Avoid the Documentation Nightmare



Under Sarbanes-Oxley not all corporate artifacts and actions need to be documented. IT managers and CITPs can use these tips to keep Sarbanes-Oxley documentation simple.

Specify accountability. Technically the CEO and CFO have ultimate responsibility for financial reports, but they will want to know who provided the information. Create a list of major functional areas related to Sarbanes-Oxley and identify who is accountable.

Be clear and concise. If the CEO has a question, he or she should be able to pick up your accountability list and call the responsible person directly. Break the list down by business unit, division or whatever segmentation makes sense in your organization. Keep it electronic and easy to update.

Define the business processes for managing financial information clearly. Only business processes that are critical and material to the production of financial statements and disclosures need to be documented.

Have documentation for each step showing:

The person who performs or oversees the activity.
The systems involved in the activity.
The information required to complete the activity.
The information resulting from the activity.
The business rules that govern the activity.
When and how often the activity is performed.

Define all the computer systems that handle the data. It’s not sufficient to say you use an enterprise resource planning application to perform your financial analysis. Document the underlying database and the reporting tools, including the software version and patch levels. Also include detailed information about the operating environment, such as the version of Windows used and any add-ins.

Write a code of conduct. All employees should sign a code of conduct that encourages people to be honest, diligent and willing to follow the rules.

Conduct a risk assessment and develop mitigation measures. Risks vary from company to company. It’s essential to show that a good-faith effort was made to identify and evaluate areas of financial reporting where errors might occur. An IT team’s efforts combined with the development of internal controls to mitigate those risks will provide reassurance to auditors.

Here are a few examples of the risks companies might face with IT:

Major upgrades or replacements of financial reporting systems.
Major changes to manufacturing or inventory tracking systems.
Substantial increases or reductions in workforce.
Security breakdowns and system intrusions.
Significant amounts of human intervention in processing results.
System failures, particularly those requiring restoration of data.

Make sure the IT department documents these risks and others that are unique to your organization. Then document steps taken to mitigate each one and why you believe the final reported results won’t be affected.

Test your risk mitigation measures. Create a test plan that specifies what is being tested, how and by whom. Define the test cases by describing adverse scenarios followed by the steps to be taken in correcting them. Run through the scenarios and document the results to provide evidence of this testing to external auditors.

Source: Vin D’Amico, Writing Assistance Inc., Plymouth, Minn., www.writingassist.com, 2006.

