Can We Trust the Numbers — and Who Is Accountable?
Finance produces information. Governance determines whether that information can be trusted — and whether anyone is accountable when it cannot.
Most mid-market organisations do not have a governance problem. They have three of them, each invisible until it fails. Revenue is calculated differently in sales and finance, so the board sees one number and the sales team presents another. A KPI definition changed without notification, so last quarter’s trend is not comparable to this quarter’s. An adjustment appeared in the closing entry, traceable to no one, that shifted margin by two points. These are not data quality issues. They are accountability failures dressed as technical problems.
The question is not whether the organisation has data. It is whether anyone is accountable for what the data means.
What Good Governance Produces
- Trust: The first reaction to any number is analysis, not verification — because definitions, sources, and computation paths are documented, owned, and controlled.
- Accountability: Every metric has a named owner responsible for its definition, computation, and accuracy. Problems surface to an owner, not into a gap.
- Defensibility: When the board, an auditor, or an acquirer asks where a number comes from, the answer is traceable — from report to source, with no undocumented steps.
Key Business Questions
- Can we trust what we see? When a number requires re-verification before it can be used, governance has already failed. The cost is not just time — it is the decisions made on unverified numbers before the re-verification begins.
- Does every metric have one definition? If sales and finance calculate revenue differently, neither is wrong — but neither is right when the discrepancy surfaces at the board meeting.
- Who is accountable when something is wrong? Unclear ownership does not just slow remediation. It removes the incentive to maintain data quality in the first place.
- Can we trace a number from report to source? An unexplained adjustment in the management pack is not a data anomaly — it is a control failure. Lineage makes adjustments visible and attributed.
- Are controls operating, or just documented? A control framework that has never been tested is a policy document, not a control. Governance is operational, not archival.
The Data Trust Infrastructure
Governance is not a set of rules. It is a control system — six components that make financial information reliable enough to act on without first questioning it.
1) Definition governance
Each metric has one definition, one owner, and one approved computation path. Changes go through a documented process with version history. Finance and sales calculating “revenue” differently is not a coordination failure — it is a definition governance failure. Fewer metrics with documented owners beat more metrics with assumed agreement.
Materiality thresholds — the levels above which a variance requires owner response, decomposition, or a reforecast trigger — are governed definitions too: set once, owned by the same process, and applied consistently in Reporting, Performance, and Planning.
2) Data quality controls
Validation rules applied at ingestion, not at reporting. Reconciliation protocols for every sub-ledger. Exception handling that escalates unresolved breaks before they reach the management pack. Not quality review after the fact — controls that prevent quality failures from entering the reporting flow.
3) Ownership model
Data stewards own definitions. Process owners own the flows that produce the data. Escalation paths connect them when breaks occur. Without named ownership, data quality is everyone’s aspiration and no one’s accountability. A responsibility matrix without named individuals is a governance gap, not governance.
4) Access and lineage
Who sees what data, at what level of detail, under what approval. Where each number comes from, through what transformations, to what output. Lineage is not metadata — it is the audit trail that makes an unexplained adjustment findable. When an auditor asks, the answer is traceable without reconstruction.
5) Change control
How metric definitions are updated, how data hierarchies are revised, how computation paths are changed — all with traceability. A KPI redefined mid-year without documentation makes trend analysis meaningless and the prior-period comparison unreliable. Change control makes changes visible, versioned, and approved before they affect reporting.
6) Audit readiness
Controls documented, tested, and operating as designed — not assembled in the two weeks before an audit begins. Audit readiness is a state, not a project. When controls are embedded in the daily process, the audit confirms what the organisation already knows rather than discovering what it missed.
For organisations building governance for the first time, components 1 (definition governance), 3 (ownership model), and 5 (change control) are the minimum viable starting point. With named owners, documented definitions, and a change protocol in place, the remaining three components can be added as the function matures. Attempting all six simultaneously is the most common reason governance programmes stall.
Ownership and Control Map
The practical question in governance is not “do we have controls?” — it is “which control applies here, and who is responsible for it?”
Three control types run across every financial domain:
- Preventive controls stop errors before they enter the data — validation rules, access restrictions, definition locks on governed metrics
- Detective controls surface errors after they occur — reconciliation breaks, exception reports, variance threshold alerts
- Corrective controls resolve errors once detected — escalation protocols, adjustment authorisation, root cause documentation
Detective controls operate against a defined threshold: breaks above materiality escalate to the process owner within one business day; breaks below threshold are logged and deferred to the standard reconciliation cycle.
Each control type applies across four domains, each with a named owner:
Revenue: Preventive — booking rules and approval gates. Detective — revenue reconciliation and cut-off review. Corrective — restatement authority and adjustment log, each attributed to a named owner.
Cost: Preventive — coding rules and budget limits. Detective — accrual review and cost centre reconciliation. Corrective — reclassification process and variance owner named before the break is closed.
Working Capital: Preventive — credit terms and payment authorisation. Detective — debtor ageing and inventory count. Corrective — collections escalation and write-down approval, with named sign-off.
KPIs and Metrics: Preventive — definition lock and computation path approval. Detective — dashboard reconciliation and KPI owner sign-off. Corrective — definition change protocol and restatement log.
The owner is not a committee responsibility but a named person who is accountable when any control fails to operate as designed.
Governance ownership at a glance:
- Definition owner (metric owner): owns the KPI definition, computation path, and approved change history
- Data steward: maintains source data quality, escalates breaks above threshold to the process owner
- Process owner: owns the flow producing the data, resolves systemic quality failures
- Finance (validate / release): reconciles, tests controls, and confirms audit readiness before publication
- Change control owner: approves definition changes, versions them, and notifies downstream users
Governance Health: Quality Metrics
Governance quality is measurable. Six indicators signal whether the Data Trust Infrastructure is operating.
- Definition coverage: Percentage of reported KPIs with a documented definition and named owner. Any metric without both is ungoverned — and will be calculated differently by different users within the next reporting cycle.
- Reconciliation rate: Percentage of monthly closes completed without unresolved breaks. Recurring breaks in the same account indicate a control gap, not a one-period anomaly.
- Lineage completeness: Percentage of key reports with a documented source-to-output path. Gaps in lineage are where unexplained adjustments live.
- Access compliance: Percentage of data access aligned to documented access rules. Undocumented access is where data is changed without accountability.
- Control effectiveness: Percentage of controls tested and confirmed as operating as designed. A control that has never been tested is an assumption, not a safeguard.
- Restatement frequency: Post-publication corrections to management packs per quarter. More than two per quarter is a systemic quality signal, not an exception.
Assessing these requires no new system. Current reconciliation records, definition logs, and access reviews contain the evidence.
Together, they protect meaning and control — the precondition for every downstream capability to deliver what it promises.
Governance Areas
KPI Definition and Metric Governance
The most common governance failure is not a missing control — it is a KPI with no agreed definition. When the board’s revenue number and the sales team’s revenue number differ, the discrepancy is not a calculation error. It is the absence of a governed definition. Metric governance defines what each number means, who owns it, and how it is computed — before it appears in a report.
→ KPI Definition and Ownership · Metric Governance Framework · Single Source of Truth
Data Quality and Reconciliation Controls
Data quality degrades silently. A validation rule missed at ingestion becomes a reconciliation break at month-end. An unresolved break becomes an adjustment. An unexplained adjustment becomes a restatement. Quality controls stop the cascade at the first step — not after it has propagated through the reporting cycle.
→ Data Quality Controls · Reconciliation Controls · Exception Management in Finance
Access, Lineage, and Audit Readiness
Lineage is not documentation for its own sake. It is the mechanism that makes governance testable. When a number cannot be traced from source to report, governance cannot be verified — by an internal reviewer, an external auditor, or an acquirer. Audit readiness is the output of a functioning governance system, not a separate project launched when one is announced.
→ Audit Readiness for Finance · Data Lineage and Traceability · Internal Controls Framework
Governance Under Growth and Change
Governance that works for a single-entity company often breaks when entities are added, systems are consolidated, or M&A introduces new data sources. Growth multiplies the points where definitions diverge and ownership gaps open. Governance must be extended actively as the organisation changes — it does not scale on its own.
→ Governance for Multi-Entity Finance · Change Control for Finance Definitions · Data Governance in M&A
Inputs, Controls, Outputs, Decisions
- Inputs: Strategy targets, metric requirements, source records, and change requests from all downstream disciplines
- Controls: Definition lock and change control protocol, validation rules applied at ingestion, reconciliation sign-off, access and lineage documentation
- Outputs: Governed metric definitions, approved computation paths, versioned change history — the trusted foundation every downstream discipline depends on
- Decisions enabled: Definition approvals, control remediation, access grants — each with a named owner, logged and versioned before any downstream report is published
What Governance Is Not
Governance is overloaded. Boundaries matter.
- What happened, on what cadence? — that is Reporting.
- Why did it happen? — that is Performance Analysis.
- Where are we heading? — that is Planning & Projections.
Governance answers one question: can we trust the numbers — and does anyone own the answer?
Why Governance Is the Foundation
Without governed definitions, reporting cannot be trusted. When three departments calculate the same metric differently, the management pack does not reflect the business — it reflects whichever computation happened to be in the room last.
Without data quality controls, performance analysis identifies noise rather than drivers. A 5% margin shortfall attributed to mix might be a genuine mix shift. Or it might be a coding error in the cost centre allocation that governance would have caught before it reached the driver analysis.
Without lineage and traceability, planning disconnects from actuals. If assumptions cannot be verified against source data, the forward model is built on unverified information — and every scenario inherits that uncertainty.
Strong governance is the foundation of one control system. It does not generate insight on its own. It makes every other finance capability — reporting, performance, planning — capable of delivering what it promises.
Governed definitions, versioned change control, and reconciliation sign-off from Governance are the specific inputs Reporting depends on to hold a stable computation path and close on its agreed cadence.
→ Why Reporting Matters for Mid-Market Companies — the discipline that governance enables
Typical Situations
- Finance and sales present different revenue figures in the same board meeting, so the first 20 minutes are spent reconciling numbers rather than discussing the business
- A KPI definition changed mid-year without documentation, so the trend line crosses a discontinuity that management interprets as a market signal rather than a measurement change
- An audit identifies adjustments in the management pack that cannot be traced to source records, so the close process is reconstructed under time pressure rather than verified against an existing trail
- Growth adds new entities with separate charts of accounts, so consolidation requires manual reconciliation that finance cannot complete without two extra weeks of close
- An acquisition due diligence reveals that reported margin does not reconcile to the underlying cost data — not because the numbers are wrong, but because the computation path was never documented