Avoid the Documentation Nightmare

BY VIN D�AMICO

CHECKLIST

Under Sarbanes-Oxley not all corporate artifacts and actions need to be documented. IT managers and CITPs can use these tips to keep Sarbanes-Oxley documentation simple.

Specify accountability. Technically the CEO and CFO have ultimate responsibility for financial reports, but they will want to know who provided the information. Create a list of major functional areas related to Sarbanes-Oxley and identify who is accountable.

Be clear and concise. If the CEO has a question, he or she should be able to pick up your accountability list and call the responsible person directly. Break the list down by business unit, division or whatever segmentation makes sense in your organization. Keep it electronic and easy to update.

Define the business processes for managing financial information clearly. Only business processes that are critical and material to the production of financial statements and disclosures need to be documented.

Have documentation for each step showing

The person who performs or oversees the activity.
The systems involved in the activity.
The information required to complete the activity.
The information resulting from the activity.
The business rules that govern the activity.
When and how often the activity is performed.

Define all the computer systems that handle the data. It’s not sufficient to say you use an enterprise resource planning application to perform your financial analysis. Document the underlying database and the reporting tools, including the software version and patch levels. Also include detailed information about the operating environment, such as the version of Windows used and any add-ins.

Write a code of conduct. All employees should sign a code of conduct that encourages people to be honest, diligent and willing to follow the rules.

Conduct a risk assessment and develop mitigation measures. Risks vary from company to company. It’s essential to show that a good-faith effort was made to identify and evaluate areas of financial reporting where errors might occur. An IT team’s efforts combined with the development of internal controls to mitigate those risks will provide reassurance to auditors.

Here are a few examples of the risks companies might face with IT:

Major upgrades or replacements of financial reporting systems.
Major changes to manufacturing or inventory tracking systems.
Substantial increases or reductions in workforce.
Security breakdowns and system intrusions.
Significant amounts of human intervention in processing results.
System failures, particularly those requiring restoration of data.

Make sure the IT department documents these risks and others that are unique to your organization. Then document steps taken to mitigate each one and why you believe the final reported results won’t be affected.

Test your risk mitigation measures. Create a test plan that specifies what is being tested, how and by whom. Define the test cases by describing adverse scenarios followed by the steps to be taken in correcting them. Run through the scenarios and document the results to provide evidence of this testing to external auditors.

Source: Vin D’Amico, Writing Assistance Inc., Plymouth, Minn., www.writingassist.com , 2006.

SPONSORED REPORT

How to make the most of a negotiation

Negotiators are made, not born. In this sponsored report, we cover strategies and tactics to help you head into 2017 ready to take on business deals, salary discussions and more.

VIDEO

Will the Affordable Care Act be repealed?

The results of the 2016 presidential election are likely to have a big impact on federal tax policy in the coming years. Eddie Adkins, CPA, a partner in the Washington National Tax Office at Grant Thornton, discusses what parts of the ACA might survive the repeal of most of the law.

QUIZ

News quiz: Scam email plagues tax professionals—again

Even as the IRS reported on success in reducing tax return identity theft in the 2016 season, the Service also warned tax professionals about yet another email phishing scam. See how much you know about recent news with this short quiz.