During the last 5 years, I have been involved with ongoing discussions with organizations regarding the best method to track and monitor the huge amount of Sarbanes-Oxley key controls, test results, gap remediation, and overall reporting. Most often, organizations in Canada and the USA begin their Bill 198 and SOX journey using Word documents to detail their various business processes, including IT and Entity Level controls. This is usually followed by the use of Excel spreadsheets to track key controls, gaps, remediation and so forth.
Generally this approach works well to begin with, and would likely be sufficient if the SOX process ended with initial certification. However, SOX requires ongoing maintenance and monitoring to support management's assertions regarding internal controls. As a result, it becomes very onerous and downright risky to continue in this manner without an appropriate software tool.
To address this need, numerous software packages have been developed to help organizations manage their ongoing SOX projects. In fact, there are probably dozens of such software packages in existence today (I know of about 40). There is not enough time or space in this article for a full discussion of all these packages and the various features available with each of them. However, I would like to highlight some key attributes that, at a minimum, your software solution should include. They are as follows:
• Key Controls – details of the key controls within each business process, IT General Controls and Entity Level Controls.
• Locations – ability to track separate results for different locations, divisions etc.
• Process Owners – the person in the organization who has ongoing responsibility for ensuring that the key control is designed properly and operating effectively.
• Test Designs – these are the test scripts which are used on an ongoing basis to determine if the key controls are operating effectively.
• Test Results (PASS or FAIL) – full reporting on status of tests, results and ongoing remediation.
• Reporting – the software should have the ability to list key controls, test results and outstanding issues. Ideally, it should also have the ability to communicate results and follow up effectively throughout the organization – in particular with senior management, process owners and testers.
In addition to the above, ensure the following:
• Performance – ensure that the software performs quickly – your time is precious.
• User friendly – software should be relatively easy to use and understand. If it is not, staff will likely have difficulty using it, leading to frustration and discouraging its use.
Most software has evolved and is being enhanced as time goes on, so it is important to find out whether a particular application has kept abreast of changes in legislation etc.
Please see the separate blog post on this website for a discussion and recommendation of specific software solutions available for small and medium sized organizations.
I hope this helps. Please contact Edelkoort Smethurst Schein CPA’s LLP if you have any questions or comments. Thank you.