What’s in Store: Enterprise Reporting and Sarbanes-Oxley

One leading research firm says that enterprises need to actively investigate their reporting solutions and determine whether they comply with three key areas of Sarbanes-Oxley legislation.

Many enterprise environments are approaching compliance with the Sarbanes-Oxley Act with an enthusiasm just short of fear and trembling.

There’s good reason for that. Sarbanes-Oxley places a not inconsiderable burden on IT, both in the form of document management and process management issues, especially in terms of reporting compliance.

According to consultancy Ventana Research, enterprise IT organizations must ensure reporting compliance with Sarbanes Oxley in three key areas: integrity of their financial systems (section 404), timeliness and accuracy of financial reports (section 302), and improved monitoring to detect internal fraud (sections 404 and 409). Each of these issues presents its own sets of challenges and requirements, writes Robert Kugel, a VP and research director with Ventana.

First of all, notes Kugel, companies must identify risks associated with their financial processes—such as the potential for unauthorized purchases or inaccurate cost allocations—and figure out how to develop controls that address them. Reporting systems have a substantial role to play in this aspect of Sarbanes-Oxley compliance, he writes: “[I]t is likely that reporting systems can anchor the risk management of the process because they can eliminate the root cause of the vulnerability … through auditable and verifiable automation, or through centralization of systems, respectively.”

Then there’s compliance area number two—timeliness and accuracy—which is a reporting issue through and through. To recap, sections 302 and 906 of the Sarbanes-Oxley legislation require CEOs and CFOs to certify in their annual and quarterly reports that the financial information contained therein presents an accurate snapshot of a company’s financial condition. At the same time, Kugel notes, the SEC also requires that public companies with market caps in excess of $75 million must accelerate their filing of annual and quarterly statements. Taken together, he says, these two requirements mean that companies must select reporting systems that support financial closures and more timely report creation. “[C]ompanies will need systems to automate financial report creation, and must show that these reports are not vulnerable to errors and fraud,” Kugel writes, cautioning: “[A]lmost all public companies must revamp at least some of their reporting process with new software.”

As companies tackle the third area of Sarbanes-Oxley compliance—fraud and audit reduction—Kugel says that they have an opportunity to “creatively” employ reporting systems, especially once they’ve automated the paper trail of processes associated with buying and shipping physical goods. “From a reporting standpoint, the availability of a wider range of enterprise data [from automation] may make it feasible to implement a ‘fraud dashboard’ to address the needs of internal audit staff and external auditors,” he writes. “This would include both financial and finance-related data … as well as ratios of the financial and operational data that may not already be tracked.”

Another advantage of this approach, Kugel says, is that companies would have access to this information on a near-real-time basis. “[T]he system would automate the data collection and some of the data analysis functions that are done ad hoc and manually today,” he speculates.

Kugel and Ventana Research caution Global 2000 companies that are affected by Sarbanes-Oxley against thinking that just because they’ve got enterprise reporting solutions in place, that they’re compliant. More to the point, he argues, all of today’s reporting solutions fall short of the mark of what is needed for compliance today and going forward. “Currently all reporting systems fall short in offering authentication processes. Audit trails to verify the source of the data behind the data behind the data are difficult or impossible to construct,” he writes. “Although today’s systems may be adequate today, the bar for financial controls always moves higher. Reporting software vendors that address this issue will have an important point of differentiation in the market.”

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.