15 Benefits of a Revenue Assurance Solution

Transcription

1 Achieving Sarbanes-Oxley Compliance: 15 Benefits of a Revenue Assurance Solution A WeDo Technologies white paper

2 Contents Contents References Introduction Sarbanes-Oxley Key Sarbanes-Oxley Provisions Section 103: Auditing, Quality Control, And Independence Standards and Rules Section 302: Internal control certifications COSO & the COSO Framework Section 404: Assessment of internal control Section 409: Real Time Issuer Disclosures The 15 Benefits of a Revenue Assurance Solution General Benefit #1: Automated Monitoring: Complete & Constant Coverage Benefit #2: Supplying the key components of a COSO framework Benefit #3: Accurate KPIs & Reports on revenue loss Benefit #4: Near real-time visibility of operations Benefit #5: Proactively addressing revenue leakage Benefit #6: Independence & objectivity of controls Benefit #7: Long-term data retention Benefit #8: Common sense approach to implementing controls Specific Revenue Assurance Areas Benefit #9: Assurance of Usage Streams Benefit #10: Validating Call Charge Correctness Benefit #11: Verifying Post-paid/Non-real-time Billing Correctness Benefit #12: Validating Prepaid/Real-time Billing Correctness Benefit #13: Ensuring Accurate Provisioning Processes... 17

3 5.2.6 Benefit #14: Implementing Cost controls Benefit #15: Analysing Invoice Accuracy Conclusion About WeDo Technologies Technologies... 20

4 1 References Ref. Doc Reference Description [1] executive_summary_integrated_framework.ht m COSO Executive Summary [2] Rules_of_the_Board/Auditing_Standard_5.pdf PCAOBUS Auditing Standard No. 5 [3] Summary of AS5 rules

5 2 Introduction Telecommunications operators today have a growing, varied and complex set of obligations to comply with stringent accounting, regulatory and corporate governance standards. This reality can be highlighted by the requirements laid down in the US corporate legislation entitled Sarbanes-Oxley. These compliance obligations require significant effort on the behalf of the operator to ensure that they have the appropriate controls in place. However, in WeDo Technologies experience, a number of the compliance obligations in Sarbanes-Oxley are very similar to the requirements addressed by enterprise revenue assurance systems. The following whitepaper provides a high level overview of the Sarbanes-Oxley provisions which have a direct bearing on a telecoms operator s Revenue Assurance (RA) responsibilities and then outlines the key features in a revenue assurance software solution that enable an operator to comply with each such provision. 3 Sarbanes-Oxley The Sarbanes-Oxley Act of 2002, also known by the abbreviations SOX or Sarbox, was signed into law in 2002 as a result of a number of high profile corporate accounting scandals in the U.S., including Enron and Worldcom. Sarbanes-Oxley was introduced in order to restore investor confidence in public U.S. companies and in accounting and corporate practices. The legislation establishes new or enhanced standards for boards and management of all companies trading on the U.S. market as well as public accounting firms. The Act has a number of sections focused on establishing standards for corporate governance and control, auditor independence, levels of financial disclosure and rigorous assessment of internal controls.

6 4 Key Sarbanes-Oxley Provisions There are a number of key SOX provisions which have a direct relationship with an operator s revenue assurance systems and organizations established to administer these systems. 4.1 Section 103: Auditing, Quality Control, And Independence Standards and Rules Section 103 states that the company board must require public accounting firms to prepare, and maintain for a period of not less than 7 years, audit work papers, and other information related to any audit report, in sufficient detail to support the conclusions reached in such a report. Also, the section mandates that the board must adopt an audit standard to implement the internal control review required by section 404 (see below). This standard must require the auditor to evaluate whether the internal control structure and procedures include records that accurately and fairly reflect the transactions of the issuer, provide reasonable assurance that the transactions are recorded in a manner that will permit the preparation of financial statements in accordance with generally accepted accounting principles, and provide a description of any material weakness in the internal controls. Effectively, the board must implement a set of internal controls that not only do they deem sufficient for meeting the SOX requirements in this area of operations, but that must satisfy an auditor s own set of stringent standards. 4.2 Section 302: Internal control certifications Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The section requires the senior officers who sign the company accounts to certify that they have reviewed each periodic report and, to their knowledge, it is materially accurate and complete; to their knowledge, the financial statements and other financial information included in the report fairly present in all material respects the financial condition, results of operations and cash flows of the company; and as to various matters regarding the existence and adequacy of the issuer's financial disclosure controls and procedures. This must be completed as of a date within 90 days prior to the report and have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date. To prepare such conclusions, the company board are generally adopting an internal control framework such as that described by Committee of Sponsoring Organizations of the Treadway Commission (COSO).x

7 4.2.1 COSO & the COSO Framework COSO developed a model in 1992 for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control. According to the COSO framework, internal control consists of five interrelated components. The following description of the 5 components is quoted directly from the COSO executive summary [1]: Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors. Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. [ ] Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. Information and Communication: Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related

8 information, that make it possible to run and control the business. [ ] Effective communication also must occur in a broader sense, flowing down, across and up the organization. [ ] Monitoring: Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board. 4.3 Section 404: Assessment of internal control Section 404 requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting. This is the most challenging aspect of the legislation for companies to implement, as it requires extensive documentation and testing of important financial manual and automated controls. This is especially the case for telecoms operators who have very large customer bases, who provide varied and complex services to each subscriber, and who handle millions of transactions every day. Both senior management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base both the scope of its assessment and evidence gathered on risk. The Auditing Standard No.5 of the Public Company Accounting Oversight Board (PCAOB) [2], approved in May 2007, has outlined the following key requirements for the auditor, as summarized in [3]: Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks; Understand the flow of transactions sufficiently to identify points at which a misstatement could arise;

9 Evaluate company-level (entity-level) controls, which correspond to the components of the COSO framework; Perform a fraud risk assessment; Evaluate controls designed to prevent or detect fraud, including management override of controls; Evaluate controls over the period-end financial reporting process; Scale the assessment based on the size and complexity of the company; Rely on management's work based on factors such as competency, objectivity, and risk; Evaluate controls over the safeguarding of assets; and Conclude on the adequacy of internal control over financial reporting. 4.4 Section 409: Real Time Issuer Disclosures Section 409 of the Sarbanes-Oxley Act states that companies are required to disclose, on an almost real-time basis, information concerning material changes in its financial condition or operations. Here is an excerpt from the Sarbanes-Oxley Act of 2002 report for section 409: "(l) Real Time Issuer Disclosures.--Each issuer [ ] shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest.".

10 5 The 15 Benefits of a Revenue Assurance Solution A properly deployed revenue assurance system combined with trained organization to utilise the resulting information should provide all of the tools and functionality required to create and maintain a robust set of internal controls throughout an operator s network that will provide the required real time information for regulatory requirements to be efficiently addressed. Revenue assurance systems will focus on, the operator s network OSS and BSS elements; subscriber billing processes (both prepaid and post-paid); the operator s financial reporting system/ procedures all of which are fundamental requirements for regulatory compliance. Below, we have synthesised a number of the key Sarbanes-Oxley requirements that a revenue assurance solution must address in order to provide value to an operator. We have also described how WeDo Technologies own RAID product can address each requirement and ultimately support an operator in achieving SOX specifically, and other regulatory compliance in general. The requirements are broken down into general RA-related requirements and then into specific RA disciplines and activities.

11 5.1 General Benefit #1: Automated Monitoring: Complete & Constant Coverage In order to achieve Sarbanes-Oxley compliance, manual or sample-based audits of usage records, bills and subscriber data at different points in the network are no longer sufficient. They simply do not meet the SOX level of monitoring control required over an operator s usage, billing and subscriber data. The revenue assurance department now needs an enterprise, automated solution to monitor all usage records at as many points in the network as is required, to reconcile all subscriber and provisioning data across all relevant platforms and to validate tariff plans and bills for their subscribers. This is no longer an option: it is a pre-requisite for compliance. WeDo Technologies RAID product is performing all of this monitoring, reconciliation and validation today for telecoms operators world-wide Benefit #2: Supplying the key components of a COSO framework Instilling a Control Environment The presence of an automated enterprise RA solution has a direct effect on the control environment and culture within an operator s organisation. When such a solution is implemented, those responsible for OSS & BSS systems become immediately aware that their systems are routing data to an independent third-party system that is monitoring the output and operational activity of their area of responsibility. This in turn imposes a level of discipline and rigour in the day-to-day operation and overall quality control of these systems. A number of WeDo Technologies customers have implemented RAID in their organisation, not with the primary aim of detecting revenue leakage, but precisely because they want to instil a structure and culture that provides an appropriate level of assurance and business confidence in the integrity of their revenue streams and billing processes. Tools to support control activities Process definition and monitoring are a critical part of accurate quality control. Providing workflow and case management functionality to a revenue assurance department means that they have the tools to shape the process that analysts must follow in order to recover revenues in

12 different revenue leakage or overcharging scenarios, as well as auditing the effectiveness and efficiency of the revenue reporting and assurance efforts. RAID provides case management and workflow features that means analysts can follow a predefined set of steps in order to analyse leaks and initiate revenue recovery actions, all of which are logged, traceable and available for reporting purposes if necessary. Information publication & dissemination Regular reports, communications, alerts, KPI and trend information are all required by management to ensure that the business is operating to expected standards. Validating that revenue streams, cost streams and billing processes are all functioning as within expected parameters also requires regular updates, dynamic dashboards and alerts. Revenue assurance information needs to be available at the click of a button for an operator to confirm acceptable operational performance. In the event that controls do indicate process failures, and the integrity of revenues or costs reported are in doubt, the executive officers of the company need accurate and quantified information on the issues at hand. Additionally, efforts to recoup any revenues lost or reduce any costs that were incurred need to be tracked and the results analysed. RAID is a web-based system, designed to act as a central information hub for a revenue assurance department, but also as a dashboard and reporting resource for other departments or managers in the organisation. Users can elect to receive alerts of particular anomalies or leaks detected by the system, or also to receive automatically generated reports at scheduled times. Users can tailor the RAID web portal to display the key information of interest to them, and to refresh the information on a frequent basis. Monitoring tools Monitoring is the fundamental function of an automated, enterprise-wide revenue assurance solution. The reason such a tool is deployed is to independently monitor usage streams, cost streams, billing processes, provisioning processes, rates applied to calls, invoices received and balances & bundles calculated. RAID performs all of these monitoring functions and more. It has been designed to be an enterprise automated solution that can be integrated with any OSS or BSS element and parse the records output from that system and reconcile the data with other systems, profile the data against historical trends or validate the correctness of particular fields in the data (e.g. validating the call charge).

13 5.1.3 Benefit #3: Accurate KPIs & Reports on revenue loss The most valuable output from an internal controls framework are Key Performance Indicators (KPIs) and reports. A reliable and regularly updated set of KPIs is precisely what an auditor wants to see when validating that a company has put sufficient controls in place for Sarbanes Oxley compliance purposes. These KPIs and reports must be automatically updated over time, and must be readily accessible by all levels of the organisation for information and management purposes, but also for alarming and remedial action if required. The KPIs or reports should be segregated by function and by role; they must go to a level of detail needed by a switch engineer (number of mobile originated calls to network X in the last hour), or be aggregated to a high level for review by the CFO (total overcharging from incorrect billing over the last month). Each RAID module comes with a set of standard KPIs and a set of standard management reports. RAID also supports the creation of custom KPIs and reports on any data that is held in RAID, or indeed held in other external systems in the operator s network. These KPIs and reports are then updated on an automatic basis, reflecting results based on the latest data processed by the system Benefit #4: Near real-time visibility of operations As required by Section 409 of SOX, operators must disclose significant revenue leaks, overcharging/undercharging incidents or financial anomalies almost as soon as they are identified in the network or billing process. This requires an RA system that can monitor usage streams in near real-time and alert RA analysts as soon as a problem is identified, so the analyst can investigate and present their findings within a very short period of time. This not only complies with section 409, but also leads to more effective revenue recovery and remediation actions. RAID profiles and monitors data as soon as it is made available. In the Usage Assurance module, as network elements in each revenue stream forward records downstream to the next system, they also route the records to RAID. The system then processes the data and immediately updates charts and results in the web portal, and generates alarms in the event of

14 discrepancies identified. With RAID, the revenue assurance analyst is one of the first people in the organization to identify problems or issues in particular revenue streams or billing processes Benefit #5: Proactively addressing revenue leakage Revenue assurance can often fall into the trap of reactively remedying the symptoms of a problem, rather than diagnosing and then fixing the root cause of a control failure, for example a process-related issues. A good example would be provisioning problems. Provisioning process problems may result in many subscribers with incorrect services provisioned; the wrong tariff plan; and/or unable to make calls at all. Each subscriber can be corrected one at a time, but it is more important to fix the gaps in the provisioning process so that the problem does not continue. Another key responsibility of revenue assurance departments today is to assure new products, when launched, are consistent with the business plan for the offering that was approved by the operator. New services, in the early stage of roll-out, are prone to revenue leakage due to implementation gaps in business rules or IT systems failures. RAID product modules have been developed to look beyond the identification of discrepancies when reconciling data between control points and platforms. This is accomplished by correlating similar events together in order to help RA analysts determine an underlying cause for a particular discrepancy, drop in traffic or rating anomaly. The RAID Platform Integrity product module specifically monitors subscriber data discrepancies between provisioning platforms. WeDo Technologies has found that such discrepancies represent the root cause of other problems on the network such as loss of service and incorrect billing to subscribers Benefit #6: Independence & objectivity of controls A number of vendors of mediation devices, provisioning systems, billing systems and other BSS elements list revenue assurance as a feature of the systems that they offer to operators. This includes internal reporting mechanisms, internal KPIs and statistics on the data and records flowing through their systems, and logging and automatic alerts if any problems occur in the systems themselves. However, RA departments require complete independence from the underlying systems that they are monitoring and true objectivity in the monitoring process. In order to achieve this level of impartiality, a completely independent system is required that monitors all of the other elements

15 in the network. Fundamental to this approach is that there can be no preconceived assumptions about their operation or the business rules under which they operate. This way, the RA department can ensure that they are not replicating the same leakage scenarios they are trying to detect within their RA solution. WeDo Technologies develops products purely devoted to revenue assurance. The sole purpose of RAID product modules is to validate and assure the output and day-to-day operations of an operator s revenue-impacting systems Benefit #7: Long-term data retention Section 103 of Sarbanes-Oxley requires that operators hold audit-related information for up to 7 years. This does not necessarily mean retaining usage records, subscriber records or billing records for this period of time, but it does entail retaining summary information for extended periods of time, and archiving and retaining all information related to revenue/cost leaks, mismatches and reconciliation discrepancies. RAID Usage Assurance can hold summary information at a daily level on data processed through the system for many years in a highly cost-effective manner if necessary. Other RAID product modules can retain high-level statistics and revenue leak/discrepancy information for years as well. Operators can store case information or generated reports for extended periods also. All of this information Benefit #8: Common sense approach to implementing controls A telecoms operator has many services, each with different revenues streams, different tariff plans, different bundles and different types of subscribers. Trying to implement a control framework for all of these services and all of these permutations in one single step is not viable. The pragmatic approach that operators take is to focus on the significant revenue streams first, as well as problematic areas like provisioning and billing, and then progress to revenue streams and other revenue-related processes that may not generate the same level of revenue. An RA solution must be modular and easily extensible so that the key revenue streams can be quickly added, and then new control points can be added to existing revenue streams or new process areas can be assured step by step. This way an operator can demonstrate an accurate roadmap to SOX compliance to their auditors and understand the resources and costs involved

16 in delivering complete coverage of all revenue streams, provisioning processes, billing processes and other risk areas. RAID is designed so that operators can extend and build on the product modules in phases, adding new revenue streams, new platforms for reconciliation, new tariff plans and new billing systems. Using RAID toolkits, operators can also update their systems: changing business rules, tweaking reconciliation rules, updating tariff data, and many other configurations. 5.2 Specific Revenue Assurance Areas Benefit #9: Assurance of Usage Streams One of the primary set of controls required by SOX is the ability of the operator to monitor the flow of traffic on their network, and ensure that all calls and events on the network are in fact billed to the customer. The RA department must monitor all events from point of origin on the network element right through to the appropriate billing system, ensuring that calls are not being dropped, lost and/or fundamentally modified along the way. The RAID Usage Assurance module provides real time monitoring and assurance of all service usage data as it is processed from the network to the appropriate prepaid or billing system. Alarms are raised immediately if revenue leaks are detected, and analysts are notified as to the source and severity of the leak as well as the services that are impacted Benefit #10: Validating Call Charge Correctness Billing and rating accuracy are critical controls for SOX. The operator must ensure that the value of all calls and events on their network is being correctly calculated, and that no customer is being accidentally undercharged or overcharged for their service. The RAID Rating Validation product module verifies that subscribers and wholesale partners are charged correctly by the relevant billing systems for services delivered by the network Benefit #11: Verifying Post-paid/Non-real-time Billing Correctness The accuracy of a bill submitted to a customer is determined by more than correct rates being applied to each event on the bill. Ensuring that the recurring subscription charge billed to the subscriber, any once-off charges, bill totals and bundles are correct are also key controls in the billing process.

17 RAID provides a range of billing validation solutions to assure these areas. Examples include: Once-off and Recurring Charge Validation This RAID solution validates that each subscriber is being billed the correct subscription fee for the billing period, and that any once-off charges that they are paying for the period are correct and accounted for. Bundle Validation This RAID solution validates that subscriber s post-paid bundles are being decremented correctly with the subscriber s usage, and that the subscriber is billed appropriately for any calls or events outside of their bundle, and that remaining bundle amounts are correctly rolled over to the next billing period Benefit #12: Validating Prepaid/Real-time Billing Correctness Prepaid subscribers are billed in real-time by operators Intelligent Networks. In the event that an operator undercharges subscribers or does not completely decrement their prepaid balances, it is likely that it may take some time to detect the problem, by which time the bulk of the loss is unrecoverable. Any overcharging by the operator will become immediately apparent to prepaid subscribers, particularly those who are cost-sensitive, and the billing error made public within a short period of time. Regular detection and rapid time to resolution are critical in a prepaid environment; validating those subscribers balances is being correctly decremented during their usage; and that all topups and adjustments are valid; and all of these aspects are being correctly processed by the network. The RAID Prepaid Balance Validation module ensures that prepaid balances are maintained correctly by network platforms. Usage totals, top-ups and adjustments extracted from the network are used to calculate correct account balances independently, and to report on inconsistencies detected Benefit #13: Ensuring Accurate Provisioning Processes A subscriber will not generate revenues if that subscriber cannot make calls on the network. Additionally if the subscriber has not been provisioned with the correct services, or is making calls for free because of incorrect subscriber data in billing, the result is the same in that revenue is not being generated to optimal potential or is being lost.

18 The revenue assurance solution must ensure that a subscriber is correctly provisioned with the services that they expect. The network has a requirement that it must offer a consistent and accurate view of each subscriber across the network. In this way the RA solution can prevent any discrepancies in subscriber data resulting in revenue leakage or opportunity cost to the operator, and improve customer service in a proactive way. The RAID Platform Integrity module identifies potential revenue leakage caused by provisioning problems and/or accidental or deliberate inconsistencies in the subscription and service related data stored on network and billing support systems. It provides a centralized repository of normalized data extracted from the network that can be used to check what is actually provisioned on any given platform Benefit #14: Implementing Cost controls SOX does not discriminate between controls on revenues or controls on costs. Revenue streams are not the only usage streams that need to be monitored by revenue assurance. The consequences of cost leakage or cost creep in an operator s network, will have a dramatic impact on the contribution margin from an operator s services, and will ultimately impact on the operator s overall profitability. A revenue assurance solution must monitor the cost streams from source through to the partner management/billing system. The RAID Cost & Margin Assurance module assures costs related to usage on the network verifying that the cost streams out to Interconnect, Roaming and Content partners are consistent and can be reconciled with billed events that are generating revenue and sufficient contribution. It also assures the commissions paid to agents and dealers for handling the retail interface to subscribers. With such cost controls in place, operators can move beyond SOX compliance to focus on revenue maximization efforts, analyzing contribution margins from usage on the network and seeking ways to improve margins through cost reduction & cost leakage detection Benefit #15: Analysing Invoice Accuracy For the types of cost streams outlined above, one area that requires controls and monitoring is the content of the bills or invoices received from partners or suppliers for costs incurred on the network.

19 As the invoices are fed into account payable in the operator s financial reporting system, it is critical that the volume of transactions and the charge per transaction are validated as accurate in each invoice The RAID Cost & Margin Assurance module reconciles invoices received from partners and suppliers with actual usage on the network, ensuring that the invoice content from interconnect, roaming and content partners is correct, with the correct volume of transactions and the correct rates applied.

20 6 Conclusion A number of the sections of the Sarbanes-Oxley Act are very similar to the responsibilities and obligations set out for the revenue assurance department of a telecoms operator. There are a number of benefits that an enterprise revenue assurance system can bring to an operator in the long, difficult process of achieving Sarbanes-Oxley compliance. With such a revenue assurance system in place, an operator is in the position of fully complying with a number of SOX criteria, and therefore able to focus management attention on the other difficult challenges of instilling a risk management and reporting culture within the organization and defining and enforcing processes of internal control. 7 About WeDo Technologies WeDo Technologies is the number one preferred supplier for revenue and business assurance software and services. Present in 15 countries on 5 continents, with more than 100 innovative bluechip customers in more than 70 countries, the company has a solid and envious project management track record of being on-time and within budget while achieving superior customer satisfaction. Business Assurance RAID, WeDo Technologies flagship software suite covering Revenue Assurance, Fraud Management and Business Processes Control has been implemented in a number of different industries where it has delivered significant business results and powerful return on investment. WeDo Technologies pioneered the telecom revenue assurance space in 2002 and is now breaking new ground in the enlarged business assurance arena in Telecom, while also servicing the Retail, Energy and Finance industries. Please visit us at Technologiestechnologies.com for more information.