Gauging Your BI Maturity for SOA Compliance
A Nexus Consulting Whitepaper submitted by Gaurav Issar, President, Nexus Consulting
While the ramifications from the Sarbanes-Oxley Act of 2002, or “SOA”, are still being assimilated into corporate mindsets, the following is clear: SOA is intent on rebuilding the confidence of the investing public, not just for your company, but also for American markets in general. And the companies that embrace this challenge, and do it well, will be best positioned to reap the rewards of increased investor trust and peace of mind.
The PCAOB and the auditing firms it regulates have all offered guidance on SOA compliance, yet no one has produced the magic checklist that companies can follow to ensure they avoid the dreaded “qualified opinion”. Companies are therefore embarking upon costly and time-consuming control review and documentation efforts, often based upon comprehensive frameworks such as COSO, COBIT, ISO 17799 and ITIL. These efforts are aimed at complying with Section 404 of the Act (SOA 404), which requires management to report on its assessment of internal control over financial reporting.
At the end of the day, however, you don’t get any points for volume. The challenge is to narrow the focus of your compliance efforts to the areas that matter the most. Business Intelligence (BI) is one such area, as it touches upon several of the keys for SOA compliance: data integrity, reporting, controls, and security/access. This paper explores the integration between BI and SOA. You will have the opportunity to see where your company stands on the BI maturity continuum, grade your organization in seven SOA-related areas, and learn some practical action steps that will ultimately improve your compliance, satisfy key stakeholders, and competitively reposition your company.
Placing Your Company on the BI Continuum
Much like the college professor who wouldn’t give full credit for an undocumented answer, even when correct, neither the SEC nor potential investors will be impressed with financial results lacking the appropriate audit trails and controls that prove company officers fully comprehend and trust their own data. Fortunately, most companies already have the necessary tools in place (or at a minimum, know they are available in the marketplace) to move deliberately forward in reaching necessary SOA 404 compliance by the June 2004 deadline.
To assist in determining the BI health of your organization, the following 5-stage continuum will help you diagnose the current level of Business Intelligence maturity that your organization has achieved. Descriptions of the five stages are followed by seven key areas you can improve to enhance your BI infrastructure and move your company further along the continuum.
Stages of Business Intelligence Maturity
Stage 1 – Anemic
Stage 2 – Adopting
Stage 3 – Approaching
Stage 1 Companies – Anemic
Stage 1 companies are clearly deficient when it comes to their investment in a Business Intelligence infrastructure. One of the key characteristics of Stage 1 is the continued dominance of uncontrolled spreadsheet reporting. Whether for current reports, forecasts, or trending, these manually intensive – and manually vulnerable – tools must become part of pre-SOA reporting history. Fortunately, while these companies may have a difficult starting position, they can still achieve SOA 404 compliance in the interim while simultaneously moving smartly toward a more robust BI architecture.
Some of the keys will be to initiate a central data repository and to lock down the financial data used for financial reporting and decision-making. Additionally, those spreadsheets mentioned earlier will be discarded in favor of implementing a standard and scalable BI platform from which robust and flexible reports can be generated securely.
The good news is that SOA 404 provides an excellent opportunity to immediately justify a systematic process of controlling the financial data and how it is used and reported. While a full-scale data warehouse investment is certainly beyond the realm of most Stage 1 companies in the short term, taking the above steps will put them well on their way to building the critical foundation, infrastructure, and standards that will be needed longer term. In addition, a solid roadmap will be created to bring additional reporting areas under a common organizational umbrella at a later time with sufficient controls, standard procedures, and complete documentation.
A Stage 1 company will have a majority of “D” and “F” ratings in seven key categories identified in the upcoming Grading Your Position section.