Sarbanes-Oxley is about restoring investor confidence in publicly traded companies by attempting to ensure that the financial reports that they present to the investing public are accurate.
As a result, public companies have been forced to review and implement controls to help ensure that risks to the financial reporting process are properly managed. Of course, fraud and malicious activities get a lot of trade press and management attention, but the far greater risk to the integrity of financial reporting is human error.
In today’s high-speed, complex enterprises, errors in the programming of an application, interface or spreadsheet can lead to mistakes in the financial reports that are disclosed to the public. The dollar amount of the mistake can range from immaterial up to very material with significant repercussions.
Lapses in Logic, Errors in Execution
In order to discuss errors, we need to categorize what we are confronting. We can identify two broad categories of errors – logic errors and execution errors.
Errors in logic arise from flawed perceptions, or understandings, that lead to erroneous assumptions and modeling. If an analyst understands that the scrap rate is 25 percent and then creates his/her business model around that, then a developer will create the application with the erroneous logic embedded in it. Later, when someone finds out that the rate is really 53 percent, corrective action will be required, and the financials will need to be reviewed in order to understand the impacts.
Errors in execution arise during the implementation of something – in our case above, during the implementation of an application. In the above model, let’s assume that the analyst correctly identifies the scrap rate to be 53 percent and correctly documents the required logic. When it reaches the developer though, the developer inadvertently transposes the digits and enters 35 percent due to fatigue. In this case, he executed the instructions incorrectly and has an error in execution.
There are many possible scenarios by which human error can enter into the financial reporting process. Organizations need to design their processes with the recognition that not only must they make reasonable efforts to prevent and detect fraud but they must also address the prevention and detection of human error.
It may be that an organization has complete faith in its people to not perform malicious acts. The people may all be long-term, happy, highly trained employees who all have a vested interest in the long-term success of the company. What management must bear in mind is that those employees are still human. Errors can and will happen routinely, and they can impact the financial reports, resulting in embarrassment, restatements, brand damage and perhaps even investor lawsuits.
Instead, organizations need to recognize that all processes have some degree of inherent variation and put controls in place to reasonably prevent errors and detect when they occur. In the world of IT, we have many controls to select from that can help, such as:
Fraud and malicious activities gather a lot of attention in the popular media, trade press and board meetings. Statistically speaking, the greater threat is from human error, and the controls and processes that are put in place to safeguard financial reporting must take that into account.