Sarbanes-Oxley: What IT Can DoSarbanes-Oxley: What IT Can Do

A key goal of initial Section 404 compliance should be to eliminate as many manual processes as possible. Very likely, most companies did not go as far as they could have in this direction because they were facing time pressures or believed it was not worth the trouble. However, manual processes (particularly those using spreadsheets) are a potential source of errors and fraud. In the pre-SOX era, processes now targeted by Section 404 may have appeared trivial. Today, standards are higher and auditors will dig deeper to confirm that everything is in order. All companies (public and private) will find it worthwhile to review financial processes and find ways to improve them.

Consolidation and reporting. The accounting cycle depends on these two key activities. For this reason, companies must be certain that their systems promote audit efficiency and do not create points of friction in the monthly and quarterly closing process. Systems must deliver verifiable and timely information. Moreover, beyond simply assessing adequacy, finance organizations should look for new ways to leverage the existing IT infrastructure to automate or support more internal audit processes with existing data and systems. If they are putting new IT systems in place for compliance, and these systems collect new data, the finance organization should examine how they might use this information for internal audit and verification.

Document and content management. Finance groups must examine how to integrate document and content management into their audit and control processes. Before email and IT systems became truly pervasive in most business processes, document management was barely a nice-to-have capability. Now, with SOX and other regulations as part of the landscape, document and content management have become essential to the smooth function of finance organizations. Audit firms are advising clients to address two goals as important to lowering audit costs. The first is to have high-quality documentation of transactions, process execution, and the like. The second is to attain the ability to demonstrate, through systems and documentation, that management is testing and monitoring continuously. Document and content management systems are integral to both goals.

Some companies will conclude that they must have rigorous process execution documentation, extensive compliance manuals to accompany periodic training, and deeper integration of business documents with financial systems to address regulatory challenges. Others will simply want to automate the management of audit and control documentation, from creation to archival. Traditionally, document and content management systems have not been part of the finance group's toolkit. Before SOX, informal systems were adequate: today they are not.

Just the Beginning

Companies must follow up SOX compliance initiatives with projects that identify factors driving up audit costs and lengthening the closing cycle. Their ultimate purpose will be to identify ways to address inefficiencies with management, process design, and information technology assets.

Our advice is to use SOX compliance to revisit how you can leverage IT to improve audit and control processes. Currently, your company may be cobbling together solutions, unaware of how technology might address issues more effectively and completely. You may be missing out on what good IT investments can do to improve range of audit and control process — and what IT can do to reduce audit fees, shorten the monthly close, and respond faster to the more active audit committees that are now a business reality.

Robert D. Kugel [[email protected]] is VP & research director of Financial Performance Management at Ventana Research, focusing on the intersection of information technology and the finance organization.