The Real Source of SOX Woes

Thursday Sep 14th 2006 by George Spafford

Fraud and other malicious activities draw a lot of press and management attention, but there's a far greater risk to the integrity of financial reporting.

Sarbanes-Oxley is about restoring investor confidence in publicly traded companies by attempting to ensure that the financial reports that they present to the investing public are accurate.

As a result, public companies have been forced to review and implement controls to help ensure that risks to the financial reporting process are properly managed. Of course, fraud and malicious activities get a lot of trade press and management attention, but the far greater risk to the integrity of financial reporting is human error.

In today’s high-speed complex enterprises, errors in the programming of an application, interface or spreadsheet, can lead to mistakes in the financial reports that are disclosed to the public. The dollar amount of the mistake can range from immaterial up to very material with significant repercussions.

Lapses in Logic, Errors in Execution

In order to discuss errors, we need to categorize what we are confronting. We can identify two broad categories of errors – logic errors and execution errors.

Errors in logic arise from flawed perceptions, or understandings, that lead to erroneous assumptions and modeling. If an analyst understands that the scrap rate is 25 percent and then creates his/her business model around that, then a developer will create the application with the erroneous logic embedded in it. Later, when someone finds out that the rate is really 53 percent, corrective action will be required and the impacts to the financials reviewed in order to understand the impacts.

Errors in execution arise during the implementation of something – in our case above, during the implementation of an application. In the above model, let’s assume that the analyst correctly identifies the scrap rate to be 53 percent and correctly documents the required logic. When it reaches the developer though, the developer inadvertently transposes the digits and enters 35 percent due to fatigue. In this case, he executed the instructions incorrectly and has an error in execution.

There are many possible scenarios by which human error can enter into the financial reporting process. Organizations need to design their processes with the recognition that not only must they make reasonable efforts to prevent and detect fraud but they must also address the prevention and detection of human error.

It may be that an organization has complete faith in their people to not perform malicious acts. The people may all be long-term happy, highly trained employees who all have a vested interest in the long-term success of the company. What management must bear in mind is that those employees are still human. Errors can and will happen routinely that can impact the financial reports resulting in embarrassment, restatements, brand damage and perhaps even investor lawsuits.

Instead, organizations need to recognize that all processes have some degree of inherent variation and put controls in place to reasonably prevent errors and detect when they occur. In the world of IT, we have many controls to select from that can help, such as:

  • Standards – Through the documentation and implementation of policies and procedures, organizations can communicate what is acceptable. Furthermore, as the variation in types of systems is reduced, the level of deep knowledge can increase as people learn and share knowledge.
  • System Development Life Cycle (SDLC) – Can be used to identify how development projects are to be managed to minimize the introduction of error.
  • Project Management – Can be used to implement a system per the SDLC to ensure that there is proper communication, that the right parties are involved, tasks are completed and so on. For example, it can monitor and report if testing is not being performed.
  • Change Management – Can be leveraged to help identify the level of risk associated with a proposed change such that appropriate action is taken to reduce risks to an acceptable level.
  • Testing – Can be used to identify if the system performs as expected. Business experts and IT personnel must be involved to determine the acceptability of results.
  • Training – Personnel who have the proper formal training will understand their jobs better and are less apt to make mistakes based on erroneous information or assumptions
  • Continuous process improvement – Formal initiatives should be in place to constantly monitor and look for means to improve.
  • Automation – Technology is a tool that IT can leverage to reduce the introduction of error but it is not a silver bullet solution. Safeguards, such as an SDLC, change management and testing, should be used to validate that the automation will perform as expected.

    Fraud and malicious activities gather a lot of attention in the popular media, trade press and board meetings. Statistically speaking, the greater threat is from human error and controls and processes that are put in place to safeguard financial reporting must take that into account.

  • Share:
    Mobile Site | Full Site
    Copyright 2017 © QuinStreet Inc. All Rights Reserved