How to address five lingering pain points of OMB Circular A-123 compliance
Enron and WorldCom may be old news, but public sector organizations continue to struggle with the ongoing costs of adhering to OMB Circular A-123, the public sector directive of Sarbanes-Oxley 404 (SOX) legislation.
Adopting much of what is contained in SOX Section 404, the federal government had to begin re-evaluating its policies relating to internal control over financial reporting and management’s related responsibilities. The dust has settled and processes have been implemented, but there is a continued push for organizations to optimize their compliance and business activities.
A risk and control data testing strategy can ease the burden of managing A-123 compliance. Here are five pain points that must be addressed, and how a data-driven approach to compliance by way of a risk and controls monitoring program can help facilitate the process:
1. The Buck Stops Here – Costs Matter
A-123 requires senior management of the 24 federal departments and agencies mandated under the Chief Financial Officer and Federal Financial Reform Act (CFO Act) to annually assess and report on the effectiveness of internal controls and provide assurance over financial reporting. Ever-increasing use of technology to manage business processes makes this task more and more complex and costly.
The adoption of enterprise-class finance, accounting, warehousing, and manufacturing systems has vastly improved efficiency and productivity over the past decade. Yet, the sheer number of data elements that these computing systems define has made it more difficult for financial professionals to expose potential governance problems or internal control breaches in a comprehensive and timely manner. Diminished budgets and tightened reporting timeframes place greater pressure than ever before on public sector professionals to perform more for less.
Rx: Management requires integrity, accuracy, and completeness of data to confidently certify that financial statements are supported by strong governance and a healthy internal control environment.
In order to fulfill this tall order, management needs to cultivate expertise in information technologies, internal controls, and financial audit to help them streamline their testing activities, identify opportunities to rationalize their control environment, and design a monitoring program in compliance with the COSO framework referenced by A-123. Enter: Automated risk and controls testing.
2. So Many Systems, So Many Spreadsheets
To get a complete view of enterprise performance, CFOs face major challenges in extracting data and intelligence out of multiple core systems (ERP, CRM, legacy systems). Data warehousing solutions originally devised for business intelligence (BI) purposes often aggregate slices of data, but do not provide complete transactional information. So, whereas they solve the problem of data integration, they lack information required to complete in-depth testing and provide assurance over the financial reporting requirement for completeness.
Further, spreadsheet risks run rampant. Financial professionals still rely on spreadsheets to support testing because of the difficulty of accessing and aggregating transactional data from across an organization's information systems. Relying on spreadsheets is inherently dangerous because the audit trail is lost, and even tiny transposition errors can create risk exposure.
Rx: A controls monitoring program ensures the effectiveness of your internal controls and supporting compliance activities by reducing the risk of spreadsheet transposition errors.
The technology behind enterprise continuous monitoring combines secure data extraction, integration, and analysis. A complete audit trail demonstrates your testing activities address integrity and completeness requirements.
3. So Little Time
With a variety of regulatory requirements to support, management will often integrate the merged requirements of the CFO Act with financial improvement efforts and those required under the Department of Defense’s Financial Improvement and Audit Readiness (FIAR) mission. However, as a result of these combined efforts, management must comply with accelerated reporting timelines and an extended range of reports and filings.
In order to support such a large number of reports, sample testing is often used as an attempt to monitor various business processes and internal controls. However, sampling efforts just aren’t enough to provide sufficient information to deliver assurance on regulation and compliance.
Rx: Automated testing of internal controls allows management to cover a number of key process areas and provide timely insight into potential internal control breakdowns. Automated data analysis—the engine of a continuous monitoring program—allows auditors to efficiently review 100% of data populations to detect potential violations early, reducing their impact and overall exposure. Business process owners, working with management, can assess, design and rapidly implement internal control systems that are low cost and low maintenance, yet robust and comprehensive.
4. Untrustworthy Data
Data quality plays a pivotal role in financial reporting and regulatory management disclosures. Ensuring accurate and complete data is paramount when creating financial reports. A shift in accountability has occurred, placing much of the responsibility for day-to-day data quality management on operational executives who understand the data and its purpose, and therefore, are in a better position to engineer processes that improve its quality.
As a result, overall responsibility for data quality has shifted to the CFO, whose role as champion for corporate compliance and control standards has always relied on the integrity of data in underlying systems.
Rx: Business process owners can help by providing data quality services as a component of an overall business assurance assessment and remediation project. By continuously assessing transactions, a risk and controls monitoring program reduces the time to remedy data quality issues when compared with programs undertaken with custom or proprietary data quality software. In addition, it can perform powerful transactional analysis techniques, such as classifications that are specific to financial reporting.
5. Wanted: Ongoing Validation That Controls Are Working
In order to ensure the ongoing operating effectiveness of the internal control environment, management must ensure that analysis is conducted on a timely basis. Relying on periodic reviews of performance presents the risk of not identifying critical issues as they happen.
Rx: The ability to have ‘always on’ monitoring ensures that issues are identified quickly and brought to the forefront for immediate action. In order to impartially assess transaction patterns that match known suspicious behaviors as they happen, controls monitoring must rely on technology that works independently of organizations’ transaction processing systems.
The crux of risk and controls testing technology is the ability to independently access production data without impacting either host system performance or data stored therein, and run alongside mission-critical operational systems to streamline the process of checking for compliance with internal controls and business rules.