The Sarbanes-Oxley Act (SOX) placed new requirements on American companies to ensure the integrity, reliability, and accuracy of financial reporting and corporate disclosures. While you could do this on your own or manually, why reinvent the audit controls wheel? Automated tool sets and repositories to facilitate SOX compliance are available in ample numbers. But like any piece of software, you have to know what to look for to meet your organization's expectations and avoid disappointments. This research note examines critical attributes of SOX tool sets, discussing how you can utilize them effectively to maximize the return on your investment of time and money.
Part One examined the first three components of the COSO Integrated Framework relative to selecting a SOX tool set. Part Two discusses the information and communication, and monitoring components from a similar perspective and provides some tips for kicking off the tool set selection
What is COSO?
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. It is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. The Securities and Exchange Commission (SEC) ruled that management must base its evaluation on a suitable, recognized control framework established by a group that has followed due-process procedures, including the broad distribution of the framework for public comment. Furthermore, the SEC points out in its final rule that the COSO Internal Control—Integrated Framework, which is depicted in the three-dimensional diagram to the right, satisfies this requirement. Accordingly, the majority of organizations have adopted this framework as the basis for compliance with Section 404 of SOX, namely Management Assessment of Internal Controls.
When evaluating SOX tool sets, doesn't it make sense to determine how well the proposed software satisfies critical components of the COSO framework? Of course it does. The remainder of this note examines the five components of the COSO framework, outlining the key characteristics and attributes you should consider in selecting a SOX tool set. Specifically, these components include:
Information and communication
A brief description and introduction, as denoted in italics, is provided of how each component will assist in achieving internal control objectives as depicted in the second dimension (top level view) of the framework. These control objectives provide for the following:
Obtaining the efficiency and effectiveness of operations in meeting business objectives, including performance and profitability goals
Ensuring the accuracy and reliability of financial reporting
Verifying compliance with applicable laws and regulations
The third dimension (front to back view) of the framework includes the units and activities of an organization to which internal controls pertain. Internal controls are relevant to an entire organization and to any of its units, activities, and processes. Accordingly, you must apply internal controls uniformly across an organization's units and activities. This characteristic is common to all components and is mentioned here to ensure that you can integrate the selected SOX tool set into all levels of an organization and equally apply it in a top-down approach. It would make little sense to have a tool set that could only operate at a corporate level without being able to deploy it at a division or apply it to a process. As with any software selection project, the decision makers must be comprised of a diverse cross section of an organization's users to achieve this characteristic.
Information and Communication
The information and communication component of the COSO framework consists of processes and systems that support the identification, capture, and exchange of information in a form and timeframe that enable an organization's people to perform their responsibilities. Simply put, this means providing the right information to the right people, at the correct level, on a timely basis. Similarly, communication processes must be in place to permit people to discharge their responsibilities.
First and foremost, the SOX tool set must be able to model the performance of the organization to include the specific processes used to generate or contribute to the financial reporting of the organization. In so doing the tool set can then support real time activity audits. Just as you would map your manufacturing processes when selecting an ERP package, you must identify these critical financial processes sufficiently to verify that a reliable electronic image of your business can be defined in the tool set.
It stands to reason that your accountants need to verify that the tool set is in compliance with GAAP. Failed audits need to be highlighted for immediate follow-up. Reconciliation procedures must reside in the tool set to provide immediate notification regarding audit failures. The ability must exist to lock down the approved tool set to prevent unauthorized alteration to the model.
The tool set should be able to support the audit function in the following ways:
Be "resource-centric" and understand corporate resources and relationships.
Audit the administrative systems underlying business operations.
Audit manual input of transactions and support operations reviews and individual transaction processing.
Integrate with other systems (such as the inventory management system) and cross-check the system counts against individual transactional processing.
Support internal and external audits by providing detailed logs of each transaction and the results of the business-model audit. The system will check every transaction and every resource, and will be able to provide statistical sampling when needed for operations and personnel reviews.
Log each activity that takes place as a record of accounting events and transactions.
Provide alerts or warnings for appropriate internal management of activities not meeting the business model or new regulations, coupled with instantaneous reporting and documentation of these alerts/warnings.
Monitoring
The monitoring component of the COSO framework consists of the process that assesses the quality of internal control performance over time. A control system needs to be monitored to ensure that it continues to operate effectively and as intended. Without continual and effective monitoring, a control process may fall into a state of disrepair or not be executed at all.
Consequently, a SOX tool set must run in real time on a 24x7 basis and unattended. You must be able to systematically monitor all activities and transactions corporate wide, with exception reporting used to identify control lapses and gaps. These transactions must be audited both operationally and financially against the business model. This implies a SOX tool set must have the flexibility to incorporate the rules of your business. To facilitate the recording and editing of these rules and to avoid hard coding or programming changes, you should consider a knowledge-based methodology, external to the tool set. As a result, approved rules can be entered without major effort from an organization's technical staff.
Business activity monitoring within a corporate information environment is evolving quickly. SOX, in many cases, requires that a tool set provide continuous activity monitoring, thereby allowing instant insight into corporate performance. As previously noted in the Information and Communication section, the sooner red flags are raised, the more time management has to evaluate and correct financial shortcomings.
Let's look at a simple example of operational/financial interaction when dealing with the purchase of an item to illustrate the monitoring component. The first rule is that the item purchase be from a known, legitimate, supply resource with which the corporation has a relationship. The same rule applies to the reason for the purchase. The internal resource to which the item will go may be product inventory, cost center inventory, or equipment or services. Depending on GAAP rules, the nature of the purchase and the business policies of how to allocate the cost of different purchases, the tool set must be able to compute auditable financial entries into the appropriate accounts. It must also update the supplier relationship with an accrued payable to verify the transaction when an invoice is received and posted into accounts payable.
The rules vary for different types of internal resources, but all are available in resource-centric control files. When rules are changed by an authorized person, the resource-centric file will contain the new rules. It will also document who authorized the change, when, and the commencement date.
The same facility can be used for sales transactions, with similar rules applied consistently from estimation, order entry, shipment, and invoicing to pricing, discounting, cost of sales, the reduction of product inventory, the computation of sales taxes to be collected and paid to the government, and, where applicable, the accrual of sales commissions. Manual adjustments and other infrequent transactions must undergo similar verification.
The resource-centric control files give everyone a cohesive picture of all the rules that apply to each type of resource. For example, product/inventory control files will contain the rules for sales, purchases, and all price, cost, and volume adjustments.
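As an added illustration of the monitoring mechanism described above (a purchase audited against a resource-centric control file, exception reporting, and a logged, authorized rule change), here is a small Python model. It is example code written for this note, not any vendor's tool set; the control file fields, account names, and the sample purchase orders are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ControlFile:
    """Resource-centric control file: the rules that apply to one internal resource type."""
    resource: str
    known_suppliers: frozenset
    max_unit_cost: float
    debit_account: str
    change_log: list = field(default_factory=list)

    def change_rule(self, name, new_value, authorized_by, changed_on, effective):
        # Rules stay data rather than code; every change records who, when and commencement date.
        self.change_log.append({"field": name, "old": getattr(self, name), "new": new_value,
                                "authorized_by": authorized_by, "changed_on": changed_on,
                                "effective": effective})
        setattr(self, name, new_value)

def audit_purchase(tx, cf):
    """Audit one purchase against the control file; return (exceptions, journal entries)."""
    exceptions = []
    if tx["supplier"] not in cf.known_suppliers:
        exceptions.append("supplier is not a known, legitimate resource")
    if tx["unit_cost"] > cf.max_unit_cost:
        exceptions.append("unit cost exceeds policy maximum")
    amount = round(tx["qty"] * tx["unit_cost"], 2)
    # Entries are computed only for passing transactions; failures go to exception reporting.
    entries = [] if exceptions else [
        {"account": cf.debit_account, "debit": amount},
        {"account": "Accrued Payables/" + tx["supplier"], "credit": amount},
    ]
    return exceptions, entries

def run_monitor(transactions, cf):
    """Monitoring pass: log every transaction, alert only on exceptions."""
    log, alerts = [], []
    for tx in transactions:
        exc, entries = audit_purchase(tx, cf)
        log.append({"id": tx["id"], "exceptions": exc, "entries": entries})
        if exc:
            alerts.append((tx["id"], exc))
    return log, alerts

# Constructed sample control file and purchases (hypothetical, not from the article).
INVENTORY_CF = ControlFile("product inventory", frozenset({"ACME", "Globex"}), 100.0, "1400 Inventory")
SAMPLE_TX = [
    {"id": "PO-1", "supplier": "ACME", "qty": 10, "unit_cost": 25.0},
    {"id": "PO-2", "supplier": "Unknown Co", "qty": 1, "unit_cost": 10.0},
    {"id": "PO-3", "supplier": "Globex", "qty": 2, "unit_cost": 250.0},
]
```

Running `run_monitor(SAMPLE_TX, INVENTORY_CF)` logs all three purchases but raises alerts only for PO-2 (unknown supplier) and PO-3 (cost above policy), which is the exception-reporting pattern the note calls for.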
The timeliness of information distribution is critical and can take several forms such as alerts and warnings on "dashboards," e-mails, and text pages on a phone or PDA.
E-mailing of control exceptions to the appropriate user and next-level supervisor must receive consideration, so problems can receive prompt attention and resolution. Additionally, a query language capability is a useful and necessary facility to satisfy ad hoc reporting requirements for analysis and on-demand information needs to allow those accountable and responsible to monitor, validate, and use the information collected.
Some words of caution regarding internal controls are warranted. The type of continuous monitoring process needed for SOX will put an additional strain on your control processes. You will need to have consistent, verifiable, and monitored internal processes for problem resolution when dealing with business activity defects. After error detection, the reconciliation process begins with understanding who is responsible and accountable for correcting the problem and when it must be corrected. Of course, someone, most likely in an audit function, will need to "mind the store" in this regard. The tool set must also provide the necessary support in this area.
As the chart to the right indicates, over 60 percent of the surveyed companies are relying on technology to ensure compliance with SOX. A SOX tool set is one use of technology to meet the legislative requirements. This research note presents a logical case for using the COSO framework to determine the characteristics of the tool set. The COSO framework has been accepted as the de facto standard to permit reasonably consistent qualitative and quantitative measurements of an organization's internal control. By selecting a tool that best meets the goals of the five components of the COSO framework, you can place your organization in the best position to be successful.
Financial reports are the translation of a myriad of physical business activities into well-organized, consistent, and integrated performance statements of the business. Companies that are in control of their corporate performance operationally, with instantaneous financial insights, have a leg up on their competition and on regulators. A tool that allows companies to be in control at this level and to respond quickly to business performance issues will inspire confidence that they can comply with any legislative requirement.
Based on the imposed legislated mandates, and more to come, the ultimate SOX tool set is more than SOX-specific. It is a business performance tool. What you can measure, you can assess and what you can assess, you can validate, control, and improve.
You should not feel that you are alone in acquiring a SOX tool set. The executive management of a company, particularly the CFO, has a vested interest in confirming compliance with SOX. The legal penalties are severe and personal. On the other hand, the SOX tool set that brings the corporation together financially and operationally will provide the right performance information. Everyone will know what is going on, in real time. That is being in control! Slip a copy of this research note to your CEO and CFO and start the selection ball rolling.
J. Strub has extensive experience as a manager and senior consultant in planning and executing ERP projects for manufacturing and distribution systems for large to medium-size companies in the retail, food & beverage, chemical, and CPG process industries. Additionally, Mr. Strub was a consultant and Information Systems Auditor with PricewaterhouseCoopers and an applications development and support manager for Fortune 100 companies. He can be reached at JoeStrub@writecompanyplus.com.
Michael J. Lucas has extensive experience in leading and managing the development and implementation of proprietary on-line systems in various industries. He has developed a top-down, resource-centric methodology that synchronizes ERP administrative, financial, and operational functions to guide projects from a corporate perspective. As standard practice, Mr. Lucas includes systematic financial reporting that complies with generally accepted accounting principles (GAAP) to ensure financial and operational performance consistency and accuracy. Mr. Lucas has worked for a major oil company, has consulted with a wide variety of corporations, and has owned a systems firm. His specialty is a top-down, corporate-wide approach with adherence to sound business accounting practices, as currently legislated by SOX. He can be reached at firstname.lastname@example.org