indiana State University and his MA in organization management.




