Two professionals meet at a computer to review analytics
Article | Part I

Four key concepts to consider when using advanced reporting solutions in your SOX program

Addressing financial reporting risks when adopting emerging technologies

While some emerging technologies are still on the roadmap, others, like advanced data analytics and visualization, are already here and actively being used at organizations around the globe. In response, the Public Company Accounting Oversight Board (PCAOB) launched the Technology Innovation Alliance (TIA) Working Group to advise regulators on the impact of emerging technologies and provide recommendations for PCAOB oversight. 

Are the IT components of your Sarbanes-Oxley (SOX) compliance function ready to respond to changes in the risk landscape driven by emerging technologies? In this article, we highlight one of the most widely adopted emerging technologies and provide recommendations on how to identify and address relevant financial reporting risks. The next article in this series will help you consider relevant risks with bringing robotic process automation (RPA) to your SOX processes.

Advanced data analytics

Few would dispute that today’s organizations have access to more data than ever before at their disposal – firms interact with customers, vendors and employees – all through digital channels – dramatically increasing the availability of data, yet, organizing that data into actionable insights is difficult and costly. Advanced data analytics software may be the solution – by simplifying the data structuring process, via tools like the Snowflake Data Cloud or Amazon Redshift, and presenting data in user-friendly and interactive dashboards, with tools like Tableau or Power BI, firms have access to reliable, cost-effective and scalable data analytics. But with simplicity comes opaqueness, end-users don’t have a clear line-of-sight to the data collection and reporting process. How can firms and SOX compliance functions be confident their reporting is complete, accurate and reliable? The reporting stack can be broken down into four key concepts that compliance functions should consider when managing advanced reporting solutions: 

  1. Source data
  2. Data warehouse and data cloud solutions
  3. Dashboard reports and data visualization software
  4. Interactive report output
Source data

Reliable data is critical to ensure your SOX controls support accurate financial reporting and as the saying goes, “garbage in, garbage out." End-user reporting, whether custom queries, dynamic dashboarding or standard system reports, is only as good as the quality and reliability of the data entered into source systems. When key transactional or master data is entered into a system, it should be validated in some form to ensure its accuracy and validity. Without a means of establishing reliability in source data, organizations should question the completeness and accuracy of reports used in the operation of internal controls over financial reporting. Specifically, management should consider:

  • Which data elements (e.g., customer orders, vendor invoices, customer pricing) are relied on for end-user reporting? 
  • Are there effective controls in place to validate that data entered in the source system are complete, accurate and valid?
  • If data is automatically interfaced to the source system via scheduled job or application programming interface (API), are there effective controls in place to validate the complete and accurate transfer of data?
Data warehouse and data cloud solutions

To facilitate advanced data analytics, modern firms are adopting new methods, such as data clouds and/or data warehouses, to structure and integrate data into usable data sets. To do so, firms must first design integrations, which effectively map data fields and tables between source systems and the data cloud. IT will often combine data from multiple systems and tables into a single data table within the data warehouse (e.g., IT may create a sales orders table within the data cloud that contains data from multiple source system tables in addition to pulling in additional data from other systems, such as a customer relationship management (CRM) application to provide additional data fields). 

These data management solutions provide organizations with numerous advantages including increased transparency while reducing the load on primary transactional systems.  However, they also introduce several challenges in maintaining an effective system of financial reporting controls.  In the simplest terms, these systems become a part of your SOX environment, expanding the footprint over which your system of controls needs to operate.  However, these tools are fundamentally designed for end-user flexibility and agility in data manipulation, which can stand in contrast to typical SOX control objectives.  When using data warehouses and data clouds management should consider:

  • How have data tables/fields been mapped between the source system(s) and data cloud? 
  • Are relevant stakeholders aware of the composition (and source) of each custom table within the data cloud?
  • Are there effective controls in place to validate that data mappings between the source system and data cloud are appropriate?
  • How does data interface from the source system to the data warehouse? Are there effective controls in place to validate that data interfaces completely and accurately?
  • Are IT General Controls (ITGCs) in place and operating within your data warehouse to ensure ongoing reliability over the reporting used in key SOX controls and processes?
  • Is access to maintain critical financial reports restricted to a limited number of appropriate users?
Dashboard reports and data visualization software

With a structured dataset, actionable insights are right on the horizon. Data warehouse solutions enable companies to leverage advanced reporting tools, like Tableau or Power BI, to create customizable reporting dashboards to display data in a user-friendly and interactive manner. These powerful tools present data visualizations which allow users to realize greater insight in the datasets that traditional flat file reporting does not enable. The reports can be customized to include/exclude specific data fields, join data tables, and perform mathematical operations, all “behind-the-scenes” and unbeknown by the end-user – this promotes ease-of-use and consistent operation. Reporting dashboards are often created by IT, published, and made available to end-users – who are then able to apply additional filters, isolate specific data fields, and generally “interact” with the data output. Management should inventory relevant dashboard reports and consider:

  • How was the dashboard report built – are there underlying structured query language (SQL) statements that are used to build the dashboard report “behind-the-scenes?”
  • Are there effective controls in place to validate the completeness and accuracy of the dashboard report logic? Was the dashboard report subject to ITGC change management controls?
  • Who has access to modify dashboard reports? Is access restricted to IT personnel or can end-users modify the report logic?
  • If dashboard reports are not subject to ITGCs, is there a process in place to validate the completeness and accuracy of the report each time it’s used?
Interactive report output

Modern reporting is becoming increasingly more dynamic – allowing users to “zoom-in” on specific customers, filter to in-scope regions, and perform a variety of tasks by interacting with the data. While a dashboard report can be subject to change management controls, often, the interactive output is not, as end-users are able to freely manipulate the data output via input parameters and other commands. In response, management should consider:

  • Whether input parameters are used prior to generating (or refreshing) the report. If so, are there effective controls in place to validate the appropriateness of the entered parameters?
  • Whether the dashboard report allows for interactive commands, “zooming-in”, creating pivot tables, bucketing, etc. If so, are there effective controls in place to validate the appropriateness of the interactive commands.
Where to begin

As the nature of reporting financial data is becoming more dynamic and interactive, so should your consideration of controls. A clear inventory of what sources and methods of reporting are being utilized provides the foundation to determine where and how controls should be designed.  As you consider any of these concepts in the context of your environment, Baker Tilly is here to assist and share perspectives.  Share your thoughts or concerns with us and we’d be happy to meet with you and discuss these topics and their impact on your SOX compliance program.

Joe Shusko
Principal
Together, team members climb a mountain to reach the summit
Next up

Getting risk appetite right in uncertain times