Overwhelmed by the documentation
and testing requirements of the Sarbanes-Oxley
Act? Consider these tips to automate your efforts.
Use a database. Many
companies document internal controls with
spreadsheets. This process isn’t very secure and
can quickly become cumbersome. Put the information
underlying the documentation into a database
instead to enhance consistency, security and
Make sure you can get the data out.
Institute internal reporting
requirements early to ensure the database is
configured properly. It’s pointless to keep risk
and control data in a central repository if you
can’t report on them effectively.
Think workflow. Before you
begin to automate control documentation and
testing, you’ll need to carefully define the
process. Then the digitized workflows can help
uncover problems, such as control gaps, that
require corrective action.
Hit a softball first.
Don’t try to automate the entire
control process in one pass. Instead, find a small
project that will produce immediate cash savings,
such as testing controls over duplicate payments.
Select a vendor with a chance of
surviving. Roughly half the
software products available in the key-control
market have been launched since the Sarbanes-Oxley
Act passed in 2002. In the next few years, expect
to see a shakeout among vendors as mergers,
acquisitions and business failures continue to
consolidate the market. To protect yourself, ask
vendors for their list of paying customers,
excluding free charter clients.
Get a champion and a backup.
Find and support at least two
employees in the organization who will act as
champions for the automation project by
implementing, maintaining and—most important—
Learn to analyze data.
Develop techniques such as
regression analysis to analyze financial
transactions. Regression analysis can be used in a
wide range of tests, such as estimating account
balances for reasonableness. As a starting point,
improve your understanding of Microsoft Excel’s
analysis features. You might need to install
Excel’s data analysis add-in if it doesn’t appear
under the Tools menu (see Technology
Q&A, JofA, July 05, page 75).
Also, with Excel’s Pivot Table feature, you can
quickly categorize data by department or product
code. (For more on pivot tables, see “Make
Excel an Instant Know-It-All,”
JofA, Mar.04, page 40.)
Identify the top manual control tests to
be automated. Look at previous
years’ efforts or estimate the most time-consuming
tests for the current year and automate those
first. Often, the best candidates are tests that
ensure a control is active. For example, rather
than manually reviewing credit limit forms for a
sample of customers, generate a computer report
that lists customers whose sales exceed their
Make it routine.
Successful companies continuously
automate testing, analyze data and manage control
information in a database. Establish budgets,
project plans, training and—most important—staff
time throughout the year to ensure success.
Source: Richard B. Lanza, CPA/CITP, is
president of Audit Software Professionals and
coauthor of The Buyer’s Guide to Audit
Software. He can be reached at www.auditsoftware.net