Business Intelligence Best Practices - BI-BestPractices.com

Gauging Your BI Maturity for Sarbanes-Oxley

by Kevin Graves
You will see where your company stands on the BI maturity continuum and grade your organization in seven SOX-related measures.

While the ramifications from the Sarbanes-Oxley Act of 2002, or “SOX,” are still being assimilated into corporate mindsets, the following is clear: SOX is intent on rebuilding the confidence of the investing public, not just for your company but for American markets in general. Companies that embrace this challenge, and do it well, will be best positioned to reap the rewards of increased investor trust and peace of mind.

The PCAOB (Public Company Accounting Oversight Board—a private-sector, non-profit corporation created by SOX to oversee the auditors of public companies) and the auditing firms it regulates have all offered guidance on SOX compliance, yet no one has produced the magic checklist that companies can follow to ensure they avoid the dreaded “qualified opinion.” Companies are, therefore, embarking on costly and time-consuming control review and documentation efforts, often based upon comprehensive frameworks (including COSO, COBIT, ISO 17799, and ITIL). These efforts are aimed at complying with Section 404 of the Act (nicknamed SOX 404), which requires management to report on its assessment of internal control over financial reporting.

At the end of the day, however, you don’t get any points for volume. The challenge is to narrow the focus of your compliance efforts to the areas which matter most. Business intelligence (BI) is one such area, as it touches upon several of the keys for SOX compliance: data integrity, reporting, controls, and security/access.

This article explores the integration between BI and SOX. You will see where your company stands on the BI maturity continuum, grade your organization in seven SOX-related measures, and learn some practical action steps that will ultimately improve your compliance, satisfy key stakeholders, and competitively reposition your company.

Placing Your Company on the BI Continuum

Much like the college professor who wouldn’t give full credit for an undocumented answer, even when correct, neither the SEC nor potential investors will be impressed with financial results lacking the appropriate audit trails and controls that prove company officers fully comprehend and trust their own data. Fortunately, most companies already have the necessary tools in place (or at a minimum, know they are available in the marketplace) to move deliberately forward in reaching necessary SOX 404 compliance by the June 2004 deadline.

To assist in determining the BI health of your organization, the following five-stage continuum will help you diagnose the current level of BI maturity your organization has achieved. Descriptions of the five stages are followed by seven key areas you can improve to enhance your BI infrastructure and move your company further along the continuum.


Stage 1 Companies—Anemic

Stage 1 companies are clearly deficient when it comes to their investment in a BI infrastructure. One of the key characteristics of Stage 1 is the continued dominance of uncontrolled spreadsheet reporting. Whether for current reports, forecasts, or trending, these manually intensive—and manually vulnerable—tools must become part of pre-SOX reporting history. Fortunately, while these companies may have a difficult starting position, they can still achieve SOX 404 compliance in the interim while simultaneously moving smartly toward a more robust BI architecture.

Organizations must initiate a central data repository and lock down the financial data used for financial reporting and decision making. Additionally, those spreadsheets we mentioned must be discarded in favor of implementing a standard and scalable BI platform from which robust and flexible reports can be generated securely.

The good news is that SOX 404 provides an excellent opportunity to immediately justify a systematic process of controlling the financial data and how it is used and reported. While a full-scale data warehouse investment is certainly beyond the realm of most Stage 1 companies in the short term, taking the above steps will put them well on their way to building the critical foundation, infrastructure, and standards that will be needed longer term. In addition, a solid roadmap will be created to bring additional reporting areas under a common organizational umbrella at a later time with sufficient controls, standard procedures, and complete documentation.

A Stage 1 company will have a majority of “D” and “F” ratings in seven key categories identified in the Grading Your Position section, later in this discussion.

Stage 2 Companies—Adapting

What about companies sitting in the midst of a substantial, but renegade, BI environment where data kingdoms have multiplied and feral data marts incorporating their own versions of financial truth need to be reined in? These are the Stage 2 companies that are slowly adopting BI principles and already have many of the necessary tools to achieve initial SOX 404 compliance.

The key steps to take here: centralizing existing data repositories, conforming overlapping dimensions, and locking down the financial data needed for financial reporting, internal decision making, and external reporting. Importantly, this also provides the requisite first step to rein in the runaway data marts and begin using a “single version of the truth.” While this has always been the promise of any modern data warehouse initiative, the practice has often resulted in data mart silos (with conflicting business rules, disparate source systems, and so on) to reduce incremental costs and implement the warehouse more quickly.

As with Stage 1 companies, SOX provides Stage 2 companies an exceptional opportunity and immediate justification for beginning a systematic process of reining in the untamed data marts and restoring order and consistency to the financial data. In the past, full-scale data warehouse implementations were avoided due to the high cost and long lag times (often years) before initial results could be seen. Now, as employees and departments have grown familiar with the tools and value of BI, the final step is to coax them all to begin feeding from the same secure, accurate source.

Thus, the first major step toward an enterprise-level BI infrastructure can begin now, incrementally, with all of the financially sensitive data. By seeking SOX 404 compliance and implementing the necessary controls, procedures, and documentation around financial reporting, these companies will also be creating a rapid roadmap for bringing other stray data marts back into the fold as appropriate. Plus, incorporating financials into reporting eliminates squabbling over the correct source—one version of the financial truth will have finally arrived.

A Stage 2 company will have a majority of “D” ratings with a couple of “Cs” and possible “Fs” in the seven key categories in Grading Your Position.

Stage 3 Companies—Approaching

Stage 3 companies are approaching a mature BI environment; however, the controls and practices that were once acceptable pre-SOX must now be addressed and re-aligned. Do the financial systems upon which quarterly and annual reports are based have interfaces to other systems (e.g., billing) without the same controls and security? Perhaps someone who has no privileges to the financial system may yet have access to alter the pricing structure of a major customer that ultimately feeds the financial system. If these authorizations are not clearly documented and audited within the systems, should the CEO sign off that the appropriate controls are in place to eliminate material errors in the financial data?

Another area to investigate is whether the information spread to various data marts is well regulated and accurate before influencing corporate decisions. Is there, in fact, a “single version of the truth,” or are departments taking the data and interpreting it (and modifying it) to suit their own diverse purposes? Without proper internal controls on this data, shareholders will not have confidence that the most effective or efficient decisions are being made on their behalf. All else being equal, if investors’ trust is not well founded in a Stage 3 company, their portfolio dollars will tend to flow to competitors with a superior position on the BI continuum.

A Stage 3 company will have a “C” average in the seven key categories.

Stage 4 Companies—Acceptable

Stage 4 companies represent an acceptable level of initial SOX 404 compliance. These organizations have a mature BI environment with consistent reporting, appropriate controls, and excellent documentation. In other words, Stage 4 companies represent the baseline of manageable and appropriate compliance against the backdrop of a solid BI infrastructure.

The temptation for these companies already at (or nearing) Stage 4 is to rest and focus elsewhere. But let’s revisit the intent of SOX one more time—rebuilding investor trust and peace of mind through appropriate controls and transparency. Have the Stage 4 companies made needed financial data transparent to the owners of the business? Have they established the appropriate infrastructure to provide investors with useful information, and, when needed, material changes within the newly prescribed timeframes? Learning about Stage 5 companies will shed new light on potential improvements for Stage 4.

A Stage 4 company will have a majority of “B” ratings in the seven key categories, but should have no category scoring lower than a “C.”

Stage 5 Companies—Advanced

The Stage 5 company is advanced and always evolving by moving beyond compliance to provide true value and transparency to shareholders. The Stage 5 approach results in a competitive advantage by capturing investor dollars that could have been directed toward less-transparent competitors.

This sought-after transparency is the result of being able to provide near-real-time information to shareholders via the Web—and not to just provide it, as in the footnotes of the past, but to allow investors the ability to interact with the information by drilling down, asking questions, and comparing to previous periods. This capability can be brought about by the emergence and customization of BI tools that are focused on investor relations via an external data mart.

While investor interaction and data “pulls” are opening doors to previously unknown levels of transparency and confidence building, there is even more to the story. The external data mart opens the door to a conversation with current and potential investors. When structured properly, companies will be able to learn what is important to investors and how they are using and interacting with the data and financial statements being provided. Based on what they learn about existing shareholders from analyzing data usage, companies can dramatically improve their communications and relationship with the investment community at large.

A Stage 5 company will have at least three or four “A” ratings in the seven key categories, with no category scoring lower than a “B.”

Grading Your SOX 404 Progress

The following table outlines seven key areas that need to be addressed when considering your current compliance level and assessing your SOX 404 risk.

Summary

While sweeping in nature, the Sarbanes-Oxley Act of 2002 really represents an opportunity to advance your internal controls and financial reporting capabilities where they ideally would have been long ago. Several developments have recently begun to take hold in concert: investor confidence is slowly on the mend, compliance activities for SOX are well underway, and the BI market has continued impressive advancements. Those facts, coupled with the major data warehouse investments of recent years, lead to a very reachable goal of achieving timely compliance with SOX 404 without undue burden on existing plans and budgets, no matter where your company currently resides on the BI continuum.

Even more striking is the ability to reach out to, and interact with, stakeholders in ways never before deemed possible. Looking back years from now, Sarbanes-Oxley may indeed be seen as the stimulus of these new capabilities, but increased investor confidence will widely be recognized as the underlying significance.

Grading Your Position in Seven Key Areas
Data Repository
“F”
  • No enterprise-wide data stores or data architecture plans in place
  • Limited BI investments, even among individual departments
“D”
  • Limited enterprise data available for financials
  • Multiple BI investments spread across various departments
“C”
  • Source systems are secured and feed a central repository
  • Enterprise standards for BI have been chosen and have been deployed on a limited basis
  • The existing repository and BI
“B”
  • The data warehouse is secure and is generally accepted by the business as the single source of truth and data integrity
  • An enterprise data architecture is modeled for flexibility and scalability
“A”
  • Feral data marts have been reined in and brought into alignment with a centralized data architecture
  • The BI environment has been optimized for reporting
  • An external data mart has been created for interaction with analysts and investors
Reporting
“F”
  • Spreadsheet reporting is common and manual consolidation of key financial data and indicators is the norm
  • Reporting capabilities within individual software packages are not integrated
“D”
  • Organizational reporting is accomplished with significant manual intervention
  • Most reporting is still departmental and not integrated
“C”
  • Some alignment between departmental reporting has been achieved
  • Organizational financial data is centralized and handled via the BI environment
“B”
  • Reports are secure and fed from a single, consistent data source
  • Manual intervention is not possible (and is unnecessary, given the tool’s flexibility and capabilities), especially for financial data
  • Transaction systems are not impacted
“A”
  • Reporting is near real time but does not impact transaction systems
  • Financial reporting is fed from a single data source and is an ongoing product rather than a quarterly or annual scramble
Security
“F”
  • Reporting security is handled via transaction systems or on an ad hoc basis
“D”
  • Database security is leveraged to secure sensitive data
  • No comprehensive, consistent security policy in place
“C”
  • Single sign-on security has been employed throughout the infrastructure and is often validated via the HR system
  • An organizational security policy exists and is enforced
“B”
  • The source systems, data warehouse, and data marts are secure and provide appropriate audit fields
  • A single sign-on is validated via the HR system
“A”
  • The features of “B” level security, plus…
  • An optional “registry” capability exists on the external data mart to provide limited demographic information and to enable monitoring of investor interactions
Customer Privacy
“F”
  • Customer-sensitive information often exists on unsecured, unencrypted spreadsheet reports and data extractions
  • Proper customer privacy protection is not ensured
“D”
  • The organization has a loosely enforced customer privacy and encryption policy to protect sensitive information
“C”
  • A strict organizational privacy policy is implemented and enforced
  • Occasional audits of all data extractions that include sensitive customer information (name, address, account number, Social Security number) are conducted
“B”
  • The flows of customer-sensitive information are securely stored and transmitted, and encrypted where necessary, for customer protection
  • Privacy audits are mandatory and consistent across the organization
“A”
  • Customer-sensitive data stores and flows are secured and encrypted as needed
  • The privacy policy in regard to information collected via the external data mart is clearly stated and readily available on the Web site
Documentation
“F”
  • Documentation of source and reporting systems is limited and disjointed
  • Employees are unaware of documentation standards and templates
“D”
  • Most systems are documented, but common standards are not employed
  • Usage of change logs to monitor data access is handled on a system-by-system, department-by-department basis
“C”
  • Documentation standards and templates are available via a corporate intranet and are clearly communicated
  • Central policies exist governing data access rules and usage of change logs in identifying potential policy violations or security breaches
“B”
  • Clear authorization policies exist and are regularly enforced
  • Comprehensive system documentation that includes full descriptions of all business rules employed is available
  • Metadata is architected, captured, and integrated throughout the BI environment
“A”
  • Robust authorization policies are enforced and audited
  • All systems are consistently documented and shared
  • Metadata is architected, captured, and integrated throughout all systems, including the BI environment
System Controls
“F”
  • No enterprisewide backup and disaster recovery plan exists
  • System maintenance schedules are ad hoc
“D”
  • Backup and recovery plans are handled on a system-by-system basis
  • System maintenance schedules and primary system usage downtimes are well documented
“C”
  • An enterprise backup and disaster recovery plan exists
  • The BI environment is part of the enterprise recovery plan
  • Usage windows are clearly defined and system maintenance is well-coordinated
“B”
  • A comprehensive, enterprisewide disaster recovery plan is in place and prioritization standards are clearly documented and adopted
  • Organizational controls are consistently interpreted and applied to source systems, the data warehouse, and reporting systems
“A”
  • Key systems, including the external data mart, are replicated to ensure zero downtime
  • Organization controls and maintenance plans are standardized and consistently followed
Development Methodology
“F”
  • No standard development methodology is followed
  • Standard change management procedures do not exist or are not followed
  • Bug fixes are not consistently reported or tracked
“D”
  • One or more development methodologies may be used
  • Standard change management procedures have been established, but no change management committee exists
  • Bug tracking and fixes are handled on a system-by-system basis
“C”
  • A standard methodology has been adopted to ensure organizational consistency
  • Change management procedures are current and consistent across the organization
  • Application bugs that affect financial data are assigned high priority
“B”
  • A standard development approach exists along with a clearly defined change management process and committee
  • Methodology training and support are readily available to employees
  • Any known bugs surrounding financial systems data are given highest priority and/or have already been resolved
“A”
  • The standard development methodology has been widely taught and adopted, while periodically audited for improvements
  • The change management process and corresponding committee are in place and clearly communicated
  • Any known bugs surrounding financial systems and data have been resolved
  • Firewall security is emphasized for the external data mart

The following table provides some direct actions that your organization can take to immediately begin improving its SOX 404 compliance and reducing its risk in the seven key areas described previously.


Improving Your Position in Seven Key Areas

Data Repository
From “F” to “D”
  • Design the long-term enterprise data architecture beginning with financial data
From “D” to “C”
  • Create an initial, scalable data warehouse that is the single source of “financial truth” to be used for all financial reporting and data marts
  • Establish standardized security on the data warehouse and the financial source system(s)
From “C” to “B”
  • Review, secure, and standardize the source systems and related data extractions
  • Review the hardware and software supporting the warehouse for future scalability
From “B” to “A”
  • Leverage the existing data warehouse to source an external data mart
Reporting
From “F” to “D”
  • Replace any uncontrolled financial spreadsheet reports with a secure data mart sourced by the financial system applying the same business rules
From “D” to “C”
  • Revamp any data mart that uses financial data to pull directly from the new warehouse while incorporating the same business rules used by the financial system(s)
From “C” to “B”
  • Audit any data mart using financial data to ensure it incorporates the same business rules used by the financial systems
  • Replatform any older or custom-built marts into the standard BI environment leveraging the appropriate integrated security
From “B” to “A”
  • Create a new, outward-facing (or “external”) data mart portal that will enable investors to interact with your financial reports and data
  • Secure the portal behind a proper firewall
  • Provide mechanisms for text messages and stakeholder inquiry and forums
Security
From “F” to “D”
  • Update the user security policies and audit the access rights established
  • Add appropriate audit fields to any tables in any system that store or influence financial data (including, at a minimum, the creation and modification users and dates on all financial-related tables)
From “D” to “C”
  • Apply single sign-on security on all financial-related systems (including the warehouse and affected data marts) validated via the HR system
  • Update the user security policies and audit the access rights established
  • Add appropriate audit fields to any tables in any system that store or influence financial data
From “C” to “B”
  • Apply single sign-on security throughout the infrastructure validated via the HR system
  • Verify user security across each of these systems and ensure authorizations and policies are correctly documented and up to date
From “B” to “A”
  • Create an optional “registry” capability that provides limited demographic information of interest and enable monitoring of individual investor interactions
Customer Privacy
From “F” to “D”
  • Remove customer-sensitive information from any remaining unsecured spreadsheet reports and data extractions
From “D” to “C”
  • Secure and/or encrypt any customer-sensitive data flows as needed to ensure privacy protection (name, address, account number, social security number)
From “C” to “B”
  • Review all data extractions that include sensitive customer information
  • Remove, secure, and/or encrypt the data as needed to ensure privacy protection
From “B” to “A”
  • Leverage the existing customer privacy rules and policies in monitoring the new external registry
Documentation
From “F” to “D”
  • Begin building comprehensive documentation and control procedures, starting with your financial system(s) and any warehouses or marts fed by financial data
  • Communicate to all employees the new expectations and the critical importance of full compliance with security policies
From “D” to “C”
  • Enhance your existing documentation and control procedures, especially surrounding your financial system(s) and any warehouses or marts fed by financial data
  • Use existing change logs to identify access violations and/or security breaches
  • Communicate to all employees the heightened expectation and importance of full policy compliance
From “C” to “B”
  • Conduct an internal audit of existing documentation and controls surrounding your financial systems and any warehouses or marts fed by financial data
  • Enhance the change log review process and content for potential policy violations or security breaches
  • Communicate to all employees expectation of full policy compliance
From “B” to “A”
  • Communicate to the external audience your desire to provide meaningful information they can use to make wise, confident investment decisions in your company
System Controls
From “F” to “D”
  • Create an enterprisewide backup and disaster recovery plan if no standard currently exists
From “D” to “C”
  • Add and prioritize the data warehouse and especially financial-dependent data marts to the enterprise backup and disaster recovery plans
From “C” to “B”
  • Ensure the data warehouse and data marts are incorporated and well-prioritized within the enterprise backup and disaster recovery plans
From “B” to “A”
  • Prioritize backup and recovery of the external mart at the same level as other financial reporting needs
Development Methodology
From “F” to “D”
  • Establish standard change management procedures and establish a change management committee
  • Identify, track, and assign high priority to fixing any known application bugs that may impact financial data or reporting
From “D” to “C”
  • Implement a standard, detailed development methodology to ensure consistency across the organization
  • Establish standard change management procedures and establish a change management committee if none currently exists
  • Identify and assign high priority to any known application bugs that affect financial data
From “C” to “B”
  • Audit your methodology and change management procedures to ensure they are current and consistent across the organization
  • Identify and assign high priority to any known application bugs that affect financial data
From “B” to “A”
  • Leverage your existing methodology in constructing the new external data mart, with emphasis on firewall security and customer information protection

Kevin Graves is a manager with Nexus Consulting Group. He has 10 years of consulting experience in the full lifecycle implementation of business intelligence and custom transaction system solutions.