SOX considerations for Tableau visualizations
Across many organizations, the adoption of data analytics empowers users at every level to discover insights and improve the information they use for their day-to-day functions. For companies deploying Tableau, one of the immediate benefits is the ability for people to quickly develop—as well as access—insightful reporting to answer business questions. Self-service analytics provides immense value operationally, but as more organizations use Tableau to perform financial reporting, the use of Tableau needs to be reviewed through the lens of Sarbanes-Oxley (SOX) audit requirements.
For audit professionals, this shift from legacy reporting methods to powerful data analytics platforms creates a unique challenge. You're tasked with ensuring that financial reporting developed with Tableau adheres to your company's SOX control environment, and there are important considerations for your organization's use of Tableau. Read on for recommendations on how to successfully incorporate Tableau reporting into SOX scope, specifically around compliant source data for Tableau visualizations, and on how to begin incorporating Tableau reporting into a formalized change management process.
SOX compliance considerations regarding financial source data
The most important consideration when assessing a Tableau viz is where the source data is being pulled from and how that process is controlled. Here are questions to ask of your source data:
- Is it sourced from an in-scope SOX system?
- Is the data from an out-of-scope system?
- Or is the source data from a combination?
Tableau provides the ability to easily aggregate, join, and blend data from many different sources into one output, so it's necessary to ensure that the key attributes for SOX reporting have been clearly identified for each report. You'll also need to determine from where all of the data related to those key attributes is sourced.
If a data source is only providing operational information that is not relied on for the operation of the key control or substantive procedure, it may be appropriate to disregard that source for the purposes of SOX. If the source system is providing key information, but has not been identified as in-scope, the audit and compliance professional should investigate why this is the case and what, if any, manual procedures are in place to get comfort over the source data.
Additionally, think about how that source data is generated or presented for ingestion into Tableau for key reporting. Even if the source system is already in-scope for SOX, additional steps may be necessary to get comfort around the complete and accurate transfer of information between the source system and Tableau. To know if this is required, ask yourself: Is a canned or custom report being generated and then sourced for the viz? Is there a complex interface between the system and Tableau? Does the data move from a third-party system to a local or cloud data warehouse before being connected to Tableau?
The data needs to be evaluated not only at the original source, but continually throughout the integration and staging area phase as well.
Three steps to establish change management controls for SOX Tableau reporting
When a viz is used in the process of financial reporting, to validate that a key report is complete and accurate, the concept of change management needs to be established at your organization. Here are the steps we've observed to be effective for change management regarding Tableau use:
- Assess the change management environment. When it comes to ensuring that financial reporting built with Tableau remains reliable over time, the first step is to determine if key SOX reports are subject to a change management process and controls. If one is not yet established, work with business partners and IT to design and stand up a process that verifies that, when changes to a key Tableau viz are made, these changes are tested, approved, and handled in a controlled manner. If there is already a change management process in place, confirm that the teams that own Tableau financial reporting know the requirements of this process and can onboard the key financial vizzes to it. This will be a significant step toward ensuring reporting compliance for SOX.
- Tailor the process to Tableau. From a change management perspective, it is important to avoid applying a blanket approach across all reporting. Using Tableau to generate financial reporting presents different challenges than using canned or customized system reporting, so begin by identifying the key SOX components of a visualization.
Be aware that the way reports are tested and approved before being shared and used varies, depending on the Tableau environment you have at your company as well as on the complexity of the data visualization.
Since it is easy for users to update or edit a viz, this can often lead to a higher frequency of changes being made. If the key SOX components of the viz are identified, there is potential to limit formalized change management procedures to those key components, reducing the overall burden.
- Ensure ongoing controls are supported. Once key Tableau vizzes are subjected to a tailored, effective change management process, it is important that these controls continue to operate and that communication between teams continues as new Tableau visualizations come into scope and as existing reports may no longer be relevant for SOX.
If you apply these considerations around financial source data for Tableau visualizations and take the above steps for change management, you'll be better prepared to incorporate Tableau reporting into SOX scope—and transition more smoothly from legacy tools to a robust data analytics platform that provides greater value to your organization as a whole.
To discover how you can deliver powerful analytics on a flexible and governed platform, while still adhering to SOX audit requirements, visit the Tableau Finance Analytics solutions page.