Sarbanes-Oxley and Control Automation
|
Control procedures defined can be automated. This is not a Sarbanes-Oxley specific activity. Automation is the third leg of the holy trinity of : good people, good things, automate the good things. Before we set out to automate a control, we have need 2 aspects confirmed. Firstly that the control is a) effective and b) is open to automation. Automating a control that is not effectiveness is pointless. Why automate failure? If a control is not open to automation, for whatever reason, then it should not be attempted. The average public company has hundreds or thousands of controls. So why try and automate the difficult stuff first? Given the above caveats, why would we want automation? Initially the size of the task facing a company preparing a Sarbanes-Oxley audit seems awesome and overwhelming. The prospect of reducing the load by automation is enticing. Once the company has started automating, it might notice other enhanced benefits. A successful automation process involves documentation of controls and policies. Use of a tool will require management decisions on configuration, deployment and how the automation process and environment will be supported. The automation of control procedures has two objectives. As long as one is achieved, then automation has been succesful. Effectiveness of internal controls is the most important aspect of Sarbanes-Oxley and section 404 in particular. The COSO framework on internal controls places more emphasis on the operational effectiveness than on ensuring they are written down by management. Measurement of the effectiveness of a control ultimately resides with the prevention of fraud through improved financial reporting. Thus, if we automate a control, does that mean more fraud or opportunities for fraud be prevented. Any increase in effectiveness can only improve the internal controls for the company. The control may not increase the effectiveness. The cost of implementing the control may come down. This might please those who bemoan the cost of implementing Sarbanes-Oxley for their company. Automation of control processes will usually involve a tool such as OpenPages. However the toolbox available to the automater could be as simple as Outlook and Excel. No matter what the tools used, a number of features should be present in the system. Given the number of controls even a small company has hundreds or thousands of controls. A tool has to be configurable and flexible to handle thousands of them. A reference library has to be available for employees and management to access information on policy and procedures. This way issues can be resolved at source. The tool and surrounding system has to interface with the existing control systems. This would be especially important at the start of the automation process. The number of internal controls automated is likely to be heavily outnumbered. Tools should be easy to use for those operating them. Exceptions and special circumstances will have to be handled effectively. Identification of out of the ordinary transactions or events. Guidance or an escalation process should be available to staff who have responsibility for the control. An example of a control for automation could be ensuring the financial reporting of sales. The sales process includes the sale, invoicing, dispatch of goods. Elements of the control suitable for automating :- On a timely basis the person responsible for the process receives required information. Routing the work products to the correct person at the correct time. Tracking the progress and results of the procedure to enable monitoring of control performance Initiating follow-up action.
|
Related Articles
Similar Areas Selected Books Keywords Internal controls and automation
|