By Russ Banham
By now, most companies have taken long strides toward automating theirbusiness processes with the goals of making their operations more efficient, saving money and generating the analytical insights that can inform decision making. But what if the underlying data is incorrect? Or if the processes it’s being put through, the way it’s being manipulated or the algorithms that are being applied to it are faulty?
Those are questions attracting a lot of attention in C-suites, since so much of business today relies on the integrity of both financial and nonfinancial data.
There are numerous ways in which inaccurate data can be produced, from sloppy data entry and inconsistencies in data formats to careless data migration or processing.
More than half of the respondents (55%) to the 2021 Global data management research survey of business leaders on data quality say they lack trust in their data assets. They believe that a third of their customer and prospect data alone is inaccurate.
Company internal control systems are intended to identify and mitigate data integrity and security risks—but what if an error slips through the cracks? Regulators expect complete reporting figures, consumers expect sensitive personal information to be safeguarded, investors expect accurate ESG (environmental, social, governance) metrics and boards expect all the above.
Obviously, the consequences of a misstep can be severe.
When Data Errors Get Compounded
“A lot is at stake,” said Heather Paquette, national technology assurance leader, Audit, at KPMG U.S. “Nearly every interaction in business begins with data, whether it’s a sales or services transaction or the data provided by functions and partnering organizations.”
Data, of course, doesn’t exist in a vacuum. Information connects and integrates with other data in an expanding array of devices, applications, databases and systems in both on-premise and cloud systems. It gets shared with auditors, regulators, rating agencies, suppliers and other third-party organizations.
If even one set of figures or the calculations within an algorithm are imperfect, the mistake can compound to the point where it affects business performance, decision making, social and cultural bias and brand reputation, not to mention that it may attract the attention of regulators.
Similar problems may arise if the processes that govern the collection and manipulation of data are broken—and if the controls in place for the inspection and validation of data accuracy and processes are substandard, data imperfections can go unseen. Lastly, if data isn’t sufficiently secured, a cybersecurity incident can lead to reputational problems, market losses, lack of investor confidence and regulatory disclosure issues.
While the potential for such problems is sobering, no one disputes the extraordinary business value of automating end-to-end processes across functions, digitizing structured and unstructured data and using technologies like AI and bots to generate insights from massive data volumes.
That’s why, as Paquette put it, “companies need to make every possible effort to ensure the completeness, accuracy, [accessibility] and security of data.”
Avoiding Legal And Regulatory Problems
And that’s where tech assurance—an intelligent risk-based approach to managing data across the enterprise—can help. Just as internal auditing identifies ways to improve business operations, tech assurance identifies how to improve automated business processes.
“Tech assurance systematically looks at the risks and controls related to all aspects of technology, increasing confidence in the accuracy of financial data among investors and other stakeholders,” said Paquette.
“Without this assurance,” she said, “a significant technology issue may result in material weakness in the internal controls over financial reporting, drawing into question whether or not the organization’s information is reliable.”
The likely result? “Legal and regulatory repercussions.”
With Change Comes Risk
There’s an old maxim in business that companies that fail to anticipate the business risks associated with organizational change suffer the consequences. Digital transformation—arguably the most disruptive organizational change in business history—is a case in point.
The integration of digital technologies into all functions across a company has fundamentally altered how businesses operate and deliver value. However, implementing these technologies without a clearly defined strategy or continuous attention to data accuracy, resilience and security can backfire and either stall the business or wreck it.
“Our studies on the future of finance indicate that 60% to 70% of manual controls will be automated within the next five years,” said Paquette. “This wide-scale automation presents a huge and growing need to test the controls to ensure the information is complete and accurate.”
Without this data assurance, business leaders are at risk of making capital decisions and business forecasts based on misleading information. A survey performed in late 2020 indicates that 6 in 10 C-level executives are concerned that their companies’ forecasts do not furnish an accurate picture of future performance. Only 1 in 3 of the 1,300 respondents are confident of the accuracy of their financial data.
ESG Reporting Adds A New Wrinkle
Errors in a financial statement can compel shareholders and other investors to file litigation against a company for misleading them in making investment decisions. Such mistakes also affect the integrity of a company’s ESG metrics, a key investor concern.
In February, the U.S. Securities and Exchange Commission directed public companies to “enhance [their] focus on climate-related disclosure” in filing their financial statements. More recently, SEC chair Gary Gensler said he plans to propose new rules about climate risk and other ESG disclosures in the second half of 2021.
“Many companies already post supplemental notes concerning ESG in their financial statements and annual reports to explain how the metrics were prepared,” Paquette said. “If the underlying data is inaccurate or misleading, it can adversely affect the company’s brand and reputation and may soon result in a regulatory infraction.”
Managing The Hazards
Certainly, as companies transform operationally and organizationally around data, the onus is on CFOs and CIOs to ensure its integrity. This is no task for the fainthearted, given the great number of technology systems, applications and automation solutions used in every function across the enterprise, from front-office sales, marketing and customer-facing interactions to back-office finance and accounting.
Data travels from customers, suppliers, regulators and diverse partners across these functions; it’s automatically processed and stored in on-premise and cloud-based systems and applications that plug into a backbone enterprise resource planning system. The data is accessible to users leveraging AI tools and bots for analytical purposes. But, Paquette points out, since some of this data “remains unstructured and not yet digitized, an incomplete picture of the organization’s financial health may be presented.”
Adding to these challenges is the need to secure data against the growing risk of a cyber incident. Since third-party cloud services firms get access to company systems, their cybersecurity is crucial. Nearly a third of third-party vendors are considered a material risk in the event of a breach, according to a 2020 survey.
Companies generally rely on an independent auditor’s SOC 1 or SOC 2 reports on the effectiveness of the internal controls that third-party cloud services providers use. “These reports cover controls related to business processes and general IT controls such as [those related to the] security, availability, privacy and processing integrity of the systems used by the providers to process client information,” Paquette explained.
Large professional services firms like KPMG LLP provide SOC attestation reports and may also deliver tech assurance assessment services that involve identifying potential data integrity issues and assessing the efficacy of related controls. To do this work, KPMG has deployed bots that assess client financial data and controls, searching for particular financial figures that are out of balance or in some way unaligned.
“Our goal is to audit technology with technology, making financial audits more efficient and enhancing our client experience,” Paquette said.
With so much at stake when it comes to the accuracy, completeness and reliability of financial data and ESG metrics, trust in sources of truth is sorely needed. Today’s companies need to not only strategize about their digital journeys, but also assess the technology controls that facilitate them.
Russ Banham is a Pulitzer-nominated financial journalist and bestselling author.