Sarbanes-Oxley Compliance -- What Were the Legislators Thinking?

Surviving the impact of compliance on your data warehouse.

This article originally appeared on the BeyeNETWORK.

So your CEO thinks Sarbanes-Oxley is just about his or her own corporation’s compliance with some obscure accounting processes—maybe a little extra expense for some technology, a few extra audits here and there, a bit more time spent reconciling reports? Boy, is he or she wrong! Sarbanes-Oxley is having ramifications in areas the legislators that passed it never imagined. It turns out that the obvious and rather mundane requirements of Sarbanes-Oxley are just the beginning of a long and expensive road. And the impact on business intelligence and data warehousing environments is huge.

CEO Magazine recently published an article on how Sarbanes-Oxley has “run amok”[1] throughout corporate America. Their findings, along with our own, are that Sarbanes-Oxley has caused a chain reaction that is affecting everyone from the board of directors on down, from the corporation’s relationship with its auditing professionals to the daily efficiencies of all public companies, from how a company hires its employees to how it chooses major software packages. Here are a few examples from that article as well as examples from our experiences with clients.

Surprise Segregations of Duties—The previous rule was that the person creating the accounts payable did not handle the money sent in to relieve the payable. That is still in place but now companies must look deeper and closer at their organizations to determine where other conflicts might occur. For example, employees whose responsibilities might affect financial reporting may be candidates for segregation of their duties—like IT staff or order fulfillment resources—to avoid unanticipated and questionable “integration of duties.” The ability to analyze where these problems may occur requires new and different data and new and different forms of analyses—not incorporated into our business intelligence environments before.

Very Costly and Time-Consuming Reconciliations—This is a result of the “self-preservation” attitude that is now prevalent in most public corporations’ executive offices. Since we are still feeling our way through the legal interpretations of Sarbanes-Oxley, it is easy to see why executives are cautious and are demanding excruciating reconciliations. Call it the orange jumpsuit syndrome but what this means to lower-level employees is that they become immersed in the nonproductive black hole of unrelenting data discrepancy settlements. As one lawyer put it in the CEO article, “Even a completely harmless error that nobody cares about takes up hundreds and hundreds of hours of the auditors, the CEO, the CFO and the audit committee.” No wonder audit expenses are up 40 percent.

Reconciliations require massive amounts of quality detailed data. Once again most business intelligence environments were never intended to store this level of detail or to perform these types of analyses. However, to reduce the costly and time-consuming nature of these reconciliations, we must rethink the very nature and design of the data warehouse repository.

A Flurry of Mergers and Acquisitions—You may wonder how recent M&A activities are tied into Sarbanes-Oxley compliance. The answer is simple—Section 409 of the act redefined what was considered a “material event.” Before Sarbanes-Oxley, there were nine well-defined situations that called for disclosure as a material event. A material event is defined as something that could influence or affect a person’s decision whether or not to purchase a company’s stock. Post-Sarbanes-Oxley, there are now 11 additional occurrences that require reporting. Unfortunately, these are not well defined or well understood. Sarbanes-Oxley experts contend that even something like a failed R&D project may have to be reported as a material event to your customers, competitors, shareholders and the world at large. You can imagine that this would put a pall on a CEO’s desire to approve innovative projects that might fail. Hence the theory that the M&A frenzy reflects large public companies buying companies whose already developed technologies have proven value and a track record. Table 1 lists just a few of the recent technology purchases by major public companies.

Table 1: Recent Mergers and Acquisitions

| Purchasing Company | Purchased Company | Amount Paid |
|---|---|---|
| IBM | Ascential Software | $1.1 billion |
| IBM | AlphaBlox | |
| Microsoft | ActiveViews | NA |
| Microsoft | Sybari Software | NA |
| EMC | SMARTS (System Management Arts) | $280 million |
| Cisco | Airespace | $450 million |
| Business Objects | Crystal Reports | |

Think of the amount of new analysis that must occur with each M&A activity! The soon-to-be acquired company must prove to the acquiring one that it is in full compliance and that the merger will not cause noncompliance in the newly combined company. Then consider the fact that the acquiring company must integrate the acquired company’s data into its own compliance environment for ongoing analysis.

It’s Not Just the Accountants Who are Responsible for Compliance Anymore—Those at the top of the organization can verify only so much. Therefore, to hold people accountable and responsible, management is requiring all employees to sign off on results. And it is very unlikely that these lower level employees will have the benefit of being covered by compliance insurance!

What used to be the job of the accountants or financial analysts has now been pushed out into the organization as a whole. Line managers, order entry clerks, even HR personnel—basically everyone—may need training and education to recognize what constitutes a “material event” and what they need to do when one is recognized. They will all need access to high volumes of quality data to ensure appropriate decisions are made. Your data warehouse environment may have to undergo a massive change just due to this one unforeseen consequence of Sarbanes-Oxley.

Who Wants to Sit on the Board of Directors These Days—Given the likelihood of lawsuits, possible jail sentences for non-compliance and uncertainty of Sarbanes-Oxley requirements, it is no wonder that public companies are finding it increasingly difficult to recruit board members, CEOs and CFOs. Certainly, no one wants to be on the board’s Audit Committee. I doubt Alan Greenspan would meet all the requirements the SEC has proposed to be a financial expert. Those brave enough to sign up for this post must be able to determine compliance issues and resolutions quickly and efficiently. They must have access to complete corporate data presented in an easily understood and efficient manner. You can expect these people to launch unusual and certainly unplanned queries while requiring that the responses come back quickly and in an understandable format.

To be fair, some of these changes were badly needed and should have been implemented long before Sarbanes-Oxley was legislated—they are just good business practices. However, if your company is one of those that delayed implementing these practices until now, you have some serious thinking and planning to do.

What Should You Do? Let’s look at the obvious: most organizations must greatly increase the amount and variety of information needed and expand the number of people who must have access to that information. In a nutshell, the technology supporting the data warehouse and data marts in the Corporate Information Factory (CIF) will be stressed far more than it has been in the past in terms of volumes of data required and number and complexity of queries issued. The underlying technology for the CIF must provide for high scalability and extremely good query performance while accommodating this new depth of data and users. Just consider the fact that your compliance queries may have to sift through millions or billions of rows of data without a lot of advance notice!

The very nature of these unplanned, unpredictable queries causes traditional technological approaches to struggle and often stumble. To get the type of performance you need for these unforeseen, complex scenarios, you may need to literally think “outside of the box” to satisfy your compliance needs. Fortunately, there are new technology vendors who are making great strides in managing this “sea change” of information needs. Data warehouse appliance vendors (e.g., DATAllegro and Netezza) offer technologies that should be considered as viable alternatives to traditional technologies. DATAllegro’s hardware and software appliance, in particular, is proving to deliver consistently good performance using massive amounts of data—all without breaking the bank. Their appliance is perfectly suited to handle the unexpected query from questioning employees, confused board members and concerned corporate executives.

Obviously if you have an existing data warehouse, you may not want to throw everything out and start over. The good news is that you don’t have to. The data warehouse appliance can assist your existing data warehouse by relieving a lot of the stress on that technology. The appliance can be used to supply seamless accessibility to compliance data without impacting the existing (traditional) data warehouse’s physical design. In short, your existing warehouse can continue to perform the more traditional analyses while the data warehouse compliance appliance handles the more complex and varied compliance audits and examinations.

Today’s board directors have a personal interest in ensuring that Sarbanes-Oxley compliance is a high priority. To this end, they should be asking the management team what the strategy is for compliance and how much it will cost—both in terms of the physical purchase price of hardware, software and compliance applications and the unexpected and possibly hidden costs of implementation and management. The use of a data warehouse appliance may not have been considered since many companies are still not aware of these newer technologies and approaches. However, they are rapidly gaining traction.

More important than the technology, though, is the willingness and readiness of the board to support the corporation’s overhaul. It should be obvious that compliance is more than your corporation hiring a few more accountants. From the board on down to the lowest-level employee, Sarbanes-Oxley is causing a shake-up few imagined or have prepared for. Through the use of clever technology and the encouragement of the top executives, compliance may turn out to be the best thing to happen to your company.

[1] Erik Sherman, “Sarbox Runs Amok,” CEO Magazine, April 2005.
