Oracle Hyperion financial management as a main way to run internal audit sox

Table of contents: The Kazakh-American Free University Academic Journal №4 - 2012

Gortsova Natalya, Urazov Timur, Kazakhstan
Urazov Timur, Urazov Timur, Kazakhstan

"Unexpected guest worse than a Tatar (Russian proverb)" is an old proverb that is true for business. Company can benefit from arrival from the unexpected guest.

This article pays particular attention on SOX internal audit and solution Hyperion Financial Management of the Oracle Company, which provides the basic framework for the achieving compliance and regulatory rules, and reduces the cost of compliance with Sarbanes-Oxley.

So Sarbanes-Oxley Act (SOX) 2002 was adopted after a series of corporate scandals (primarily deal Enron, WorldCom) and aims at protecting the rights of investors. The law Sarbanes-Oxley (SOX) is applied to all (including non-US) companies whose shares are quoted on the U.S. stock market since July 2005. Today, compliance Sarbanes-Oxley Act (SOX) is worldwide practice and many companies, including Russian, take SOX requirements to increase the investment attractiveness and business opportunities in the international market.

SOX - a new way to prevent risks. It makes a number of important requirements for internal control procedures, business processes, including to management accounting and budgeting. Sarbanes-Oxley Act refers to legislation aimed at regulating the functioning of the financial services, banking transparency and independence of the inspectors.Consider a few sections that deserve special attention:

Section 302 of the Sarbanes-Oxley Act requires the executive and chief financial officers to include their statements in the minutes of the audit in order to verify the correctness of the information contained therein. This is done in order to hold the heads of responsibility for information.

Section 404 of the Sarbanes-Oxley Act requires all JSC (Joint Stock Company) to include "internal" reports in its annual reports. Such system establishes a management responsibility for the implementation of internal control procedures, management accounting and budgeting. The rules also include an assessment of the effectiveness of internal controls by the management company. At the same time, the units within the internal control should include own assessment of management performance in the annual report of the company in accordance with accepted standards.

This section of the Sarbanes-Oxley Act is the most difficult to use, as most of JSC managed their cash flow without the use of detailed reporting. Companies should introduce a system of internal control, assess their vulnerabilities, to identify ways to test their effectiveness.

Section 409 of the Sarbanes-Oxley Actlimits the time of the report preparation, but also requires informing about changes in the business of a specific list of items. A list of these items probably will grow with time, but almost all of them reflect the events and information that cannot be reflected by most systems (eg, ERP).

International Institute of Internal Auditors (Institute of Internal Auditors, IIA) is the largest international organization of internal auditors. It gives the following definition: internal audit is an independent and objective activity to provide assurance and consulting designed to achieve specific results and improvement in organizations, helps organizations achieve goals through the implementation of a systematic, disciplined approach to evaluate and improve the effectiveness of governance, control and risk management.

Despite the rapid development of internal audit at the end of the XX century, its role and place in the U.S. and international companies are determined by the following scheme.

With a sufficient level of risk management training management works to the introduction of some key components of internal control, particularly in areas of high risk (eg, cash management, procurement, storage, sale).Herewith the company does not have full internal control or risk management at all levels of the organization, and despite the fact that some levels of control are developed and effectively implemented, they are not formally documented. Another characteristic of this stage is dependent on the control of people, less - from the processes. In turn, the internal audit is seen as the only service in the organization, able to assess the risks, and it is opposed by management of the activity.

It should be noted that with the passage of the Sarbanes-Oxley Act, many companies both domestic and foreign experienced huge difficulties in conducting internal audit according these standards. Discussions about the benefits of detailed control, defined by SOX, and the associated additional costs of its implementation, began immediately after the issuance of a draft law for discussion. Supporters of the bill argued that the necessary tightening of regulation would play a role in restoring confidence in the markets. Opponents objected that concomitant increase in costs of this process will reduce the competitiveness of the U.S. as a platform to raise capital compared with other countries. Now, five years later, we can say that both were right first and second.

After that, the company began to develop their own accompanying programs that facilitate internal audit SOX.

For example, Oracle, the world's largest developer of software for organizations and a major supplier of server equipment, has developed a basic framework for the achievement of compliance and regulatory rules, and reduces the cost of compliance with Sarbanes-Oxley.

Orientation of internal audit to verify compliance with the requirements of the Sarbanes-Oxley Act is gradually reduced. According to the latest study by the auditing firm PricewaterhouseCoopers (PwC), only 27% of respondents confirmed that emit more than half of the resources of the internal audit to verify compliance with the section 404 of the SOX. According to a similar study in 2007 the share of such companies in the response rate was 41%.

Let’s consider how the Sarbanes-Oxley Act affects the financial system of the company.

The Sarbanes-Oxley Act came into force in August 2002. It requires CEOs and CFOs to confirm financial results that in the event of non-compliance are subjected to the most severe civil and criminal penalties. Law implies a much greater degree of control over public companies than any previously created document. The Board Securities and Exchange Commission's Public Company Accounting Oversight Board (PCAOB) are mentioned in the law. PCAOB requires enterprises of all sizes to pay close attention to the integrity and consistency of financial reporting in the standard of audit No. 5 of the May 24, 2007.Internal control bodies should be fully involved in the process of financial reports, including the annual financial statements and quarterly reports, monitoring records of single and repeated adjustments of financial instruments (for example, to merge the changes, the combination of reports and repartition by groups).

The standard of audit states: "While the completeness of control is an important measure in assessing the control system, the focus of internal control should be paid to reports that may affect the material losses due to errors in the financial documents". What does it mean? Only auditor can answer to this question. Obviously, the SEC Commission, which formed after the introduction of SOX, requires prioritizing the financial statements, and using them to assess risk. The question arises - how the developed system of Oracle may affect these standards? According to foreign analysts, the answer is quite simple. Solution of the Oracle Hyperion Financial Management helps to manage financial information and gives managers the confidence to confirm the annual and quarterly results, including reporting procedures. Company Oracle and partners of consultants are able to help in the implementation of Oracle Hyperion Financial Management solutions, which will help easily improve internal controls and the flow of documents to the introduction of electronic signatures with comments, and to use data protection. Strictly documented process will be available after the completion of the implementation, which will be transparent and will provide documentation of the process of the annual and quarterly reports for the audit general ledger.

In addition, employees of financial departments can deploy the solution of Oracle Hyperion Financial Management in a minimum time, thus accelerating the process of closing the financial period and the formation of the required reports. Also, it contributes to the rate of positive return on investment, but the most important thing that Oracle Hyperion Financial Management decision enables public companies to ensure compliance the critical aspects of SOX.

At the beginning of our article, we have identified the most important sections of the Sarbanes-Oxley Act, however, it is often difficult to determine what level of control actually required. SOX compliance may become unsupportable without due consideration of the following questions:

Which elements of control will we strengthen? How to achieve this control?

Consider another system which facilitates compliance with these standards and help to answer these questions.

Active Modeler Avantage SOX Inspector. Control system should be designed with the corporate business model to have everything in one place. Just imagine, you could define your business processes in accordance with international BPMN standard, and then add items of control to COSO standard to complement its business model.

Key advantages of Advantage SOX decisions

Avantage implies efficient and cost-effective solution:

- There were many cases where companies exceeded the budget for compliance SOX404. Now they are looking for less expensive ways to achieve optimal compliance SOX.

- Inspector SOX Avantage, based on corporate process model, helps both to reduce compliance costs, and gain instant access to more accurate information for the control.

The following operations were conducted during the work on compliance of SOX:

• Expensive outside consultants were hired in a particular field that is not in the company.

• Internal consultants were added to the SOX team in order to avoid overwork of the internal resources.

• Accounting firms were used to work for compliance.

• Internal management was intensively involved, often due to the overall performance of the business.

• Standardized tools were not used often.

While this approach may have worked during the "honeymoon" of SOX compliance, now companies need a more stable long-term solution.

Despite the fact that we still need to raise the level of in-house expertise on SOX and, internal/external audit, Avantage approach allows you to turn the set of issues, which are dealt by a separate specialized team, into part of the daily total work. Thus, the owners of the process take responsibility most of the documentation for verification and compliance of monitoring. Internal audit and SOX specialist will monitor the compliance of SOX and be responsible for quality control of the process, conducting high-level tests to demonstrate the effectiveness of controls and procedures. Another advantage of this approach is that the owners of the process begin to better understand the business processes, and we introduce the concept of re-engineering and transformation of business processes.

It can be concluded after analyzing these approaches, that Avantage can be recommended as a standardized tool. To start, you must have a standardized tool to determine the process that would be convenient to install and use across the organization. This standardization ensures that the definition and control of the processes are understood similarly by different teams in the organization as well as responsibility for documentation/tests pass to process owners. Active Modeler Avantage is different in that it is a useful tool, 100% meets international standards BPMN, so all the documentation are developed by the company according to the accepted standard.

Managers should educate employees, so that process owners can document their processes, and do it at the appropriate level of detail. It is simple with Avantage. You will be sure that all employees document processes equally. After a one-day training course your employees will be able to maintain documentation due to international standards. All graphic elements are clearly defined and controlled. Documents and specifications may also be recorded.

The company should carry out a comprehensive document control with a well-defined process of checks to ensure that only those who have been granted permission, update and edit documents. It is important that the documentation of processes and checks always are framed correctly. If necessary, the documentation of the processes can be stored in the CVS archive to verify versions. Single set of electronic data is particularly needed in large organizations. Update of documentation strictly controlled and registered under close supervision. Avantage has a convenient interface to the archive of CVS with simple commands of input/output.

After the process of documentation is installed, it should be added function of instruments control. The internal SOX experts help with it, which will have to provide a step by step guide and training process owners for the choice of the type of control and testing of internal controls. It must be remembered that SOX provides work with control points, and not just procedure documentation. Avantage allows you to emphasize these points, and document control procedures. All control points can be labeled, for example, in red in the diagrams of the process.

In the past, many companies implemented too much control and evaluation of SOX. That is why it is needed a step-down approach to determine exactly what type of control is needed. Avantage allows running controls on the task level of the process or at a higher level objects.

After the training, the process owner can recognize good and weak internal controls or good/unsatisfactory documentation. They should have a clear understanding of all the requirements for documentation of processes and understanding of the internal control system of the process for which they are responsible. There should be a procedure for improving the process of compliance, typically checks involving internal auditor and expert on SOX. Education of process owners and team members should be automatically initiated while finding disadvantages in internal control of the process or after a period of time since the last study.

Avantage provides standard reports to monitor the process and the results of audits to ensure that the internal control checks are carried out regularly and equally in all the operations of the company. This is an important condition for a successful installation of process compliance in the company. Only authorized employees such as supervisors or managers of internal processes have the right to edit quizzes. If the test is changed, only the latest version can be used to check the internal control systems of any company's operations.

Avantage visually displays the results of internal controls in Excel that are below the permissible value. They can be automatically marked as a lack of control, and thus monitored by the company. Owners of key processes and internal controllers can clearly see where deficiencies were found.

The organization must keep track of all the action on correcting the values below the reference level to ensure correction of deficiencies in a timely manner.

The main functions of Inspector SOX Avantage module

High Functionality Risks, Milestones, Assertions, Properties COSO, Ratings, Audits and Assessments can be fixed for the process of BPMN.
Risks at different levels of facilities Risks can be defined on the chart, group, track or task.
Table editor Rows of standards - Risks, Milestones, Assertions, Properties COSO, Assessments and Audits - can be edited and set exactly the way you want in your organization.
Color selection and additional marking Problems, containing the level of risk, can be allocated your chosen color. You can use the additional marker (for the organization's departments and black and white printing).
Audit trail Updates, as well as internal and external audits are recorded, stamped date / time, and these versions can be archived CVS.
Excel Risk Control Matrix RCM is displayed in Excel. The analysis can be performed for one or more processes, depending on the point of the analysis, the selected on the tree of process.
Formatting Excel You can create a list RCM formatting of your choice.

Largely decreased attention to SOX is defined by the fact that major U.S. and international companies have achieved good results in the implementation of a risk-based variety of vertical approach to the assessment of internal control over financial reporting in accordance with the mandatory implementation of auditing standards ¹ 5 (AS5 PCAOB). For the same reason, PwC believes that in the next five years, the focus of internal audit for compliance with SOX company will remain the same or, more likely, to weaken. In addition, as noted above, regulators also gradually weaken requirements for SOX.

Thus, it is expected that in the medium-term objective of internal audit is increasingly moving away from check of SOX compliance and move on to new issues. Internal Audit has incredible advantage over any other services of the company in its independence, providing a framework for submission and the specific relationship with management, including with senior management, as well as a unique base of knowledge and experience gained from years of auditing completely different business units. These advantages allow internal auditors as employees, acting solely in its interests and at the same time remains formal and de facto independent and in the assessments and recommendations, to look at the company as a single entity and perform routine work on risk assessment, vulnerability, identifying weaknesses and preparation of independent and objective recommendations to address them.




3. Sarbanes-Oxley Act: Section 404. Practical Guidance for Management. Price Waterhouse Coopers, 2004.

4. Changing the DNA of IT: Sarbanes-Oxley and Service Management. Mar-vin Waschke, Computerworld, 2005.

5. Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools. Christian Lahti, Steve Lanza, Roderick Peterson. Syngress, 2004.

6. IT Control Objectives for Sarbanes-Oxley. IT Governance Institute, 2006.

7. Aligning COBIT, ITIL and ISO 17799 for Business Benefit. The IT Governance Institute, 2005.

Table of contents: The Kazakh-American Free University Academic Journal №4 - 2012

About journal
About KAFU

   © 2022 - KAFU Academic Journal