Sarbanes-Oxley software; ten questions to ask

Section 404 of the Sarbanes-Oxley Act of 2002 requires a company to document and periodically test its internal controls and the company's external auditors to offer an opinion on those controls. While public companies are developing their project plans and evaluating software applications to help them manage this process, the area is a new one for most.
But beyond those basics, what should CPAs shopping for the right software find out from a vendor? Here are 10 questions companies need to ask to make sure the software they buy will do the job today and in the future.
 What technology does the software use? This information will help the company's IT department not only evaluate the software's design but also determine the infrastructure needed to maintain the software in-house and its cost.
 Is any software downloaded onto individual users' PCs? For most IT departments, software downloads are a red flag that can signal a compatibility and support nightmare. Web-based software accessed through a Web browser helps to minimize this concern.
 What are the software provider's security procedures? The product's design should provide for only authorized access to both the application and the database. Software hosted outside the customer's network and delivered by an application service provider should have such features as encrypted data transmission over the Internet and frequent backups.
 How many simultaneous users can the software support? The more users that can access the system at any one time, the better. If it cannot support all the company's employees, the software will never be useful beyond Sarbanes-Oxley compliance.
 What are the user access controls? Systems should control what users can view as well as what functionality they can access.
 Does the software have an efficient documentation process? For many companies, control documentation will require the most resources. Software that allows many users to document controls and testing, while limiting review and publishing authority to a smaller group of project leaders, will make the process more efficient.
 Does the software address aspects of Sarbanes-Oxley other than section 404? Section 302 requires management to certify its financial results and internal controls. Software that maintains online disclosure questionnaires for employees to complete and summarizes responses and comments can help the company's disclosure committee evaluate the entity's financial disclosures and help the CEO and CFO make accurate certifications.
 What benefits does the software provide beyond Sarbanes-Oxley compliance? Given the significant resources required to comply with the act, companies are seeking other ways to leverage their efforts and improve their business. Applications that let a company standardize business procedures, share best practices and document and communicate policies and procedures will help the company increase its return on the investment it makes in the software.
 How does the software track changes? For long-term use, CPAs should look not only for access to prior versions of all controls but also for the software to have an audit trail that date- and time-stamps each user's actions. Changes should also be communicated automatically to users who need to see them.
 Does the seller provide software upgrades and how often? Purchasers should understand a vendor's long-term plans for the software before buying. Some vendors may be reluctant to commit to future upgrades or have a history of infrequent product updates. With Sarbanes-Oxley implementation still evolving, it's important for a vendor to have a strong commitment to future upgrades.
Source: Rocco Tarasi, national director, Resources Audit Solutions, Pittsburgh, email@example.com.
|Publication:||Journal of Accountancy|
|Date:||Sep 1, 2003|