The software an entity needs to
comply with the act must enable it to document its
financial and operations risks as well as the
controls in place to mitigate those risks and to
test the controls to ensure they are operating
effectively. The software also must include various
reporting mechanisms for managing compliance and
assisting with external audit validation.
Beyond those basics, what should CPAs shopping for
the right software find out from a vendor? Here
are 10 questions companies need to ask to make
sure the software they buy will do the job today
and in the future.
What technology does the software use?
This information will help the
company’s IT department not only evaluate the
software’s design but also determine the
infrastructure needed to maintain the software
in-house and its cost.
Is any software downloaded onto
individual users’ PCs?
For most
IT departments, software downloads are a red flag
that can signal a compatibility and support
nightmare. Web-based software accessed through a
Web browser helps to minimize this concern.
What are the software provider’s
security procedures?
The
product’s design should provide for only
authorized access to both the application and the
database. Software hosted outside the customer’s
network and delivered by an application service
provider should have such features as encrypted
data transmission over the Internet and frequent
How many simultaneous users can the
software support?
The more users
that can access the system at any one time, the
better. If it cannot support all the company’s
employees, the software will never be useful
beyond Sarbanes-Oxley compliance
What are the user access controls?
Systems should control what users
can view as well as what functionality they can
Does the software have an efficient
documentation process?
For many
companies, control documentation will require the
most resources. Software that allows many users to
document controls and testing, while limiting
review and publishing authority to a smaller group
of project leaders, will make the process more
Does the software address aspects of
Sarbanes-Oxley other than section 404?
Section 302 requires management to
certify its financial results and internal
controls. Software that maintains online
disclosure questionnaires for employees to
complete and summarizes responses and comments can
help the company’s disclosure committee evaluate
the entity’s financial disclosures and help the
CEO and CFO make accurate certifications.
What benefits does the software provide
beyond Sarbanes-Oxley compliance?
Given the significant resources
required to comply with the act, companies are
seeking other ways to leverage their efforts and
improve their business. Applications that let a
company standardize business procedures, share
best practices and document and communicate
policies and procedures will help the company
increase its return on the investment it makes in
How does the software track changes?
For long-term use, CPAs should look
not only for access to prior versions of all
controls but also for the software to have an
audit trail that date- and time-stamps each user’s
actions. Changes should also be communicated
automatically to users who need to see them.
Does the seller provide software
upgrades and how often?
Purchasers should understand a
vendor’s long-term plans for the software before
buying. Some vendors may be reluctant to commit to
future upgrades or have a history of infrequent
product updates. With Sarbanes-Oxley
implementation still evolving, it’s important for
a vendor to have a strong commitment to future