Choose the Right Tools for Internal Control Reporting

Pick internal control software for changing business conditions.

CPAs CAN PROVIDE A VALUABLE service to their employers or clients by helping them plan their strategic approach to compliance with section 404 of the Sarbanes-Oxley Act of 2002.

NEW SOFTWARE PRODUCTS CAN IMPROVE corporate governance and external communications about financial performance. They also can enhance the efficiency and effectiveness of compliance programs, thus reducing their cost and helping companies track progress toward establishing adequate internal controls and maintaining their effectiveness as business conditions change.

IT’S IMPORTANT THAT CPAs BECOME FAMILIAR with the four categories of software tools: “generic” applications that enhance controls; document management and workflow; data mining, file retrieval, pattern recognition and business intelligence; and business performance management and real-time compliance.

COMPANIES SHOULD DETERMINE which of the four categories of tools their current internal controls fit into, then identify company resources—such as staff and funding—that are available for an upgrade. Next they should select advanced tools that will enhance controls and improve company monitoring of them and compliance reporting to regulators.

CPAs SHOULD MAKE CERTAIN THAT BEFORE their employers or clients buy compliance software they not only understand its characteristics, limitations and the related vendor support plans but also know what additional tools are necessary to ensure the company has in place a system of mature internal controls.

BRUCE I. WINTERS, CPA, is a certified information systems auditor focusing on Sarbanes-Oxley engagements in PricewaterhouseCoopers’ systems and process assurance practice. He welcomes comments on this article and can be reached by e-mail at .

Time is running out for many businesses to begin the complex process of complying with section 404 of the Sarbanes-Oxley Act of 2002, which tightened internal control and financial reporting requirements. (See “Impact of Section 404.”)

This article is intended for readers in both industry and public accounting who seek, or need to offer, advice on selecting software—based on the extent to which a company already has compliance systems in place—for meeting section 404’s requirements. Although it is not a detailed buyer’s guide, it describes the features of specific software categories and thus can serve as a practical guide to what’s available in the market and what to look for when examining software for employers and clients and discussing products with vendors.

CPAs can play a valuable role in helping companies choose software tools whose functions include supporting compliance and also enhancing communication with investors, employees and regulators, making financial statements clear and easier to analyze and increasing efficiency by, for example, eliminating redundant or obsolete controls and improving workflow. Acting as a technical adviser on financial internal controls design, financial processes and transaction flows, the CPA can help a client or employer answer three difficult but important questions:

Is it better to design a compliance program for the short term (one year or less) or a more sustainable one for the long term?

They Aim to Do It for Less

Emphasis on cutting Sarbanes-Oxley compliance costs in 2004 (percentage of responding CFOs)
Major: 23%
Moderate: 50%
Limited: 13%
None: 7%
Not sure: 7%

Source: Survey of CFOs of 70 U.S. companies with an average annual revenue greater than $6 billion, PricewaterhouseCoopers, 2003.

Which software tools are most capable of fostering complete, effective and sustainable compliance in a given business situation?

What other investments (new policies and procedures, training and ethics programs, for example) are necessary to achieve section 404 compliance and also to take full advantage of the software chosen?

Companies are eager to contain the already spiraling costs of complying with Sarbanes-Oxley. Some are overhauling their business processes and integrating them into enterprise-wide systems. They also are installing software that produces always-up-to-date business process documentation in terms managers, investors and lenders can understand. This software enables companies to refine their financial controls, improve both their timing and public communication of key company events and provide more detailed evaluations of business results.

CPAs can save clients or employers time and money by strongly recommending the selection of software be based on the criteria listed below in order of importance.

The software tool’s most important functions, not its minor features.

The vendor’s viability as a going concern.

The vendor’s support plans and the software’s position in its product line.

The product’s ongoing compatibility with the company’s operating systems and its scalability.

Whether the tool has a Web-based interface and employees can access it online without installing software on their individual PCs.

Whether customization of the product is available or required.

The availability of suitable vendor-supplied implementation services.

The level of training the vendor provides.

The extent of integration with other tools—for example, how proprietary is the database, and can users easily link it to other programs?


Exhibit 1: Generic Software Tools
Accounting (products with enhanced internal control capabilities)
ACCPAC International Inc.
Best Software
Creative Solutions Inc.
Hyperion Solutions Corp.
J.D. Edwards & Co.
Lawson Software
Microsoft Corp.
Peoplesoft Inc.
Oracle Corp.
SAP AG

Communication and collaboration
Akonix
FaceTime Auditor
IM-Age
IM Logic
Iron Mountain
KVS
Legato
Sector
WiredRed
Zantaz

Regulatory and technical reference
BNA Inc.
CCH Inc.
Factiva
LexisNexis
PPC
The Thomson Corp.
WG&L

Maintenance, support and upgrade costs (direct and indirect—for example, hardware and staff).

Availability of information on any infrastructure and operating system changes or updates that could become necessary.

The extent to which a company has progressed in building a strong control environment will dictate what tools it needs to buy and when. CPAs can use an internal controls maturity framework to help companies determine whether their existing or proposed controls for a given activity or process are rigorous enough to manage related risks and that they are sufficiently documented for review by auditors who must assess section 404 compliance. A version of such a framework, developed by PricewaterhouseCoopers, appears below.

As companies implement tools capable of providing real-time updates of business-process changes, their systems will begin to resemble the higher-numbered descriptions in the maturity model, reflecting greater efficiency and reduced risk.

Here’s how to use the model. First, the CPA and the company should review the company’s existing controls and identify the level of maturity that best describes them. This comparison will highlight any less than optimal controls, reveal what additional levels of sophistication are possible and enable the company to decide what goals it wants to establish for reinforcing its controls.

The Maturity Framework
Level 1: Unreliable. Unpredictable environment for which controls have not been designed or implemented.

Level 2: Informal. Controls are present but inadequately documented and largely dependent on manual intervention. There are no formal communications or training programs related to the controls.

Level 3: Standardized. Controls are in place and documented, and employees have received formal communications about them. Undetected deviations from controls may occur.

Level 4: Monitored. Standardized controls are in place and undergo periodic testing to evaluate their design and operation; test results are communicated to management. Limited use of automated tools may support controls.

Level 5: Optimized. An integrated internal controls framework with real-time monitoring by management is in place to implement continuous improvement. Automated processes and tools support the controls and enable the organization to quickly change the controls as necessary.

Impact of Section 404

This section of the Sarbanes-Oxley Act of 2002 generally requires public companies with a market value of $75 million or more, following the conclusion of their first fiscal year ending on or after June 15, 2004, to begin certain actions—such as including in their annual reports an assessment of whether their systems and financial reporting procedures are capable of providing accurate and complete financial statements. Other businesses must start their compliance efforts after the close of their first fiscal year ending on or after April 15, 2005.

Section 404 directs the SEC to issue rules mandating that companies’ annual reports contain an internal control report that

States the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.

Contains an assessment, as of the end of the company’s most recent fiscal year, of the effectiveness of its internal control structure and procedures for financial reporting.

Given the constant evolution of business processes, it makes sense for companies to adopt—if they’re not already using—compliance software that can be fully integrated with company operations and reporting. Yet many companies still use paper-based systems or relatively uncomplicated software—such as spreadsheet, word-processing and flowchart programs—to document their business process controls for compliance purposes. But while these products and paper systems can produce initial documentation easily, they aren’t well-suited to continually making or tracking changes in it.

Companies reluctant to implement more complex systems equipped to track business process changes over time argue that Sarbanes-Oxley guidance and requirements still are not final, making significant software expenditures premature. Postponing the purchase of appropriate tools, however, may require the company to create compliance documentation using spreadsheets and word-processing programs, which can be error-prone. But eventually—perhaps very soon—they will have to recreate that documentation with more robust tools.

Many executives are reaching the same conclusion. In a CFO magazine survey published in March 2003, only 11% of 245 CFOs said spreadsheet-based control reporting—which is very common—was accurate enough to make senior executives confident about certifying their companies’ financial statement data, as the Sarbanes-Oxley Act requires.

To help guide their employers and clients in choosing the right application to facilitate section 404 compliance, CPAs first need to explore the characteristics and relative merits of several types of software tools.

Many of today’s commercial software products can help companies comply with the provisions of the Sarbanes-Oxley Act. These tools range from simple, stand-alone programs that focus on a specific issue (for example, a regulatory checklist) to more complex enterprise-wide, real-time systems.

Except for generic tools—discussed below—many of these products provide a framework for adding modules to be offered in the near future—even by other vendors. The best of them establish and maintain a relationship between the overall business and its core systems and provide an internal control architecture that changes to meet the organization’s evolving compliance needs.

CPAs should encourage their clients and employers to speak with multiple vendors when evaluating tools and request demonstrations of them to ensure understanding of their potential value to the company.

The tools can be classified into four categories.

Generic tools enable users to document internal controls, reduce potential risks and provide some level of comfort that compliance initiatives are in place. Many companies already have such compliance software built into their general accounting systems (see exhibit 1). But since such software is not dynamic—that is, it can’t easily adjust to a company’s changing business requirements—it provides only the most basic level of assurance and applies only to a given point in time. Further, since companies often adopt such tools without going through a formal software evaluation process and postpurchase measurement of their use and performance, it’s difficult to ascertain their reliability.

These generic tools help companies comply with section 404. Their capabilities are limited, however, and do not match those of other products that are the best in their respective categories. However, vendors of accounting products are augmenting them with self-documenting audit trails that automatically record and provide access to incremental changes, with analysis tools to help auditors examine transactions within the system, with business intelligence tools that make it possible to delve into or summarize data, with consolidation interfaces linking disparate accounting systems, and with flags and alerts that signal when predetermined cost or other limits have been reached and require review by an analyst.

The CPA should emphasize the importance of his or her client’s or employer’s contacting their accounting software vendors to evaluate their plans for assistance and support in section 404 compliance. This will provide a starting point for their deciding what, if any, additional tools are needed and how best to connect them to the company’s existing systems.

Besides accounting products, other subcategories of generic tools include those for communication and collaboration and regulatory and technical reference purposes (see exhibit 1). Security products, of which there are too many to mention, constitute another group of these generic tools.

Communication and collaboration tools also are used to set up audit trails and documentation. E-mail, instant messaging, webcast conferences and virtual team workspaces—locations employees share for common projects—all are repositories of critical business and process information that organizations rely on and must document and analyze.

Security-focused generic tools often provide finely detailed analyses for segregation of duties, intrusion detection, encryption, firewall implementation, antivirus protection, enterprise security and disaster recovery plan updates as important components of a strong internal control system.

Exhibit 2: Document Management and Workflow Software Tools
Documentum
eFileCabinet
EMC Centera
FileNet
GoFileRoom
IBM/Lotus

As an alternative, the following products do not possess Sarbanes-Oxley-specific compliance features but do have content-management capabilities.
Hummingbird
iManage Worksite MP
Onbase by Hyland

Regulatory and technical reference tools provide a strong environment for obtaining accurate and up-to-date regulatory information for an organization.

CPAs should focus their clients and employers—when they shop for such tools—on the importance of obtaining from vendors a detailed explanation of how their products might integrate with the company’s internal control environment and with other vendors’ tools. While such integration is possible, it tends to be less than optimal because generic tools are not designed to link to other products.

Document management and workflow tools are more capable of interacting with other software than are generic products and can address relatively straightforward functions such as report tracking (see exhibit 2, above). These products monitor workflows and processes—applying a business unit’s self-defined rules—to make them more event-driven and thus easier to manage. They allow users to perform detailed indexing and searching of multiple document types, including e-mail, flowcharts and narratives, to organize and retrieve text, images and numeric data. They also enable companies to collect and integrate data from their various accounting systems and to create links between separate business units’ discrete business processes. Companies using them can better understand and analyze the frequency of control activities, categorize internal control types, test their effectiveness and reveal relationships between key job responsibilities and their place in the workflow.

These tools also are used to analyze risk and controls, rank them in terms of importance, materiality and impact and organize them by work group in a way that can be continuously updated to correspond with changing business conditions and be summarized for quarterly review and management approval.

Data mining, file retrieval, pattern recognition and business intelligence tools can gather data from separate systems and organize and analyze them. This enables companies to detect patterns in financial statement data and thus improve the effectiveness of internal controls and the accuracy of financial information (see exhibit 3).

Exhibit 3: Data Mining, File Retrieval, Pattern Recognition and Business Intelligence Software Tools
Data mining, file retrieval and pattern recognition
ACL
Caseware’s IDEA

Business intelligence
Brio/Hyperion
Business Objects/Crystal
Cognos Inc.
SAS Financial Management

CPAs should impress upon companies the central role that three types of software in this group—data mining, file retrieval and pattern recognition—play in helping organizations fully understand the information they produce about their activities. Tools that perform these functions typically analyze, manipulate, sample and extract data. They also compare actual trends and patterns in financial statement accounts with expected norms to help identify irregularities that could indicate fraud or errors.

A fourth type of software in this group—business intelligence tools—makes it possible to examine the results of business operations, delving deep into data and modifying variables to see how they affect a situation. It also enables users to review data for patterns, and it has strong reporting and graphical capabilities. And, with the advent of tools that are easier to connect to financial systems, this kind of software also has become cost-effective.

Business performance management and real-time compliance tools provide management with real-time, enterprise-wide data (see exhibit 4). These tools can smoothly interact with other software and systems and provide one repository for all company information, facilitate the development of consistent and more efficient processes, help optimize information timeliness and accuracy and promptly notify management of compliance problems and supply the means to resolve them, all of which enable the company to respond quickly to changing business conditions.

The Gartner Group, a technology research and consulting company, estimates that 40% of companies will adopt business performance management (BPM) tools by 2005.

BPM tools add continuous auditing capability to real-time enterprise systems in the form of customized computer screens—called dashboards—that present key performance indicators managers use to decide when and how to react to changing business conditions. Managers’ actions might include defining, improving and monitoring business processes on a timely basis, measuring and tracking the workflow of business functions and the changes in resources at each step of a process and—based on these—dynamically adjusting business processes. (An example would be production and inventory adjustments based on sales trends and related changes to approvals and workflow.)

Exhibit 4: Business Performance Management and Real-Time Compliance Tools
Business performance management (BPM)
Vendors are building software products with the ability to exchange data with other software to meet the functional and performance needs of both large and small companies. These products generally are easy to customize for specific situations and can be implemented without redesigning underlying systems. Examples of such software include
Fuego
GEAC Enterprise Solutions
SAS
Savvion Business Manager 5

Real-time compliance
These products, many of which have BPM capabilities, are the optimal solution for companies aiming to implement an enterprise-wide internal control system. Among the vendors in this category are
Approva Bizrights
Axentis Enterprise
CARDmap
Centerprise Corporate Control Center
Certus
CommerceQuest Traxion
Compli Enterprise
Concur Control
Handysoft SOXA Accelerator
KnowRisk
Magique
Microsoft’s SharePoint Portal Server
Movaris Certainty
OpenText Livelink and IXOS
Paisley Focus
Paisley Risk Navigator
Protiviti
Providus RiskResolve
Sarbanes-Oxley Express
Sempire Enterprise Governance
S-O Comply
SOA Director
Virtual Commitment

There is a wide range of products in this category. Some link to specific enterprise-resource-planning systems, while others perform specific functions such as setting automatic triggers or real-time alerts to obtain quick responses. Some BPM tools enable you to instruct the system to alert management whenever, for example, company sales goals are missed or surpassed or multiple approvals are needed on large transactions.

Real-time compliance tools store all information in one “data warehouse,” provide consistent and efficient processing, optimize timeliness and accuracy, include rapid warning and response systems and make it easier to monitor and manage risks. These tools also provide performance management and workflow functions.

CPAs should ensure that all products being considered serve the needs of organizations in which employees report to a variety of departments in different locations. The software must link controls to processes, analyze and describe the processes and link them to objectives and risks. The tools also should enable users to categorize, and set priorities for, risk and business objectives comprehensively in all areas of an organization.

Sarbanes-Oxley has begun a new era of reporting for public companies. In order to meet the expectations of employees, shareholders and government, companies will need real-time systems that inform management of changing business conditions, such as changes in revenue, expenses, cash flow, production and employee-related issues as they occur.

Many companies will respond with static, manual “quick fixes” or patchwork solutions—such as spreadsheet-based systems—without lasting value, but others will build the appropriate architecture and tools to monitor processes and ensure their integration into standard operations, thereby providing the mechanisms that ensure the reporting of complete, accurate, valid and reliable information.

Note that this article does not pretend to cover all available products in any of the software categories it discusses. Instead, it presents a starting point from which readers can begin their own exploration of the subject.


The CPA should help the company evaluate its environment to determine the maturity level of its internal controls.

He or she also should assist the entity in assessing its internal control philosophy and control environment.

The CPA should encourage management to develop an understanding—through discussion with vendors—of the compliance software tools and their characteristics.

When evaluating such software, companies should speak with multiple vendors in each category and observe a demonstration of every product to understand the value it can add to the organization.


Up-to-date compliance information for CPAs is available at Sarbanes-Oxley Act/PCAOB Implementation Central,

Consideration of Internal Control in a Financial Statement Audit, an AICPA Audit and Accounting Guide (# 012451JA).

Financial Reporting Alert, Internal Control Reporting—Implementing Sarbanes-Oxley Section 404 (# 029200JA).

Financial Reporting Fraud: A Practical Guide to Detection and Internal Control by Charles R. Lundelius Jr. (# 029879JA).

Internal Control—Integrated Framework, report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (# 990012JA).

Internal Control Reporting for Public Companies, a webcast originally presented July 17, 2003, and now available on CD-ROM (# 737132HSJA).

Internal Control Reporting: Standards for Compliance, a video course.

Internal Controls: Design and Documentation, a self-study course. Available mid-February (# 731850JA).

SEC Reporting, a self-study course (# 736770JA).

National Advanced Accounting and Auditing Technical Symposium: The Right Tools for Internal Control Reporting
La Jolla, California, July 21–23, 2004

For more information about any of these resources or to place an order, go to or call the AICPA at 888-777-7077.

