Sarbanes-Oxley and Data Controller for SAS®

The Sarbanes-Oxley Act of 2002 applies to every company whose securities are registered with the US SEC, foreign issuers included.  The penalties for certifying bad financial reports fall on the officers personally: under Section 906, an officer who certifies a periodic report knowing that it does not meet the Act's requirements faces a fine of up to $1 million and up to 10 years in prison, and a wilful false certification raises that to $5 million and 20 years.

There are many aspects to full Sarbanes-Oxley (SOX) compliance; the legislation runs to over 60 pages.  As with other regulatory obligations, the goal is to regularly produce enough evidence to satisfy the auditor that the requirements have been met, and anyone running a compliance team knows this is no small endeavour.  Automating the generation of that evidence, or making it available to auditors automatically, can result in significant cost savings.

This article breaks down the areas where Data Controller can contribute to satisfying the requirements of the Sarbanes-Oxley Act.

Sarbanes-Oxley Act Section 404 – MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.

Data Controller supports internal controls through a four-eyes review-and-approve mechanism for data changes.  Combined with data validation and the integrated workflow feature, this makes it easy to track and report on the controls themselves (quality rules, signoffs, rejections): how often each is applied, who applies it, and which data items it covers.  Such metrics can be compared with pre-existing and current quality measures to help determine control effectiveness.  Variations in the number of submit / approve cycles between reporting teams also provide objective, repeatable measurements to support the assessment of the effectiveness of internal controls.

Sec 404. (Sarbanes-Oxley)

Section 404 is widely considered the most onerous part of Sarbanes-Oxley, as the documentation and testing of all the controls requires significant time and effort.  To address this, the Public Company Accounting Oversight Board (PCAOB, a US non-profit created by the Sarbanes-Oxley Act itself) released additional guidance to assist management and auditors in producing their reports.  This is officially titled “Auditing Standard No. 5 – An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements” (since recodified by the PCAOB as AS 2201; the paragraph references below follow the AS5 numbering).

A few points are highlighted by the guidance in this standard that are pertinent to users of Data Controller.

PCAOB AS5 Sec24 – Controls Over Management Override

Controls over management override (the ability simply to “replace” reporting figures based on, presumably, sound judgement) are entity-level controls, and capturing such overrides centrally is the core functionality of the tool.  Data Stewards / Data Processors (Editors) make the change; one or more Data Owners / Data Controllers (Approvers) then sign it off before it is applied to the target table.  A copy of the original Excel file (if one was used) is retained, along with a record of who made the change, when, what the change was, and why (if a reason is provided).  Data validation rules can also be defined to ensure that inputs fit the desired pattern(s).


For fun, we made a short video for this part:

PCAOB AS5 Sec27 – Identifying Entity-Level Controls


In the area of documenting the inputs, transformations and outputs of data flows within an organisation, SAS particularly shines, especially in the version 9 world.  The table- and column-level lineage generated by SAS Data Integration Studio provides a highly detailed view of the data lineage.  Below is an example of table-level lineage, which colour-codes each table according to its library and captures the details of each SAS job along the way.  Clicking on a job opens the job in the metadata viewer; clicking a table opens the table in VIEW mode.  The lineage is shown all the way from source to target(s), or from target to source(s), and can be exported in PNG, SVG or CSV format.

SAS Table Level Lineage

Below is an example of column-level lineage.  Like table-level lineage, this can be traced forwards or backwards and exported in multiple formats.  Each arrow represents a SAS transform.  Where business logic is applied, this is additionally extracted and shown in red.

SAS Column Level Lineage

The ability to define additional data lineages, outside of SAS (eg between spreadsheets or other reporting systems) is in the product roadmap, along with lineage from SAS Viya.

PCAOB AS5 App B – Benchmarking of Automated Controls

The use of IT-secured automated controls can significantly reduce the cost of Sarbanes-Oxley compliance testing after the first-year assessment, because an automated control that has not changed since it was last tested can be “benchmarked” rather than retested, provided the general IT controls over program changes and access are effective and the source code cannot be modified by users.  The core programs (services) within the Data Controller application that perform data signoffs are mature, distinct and change-tracked, so an in-place upgrade leaves an auditable record of exactly which of those programs (if any) changed, which is the evidence the benchmarking strategy depends on.  This contrasts with spreadsheet-based control mechanisms, which must be revalidated in each reporting period.

PCAOB Release 2007-005A, Appendix B

Sarbanes-Oxley Act Section 1102 – Tampering

Coming back to the original 2002 Act, there is an additional stick being waved at those who destroy records: Section 1102 makes it a crime, punishable by up to 20 years in prison, to corruptly alter, destroy or conceal a record with the intent to impair its use in an official proceeding.  Destroying and rebuilding records is, unfortunately, routine in data warehouse (DWH) landscapes, where poorly designed data models often lead to frequent rebuilds of monthly datamarts when issues are found.

If your BI / ETL teams routinely destroy or modify database records as part of regular work, you might wish to:  a) ensure there is a well-documented ticketing system, so that every rebuild has a recorded business reason and those individuals are protected from any accusation of corrupt intent; or  b) implement a bitemporal data model, so that a full and transparent version history of the data is always kept regardless of rebuilds.
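A minimal bitemporal model of the kind option (b) describes, as an added example: this is not Data Controller code and not a SAS implementation (it uses Python's built-in sqlite3 so it runs anywhere), and the table name, columns, users and dates are constructed.  Each fact carries a business-validity period and a transaction period; a rebuild never updates or deletes the old amount, it only closes the old row's transaction period, so both “what did we report in February” and “what do we believe now” stay answerable from the same table.

```python
"""Bitemporal versioning of a monthly datamart fact.  Added example, not
Data Controller code; table, columns and sample facts are constructed.
Valid time  = when the fact is true for the business.
Transaction time = when the database believed it.
Nothing is overwritten or deleted: a correction closes the old row's
transaction period and inserts a new row, so every rebuild is auditable."""
import sqlite3

FAR_FUTURE = "9999-12-31"   # open-ended upper bound on both time axes


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("""
        CREATE TABLE balance (
            account_id  TEXT NOT NULL,
            amount      REAL NOT NULL,
            valid_from  TEXT NOT NULL,   -- business period start (inclusive)
            valid_to    TEXT NOT NULL,   -- business period end (exclusive)
            tx_from     TEXT NOT NULL,   -- when this version was recorded (inclusive)
            tx_to       TEXT NOT NULL,   -- when it was superseded (exclusive)
            recorded_by TEXT NOT NULL    -- who recorded it
        )""")
    return con


def assert_fact(con, account_id, amount, valid_from, valid_to, tx_time, user):
    """Record a (possibly corrected) belief about amount over [valid_from, valid_to).
    The currently open row for the same account/period is closed, never overwritten:
    setting tx_to is the only UPDATE this model permits."""
    con.execute(
        "UPDATE balance SET tx_to = ? WHERE account_id = ? AND valid_from = ? AND tx_to = ?",
        (tx_time, account_id, valid_from, FAR_FUTURE))
    con.execute("INSERT INTO balance VALUES (?, ?, ?, ?, ?, ?, ?)",
                (account_id, amount, valid_from, valid_to, tx_time, FAR_FUTURE, user))
    con.commit()


def as_of(con, account_id, valid_at, tx_at):
    """What did the database say at tx_at about the amount on business date valid_at?
    ISO-8601 strings compare correctly as text, so no date parsing is needed."""
    row = con.execute(
        """SELECT amount FROM balance
            WHERE account_id = ? AND valid_from <= ? AND ? < valid_to
              AND tx_from <= ? AND ? < tx_to""",
        (account_id, valid_at, valid_at, tx_at, tx_at)).fetchone()
    return None if row is None else row[0]


def history(con, account_id):
    """Every version ever recorded, oldest first: the trail a rebuild cannot erase."""
    return con.execute(
        "SELECT amount, valid_from, tx_from, tx_to, recorded_by FROM balance "
        "WHERE account_id = ? ORDER BY tx_from", (account_id,)).fetchall()


def demo():
    """Constructed scenario: January close loaded on 1 Feb, rebuilt on 10 Mar."""
    con = open_db()
    assert_fact(con, "A", 100.0, "2018-01-01", "2018-02-01", "2018-02-01T09:00:00", "etl_batch")
    assert_fact(con, "A", 120.0, "2018-01-01", "2018-02-01", "2018-03-10T14:00:00", "jsmith")
    return {
        "reported_in_feb": as_of(con, "A", "2018-01-15", "2018-02-15T00:00:00"),   # 100.0
        "current_belief": as_of(con, "A", "2018-01-15", "2018-04-01T00:00:00"),    # 120.0
        "before_load": as_of(con, "A", "2018-01-15", "2018-01-20T00:00:00"),       # None
        "versions": len(history(con, "A")),                                        # 2
    }
```

The convention only becomes a control once the database enforces it: the ETL role needs INSERT plus an UPDATE limited to the tx_to column, and nothing else; revoking DELETE and unrestricted UPDATE is what makes the version history trustworthy to an auditor rather than merely present.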

IT-secured tools such as Data Controller let auditors see for themselves who changed a record, when, why, and who signed it off, vastly reducing the potential for unintentionally impeding an investigation.

SEC. 1102. (Sarbanes Oxley)

Sarbanes Oxley and SAS

We chose SAS as the platform on which to build Data Controller because it is very reliable, ships with data access engines for almost every database (so our code can run against the data where it lives), offers long-term customer support, and is very easy to deploy against.  The demo version of Data Controller can be deployed in under 30 seconds on a SAS 9 platform.  Because it runs on the existing SAS server there are no additional servers to provision, firewalls to configure or scaling issues to address; everything works “out of the box”.  SAS also integrates with existing enterprise authentication mechanisms such as LDAP, and the backend is typically already secured under your existing IT policies.

Data Controller is built on SASjs and hence we have versions for both SAS 9 and Viya.  Do get in touch to learn more.

Data Quality and the NBB_2017_27 Circular

When applying financial regulations in the EU (such as Solvency II, Basel III or GDPR) it is common for Member States to maintain or introduce national provisions to further specify how such rules might be applied.  The National Bank of Belgium (NBB) is no stranger to this, and releases a steady stream of circulars via their website.

The circular of 12th October 2017 (NBB_2017_27, Jan Smets) is particularly interesting as it lays out a number of concrete recommendations for Belgian financial institutions with regard to Data Quality, and states that these should apply to internal reporting processes as well as to the prudential data submitted.

This fact is well known by affected industry participants, who have already performed a self assessment for YE2017 and reviewed documentation expectations as part of the HY2018 submission.

Quality of External Data

The DQ requirements for reporting are described by six dimensions (Accuracy, Reliability, Completeness, Consistency, Plausibility, Timeliness), as well as by the Data Quality Framework described by Patrick Hogan here and here.  A number of ‘hard checks’ are implemented in OneGate as part of the XBRL submissions, and these are kept up to date here.  However, OneGate cannot be used as a validation tool: the regulators monitor the reliability of submissions by comparing the magnitude of change between resubmissions, and their plausibility by tracking how submitted values change over time.

Data Quality Culture

When it comes to internal processes, CROs across Belgium must now demonstrate to accredited statutory auditors that they satisfy the three principles of the circular (Governance, Technical Capacities, Process).  A long list of action points is detailed; it is clear that a lot of documentation will be required to fulfil these obligations, and that the documentation will need to be continually updated and maintained.  Automated solutions therefore have the potential to provide significant time and cost savings.

Data Controller for SAS®

The Data Controller is a web based solution for capturing data from users.  Data Quality is applied at source, changes are routed through an approval process before being applied, and all updates are captured for subsequent audit.  The tool provides evidence of compliance with NBB_2017_27 in the following ways:

Separation of Roles for Data Preparation and Validation (principle 1.2)

Data Controller differentiates between Editors (who provide the data) and Approvers (who sign it off).  Editors stage data via the web interface, or by direct file upload.  Approvers are then shown the new, changed, or deleted records – and can accept or reject the update.

Capacities established should ensure compliance in times of stress (principle 2.1)

As an enterprise tool, Data Controller is as scalable and resilient as your existing SAS platform.  For monitoring the performance of your analytic environment and retaining the performance history needed to show how it behaves under load, we recommend Zabbix.

Capture of Errors and Inconsistencies (principle 2.2)

Data Controller has a number of features to ensure timely detection of Data Quality issues at source, such as cell validation, post-edit hook scripts, duplicate removal and rejection of uploads with missing columns.  Where errors do make it into the system, a full history (logs, copies of uploaded files) is kept for all uploads and approvals, and email notification of such errors can be configured for follow-up.
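The validation at source described here, the Editor / Approver separation from the Separation of Roles section, and the who / when / what / why record from Controls Over Management Override above, reduced to one runnable sketch.  This is an added example and not Data Controller's own code: the two-column table schema, the rule that an upload is a full snapshot of the table, the in-memory audit list and the sample rows are all assumptions (the real product persists its history; here it is just a list).

```python
"""Four-eyes (maker/checker) staging with validation at source and an audit
trail.  Added example, not Data Controller code; schema, snapshot semantics
and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json

REQUIRED_COLUMNS = ("account_id", "balance")   # assumed target-table schema
PRIMARY_KEY = "account_id"


class UploadRejected(ValueError):
    """Raised at source, before anything is staged for approval."""


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def validate(rows, required=REQUIRED_COLUMNS, key=PRIMARY_KEY):
    """Column and cell checks: required columns present, numeric balance, unique keys."""
    if not rows:
        raise UploadRejected("empty upload")
    for i, row in enumerate(rows):
        missing = [c for c in required if c not in row]
        if missing:
            raise UploadRejected(f"row {i}: missing columns {missing}")
        bal = row["balance"]
        if isinstance(bal, bool) or not isinstance(bal, (int, float)):
            raise UploadRejected(f"row {i}: balance must be numeric")
    keys = [r[key] for r in rows]
    dups = sorted({k for k in keys if keys.count(k) > 1})
    if dups:
        raise UploadRejected(f"duplicate {key} values: {dups}")
    return True


def compute_diff(current, staged, key=PRIMARY_KEY):
    """What the approver is shown: new, changed and deleted records keyed on the
    primary key.  The upload is treated as a full snapshot of the table (assumption)."""
    cur = {r[key]: r for r in current}
    new = {r[key]: r for r in staged}
    return {
        "new": [new[k] for k in new if k not in cur],
        "changed": [(cur[k], new[k]) for k in new if k in cur and cur[k] != new[k]],
        "deleted": [cur[k] for k in cur if k not in new],
    }


@dataclass
class ChangeRequest:
    change_id: int
    editor: str
    submitted_at: str
    reason: str
    source_sha256: str          # fingerprint of the upload exactly as received
    staged: list
    diff: dict
    status: str = "PENDING"
    approver: Optional[str] = None
    decided_at: Optional[str] = None


class FourEyesTable:
    """Editors stage; a *different* user approves or rejects; every step is logged."""

    def __init__(self, rows):
        self.rows = list(rows)
        self.pending = {}
        self.audit = []          # who, when, what, why for every submit and decision
        self._next_id = 1

    def _log(self, event, user, cr):
        self.audit.append({
            "event": event, "user": user, "at": _now(), "change_id": cr.change_id,
            "reason": cr.reason, "source_sha256": cr.source_sha256,
            "new": len(cr.diff["new"]), "changed": len(cr.diff["changed"]),
            "deleted": len(cr.diff["deleted"]),
        })

    def stage(self, editor, rows, reason):
        validate(rows)                                   # reject bad uploads at source
        payload = json.dumps(rows, sort_keys=True).encode()
        cr = ChangeRequest(self._next_id, editor, _now(), reason,
                           hashlib.sha256(payload).hexdigest(),
                           [dict(r) for r in rows], compute_diff(self.rows, rows))
        self._next_id += 1
        self.pending[cr.change_id] = cr
        self._log("SUBMIT", editor, cr)
        return cr

    def decide(self, approver, change_id, approve):
        cr = self.pending[change_id]
        if approver == cr.editor:                        # segregation of duties
            self._log("SELF_APPROVAL_BLOCKED", approver, cr)
            raise PermissionError("editor cannot approve their own change")
        del self.pending[change_id]
        cr.approver, cr.decided_at = approver, _now()
        cr.status = "APPROVED" if approve else "REJECTED"
        if approve:
            self.rows = cr.staged                        # applied only after second sign-off
        self._log(cr.status, approver, cr)
        return cr


def demo():
    """Constructed walkthrough: an override staged by alice, blocked for alice, signed by bob."""
    t = FourEyesTable([{"account_id": "A1", "balance": 100.0},
                       {"account_id": "A2", "balance": 50.0}])
    cr = t.stage("alice", [{"account_id": "A1", "balance": 110.0},
                           {"account_id": "A3", "balance": 5.0}],
                 "month-end management override per CFO instruction")
    try:
        t.decide("alice", cr.change_id, approve=True)
        blocked = False
    except PermissionError:
        blocked = True
    done = t.decide("bob", cr.change_id, approve=True)
    return {"self_approval_blocked": blocked, "status": done.status,
            "table": {r["account_id"]: r["balance"] for r in t.rows},
            "events": [e["event"] for e in t.audit]}
```

Two design points matter for an auditor: the hash is taken over the upload as received, before any normalisation, so the stored file and the staged rows can be tied together later; and the failed self-approval is logged rather than silently refused, because an attempt to bypass a control is itself evidence the control is operating.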

Tools and Techniques for Information Management Should be Automated (principle 2.3)

The Data Controller can be configured to execute specific .sas programs after data validation.  This enables the development of a secure and integrated workflow, and helps companies to avoid the additional documentation penalties associated with “miscellaneous unconnected computer applications” and manual information processing.

Periodic Review & Improvements (principles 2.4 and 3.4)

The Data Controller is actively maintained with the specific aim to reduce the cost of compliance with regulations such as  NBB_2017_27.   Our roadmap includes new features such as pre-canned reports, version ‘signoff’, and the ability to reinstate previous versions of data.

A process for correction and final validation of reporting before submission (3.1)

As a primary and dedicated tool for data corrections, Data Controller can be described once and used everywhere.

List of Divisions Involved in Preparing Tables (principle 3.2)

By combining Data Controller’s approval records with knowledge of data lineage (eg from SAS metadata or a manual lookup table) it becomes possible to produce an automated report identifying exactly who, and hence which division, was involved in both the preparation and the validation of all source data per reporting table for each reporting cycle.
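An added example (not SAS or Data Controller code) of the report this paragraph describes: walk table-level lineage backwards from a reporting table to its sources, then join those sources to the cycle's signoff records and a user-to-division lookup.  The lineage edges, signoff records and lookup below are constructed sample data.  The same join also surfaces two things an auditor will ask about: sources with no signoff in the cycle, and sources where the editor signed off their own upload.

```python
"""Backwards/forwards table lineage joined to signoff records.  Added example,
not SAS or Data Controller code; all data below is constructed."""
from collections import defaultdict, deque

# Constructed table-level lineage: one edge per (source table, SAS job, target table)
LINEAGE = [
    ("src.gl_extract", "job_load_gl", "stg.gl"),
    ("src.fx_rates", "job_load_fx", "stg.fx"),
    ("stg.gl", "job_build_mart", "mart.balance_sheet"),
    ("stg.fx", "job_build_mart", "mart.balance_sheet"),
    ("stg.gl", "job_build_pl", "mart.pnl"),
]

# Constructed signoff records for one cycle (editor staged the data, approver signed it)
APPROVALS = [
    {"table": "src.gl_extract", "cycle": "2018Q2", "editor": "alice", "approver": "bob"},
    {"table": "src.fx_rates", "cycle": "2018Q2", "editor": "carol", "approver": "dave"},
    {"table": "stg.fx", "cycle": "2018Q2", "editor": "dave", "approver": "dave"},
]

# Constructed user -> division lookup (in practice from LDAP or SAS metadata)
DIVISION = {"alice": "Finance", "bob": "Finance", "carol": "Treasury", "dave": "Treasury"}


def _walk(lineage, start, backwards):
    """Transitive closure over the lineage graph; returns (tables, jobs) reached."""
    adj = defaultdict(list)
    for src, job, tgt in lineage:
        if backwards:
            adj[tgt].append((src, job))     # target -> its sources
        else:
            adj[src].append((tgt, job))     # source -> its targets
    seen, jobs, queue = set(), set(), deque([start])
    while queue:
        for nxt, job in adj[queue.popleft()]:
            jobs.add(job)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, jobs


def upstream(lineage, target):
    """All tables and jobs feeding `target` (target -> source lineage)."""
    return _walk(lineage, target, backwards=True)


def downstream(lineage, source):
    """All tables and jobs fed by `source` (source -> target lineage)."""
    return _walk(lineage, source, backwards=False)


def preparers_report(lineage, approvals, division, target, cycle):
    """Per source of `target` in `cycle`: who prepared and validated it and from which
    division, plus two control gaps: sources with no signoff, and self-approved sources."""
    sources, _ = upstream(lineage, target)
    signed = {a["table"]: a for a in approvals if a["cycle"] == cycle}
    rows, self_approved = [], []
    for table in sorted(sources):
        a = signed.get(table)
        if a is None:
            continue
        rows.append({
            "table": table,
            "prepared_by": a["editor"],
            "preparing_division": division.get(a["editor"], "UNKNOWN"),
            "validated_by": a["approver"],
            "validating_division": division.get(a["approver"], "UNKNOWN"),
        })
        if a["editor"] == a["approver"]:
            self_approved.append(table)
    return {
        "target": target,
        "cycle": cycle,
        "rows": rows,
        "sources_without_signoff": sorted(sources - set(signed)),
        "self_approved": self_approved,
    }
```

With the sample data, the report for mart.balance_sheet in 2018Q2 lists three signed-off sources, flags stg.gl as having no signoff record, and flags stg.fx because dave both staged and approved it; both gaps are exactly what the Separation of Roles principle is meant to rule out.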

Processes should integrate and document key controls (principle 3.3)

Data Controller can be used as a staging point for verifying the quality of data, eg when data from one department must be passed to another department for processing.  The user access policy will be as per the existing policy for your SAS environment.

Summary

Whilst the circular provides valuable clarity on the expectations of the NBB, there are significant costs involved in preparing for, and maintaining, compliance with the guidance.  This is especially the case where reporting processes are disparate and make use of disconnected EUCs (end-user computing applications such as spreadsheets) and manual processes.

The Data Controller for SAS® addresses and automates a number of pain points as specifically described in the circular.  It is a robust and easy-to-use tool, actively maintained and documented, and provides an integrated solution on a tried and trusted platform for data management.