Oracle Hyperion Financial Management as a main way to run SOX internal audit
Table of contents: The Kazakh-American Free University Academic Journal №4 - 2012
Gortsova Natalya, Urazov Timur, Kazakhstan
Urazov Timur, Urazov Timur, Kazakhstan
"An unexpected guest is worse than a Tatar" (Russian proverb) is an old
proverb that is true for business. Company can benefit from arrival from the
This article pays particular attention to SOX internal audit and to
Oracle's Hyperion Financial Management solution, which provides the basic
framework for achieving compliance with regulatory rules and reduces the
cost of compliance with Sarbanes-Oxley.
The Sarbanes-Oxley Act (SOX) of 2002 was adopted after a series of
corporate scandals (primarily Enron and WorldCom) and aims to protect the
rights of investors. Since July 2005 the law has applied to all companies
(including non-US ones) whose shares are quoted on the U.S. stock market.
Today, compliance with the Sarbanes-Oxley Act is a worldwide practice, and many
companies, including Russian ones, adopt SOX requirements to increase their
investment attractiveness and business opportunities in the international market.
SOX is a new way to prevent risks. It sets a number of important
requirements for internal control procedures and business processes, including
management accounting and budgeting. The Sarbanes-Oxley Act belongs to the
legislation aimed at regulating the functioning of financial services, banking
transparency and the independence of inspectors. Consider a few sections that
deserve special attention:
Section 302 of the Sarbanes-Oxley Act requires the chief executive and
chief financial officers to include their statements in the minutes of the
audit in order to verify the correctness of the information contained therein.
This is done in order to hold the heads responsible for the information.
Section 404 of the Sarbanes-Oxley Act requires every JSC (Joint Stock
Company) to include "internal" reports in its annual reports. Such a
system establishes management's responsibility for the implementation of
internal control procedures, management accounting and budgeting. The rules
also include an assessment of the effectiveness of internal controls by the
company's management. At the same time, the internal control units
should include their own assessment of management performance in the annual
report of the company in accordance with accepted standards.
This section of the Sarbanes-Oxley Act is the most difficult to apply,
as most JSCs managed their cash flow without detailed reporting.
Companies should introduce a system of internal control, assess their
vulnerabilities and identify ways to test the effectiveness of the controls.
Section 409 of the Sarbanes-Oxley Act limits the time allowed for report
preparation, and also requires disclosure of changes in the business for a
specific list of items. The list of these items will probably grow with time, but
almost all of them reflect events and information that cannot be captured
by most systems (e.g., ERP).
The International Institute of Internal Auditors (Institute of Internal
Auditors, IIA) is the largest international organization of internal auditors. It
gives the following definition: internal audit is an independent and objective
assurance and consulting activity designed to achieve specific
results and improvement in organizations; it helps organizations achieve their goals
through a systematic, disciplined approach to evaluating
and improving the effectiveness of governance, control and risk management.
Despite the rapid development of internal audit at the end of the 20th
century, its role and place in U.S. and international companies are
determined by the following scheme.
With a sufficient level of risk management training, management works
on introducing some key components of internal control, particularly in
areas of high risk (e.g., cash management, procurement, storage, sale). At the
same time, the company does not have full internal control or risk management
at all levels of the organization, and although some levels of control
are developed and effectively implemented, they are not formally documented.
Another characteristic of this stage is that control depends on people and,
to a lesser extent, on processes. In turn, internal audit is seen as the only
service in the organization able to assess the risks, and it is opposed by
management of the activity.
It should be noted that with the passage of the Sarbanes-Oxley Act,
many companies, both domestic and foreign, experienced huge difficulties in
conducting internal audit according to these standards. Discussions about the
benefits of the detailed control defined by SOX, and the associated additional
costs of its implementation, began immediately after the draft law was issued
for discussion. Supporters of the bill argued that the necessary tightening
of regulation would play a role in restoring confidence in the markets.
Opponents objected that the accompanying increase in costs would
reduce the competitiveness of the U.S. as a platform for raising capital compared
with other countries. Now, five years later, we can say that both the first
and the second were right.
After that, companies began to develop their own accompanying
programs that facilitate SOX internal audit.
For example, Oracle, the world's largest developer of software for
organizations and a major supplier of server equipment, has developed a basic
framework for achieving compliance with regulatory rules that reduces
the cost of compliance with Sarbanes-Oxley.
The orientation of internal audit towards verifying compliance with the
requirements of the Sarbanes-Oxley Act is gradually declining. According to the
latest study by the auditing firm PricewaterhouseCoopers (PwC), only 27% of
respondents confirmed that they allocate more than half of their internal
audit resources to verifying compliance with section 404 of SOX. According to a
similar study in 2007, the share of such companies among respondents was 41%.
Let’s consider how the Sarbanes-Oxley Act affects the financial
system of the company.
The Sarbanes-Oxley Act came into force in August 2002. It requires
CEOs and CFOs to confirm financial results; in the event of non-compliance
they are subject to the most severe civil and criminal penalties. The law implies a
much greater degree of control over public companies than any previously
created document. The Securities and Exchange Commission's Public Company
Accounting Oversight Board (PCAOB) is mentioned in the law. In Auditing
Standard No. 5 of May 24, 2007, the PCAOB requires enterprises of all sizes
to pay close attention to the integrity and consistency of financial
reporting. Internal control bodies should be fully involved in the process of
financial reporting, including the annual financial statements and quarterly
reports, and in monitoring records of single and repeated adjustments of financial
instruments (for example, to merge the changes, the combination of reports and
repartition by groups).
The standard of audit states: "While the completeness of
control is an important measure in assessing the control system, the focus of
internal control should be paid to reports that may affect the material losses
due to errors in the financial documents". What does it mean? Only an auditor
can answer this question. Obviously, the SEC, which was formed after
the introduction of SOX, requires prioritizing the financial statements and
using them to assess risk. The question arises: how can the system developed by
Oracle affect these standards? According to foreign analysts, the answer is
quite simple. The Oracle Hyperion Financial Management solution helps to
manage financial information and gives managers the confidence to confirm the
annual and quarterly results, including reporting procedures. Oracle
and its consulting partners can help implement the Oracle
Hyperion Financial Management solution, which makes it easy to improve
internal controls and document flow, up to the introduction of electronic
signatures with comments, and to use data protection. Once the implementation
is complete, a strictly documented process will be available; it
will be transparent and will document the preparation of the annual
and quarterly reports for the general ledger audit.
In addition, employees of financial departments can deploy the
Oracle Hyperion Financial Management solution in minimal time, thus
accelerating the closing of the financial period and the preparation of
the required reports. It also contributes to the rate of positive return on
investment, but most importantly, the Oracle Hyperion Financial
Management solution enables public companies to ensure compliance with the
critical aspects of SOX.
At the beginning of our article we identified the most
important sections of the Sarbanes-Oxley Act; however, it is often difficult to
determine what level of control is actually required. SOX compliance may become
unsupportable without due consideration of the following questions:
Which elements of control will we strengthen? How to achieve this
Consider another system which facilitates compliance with these
standards and helps to answer these questions.
Active Modeler Avantage SOX Inspector. The control system should be designed
together with the corporate business model so that everything is in one place.
Just imagine: you could define your business processes in accordance with the
international BPMN standard, and then add control items to the COSO standard to complement its
Key advantages of the Avantage SOX solution
Avantage is an efficient and cost-effective solution:
- There were many cases where companies exceeded the budget for SOX 404
compliance. Now they are looking for less expensive ways to achieve optimal
- Inspector SOX Avantage, based on the corporate process model, helps
both to reduce compliance costs and to gain instant access to more accurate
information for control.
The following operations were carried out during the work on
SOX compliance:
• Expensive outside consultants were hired in a particular field
that is not available in the company.
• Internal consultants were added to the SOX team in order to avoid
overwork of the internal resources.
• Accounting firms were used to work for compliance.
• Internal management was intensively involved, often due to the
overall performance of the business.
• Standardized tools were not used often.
While this approach may have worked during the "honeymoon"
of SOX compliance, now companies need a more stable long-term solution.
Although we still need to raise the level of in-house
expertise on SOX and on internal/external audit, the Avantage approach allows you to
turn a set of issues handled by a separate specialized team into
part of the daily work. Thus, the process owners take
responsibility for most of the documentation for verification and compliance monitoring.
Internal audit and the SOX specialist will monitor SOX compliance and be
responsible for quality control of the process, conducting high-level tests to
demonstrate the effectiveness of controls and procedures. Another advantage of
this approach is that the process owners begin to better understand the
business processes, and we introduce the concept of re-engineering and
transformation of business processes.
After analyzing these approaches, it can be concluded that Avantage
can be recommended as a standardized tool. To start, you must have a
standardized tool for defining processes that is convenient to install
and use across the organization. This standardization ensures that the
definition and control of the processes are understood in the same way by different
teams in the organization, and that responsibility for documentation and tests
passes to the process owners. Active Modeler Avantage differs in that it is a
useful tool that 100% meets the international BPMN standard, so all the documentation
is developed by the company according to the accepted standard.
Managers should educate employees so that process owners can
document their processes, and do it at the appropriate level of detail. This is
simple with Avantage. You will be sure that all employees document processes
in the same way. After a one-day training course your employees will be able to
maintain documentation according to international standards. All graphic elements are
clearly defined and controlled. Documents and specifications may also be recorded.
The company should carry out comprehensive document control with a
well-defined process of checks to ensure that only those who have been granted
permission update and edit documents. It is important that the documentation
of processes and checks is always framed correctly. If necessary, the
documentation of the processes can be stored in a CVS archive to verify
versions. A single set of electronic data is particularly needed in large
organizations. Updates of documentation are strictly controlled and registered under
close supervision. Avantage has a convenient interface to the CVS archive
with simple input/output commands.
After the documentation process is established, the control function
should be added to it. The internal SOX experts help with this: they
will have to provide a step-by-step guide and train process owners in
choosing the type of control and testing internal controls. It must be
remembered that SOX requires work with control points, and not just procedure
documentation. Avantage allows you to emphasize these points and document
control procedures. All control points can be labeled, for example, in red in
the process diagrams.
In the past, many companies implemented too much SOX control and
evaluation. That is why a step-down approach is needed to determine
exactly what type of control is required. Avantage allows running controls at the
task level of the process or at the level of higher-level objects.
After the training, the process owner can recognize good and weak
internal controls and good or unsatisfactory documentation. Process owners should have a
clear understanding of all the requirements for documentation of processes and
of the internal control system of the process for which they are
responsible. There should be a procedure for improving the compliance
process, typically checks involving the internal auditor and the SOX expert. Education
of process owners and team members should be initiated automatically when
deficiencies are found in the internal control of the process or after a period of
time since the last training.
Avantage provides standard reports to monitor the process and the
results of audits to ensure that the internal control checks are carried out
regularly and in the same way in all the operations of the company. This is an
important condition for successfully establishing process compliance in the
company. Only authorized employees, such as supervisors or managers of internal
processes, have the right to edit the tests. If a test is changed, only the
latest version can be used to check the internal control systems of any
Avantage visually displays, in Excel, the results of internal controls
that are below the permissible value. They can be automatically marked as a
lack of control, and thus monitored by the company. Owners of key processes and
internal controllers can clearly see where deficiencies were found.
The organization must keep track of all actions to correct the
values below the reference level to ensure correction of deficiencies in a
The main functions of Inspector SOX
||Risks, Milestones, Assertions, Properties COSO, Ratings, Audits and Assessments can be fixed for the process of BPMN.
|Risks at different levels of facilities
||Risks can be defined on the chart, group, track or task.
||Rows of standards - Risks, Milestones, Assertions, Properties COSO, Assessments and Audits - can be edited and set exactly the way you want in your organization.
|Color selection and additional marking
||Problems, containing the level of risk, can be allocated your chosen color. You can use the additional marker (for the organization's departments and black and white printing).
||Updates, as well as internal and external audits are recorded, stamped date / time, and these versions can be archived
|Excel Risk Control Matrix
||RCM is displayed in Excel. The analysis can be performed for one or more processes, depending on the point of the analysis, the selected on the tree of process.
||You can create a list RCM formatting of
decreased attention to SOX is explained by the fact that major U.S. and international
companies have achieved good results in implementing a risk-based
variety of the vertical approach to the assessment of internal control over financial
reporting, in accordance with the mandatory implementation of auditing standard
No. 5 (AS5 PCAOB). For the same reason, PwC believes that in the next five years
the focus of companies' internal audit on SOX compliance will remain the
same or, more likely, weaken. In addition, as noted above, regulators are also gradually
weakening SOX requirements.
Thus, it is expected that in the medium term the objective of internal
audit will increasingly move away from checking SOX compliance and on to
new issues. Internal audit has an incredible advantage over any other service of
the company in its independence, its framework of subordination and its
specific relationship with management, including senior management, as
well as a unique base of knowledge and experience gained from years of auditing
completely different business units. These advantages allow internal auditors,
as employees acting solely in the company's interests while remaining
formally and de facto independent in their assessments and recommendations, to
look at the company as a single entity and perform routine work on assessing
risks and vulnerabilities, identifying weaknesses and preparing independent
and objective recommendations to address them.