
Making sense of Sarbanes-Oxley tools: auditors looking to automate Sarbanes-Oxley compliance tasks face an abundance of software options. Understanding how the tools break down by category may help shed light on this rapidly growing product niche

Internal Auditor, Feb, 2004 by Richard B. Lanza

NEW TOOLS DESIGNED TO FACILITATE COMPLIANCE with the U.S. Sarbanes-Oxley Act of 2002 are arriving on the market with increasing regularity. Software vendors have been flooding potential buyers, including internal auditors, with a flurry of advertisements, many of which claim to have the definitive solution for meeting the act's requirements. In fact, many vendors are likely ramping up their marketing efforts in light of the upcoming June 15 deadline for compliance with Section 404 of the act.

To many auditors, the onslaught of new product offerings is no doubt a source of some confusion. The sheer number of options can be overwhelming, making it difficult to sort through this relatively new category of tools. The products become easier to discern, however, when examined along commonalities and grouped accordingly.

Essentially, Sarbanes-Oxley tools can be divided into five distinct categories: risk and control management, audit management, data analysis, employee training, and Sarbanes-Oxley section compliance. The following descriptions of these categories, as well as the matrix of product offerings on pages 46-47, may help auditors better understand the current playing field and make sense of the growing array of products.

RISK AND CONTROL MANAGEMENT

Risk and control management software assists in the documentation of risks, potential risk-related losses, controls, issues, recommendations, and action plans for risk mitigation, and facilitates and documents controls testing as well. This category of tools consists of three main components: flowcharting tools, risk databases, and employee survey software.

FLOWCHARTING SOFTWARE Given the complexity of Sarbanes-Oxley compliance efforts, effective workflow management is critical to project success. Organizations need to ensure that process owners receive appropriate business information, control owners are notified of risks that require mitigation, exceptions are identified, and management understands key compliance priorities.

Flowcharting software can be used to draw business processes so that risks and controls affecting the compliance process can be identified more easily. The software can also be used to map financial statement accounts, risk probabilities, loss impacts, testing procedures, control gaps, and action plans.

Users of flowcharting tools may be able to identify risks that would not be apparent when preparing a walk-through memo of the process. By looking at a visual representation of processes--versus long text descriptions--inefficiencies and segregation of duties issues may be easier to spot, especially when working with higher management levels that are accustomed to seeing data "boiled down" to its essence.

RISK DATABASES Preloaded knowledge-bases of common risks and controls enable users to plug in the appropriate information for their given process quickly. These resource tools are often organized by both process and alphabetical sequence and aligned with established control models such as The Committee of Sponsoring Organizations of the Treadway Commission's Internal Control-Integrated Framework, the Canadian Institute of Chartered Accountants' Guidance on Control, or the Basel Committee on Banking Supervision's New Basel Capital Accord (Basel II).

The database tools facilitate identification of potential risks and help provide solutions for risk management. For example, a database containing common risks associated with improper reporting of period-end balances would likely include information on fixed asset accounts. Under this heading, the database might list the potential risk that fixed asset additions are not completely processed in the financial statements. For this risk, the software would then present a set of mitigating controls such as fixed asset sub-ledger to general ledger reconciliations or an integrated accounts payable system that automatically updates the subledger with any purchases of assets.

Although preloaded databases can serve as a useful guide for risk assessment, they do not necessarily represent a comprehensive solution. When documenting risks and controls, process owners using the software will still need to take their organization's unique characteristics into account, rather than simply checking off listed items on screen.

EMPLOYEE SURVEYS Several types of survey tools are available for Sarbanes-Oxley projects. One form of survey enables participants of group sessions to answer questions through the use of electronic voting devices. This method ensures an anonymous, democratic, and quantified assessment of controls through facilitated sessions and helps save time by enabling users to assess process owners' collective understanding of the control environment quickly. Another survey type allows users to complete manual tasks more efficiently by gathering data--such as code-of-conduct signatures and business process control sign-offs--online rather than in written form.

A third form of survey tool facilitates assessment of the organizational control environment by asking anonymous questions using Web forms. These tools use a Web-based platform to launch the survey and disseminate results and can be managed internally or through an outside party. Some products can automatically generate reports as data is collected. The software capitalizes on the fact that people, not financial statements and computers, commit fraud and that many employees want to share what they know about organizational control issues. For example, according to the Association of Certified Fraud Examiners' 2002 Report to the Nation, roughly 45 percent of fraud is detected through employee and business-partner tips. Therefore, the tools help tap into the valuable information on fraud detection that often comes from workers, not databases, extending data analysis beyond lifeless financial and transactional data and into the vibrant data stores in employees' and business partners' minds. Not only does this form of analysis broaden the organization's risk and control awareness, but gathering information from a large number of people can also increase the predictability and confidence levels of the assessment.

 


Content provided in partnership with Thompson Gale