
A 360-degree approach to data governance.

What's keeping today's financial executive awake at night? More and more, the answer is the fast-growing demands of regulatory compliance--especially in the U.S., the rigorous financial reporting requirements of the Sarbanes-Oxley Act--and the rising risks of failing to address those demands effectively.

Anyone who reads the business section of a daily newspaper is well aware of the risks of regulatory compliance failure. Consider just a few recent, highly publicized examples:

* A material understatement of the cost of goods sold by an online retailer, caused by a spreadsheet calculation error, resulted in the loss of 25 percent of the company's share value--and the CEO's job.

* A major power transmission provider was forced to take a $24 million charge because of what it described as "clerical errors" in spreadsheets.

* A major European bank lost $691 million because an employee manipulated the spreadsheets used to monitor his unit's activities.

* A mortgage lender took a "write-down" of $3 billion because of a change-control error in a key spreadsheet.

* A spreadsheet "cut-and-paste" error cost a Canadian energy trading company $24 million.

These incidents had very different causes, from deliberate criminal misconduct to simple human error. They also affected very different types of organizations: publicly traded companies operating in the U.S. (subject to Sarbanes-Oxley), foreign-based businesses and even a not-for-profit educational institution. But they all resulted in serious financial and reputational damage, and all for the same reason: Senior management failed to exercise effective governance over the data contained in their information technology (IT) systems.

Financial executives and other stakeholders--including corporate auditors and outside consultants--are understandably accustomed to thinking of the data they need as the data they are aware of. This includes the information that is found in corporate and departmental databases; document management systems; enterprise resource planning (ERP) and customer relationship management (CRM) systems; and accounting applications.

Virtually every major corporation today uses end-user computing (EUC) applications as part of its financial planning, modeling, schedules, consolidations and financial closings. Unlike the larger financial systems and technologies such as the ERP systems and primary database management systems (DBMS), EUC systems are generally less visible, highly distributed and not tested as often (if at all) by corporations. That means that an extraordinary amount of highly sensitive, risk-intensive information is held in databases, applications and systems that lie well beyond the reach of most businesses' financial, regulatory and IT controls.

These data assets are usually not documented at a companywide level, and are often effectively invisible to anyone but their individual "owners." These assets are typically held in reports and forms on individual employees' desktops, desktop databases and spreadsheets.

A 2004 Baseline Consulting survey of 250 senior IT managers showed that an average of 32 percent of their companies' corporate data was stored in spreadsheets or databases on employees' computers. These systems are usually not subject to corporations' standard controls, and are in fact usually not even tracked, either by IT departments or by the departments responsible for regulatory compliance.

This makes them extremely vulnerable to fraud and other types of misconduct, and also to human error. It is almost impossible to overstate the extent or the seriousness of data error in spreadsheets and databases. One study of blue-chip companies' spreadsheet models, conducted by an international accounting firm, found that an astonishing 90 percent contained calculation errors.

Moreover, these problems extend into some of the most sensitive and risk-intensive areas of any company's operations. Another survey, this one by an international management consulting firm, studied 21 major financial institutions' tax records. The consultants found that 92 percent of the companies they surveyed had accounting errors--and that 75 percent had errors that could be considered "significant." Few companies can afford that level of error when dealing with tax authorities.

Compliance clearly is a growth industry. AMR Research estimates that business spending on compliance will exceed $80 billion between 2005 and 2009. According to AMR, the average U.S. company is now spending $4.4 million and 35,000 person-hours--equivalent to 17 employees working full-time--on compliance. One major network equipment manufacturer actually estimates its annual compliance workload at a breathtaking, and breathtakingly expensive, 250,000 hours.

This compliance burden is by no means equally shared among businesses and industries. The most immediate concern, of course, is for publicly traded companies subject to Sarbanes-Oxley, and especially Section 302 (which requires standards and controls for financial tracking and reporting); Section 404 (which defines required internal controls, backup processes and required "alarm" systems); and Section 409 (which requires real-time disclosure--something most companies' IT systems are not adequately equipped for). However, similar risks are shared, to a greater or lesser degree, by virtually every type of business in virtually every industry.

Regulatory compliance is of greatest concern in highly regulated vertical industries, such as financial services, pharmaceutical manufacturing and life sciences. Pharmaceutical and life-sciences companies are especially sensitive to compliance demands, because they are subject to strict U.S. Federal Drug Administration (FDA) rules.

But industry observers have come to recognize that any publicly traded company must invest heavily in compliance-related issues, or risk serious consequences. Businesses that fail to address the demands of data governance can also expect to face angry stockholders, skeptical auditors and--increasingly--damaging publicity.

It should come as no surprise that technological solutions have begun to emerge for this largely technological problem. For many years, regulatory compliance processes have been largely manual, but the complexity and sheer size of the problem makes this approach unsustainable. Data governance and regulatory compliance must become largely automated functions, but businesses must also take a holistic, 360-degree approach that considers not only data, but metadata. This means they must take into account not only specific data points, but also the relationships between those data points, and the changes in data flow and structure over time.


Some technologies that are now available can partially automate a company's complex, labor-intensive and expensive compliance processes. But these technologies assume that the company, its executives and its auditors know everything they need to know to make sound compliance decisions. This assumption could not be more mistaken--or more dangerous for the company.

Technologies for managing data governance and regulatory compliance must:

* Discover: Locate all sources of financially relevant information--including information hidden from conventional controls. This gives the company a complete one-time "snapshot" of the information held by the company, across servers, desktops and--perhaps most importantly, in this increasingly distributed corporate environment--notebook computers.

* Relate: Map the relationships between key data sources, so that it is possible to determine what connects to what, who "owns" the application and its contents, and what data flows between applications.

* Compare: Examine changes to the metadata, comparing multiple "snapshots" taken over time to identify changes in structure, references or properties.

* Audit/report: Present the results in a usable, prepackaged form to financial executives, risk managers, auditors and regulators.
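The four capabilities above (discover, relate, compare, audit/report) worked through as an added example; this is not code from the article and not Compassoft's product. It assumes a discovery scan has already walked the file shares and desktops and recorded, per workbook, its path, owner, sheet names, external references and a hash of its formula text (no cell values). The two snapshots, the paths, owners and formulas are all constructed sample data; the comparison flags structural, reference, ownership and formula changes and then uses the reference graph to show which downstream workbooks are affected by each change.

```python
# Added illustration (not the article's or Compassoft's code): snapshot comparison for
# end-user computing (EUC) spreadsheets. All paths, owners and formulas are constructed.
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class WorkbookMeta:
    """Metadata recorded for one workbook in a snapshot (no cell values are kept)."""
    path: str                       # where the discovery scan found the file
    owner: str                      # who is accountable for it
    sheets: Tuple[str, ...]         # structure: sheet names in order
    external_refs: Tuple[str, ...]  # links to other workbooks or databases
    formula_fingerprint: str        # hash over formula text, so edits to the logic are visible


def fingerprint(formulas: List[str]) -> str:
    """Hash a workbook's formula text; values are deliberately excluded."""
    return sha256("\n".join(formulas).encode("utf-8")).hexdigest()[:16]


# --- Discover: two constructed snapshots of the same estate, one quarter apart ---------
CONSOL = "//fin/close/consolidation.xlsx"
FX = "//fin/close/fx_rates.xlsx"
TAX = "//fin/tax/provision.xlsx"
LAPTOP = "C:/Users/jdoe/Desktop/bonus_accrual.xlsx"  # constructed path on a notebook

SNAPSHOT_Q1: Dict[str, WorkbookMeta] = {
    CONSOL: WorkbookMeta(CONSOL, "controller", ("Input", "Calc", "Summary"), (FX, "erp://gl"),
                         fingerprint(["=SUM(Input!B2:B20)", "=Calc!C5*[fx_rates.xlsx]Rates!B2"])),
    FX: WorkbookMeta(FX, "treasury", ("Rates",), (), fingerprint(["=B2/B3"])),
    TAX: WorkbookMeta(TAX, "tax", ("Prov",), (CONSOL,),
                      fingerprint(["=[consolidation.xlsx]Summary!D10*0.21"])),
}

SNAPSHOT_Q2: Dict[str, WorkbookMeta] = {
    # A new adjustment sheet appeared and a formula was overwritten with a typed-in number.
    CONSOL: WorkbookMeta(CONSOL, "controller", ("Input", "Calc", "Adj", "Summary"), (FX, "erp://gl"),
                         fingerprint(["=SUM(Input!B2:B20)", "1250000"])),
    FX: SNAPSHOT_Q1[FX],
    TAX: SNAPSHOT_Q1[TAX],
    # A workbook on a laptop now feeds off the consolidation file.
    LAPTOP: WorkbookMeta(LAPTOP, "jdoe", ("Accrual",), (CONSOL,),
                         fingerprint(["=[consolidation.xlsx]Summary!D12*0.08"])),
}


# --- Relate: which workbooks depend on a given source -----------------------------------
def dependents(snapshot: Dict[str, WorkbookMeta], path: str) -> Set[str]:
    """All workbooks that directly or transitively reference `path`."""
    reverse: Dict[str, Set[str]] = {}
    for wb in snapshot.values():
        for ref in wb.external_refs:
            reverse.setdefault(ref, set()).add(wb.path)
    seen: Set[str] = set()
    frontier = [path]
    while frontier:
        current = frontier.pop()
        for dep in reverse.get(current, ()):
            if dep not in seen:
                seen.add(dep)
                frontier.append(dep)
    return seen


# --- Compare: what changed between two snapshots ----------------------------------------
def compare_snapshots(old: Dict[str, WorkbookMeta], new: Dict[str, WorkbookMeta]) -> dict:
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed: Dict[str, List[str]] = {}
    for path in sorted(set(old) & set(new)):
        a, b = old[path], new[path]
        diffs = [label for label, differs in (
            ("structure", a.sheets != b.sheets),
            ("references", a.external_refs != b.external_refs),
            ("owner", a.owner != b.owner),
            ("formulas", a.formula_fingerprint != b.formula_fingerprint),
        ) if differs]
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}


# --- Audit/report: lines a reviewer or auditor can act on -------------------------------
def report_lines(old: Dict[str, WorkbookMeta], new: Dict[str, WorkbookMeta]) -> List[str]:
    delta = compare_snapshots(old, new)
    lines = [f"ADDED   {p} (owner={new[p].owner})" for p in delta["added"]]
    lines += [f"REMOVED {p}" for p in delta["removed"]]
    for path, diffs in delta["changed"].items():
        downstream = sorted(dependents(new, path))  # who inherits the change
        lines.append(f"CHANGED {path}: {', '.join(diffs)}; downstream={downstream or 'none'}")
    return lines


if __name__ == "__main__":
    for line in report_lines(SNAPSHOT_Q1, SNAPSHOT_Q2):
        print(line)
```

Hashing formula text rather than cell values is the design choice that matters: a quarter-end number that changes is expected, but a formula that turns into a hard-coded constant, or a reference that silently moves to a workbook on someone's laptop, is exactly the class of change the incidents earlier in the article describe, and it only becomes visible when successive snapshots are compared rather than inspected one at a time.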

By providing an up-to-the-minute, companywide view of financially relevant metadata, these technologies can dramatically reduce the risk of inadvertent error or deliberate misconduct. And by automating what remains, for most companies, an essentially manual process, they can sharply reduce the prohibitive cost of effective regulatory compliance.

Businesses that fail to address the growing demands of compliance with effective, automated governance technologies will continue to face enormous risks. And financial executives who fail to take a comprehensive, 360-degree approach to information governance and regulatory compliance can expect many more sleepless nights.

Paul Bach, a veteran software-industry executive, is President and CEO of Compassoft Inc. in Scotts Valley, Calif., a provider of regulatory compliance management and auditing software. He can be reached at 831.427.8101.


* The fast-growing demands of regulatory compliance and the rising risks of failing to address those demands effectively are worrying executives.

* Many problems have a common theme: Senior management failed to exercise effective governance over the data contained in the company's IT systems.

* A key risk issue is the volume of risk-intensive information held in databases, applications and systems that lie beyond the reach of most businesses' financial, regulatory and IT controls.

* Automated compliance systems have emerged to help companies handle this risk.
COPYRIGHT 2006 Financial Executives International

Article Details
Title Annotation: compliance
Author: Bach, Paul
Publication: Financial Executive
Geographic Code: 1USA
Date: Jul 1, 2006

