Automated Tool For Sarbanes-Oxley Testing
|
Complying with section 404 of the Sarbanes-Oxley Act can be an expensive experience. An automated solution can help with the task of confirming the effectiveness of internal controls. Before we delve into the things to look for in a tool, I assume that the first two elements of automation have ocurred. Firstly good people were hired. Secondly, those good people are doing good things. It those good things that we shall be automating. In terms of functionality a Sarbanes-Oxley related tool is more used for test management rather than execution. The tool does not perform testwork. Neither does it draw conclusions about the effectiveness of internal controls. The following features will be present in most tools, in a variety of permutations. In my perfect world the tool would enable the team answer two questions. 1) How do we know if enough testing has been done? 2) How do we make sure everyone knows? Project administration All the information needed to manage the testing and project overall should be available to the team. This means it has to be stored and viewable from a range of perspectives. Information might include, project plans, test plans, due dates and a project status summary. Work programmes The test plan should be based around linking the testing to controls as documented. (Possibly using a warehouse function.) Test plans or work programs can be updated automatically if the controls change. Test monitoring of status and results As testing progresses and conclusions are made, on the effectiveness of internal controls, these have to be recorded and made available to everyone involved. Communication and Collaboration Essentially this how we answer question #2. A lot of people within the organisation need to know the progress being made, the Board, lawyers, senior management, auditors and possibly the SEC and/or Nasdaq. Timely and effective communication is essential. Reporting functionality could be classed under this area. Distribution based on email might be applicable. Some tools offer a chat room or blog-type functionality. Resource library Although team members should be expected to have a reasonable amount of knowledge about financial statements, SOX, control objectives and testing in general, not everyone has all the answers. The resource library would hold this information for the users. Ideally it will be dynamic, allowing it to be updated by staff or the vendor. An automated tool is only as good as the real people who are going to use it. Automating chaos, just creates more work and more chaos.
|
Selected Books Keywords Sarbanes-Oxley and internal controls effectiveness of internal controls
|