Selecting a tool to assist in any Sarbanes-Oxley compliance effort is no different from any other automation effort.
The temptation is to just jump in and select one that is constantly in the news. Hyperion or SOX Express from OpenPages spring to mind.
Before we do that, maybe we should step back and look at other automation efforts in testing. Firstly, they are expensive. Secondly, after purchasing an expensive tool and hiring expensive consultants, companies only succeed in automating chaos.
How do we avoid this in our SOX automation effort?
In my humble opinion, there are three stages to good automation. These apply if we are automating load testing, data cleansing or reviewing internal controls.
* Hire good people
* Have those good people do good things
* Automate the good things
If we are looking at selecting an automated tool, I assume that the first one has been accomplished and the second one is improving if not optimised.
Another temptation is to start looking at vendor catalogues. The danger is that we draw the requirements from what they are offering rather than our real requirements.
We should start from first principles. What do we want our automated Sarbanes-Oxley tool to do?
Although there are hundreds of sections in the SOX legislation, compliance efforts focus on 404 and to a lesser extent 302.
Section 404 requires companies and their auditors to attest to the effectiveness of internal controls relating to financial reporting.
Virtually all of the expense displayed so vividly in all those headlines is 404-related. It makes sense therefore that requirements will be driven by it.
There are three main areas of requirements in terms of reviewing internal controls.
1. Warehouse internal control documentation
Even a small organisation will have a myriad of internal controls relating to financial reporting. Indeed, until the arrival of SOX, many would have been treated as intuitive, let alone defined and documented.
The review team will need a repository for all of the entity's documentation relating to the design of internal control.
2. Automate testing/evaluation of internal controls
To attest to the effectiveness of internal controls, the SOX review team must test those internal controls. In the case of many first year reporting companies this would have been done manually.
Typical uses of tools in this area are in test management. This would cover planning and tracking of the testing process, as well as recording results and, where necessary, deficiencies.
3. Automation of internal control policies and procedures
Many business processes are manually implemented and are ripe for automation. Internal controls are no exception.
For example, an employee has an outstanding car loan from the company. He leaves the firm. The HR department sends an email to the payroll department to recover the outstanding amount from the last payslip.
This could be automated so that the HR officer does not have to remember to notify payroll. As soon as the employee is registered as leaving, an automated e-mail is triggered.
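The leaver/car-loan control described above, written out as an added illustration (this is not code from the original article or from any vendor product). It assumes a hypothetical HR record with a loan balance field, generates the payroll notification text rather than sending a real e-mail, and keeps an evidence list so that the review team in requirement 2 has something to test against; it also refuses to process the same leaver twice, since a double deduction would itself be a control failure.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


# Constructed sample record; a real system would read this from HR/payroll.
@dataclass
class Employee:
    emp_id: str
    name: str
    loan_balance: float  # outstanding company car loan; 0.0 when there is none


@dataclass
class ControlEvidence:
    """One evidence entry the SOX review team can later test against."""
    emp_id: str
    termination_date: date
    action: str                  # "deduction_raised" or "no_action"
    amount: float
    notification: Optional[str]  # payroll message actually generated, if any


class LeaverLoanControl:
    """Automated form of the manual control 'HR remembers to e-mail payroll'."""

    def __init__(self) -> None:
        self.evidence: List[ControlEvidence] = []
        self._processed: Dict[str, date] = {}  # guards against double deductions

    def on_termination(self, emp: Employee, when: date) -> ControlEvidence:
        # Triggered when HR registers the employee as leaving.
        if emp.emp_id in self._processed:
            raise ValueError(
                f"{emp.emp_id} already processed on {self._processed[emp.emp_id]}"
            )
        if emp.loan_balance > 0:
            msg = (
                f"Payroll: recover {emp.loan_balance:.2f} from final payslip of "
                f"{emp.name} ({emp.emp_id}), leaving {when.isoformat()}"
            )
            ev = ControlEvidence(emp.emp_id, when, "deduction_raised",
                                 emp.loan_balance, msg)
        else:
            # Still recorded: evidence that the control ran and found nothing to recover.
            ev = ControlEvidence(emp.emp_id, when, "no_action", 0.0, None)
        self._processed[emp.emp_id] = when
        self.evidence.append(ev)
        return ev

    def deductions_raised(self) -> List[ControlEvidence]:
        return [e for e in self.evidence if e.action == "deduction_raised"]


def run_sample() -> LeaverLoanControl:
    """Process two constructed leavers: one with a loan, one without."""
    ctrl = LeaverLoanControl()
    leavers = [
        Employee("E100", "A. Smith", 2500.00),
        Employee("E200", "B. Jones", 0.0),
    ]
    for emp in leavers:
        ctrl.on_termination(emp, date(2005, 6, 30))
    return ctrl


if __name__ == "__main__":
    for entry in run_sample().evidence:
        print(entry)
```

The point of the evidence list is that an automated control is only useful to the 404 effort if its operation can be demonstrated to the auditors; a script that silently sends e-mail gives the review team nothing to sample.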
These three requirements may seem closely aligned (particularly 1 and 2), however they are quite distinct. Remember, no tool is a one-size-fits-all solution.
Most importantly, automation, or any other promised panacea, does not guarantee compliance.