The Sarbanes-Oxley Act (SOX) placed new requirements on American companies to ensure the integrity, reliability, and accuracy of financial reporting and corporate disclosures. While you could do this on your own or manually, why reinvent the audit controls wheel? Automated tool sets and repositories to facilitate SOX compliance are available in ample numbers. But like any piece of software, you have to know what to look for to meet your organization's expectations and avoid disappointments. This research note examines critical attributes of SOX tool sets, discussing how you can utilize them effectively to maximize the return on your investment of time and money.
Part One examined the first three components of the COSO Integrated Framework relative to selecting a SOX tool set.
Part Two discusses the information and communication, and monitoring components from a similar perspective and provides some tips for kicking off the tool set selection process.
What is COSO?
COSO stands for Committee of Sponsoring Organizations of the Treadway Commission. It is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. The Securities and Exchange Commission (SEC) ruled that management must base its evaluation on a suitable, recognized control framework established by a group that has followed due-process procedures, including the broad distribution of the framework for public comment. Furthermore, the SEC points out in its final rule that the COSO Internal Control—Integrated Framework, which is depicted in the three-dimensional diagram to the right, satisfies this requirement. Accordingly, the majority of organizations have adopted this framework as the basis for compliance with Section 404 of SOX, namely Management Assessment of Internal Controls.
When evaluating SOX tool sets, doesn't it make sense to determine how well the proposed software satisfies critical components of the COSO framework? Of course it does. The remainder of this note examines the five components of the COSO framework, outlining the key characteristics and attributes you should consider in selecting a SOX tool set. Specifically, these components include:
* Control environment
* Risk assessment
* Control activities
* Information and communication
* Monitoring
For each component, a brief description and introduction (denoted in italics) explains how it will assist in achieving the internal control objectives depicted in the second dimension (top-level view) of the framework. These control objectives provide for the following:
* Achieving efficiency and effectiveness of operations in meeting business objectives, including performance and profitability goals
* Ensuring the accuracy and reliability of financial reporting
* Verifying compliance with applicable laws and regulations
The third dimension (front-to-back view) of the framework includes the units and activities of an organization to which internal controls pertain. Internal controls are relevant to an entire organization and to any of its units, activities, and processes. Accordingly, you must apply internal controls uniformly across an organization's units and activities. This characteristic is common to all components and is mentioned here to ensure that you can integrate the selected SOX tool set into all levels of an organization and apply it equally in a top-down approach. It would make little sense to have a tool set that could only operate at a corporate level without being able to deploy it at a division or apply it to a process. As with any software selection project, the decision makers must comprise a diverse cross section of an organization's users to achieve this characteristic.
Information and Communication
The information and communication component of the COSO framework consists of processes and systems that support the identification, capture, and exchange of information in a form and timeframe that enable an organization's people to perform their responsibilities. Simply put, this means providing the right information to the right people, at the correct level, on a timely basis. Similarly, communication processes must be in place to permit people to discharge their responsibilities.
First and foremost, the SOX tool set must be able to model the performance of the organization, including the specific processes used to generate or contribute to the organization's financial reporting. In so doing, the tool set can support real-time activity audits. Just as you would map your manufacturing processes when selecting an ERP package, you must identify these critical financial processes sufficiently to verify that a reliable electronic image of your business can be defined in the tool set.
It stands to reason that your accountants need to verify that the tool set is in compliance with GAAP. Failed audits need to be highlighted for immediate follow-up. Reconciliation procedures must reside in the tool set to provide immediate notification regarding audit failures. The ability must exist to lock down the approved tool set to prevent unauthorized alteration to the model.
Finally, the tool set should be able to support the audit function in the following ways:
* Be "resource-centric" and understand corporate resources and relationships.
* Audit the administrative systems underlying business operations.
* Audit manual input of transactions, and support operations reviews and individual transaction processing.
* Integrate with other systems (such as the inventory management system) and cross-check the system counts against individual transactional processing product accumulations.
* Support internal and external audits by providing detailed logs of each transaction and the results of the business-model audit. The system will check every transaction and every resource, and will be able to provide statistical sampling when needed for operations and personnel reviews.
* Log each activity that takes place as a record of accounting events and transactions.
* Provide alerts or warnings for appropriate internal management of activities not meeting the business model or new regulations, coupled with instantaneous reporting and documentation of these alerts/warnings.
Monitoring
Monitoring consists of the process that assesses the quality of internal control performance over time. A control system needs to be monitored to ensure that it continues to operate effectively and as intended. Without continual and effective monitoring, a control process may fall into a state of disrepair or not be executed altogether.
Consequently, a SOX tool set must run in real time on a 24x7 basis and unattended. You must be able to systematically monitor all activities and transactions corporate wide, with exception reporting used to identify control lapses and gaps. These transactions must be audited both operationally and financially against the business model. This implies a SOX tool set must have the flexibility to incorporate the rules of your business. To facilitate the recording and editing of these rules and to avoid hard coding or programming changes, you should consider a knowledge-based methodology, external to the tool set. As a result, approved rules can be entered without major effort from an organization's technical staff.
Business activity monitoring within a corporate information environment is evolving quickly. SOX, in many cases, requires that a tool set provide continuous activity monitoring, thereby allowing instant insight into corporate performance. As previously noted in the Information and Communication section, the sooner red flags are raised, the more time management has to evaluate and correct financial shortcomings.
Let's look at a simple example of operational/financial interaction when dealing with the purchase of an item to illustrate the monitoring component. The first rule is that the item purchase be from a known, legitimate, supply resource with which the corporation has a relationship. The same rule applies to the reason for the purchase. The internal resource to which the item will go may be product inventory, cost center inventory, or equipment or services. Depending on GAAP rules, the nature of the purchase and the business policies of how to allocate the cost of different purchases, the tool set must be able to compute auditable financial entries into the appropriate accounts. It must also update the supplier relationship with an accrued payable to verify the transaction when an invoice is received and posted into accounts payable.
The rules vary for different types of internal resources, but all are available in resource-centric control files. Moreover, when rules are changed by an authorized person, the resource-centric file will contain the new rules. It will also document who authorized the change, when, and the commencement date.
The same facility can be used for sales transactions, with similar rules applied consistently from estimation, order entry, shipment, and invoicing as to pricing, discounting, cost of sales and the reduction of product inventory, the computation of sales taxes to be collected and paid to the government, and, where applicable, accrual of sales commissions. Manual adjustments and other infrequent transactions must undergo similar verification.
The resource-centric control files give everyone a cohesive picture of all the rules that apply to each type of resource. For example, product/inventory control files will contain the rules for sales, purchases, and all price, cost, and volume adjustments.
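The purchase walkthrough above, as an added Python example that is not part of the original note: a resource-centric control file whose rule versions record who authorized them, when, and their commencement date, plus an audit routine that checks each purchase against the rules in force on its date, books the debit and the accrued payable, logs every transaction, and collects control exceptions for exception reporting. All supplier ids, account codes, and transactions are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

AP_ACCRUED = "2100 Accrued Payables"   # constructed account code

@dataclass(frozen=True)
class RuleSet:
    """One version of a resource type's rules (constructed example)."""
    known_suppliers: frozenset
    destination_accounts: dict   # internal resource -> debit account
    authorized_by: str
    authorized_on: date
    effective: date              # commencement date of this version

class ControlFile:
    """Resource-centric control file: versions are appended, never overwritten."""
    def __init__(self, resource, initial):
        self.resource, self.versions = resource, [initial]

    def change_rules(self, new):
        self.versions.append(new)   # history of who changed what, and from when

    def rules_as_of(self, when):
        active = [v for v in self.versions if v.effective <= when]
        if not active:
            raise ValueError(f"no rules in force for {self.resource} on {when}")
        return max(active, key=lambda v: v.effective)

def audit_purchase(cf, tx):
    """Audit one purchase; returns (journal_entries, exceptions)."""
    rules = cf.rules_as_of(tx["date"])
    exc = []
    if tx["supplier"] not in rules.known_suppliers:
        exc.append(f"{tx['id']}: supplier {tx['supplier']} is not a known resource")
    account = rules.destination_accounts.get(tx["destination"])
    if account is None:
        exc.append(f"{tx['id']}: destination {tx['destination']} not permitted")
    if exc:
        return [], exc
    # Debit the receiving resource and accrue the payable against the supplier.
    return [{"tx": tx["id"], "account": account, "debit": tx["amount"], "credit": 0.0},
            {"tx": tx["id"], "account": AP_ACCRUED, "debit": 0.0,
             "credit": tx["amount"], "supplier": tx["supplier"]}], []

def run_monitor(cf, transactions):
    """Monitoring pass: log every transaction, collect control exceptions."""
    log, exceptions = [], []
    for tx in transactions:
        entries, exc = audit_purchase(cf, tx)
        log.append({"tx": tx["id"], "entries": entries, "passed": not exc})
        exceptions.extend(exc)
    return log, exceptions

# Constructed sample data: V2 adds a supplier and a destination, authorized
# on 15 Feb but commencing 1 Mar, so PO-2 (dated 20 Feb) still fails.
V1 = RuleSet(frozenset({"SUP-001"}), {"product inventory": "1300 Inventory"},
             "controller", date(2024, 1, 2), date(2024, 1, 1))
V2 = RuleSet(frozenset({"SUP-001", "SUP-002"}),
             {"product inventory": "1300 Inventory", "equipment": "1500 Equipment"},
             "controller", date(2024, 2, 15), date(2024, 3, 1))
CONTROL = ControlFile("product/inventory", V1)
CONTROL.change_rules(V2)
SAMPLE_TX = [
    {"id": "PO-1", "date": date(2024, 2, 1), "supplier": "SUP-001", "destination": "product inventory", "amount": 500.0},
    {"id": "PO-2", "date": date(2024, 2, 20), "supplier": "SUP-002", "destination": "equipment", "amount": 900.0},
    {"id": "PO-3", "date": date(2024, 3, 5), "supplier": "SUP-002", "destination": "equipment", "amount": 900.0}]
```

Running `run_monitor(CONTROL, SAMPLE_TX)` passes PO-1 and PO-3 and raises two exceptions for PO-2, which is what exception reporting would route to the responsible user and supervisor.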
The timeliness of information distribution is critical and can take several forms such as alerts and warnings on "dashboards," e-mails, and text pages on a phone or PDA. E-mailing of control exceptions to the appropriate user and next-level supervisor must receive consideration, so problems can receive prompt attention and resolution. Additionally, a query language capability is a useful and necessary facility to satisfy ad hoc reporting requirements for analysis and on-demand information needs to allow those accountable and responsible to monitor, validate, and use the information collected.
Some words of caution regarding internal controls are warranted. The type of continuous monitoring process needed for SOX will put an additional strain on your control processes. You will need to have consistent, verifiable, and monitored internal processes for problem resolution when dealing with business activity defects. After error detection, the reconciliation process begins with understanding who is responsible and accountable for correcting the problem and when it must be corrected. Of course, someone, most likely in an audit function, will need to "mind the store" in this regard. The tool set must also provide the necessary support in this area.
SOURCE:
http://www.technologyevaluation.com/research/articles/attributes-of-sarbanes-oxley-tool-sets-part-two-information-and-communication-monitoring-and-startup-tips-17127/