Sarbanes-Oxley Software: Ten Questions to Ask


Section 404 of the Sarbanes-Oxley Act of 2002 requires a company to document and periodically test its internal controls and requires the company’s external auditors to offer an opinion on those controls. While public companies are developing their project plans and evaluating software applications to help them manage this process, the area is a new one for most.
The software an entity needs to comply with the act must enable it to document its financial and operations risks as well as the controls in place to mitigate those risks and to test the controls to ensure they are operating effectively. The software also must include various reporting mechanisms for managing compliance and assisting with external audit validation.

But beyond those basics, what should CPAs shopping for the right software find out from a vendor? Here are 10 questions companies need to ask to make sure the software they buy will do the job today and in the future.

What technology does the software use? This information will help the company’s IT department not only evaluate the software’s design but also determine the infrastructure needed to maintain the software in-house and its cost.

Is any software downloaded onto individual users’ PCs? For most IT departments, software downloads are a red flag that can signal a compatibility and support nightmare. Web-based software accessed through a Web browser helps to minimize this concern.

What are the software provider’s security procedures? The product’s design should provide for only authorized access to both the application and the database. Software hosted outside the customer’s network and delivered by an application service provider should have such features as encrypted data transmission over the Internet and frequent backups.

How many simultaneous users can the software support? The more users that can access the system at any one time, the better. If it cannot support all the company’s employees, the software will never be useful beyond Sarbanes-Oxley compliance.

What are the user access controls? Systems should control what users can view as well as what functionality they can access.

Does the software have an efficient documentation process? For many companies, control documentation will require the most resources. Software that allows many users to document controls and testing, while limiting review and publishing authority to a smaller group of project leaders, will make the process more efficient.

Does the software address aspects of Sarbanes-Oxley other than section 404? Section 302 requires management to certify its financial results and internal controls. Software that maintains online disclosure questionnaires for employees to complete and summarizes responses and comments can help the company’s disclosure committee evaluate the entity’s financial disclosures and help the CEO and CFO make accurate certifications.

What benefits does the software provide beyond Sarbanes-Oxley compliance? Given the significant resources required to comply with the act, companies are seeking other ways to leverage their efforts and improve their business. Applications that let a company standardize business procedures, share best practices and document and communicate policies and procedures will help the company increase its return on the investment it makes in the software.

How does the software track changes? For long-term use, CPAs should look not only for access to prior versions of all controls but also for the software to have an audit trail that date- and time-stamps each user’s actions. Changes should also be communicated automatically to users who need to see them.

Does the seller provide software upgrades and how often? Purchasers should understand a vendor’s long-term plans for the software before buying. Some vendors may be reluctant to commit to future upgrades or have a history of infrequent product updates. With Sarbanes-Oxley implementation still evolving, it’s important for a vendor to have a strong commitment to future upgrades.

Source: Rocco Tarasi, national director, Resources Audit Solutions, Pittsburgh, rocco.tarasi@resources-us.com.
