While some emerging technologies are still on the roadmap, others, like advanced data analytics and visualization, are already here and actively being used at organizations around the globe. In response, the Public Company Accounting Oversight Board (PCAOB) launched the Technology Innovation Alliance (TIA) Working Group to advise regulators on the impact of emerging technologies and provide recommendations for PCAOB oversight.
Are the IT components of your Sarbanes-Oxley (SOX) compliance function ready to respond to changes in the risk landscape driven by emerging technologies? In this article, we highlight one of the most widely adopted emerging technologies and provide recommendations on how to identify and address relevant financial reporting risks. The next article in this series will help you consider relevant risks with bringing robotic process automation (RPA) to your SOX processes.
Few would dispute that today’s organizations have access to more data than ever before at their disposal – firms interact with customers, vendors and employees – all through digital channels – dramatically increasing the availability of data, yet, organizing that data into actionable insights is difficult and costly. Advanced data analytics software may be the solution – by simplifying the data structuring process, via tools like the Snowflake Data Cloud or Amazon Redshift, and presenting data in user-friendly and interactive dashboards, with tools like Tableau or Power BI, firms have access to reliable, cost-effective and scalable data analytics. But with simplicity comes opaqueness, end-users don’t have a clear line-of-sight to the data collection and reporting process. How can firms and SOX compliance functions be confident their reporting is complete, accurate and reliable? The reporting stack can be broken down into four key concepts that compliance functions should consider when managing advanced reporting solutions:
Reliable data is critical to ensure your SOX controls support accurate financial reporting and as the saying goes, “garbage in, garbage out." End-user reporting, whether custom queries, dynamic dashboarding or standard system reports, is only as good as the quality and reliability of the data entered into source systems. When key transactional or master data is entered into a system, it should be validated in some form to ensure its accuracy and validity. Without a means of establishing reliability in source data, organizations should question the completeness and accuracy of reports used in the operation of internal controls over financial reporting. Specifically, management should consider:
To facilitate advanced data analytics, modern firms are adopting new methods, such as data clouds and/or data warehouses, to structure and integrate data into usable data sets. To do so, firms must first design integrations, which effectively map data fields and tables between source systems and the data cloud. IT will often combine data from multiple systems and tables into a single data table within the data warehouse (e.g., IT may create a sales orders table within the data cloud that contains data from multiple source system tables in addition to pulling in additional data from other systems, such as a customer relationship management (CRM) application to provide additional data fields).
These data management solutions provide organizations with numerous advantages including increased transparency while reducing the load on primary transactional systems. However, they also introduce several challenges in maintaining an effective system of financial reporting controls. In the simplest terms, these systems become a part of your SOX environment, expanding the footprint over which your system of controls needs to operate. However, these tools are fundamentally designed for end-user flexibility and agility in data manipulation, which can stand in contrast to typical SOX control objectives. When using data warehouses and data clouds management should consider:
With a structured dataset, actionable insights are right on the horizon. Data warehouse solutions enable companies to leverage advanced reporting tools, like Tableau or Power BI, to create customizable reporting dashboards to display data in a user-friendly and interactive manner. These powerful tools present data visualizations which allow users to realize greater insight in the datasets that traditional flat file reporting does not enable. The reports can be customized to include/exclude specific data fields, join data tables, and perform mathematical operations, all “behind-the-scenes” and unbeknown by the end-user – this promotes ease-of-use and consistent operation. Reporting dashboards are often created by IT, published, and made available to end-users – who are then able to apply additional filters, isolate specific data fields, and generally “interact” with the data output. Management should inventory relevant dashboard reports and consider:
Modern reporting is becoming increasingly more dynamic – allowing users to “zoom-in” on specific customers, filter to in-scope regions, and perform a variety of tasks by interacting with the data. While a dashboard report can be subject to change management controls, often, the interactive output is not, as end-users are able to freely manipulate the data output via input parameters and other commands. In response, management should consider:
As the nature of reporting financial data is becoming more dynamic and interactive, so should your consideration of controls. A clear inventory of what sources and methods of reporting are being utilized provides the foundation to determine where and how controls should be designed. As you consider any of these concepts in the context of your environment, Baker Tilly is here to assist and share perspectives. Share your thoughts or concerns with us and we’d be happy to meet with you and discuss these topics and their impact on your SOX compliance program.