SOX and Data Integrity

Dating to the early days of computing, garbage in, garbage out (GIGO) is a simple idea used to describe how computers, when fed flawed or nonsensical data, would dutifully perform their tasks and produce results that were equally flawed or nonsensical. Over the years, as computers have become more sophisticated and intelligent, the focus on GIGO has waned. Though the notion of GIGO may have been relegated to obscurity in recent years, it has a role to play in helping explain the damaging consequences that bad data can have on a company's efforts to comply with the Sarbanes-Oxley Act (SOX).

Data integrity is at the heart of Sarbanes-Oxley, the 2002 law that established new financial and accounting regulations for U.S. public companies. SOX requirements are first and foremost requirements to capture, manage, act on and report information. When the information collected is flawed, every other step in the process is equally flawed. As a result, with bad data, attempts at SOX compliance become a pointless exercise. For this reason, data integrity is every bit as important as a company's commitment to abide by the law.

There are several ways that bad data can creep into a business and impact SOX compliance and other business requirements.

Erroneous data can enter a company's information systems. This can result from innocent mistakes or fraudulent activity. Given that the driving force behind the enactment of the Sarbanes-Oxley law was preventing fraud, this is definitely the most significant data integrity issue. The fraudulent introduction of erroneous data can come in many forms. To illustrate, there are plenty of real-world examples of how executives at some companies have manipulated the results of their businesses to prop up the stock and to enrich themselves at the expense of unwitting investors. Think Enron, WorldCom, Tyco, Adelphia and AIG. Innocent mistakes also can come in many forms. They can be as simple as the misspelling of a customer's name or an incorrect purchase amount, credit limit or currency exchange factor.

Data inconsistencies can occur within a company's information systems. This is often caused when there is a misalignment of databases within a company or when large volumes of flawed and unchecked data are imported into a central information repository. For example, companies that have grown into global businesses - especially through acquisitions - may lack the internal systems to accurately collect and consolidate financial data from subsidiaries in other geographies. Often information collected in operations outside the U.S. must be collected differently because of local financial requirements and language differences. Companies lacking the ability to easily and accurately consolidate the information for preparing financial reports are at a distinct disadvantage.

Data visibility is a problem for companies lacking the tools to cut through the clutter of highly granular transaction data. While this is not GIGO in its purest sense, it is nonetheless a data-related problem in SOX compliance. There are many companies that generate massive amounts of transactional data, but don't have the software tools and business processes to sort through this data and learn what they need to know for good decision-making. For example, problems such as deteriorating supplier performance or manufacturing quality can go undetected when the right information analysis capabilities are not present. Since business decisions are based on information and not raw data, managers lacking visibility into variances from the plan and other exceptions are at a disadvantage in complying with SOX disclosure requirements.

At its most basic level, it was data integrity problems at companies such as Enron, WorldCom and Tyco that created the public and government backlash that led to the Sarbanes-Oxley law. While data problems can originate from fraud, innocent human error or a company's inadequate business systems, the implications for investors and others outside the company are the same. Bad data leads to false and misleading financial reports and consequently to distrust among investors, government regulators and others outside the company.

To help rebuild public trust in the American corporate sector, requirements of the Sarbanes-Oxley Act are focused, in part, on the internal controls that govern preparation of financial reports. Sarbanes-Oxley requires corporate executives to attest that the processes that lead to the preparation of financial reports have safeguards against fraud and have been followed.
On the surface, this seems like a simple, straightforward requirement. But the complexity of many companies makes the risk of bad data creeping into financial reports very real.

There are software products on the market today that can help companies prevent garbage in, garbage out problems in their SOX compliance. When used in conjunction with good business processes, these products help companies meet the need for reliable internal controls and procedures and for producing assurances that these procedures have been met. In looking for a software solution to eliminate the GIGO threat, the following application capabilities are fundamentally important:

Sense: Applications that support viewing transactions in real-time as they occur -- or don't occur -- across all business systems.

Respond: Applications that send real-time alerts to all levels of the organization with direct SOX compliance responsibilities. The response functionality is also important for communicating up and down the supply chain in support of overall business processes.

Act: Applications that enable closed loop resolution of detected events, as defined by your business rules.

In recent years, public companies in the U.S. have spent billions on SOX compliance. As John Hagerty and Fenella Scott state in their November 2005 AMR Research report, "SOX Spending for 2006 to Exceed $6 B," the investment in SOX this year will be on a par with 2005. Hagerty and Scott also note in the same report that the proportion of this investment devoted to information technology solutions will increase by 13 percent. These figures confirm the importance executives are placing on SOX compliance and the increasing recognition that information technology has an important role to play in protecting against bad data jeopardizing their compliance initiatives. These executives can be assured that there are software products available that address the risk of bad data.
Adopting the right solution can help them sleep better at night and not worry about the ghosts of GIGO creeping into their businesses.

Source: line56.com