Is There A Hole In Your Sox? (Compliance)

Analytics and Sarbanes-Oxley

Managing SOX compliance with self-service BI tools like Qlik, Tableau and PowerBI

 

Next year SOX will be old enough to buy beer in Texas. It was born out of the “Public Company Accounting Reform and Investor Protection Act”, known thereafter by the names of the senators who sponsored the bill as the Sarbanes-Oxley Act of 2002. Sarbanes-Oxley was the offspring of the Securities Act of 1933, whose chief purpose was to protect investors from fraud by providing transparency into corporate finances. As that act’s progeny, Sarbanes-Oxley reinforced those aims and attempted to promote accountability through good business practices. But, like many young adults, it is still being figured out. Twenty years on, companies are still working out what the act’s implications are for them specifically, as well as how best to build increased transparency into their technology and systems to support compliance.

 

Who is responsible?

 

Contrary to popular belief, Sarbanes-Oxley does not apply only to financial institutions, or only to the finance department.  Its goal is to provide greater transparency into all organizational data and related processes.  Technically, Sarbanes-Oxley applies only to publicly traded corporations, but its requirements are sound for any well-run business.  The Act makes the CEO and CFO personally accountable for the data presented.  These officers rely, in turn, on the CIO, CDO and CSO to ensure that the data systems are secure, have integrity and are able to provide information necessary to prove compliance.  Recently, control and compliance have become more of a challenge for CIOs and their peers.  Many organizations are moving away from traditional enterprise, IT-managed Analytics and Business Intelligence systems.  Instead, they’re adopting line-of-business-led self-service tools like Qlik, Tableau and PowerBI.  These tools, by design, are not managed centrally.

 

Change Management

 

One of the key requirements for compliance with the Act is to define the controls in place and how changes in data or applications should be systematically recorded. In other words, the discipline of Change Management. Security, data and software access need to be monitored, as does whether IT systems are functioning properly. Compliance depends not just on defining the policies and processes to safeguard the environment, but on actually following them and ultimately being able to prove that they have been followed. Just like a police evidence chain of custody, compliance with Sarbanes-Oxley is only as strong as its weakest link.

 

The Weak Link

 

As an analytics evangelist, it pains me to say this, but the weakest link in Sarbanes-Oxley compliance is often Analytics or Business Intelligence. Analysis and reporting today is more commonly done in line-of-business departments than in IT, and this is even more true of the self-service leaders mentioned above, Qlik, Tableau and PowerBI, which have perfected the self-service BI model. Most money spent on compliance has focused on financial and accounting systems. More recently, companies have rightly expanded audit preparation to other departments. What they found was that formal IT Change Management programs had failed to encompass databases or data warehouses/marts with the same rigor used for applications and systems. The Change Management policies and procedures area of compliance falls under General Controls and is grouped with other IT policies and procedures covering testing, disaster recovery, backup and recovery, and security.

 

Of the many steps required to comply with an audit, one of the things most often overlooked is to: “Keep an activity trail with real-time auditing, including a who, what, where and when of all operator activity and infrastructure changes, especially those that could be inappropriate or malicious.” Whether the change is to system settings, a software application, or data itself, a record must be maintained which contains, at minimum, the following elements:

  • Who requested the change
  • When the change was performed
  • What the change is – a description
  • Who approved the change

 

Recording this information about changes to reports and dashboards in your Analytics and Business Intelligence systems is just as important. Regardless of where the Analytics and BI tool is on the continuum of control – the Wild West, self-service, or centrally managed; whether spreadsheets (shudder), Tableau/Qlik/Power BI, or Cognos Analytics – to be in compliance with Sarbanes-Oxley you’ll need to be recording this basic information. The auditor doesn’t care if you’re using pen and paper or an automated system to document that your control processes are being followed. I concede that if you’re using spreadsheets as your “analytics” software to make business decisions, you might also be using spreadsheets to record the change management.

 

However, chances are good that if you’ve already invested in an analytics system like PowerBI, or others, you should be looking for ways to automate recording the changes in your business intelligence and reporting system. As good as they are, out of the box, analytics tools like Tableau, Qlik and PowerBI have neglected to include easy, auditable change management reporting. Do your homework. Find a way to automate the documentation of changes to your analytics environment. Even better, be prepared to present to an auditor not just a log of changes to your system, but evidence that the changes conform to approved internal policies and processes.

 

Having the ability to:

1) demonstrate that you have solid internal policies,
2) show that your documented processes support them, and
3) confirm that actual practice follows them

will make any auditor happy. And, everybody knows that if the auditor is happy, everybody’s happy.
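The following is an added example, not code from the original article or from any of the BI vendors it names. It shows what “proving the changes conform to policy” can look like when the change log is machine-readable: each record carries the four elements listed above (who requested, when performed, what, who approved), and a small policy check flags records that are incomplete or that break two assumed rules (approval must precede the change, and the requester may not approve their own change). The field names, the sample records and the policy rules are all constructed for illustration.

```python
"""Validate a BI change log against a simple change-management policy.

Added example (not the article's own code). The record fields mirror the four
elements the article lists: who requested, when performed, what, who approved.
The policy rules (every field present, approval recorded before the change is
performed, approver is not the requester) are assumptions chosen for
illustration, not requirements quoted from the Act.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# The four mandatory elements named in the article.
REQUIRED = ("requested_by", "performed_at", "description", "approved_by")


@dataclass
class ChangeRecord:
    change_id: str
    asset: str                      # dashboard, report or data model touched
    requested_by: Optional[str]
    performed_at: Optional[datetime]
    description: Optional[str]
    approved_by: Optional[str]
    approved_at: Optional[datetime] = None


def check_record(rec: ChangeRecord) -> List[str]:
    """Return the policy findings for one record; an empty list means compliant."""
    findings: List[str] = []
    for field in REQUIRED:
        if not getattr(rec, field):
            findings.append(f"missing {field}")
    # Assumed policy: approval must be recorded before the change is performed.
    if rec.approved_at and rec.performed_at and rec.approved_at > rec.performed_at:
        findings.append("approved after the change was performed")
    # Assumed policy: separation of duties between requester and approver.
    if rec.requested_by and rec.approved_by and rec.requested_by == rec.approved_by:
        findings.append("requester approved their own change")
    return findings


def audit(log: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Map change_id -> findings for every record that fails the policy."""
    report: Dict[str, List[str]] = {}
    for rec in log:
        findings = check_record(rec)
        if findings:
            report[rec.change_id] = findings
    return report


def _ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample log: three dashboard changes, two of which break policy.
SAMPLE_LOG = [
    ChangeRecord("CHG-001", "Revenue by Region (Tableau)", "alice",
                 _ts("2024-03-04T10:00:00"), "Add FX-adjusted revenue measure",
                 "bob", _ts("2024-03-03T16:30:00")),
    ChangeRecord("CHG-002", "Sales Pipeline (Power BI)", "carol",
                 _ts("2024-03-05T09:15:00"), "Change fiscal quarter boundaries",
                 "carol", _ts("2024-03-05T09:10:00")),
    ChangeRecord("CHG-003", "GL Reconciliation (Qlik)", "dave",
                 _ts("2024-03-06T14:00:00"), None, None, None),
]

if __name__ == "__main__":
    for cid, findings in audit(SAMPLE_LOG).items():
        print(cid, "->", "; ".join(findings))
```

Run against the constructed log, CHG-001 passes, CHG-002 is flagged because the requester approved their own change, and CHG-003 is flagged for a missing description and missing approver. The point for an audit is that the same check can be run over the full export of a BI platform’s change history, so the evidence handed to the auditor is the log plus a repeatable test of it, rather than the log alone.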

 

Many companies complain about the added costs of compliance, and the cost of compliance with SOX standards can be high.  “These costs are more significant for smaller firms, for more complex firms, and for firms with lower-growth opportunities.”  The cost for non-compliance can be even higher.

 

The Risk of Non-Compliance

 

Sarbanes-Oxley holds CEOs and directors accountable and punishable by up to $500,000 and 5 years in prison.  The government does not often accept a plea of ignorance or incompetence.  If I were a CEO, I would surely want my team to be able to prove that we had adhered to best practices and we knew who had performed every transaction. 

 

One more thing.  I said that Sarbanes-Oxley is for publicly traded companies.  That’s true, but consider how the lack of internal controls and lack of documentation might hinder you if you ever wanted to make a public offering.  

As the BI space evolves, organizations must take into account the bottom line of amassing analytics assets.

The more assets you have, the greater the cost to your business. There are the hard costs of keeping redundant assets, i.e., cloud or server capacity. Accumulating multiple versions of the same visualization not only takes up space, but BI vendors are moving to capacity pricing. Companies now pay more if they have more dashboards, apps, and reports. Earlier, we spoke about dependencies. Keeping redundant assets increases the number of dependencies and therefore the complexity. This comes with a price tag.

The implications of asset failures differ, and the business’s repercussions can be minimal or drastic.

Different industries have distinct regulatory requirements to meet. The impact may be minimal if a report for an end-of-year close has a mislabeled column that the sales or marketing department uses. On the other hand, if a healthcare or financial report does not meet the needs of a HIPAA or SOX compliance report, the company and its C-level suite may face severe penalties and reputational damage. Another example is a report that is shared externally. During an update of the report specs, the low-level security was incorrectly applied, which caused people to have access to personal information.

The complexity of assets influences their likelihood of encountering issues.

The last thing a business wants is for a report or app to fail at a crucial moment. If you know the report is complex and has a lot of dependencies, then the probability of failure caused by IT changes is high. That means a change request should be taken into account. Dependency graphs become important. If it is a straightforward sales report that lists notes by salesperson and account, any changes made do not have the same impact on the report, even if it fails. BI operations should treat these reports differently during change.

Not all reports and dashboards fail the same; some reports may lag, definitions might change, or data accuracy and relevance could wane. Understanding these variations aids in better risk anticipation.
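As an added example (not from the original text, and not tied to any particular BI product), the following shows the dependency-graph idea in working form: a change to one source table is traced downstream to every model and report that depends on it, and each affected asset is labelled by how many upstream dependencies it has, so a change request can be routed differently for complex financial reports than for a simple sales report. The graph, the asset names and the risk threshold are constructed assumptions; in practice the edges would be extracted from the BI platform’s metadata.

```python
"""Change-impact analysis over a BI dependency graph.

Added example, not the article's own code. DEPENDS_ON maps each asset to the
assets it reads from (constructed sample). The high-risk threshold is an
assumption chosen for illustration.
"""
from __future__ import annotations

from collections import defaultdict, deque
from typing import Dict, List, Set

# Constructed sample: source tables -> data models -> reports.
DEPENDS_ON: Dict[str, List[str]] = {
    "dm_finance": ["tbl_gl", "tbl_fx_rates", "tbl_contractor_hours"],
    "dm_sales": ["tbl_orders"],
    "rpt_gl_recon": ["dm_finance"],
    "rpt_contractor_fees": ["dm_finance", "tbl_contractor_hours", "tbl_rate_card"],
    "rpt_sales_notes": ["dm_sales"],
}

# Assumed policy: an asset with this many (or more) transitive upstream
# dependencies is treated as complex and therefore high risk during change.
HIGH_RISK_THRESHOLD = 3


def dependents_index(graph: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert the graph: upstream asset -> assets that read from it."""
    idx: Dict[str, List[str]] = defaultdict(list)
    for asset, upstream_assets in graph.items():
        for dep in upstream_assets:
            idx[dep].append(asset)
    return idx


def downstream(changed: str, graph: Dict[str, List[str]]) -> Set[str]:
    """Every asset that transitively depends on `changed` (the blast radius)."""
    idx = dependents_index(graph)
    seen: Set[str] = set()
    queue = deque([changed])
    while queue:
        node = queue.popleft()
        for child in idx.get(node, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def upstream(asset: str, graph: Dict[str, List[str]]) -> Set[str]:
    """Every asset that `asset` transitively reads from."""
    seen: Set[str] = set()
    queue = deque(graph.get(asset, []))
    while queue:
        node = queue.popleft()
        if node not in seen:
            seen.add(node)
            queue.extend(graph.get(node, []))
    return seen


def risk_level(asset: str, graph: Dict[str, List[str]]) -> str:
    """Classify an asset by the size of its upstream dependency set."""
    return "high" if len(upstream(asset, graph)) >= HIGH_RISK_THRESHOLD else "low"


def change_impact(changed: str, graph: Dict[str, List[str]]) -> Dict[str, str]:
    """Assets affected by a change to `changed`, each with its risk label."""
    return {a: risk_level(a, graph) for a in sorted(downstream(changed, graph))}


if __name__ == "__main__":
    for table in ("tbl_contractor_hours", "tbl_orders"):
        print(table, "->", change_impact(table, DEPENDS_ON))
```

With the constructed graph, a change to `tbl_contractor_hours` reaches the finance model and both finance reports, all of which are labelled high risk, whereas a change to `tbl_orders` only touches the sales model and the sales notes report, both low risk. That is the distinction the paragraph above draws: the same IT change warrants a different level of review depending on what sits downstream of it.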

Marketing uses several reports for its campaigns – standard analytic assets often delivered through marketing tools. Finance has very complex reports converted from Excel to BI tools while incorporating different consolidation rules. The marketing reports have a different failure mode than the financial reports. They, therefore, need to be managed differently.

It’s time for the company’s monthly business review. The marketing department proceeds to report on leads acquired per salesperson. Unfortunately, half the team has left the organization, and the data fails to load accurately. While this is an inconvenience for the marketing group, it isn’t detrimental to the business. However, a failure in financial reporting for a human resource consulting firm with thousands of contractors, containing critical and complex calculations about sickness, fees, hours, etc., has major implications and needs to be managed differently.

Acknowledging that assets transition through distinct phases allows for effective management decisions at each stage. As new visualizations are released, the information leads to broad use and adoption.

Think back to the start of the pandemic. COVID dashboards were quickly put together and released to the business, showing pertinent information: how the virus spreads, the demographics affected, risks to the business, etc. At the time, it was relevant and served its purpose. As we moved past the pandemic, COVID-specific information became obsolete, and the reporting was integrated into regular HR reporting.
Reports and dashboards are crafted to deliver valuable insights for stakeholders. Over time, though, the worth of assets changes.
When a company opens its first store in a certain area, there are many elements it needs to understand – other stores in the area, traffic patterns, pricing of products, what products to sell, etc. Once the store is operational for some time, specifics are not as important, and it can adopt the standard reporting. The tailor-made analytic assets become irrelevant and no longer add value to the store manager.