Since the Enron scandal shook the corporate world in 2001, the US government has made deliberate efforts to enforce stringent data compliance and financial disclosure policies. The Sarbanes-Oxley Act (SOX) in the US and GDPR in Europe are among the critical, internationally accepted compliance norms.
The release, on April 30, of an updated version of the “Evaluation of Corporate Compliance Programmes” by the US Department of Justice has affirmed the US government’s stance on working towards continuously improving the compliance standards by bringing more clarity into legal proceedings initiated for non-compliance.
The Sarbanes-Oxley Act is a corporate compliance Act passed in 2002 in the US Senate to protect shareholders, investors, and the general public from accounting errors and fraudulent practices, and to improve the accuracy of corporate disclosure.
SOX is applicable to:
1. All publicly held American companies,
2. All international companies that are registered under the US Securities and Exchange Commission (SEC),
3. All companies that provide financial services to any of the above companies.
There are several sections to this Act that cover various details about financial accounting disclosure and practices. However, two sections are worth special mention: Sections 302 and 404.
Section 302 mandates that the CEO and the CFO must personally certify in writing that the company’s financial statements comply with the SEC’s disclosure and accuracy requirements.
Section 404 stipulates that organisations must have an annual audit of internal controls performed by an external auditor. The audit assesses the effectiveness of all internal controls and reports its findings directly to the SEC.
SOX is a strict measure to assess internal control, financial data accuracy and financial disclosure. Non-compliance with the Act can have grave consequences, resulting in criminal and civil penalties.
Companies capture important data related to suppliers, customers, materials, employees and finance in their Enterprise Resource Planning (ERP) software such as SAP, Oracle or Infor. ERP data governance is the process of making sure that the company’s ERP data meets the business standards set by the company, in terms of accuracy, consistency and redundancy. The proper use of data governance tools substantially increases a company’s ERP data quality, helping it draw the right insights for better management decisions.
What is the need for data governance tools when operations are running smoothly and the company is making profits?
The answer is basic and one that deserves due attention. In this age of information abundance, data is the lifeblood of an organisation. Just like impurities in the bloodstream and problems with circulation can cause disease in the body, bad data quality can create business process obstructions and can hamper the company’s growth and profitability.
Such data quality issues generally surface when the situation is already worsening. Recovery from such situations becomes difficult and requires considerable investment of finances and efforts. Hence, the age-old wisdom “Prevention is better than cure” still holds true.
Let’s understand the two types of ERP data governance and the different tools available in the market.
• Active governance is the process of validating data for its quality and accuracy through various business validations, workflows, quality checks and reviews using active governance tools before the data is entered in the ERP system. Once the data is validated, it is then entered in the ERP system. Active data governance should be in place right after the new ERP implementation or ERP migration takes place.
• Passive governance is the process of checking/verifying data on various parameters after it is entered in the ERP system. This is usually done by running different data quality error reports on the already present ERP data.
A company should have both active and passive data governance platforms to ensure superior data quality. A good analogy is a computer system. One needs to have both a firewall and anti-virus in place to keep it safe; one without the other is only half the protection. Active data governance is like a firewall, and passive is like an anti-virus.
Many tools are available in the market for active and passive data governance; SAP’s Master Data Governance platform and Syniti’s Data Stewardship Platform are among them.
How compliance and data governance go hand in hand
There are many compliance acts such as GDPR and SOX, which the company has to adhere to. Smart companies do not just aim to pass the annual compliance audits; instead, they use their ERP data governance capabilities to smoothen the process of compliance. Maintaining a high level of data accuracy and transparency helps in preparing for the annual audit.
Smart companies stay ahead in the business through greater financial data accuracy and transparency, and through better data governance policies and implementation practices. ERP data governance assures uniformity and data benchmarking through various validation checks applied as the company’s business data policy. This ensures tight internal control and brings discipline into the organisation, creating a culture of transparency.
The underlying data workflows and well-defined SLAs for workflow approvals ensure data quality checks and timely completion of tasks to achieve superior operational performance. The various governance tools can be used to define the roles and responsibilities of teams and individuals, improving accountability. This directly translates to the company’s profitability by avoiding any business process obstructions.
The new wave of data analytics, digital boardrooms and real-time data-driven decision-making is sweeping the industry. However, the most significant assumption made here is that the underlying data is of superior quality and of the utmost accuracy. All the beautiful dashboards and charts will not show correct results if the data quality is not superior. One row of bad data can cost millions because incorrect management decisions will be based on it.
No one thought Enron would end up in bankruptcy. Poor financial disclosures and lack of transparency defined the organisation’s culture, resulting in its downfall. Setting up strict business data policies and internal controls through proper data governance is a vital first step in nurturing the right culture of transparency and fair play in organisations.
Relevance in Indian context
SOX is applicable not only to companies in the US but also to MNCs that are registered under the SEC in the US and to the companies providing financial services to these entities. Similar is the case with the General Data Protection Regulation (GDPR), which applies to firms in the European Union. Indian companies that handle EU data are expected to adhere to these compliance policies. Moreover, Indian reporting and compliance Acts, such as The Companies Act, 2013 and The Personal Data Protection Bill, 2018, stress the need for data compliance.
Smart utilisation of data governance tools can not only help Indian companies smoothen their annual compliance processes but also help them stay ahead in the business with the help of business decisions driven by clean and accurate data.
(The writer is a student of EPGP 2019-20 at IIM Bangalore. He has nearly seven years of Tech Consulting experience in ERP data migration, governance, compliance and analysis.)