Printer Friendly

Sarbanes-Oxley software; ten questions to ask: section 404 of the Sarbanes-Oxley Act of 2002 requires a company to document and periodically test its internal controls and the company's external auditors to offer an opinion on those controls. While public companies are developing their project plans and evaluating software applications to help them manage this process, the area is a new one for most.

The software an entity needs to comply with the act must enable it to document its financial and operations risks as well as the controls in place to mitigate those risks and to test the controls to ensure they are operating effectively. The software also must include various reporting mechanisms for managing compliance and assisting with external audit validation.

But beyond those basics, what should CPAs shopping for the right software find out from a vendor? Here are 10 questions companies need to ask to make sure the software they buy will do the job today and in the future.

[] What technology does the software use? This information will help the company's IT department nor only evaluate the software's design but also determine the infrastructure needed to maintain the software in-house and its cost.

[] Is any software downloaded onto individual users' PCs? For most IT departments, software downloads are a red flag that can signal a compatibility and support nightmare. Web-based software accessed through a Web browser helps to minimize this concern.

[] What are the software provider's security procedures? The product's design should provide for only authorized access to both the application and the database. Software hosted outside the customer's network and delivered by an application service provider should have such features as encrypted data transmission over the Internet and frequent backups.

[] How many simultaneous users can the software support? The more users that can access the system at any one time, the better. If it cannot support all the company's employees, the software will never be useful beyond Sarbanes-Oxley compliance.

[] What are the user access controls? Systems should control what users can view as well as what functionality they can access.

[] Does the software have an efficient documentation process? For many companies, control documentation will require the most resources. Software that allows many users to document controls and testing, while limiting review and publishing authority to a smaller group of project leaders, will make the process more efficient.

[] Does the software address aspects of Sarbanes-Oxley other than section 404? Section 302 requires management to certify its financial results and internal controls. Software that maintains online disclosure questionnaires for employees to complete and summarizes responses and comments can help the company's disclosure committee evaluate the entity's financial disclosures and help the CEO and CFO make accurate certifications.

[] What benefits does the software provide beyond Sarbanes-Oxley compliance? Given the significant resources required to comply with the act, companies are seeking other ways to leverage their efforts and improve their business. Applications that let a company standardize business procedures, share best practices and document and communicate policies and procedures will help the company increase its return on the investment it makes in the software.

[] How does the software track changes? For long-term use. CPAs should look not only for access to prior versions of all controls hut also for the software to have an audit trail that date- and time-stamps each user's actions. Changes should also be communicated automatically to users who need to see them,

[] Does the seller provide software upgrades and how of. ten. Purchasers should understand a vendors long-term plans for the software before buying. Some vendors may be reluctant to commit to future upgrades or have a history of infrequent product updates. With Sarbanes-Oxley implementation still evolving, it's important for a vendor to have a strong commitment to future upgrades.

Source: Rocco Tarasi, national director, Resources Audit Solutions, Pittsburgh,
COPYRIGHT 2003 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Author:Tarasi, Rocco
Publication:Journal of Accountancy
Date:Sep 1, 2003
Previous Article:Smart stops on the web.
Next Article:CPAs as Audit Committee members: be part of the new vanguard in corporate governance.

Related Articles
How Sarbanes-Oxley will change the audit process: CPAs will have to develop new procedures and scrap some old ones.
Ask FERF (financial executives research foundation) about ... private company compliance with section 404.
Choose the right tools for internal control reporting: pick internal control software for changing business conditions.
AS2: when the pedal hits the metal; Although the costs and opportunity cost of the PCAOB's new audit standard are substantial, Financial Executives...
Section 404 opens a door: the requirement to evaluate a company's internal controls has created a service niche.
Is software the solution for Sarbanes-Oxyley.
Taking control of internal controls: the 411 on Sec. 404.
Trust services: a better way to evaluate I.T. controls: fulfilling the requirements of section 404.
Ask FERF about ... process improvements in Sarbanes-Oxley Section 404 for year-two compliance.

Terms of use | Privacy policy | Copyright © 2022 Farlex, Inc. | Feedback | For webmasters |