Sarbanes-Oxley Software: Ten Questions to Ask

Section 404 of the Sarbanes-Oxley Act of 2002 requires a company to document and periodically test its internal controls and the company’s external auditors to offer an opinion on those controls. While public companies are developing their project plans and evaluating software applications to help them manage this process, the area is a new one for most.
The software an entity needs to comply with the act must enable it to document its financial and operations risks as well as the controls in place to mitigate those risks and to test the controls to ensure they are operating effectively. The software also must include various reporting mechanisms for managing compliance and assisting with external audit validation.

But beyond those basics, what should CPAs shopping for the right software find out from a vendor? Here are 10 questions companies need to ask to make sure the software they buy will do the job today and in the future.

What technology does the software use? This information will help the company’s IT department not only evaluate the software’s design but also determine the infrastructure needed to maintain the software in-house and its cost.

Is any software downloaded onto individual users’ PCs? For most IT departments, software downloads are a red flag that can signal a compatibility and support nightmare. Web-based software accessed through a Web browser helps to minimize this concern.

What are the software provider’s security procedures? The product’s design should provide for only authorized access to both the application and the database. Software hosted outside the customer’s network and delivered by an application service provider should have such features as encrypted data transmission over the Internet and frequent backups.

How many simultaneous users can the software support? The more users that can access the system at any one time, the better. If it cannot support all the company’s employees, the software will never be useful beyond Sarbanes-Oxley compliance.

What are the user access controls? Systems should control what users can view as well as what functionality they can access.

Does the software have an efficient documentation process? For many companies, control documentation will require the most resources. Software that allows many users to document controls and testing, while limiting review and publishing authority to a smaller group of project leaders, will make the process more efficient.

Does the software address aspects of Sarbanes-Oxley other than section 404? Section 302 requires management to certify its financial results and internal controls. Software that maintains online disclosure questionnaires for employees to complete and summarizes responses and comments can help the company’s disclosure committee evaluate the entity’s financial disclosures and help the CEO and CFO make accurate certifications.

What benefits does the software provide beyond Sarbanes-Oxley compliance? Given the significant resources required to comply with the act, companies are seeking other ways to leverage their efforts and improve their business. Applications that let a company standardize business procedures, share best practices and document and communicate policies and procedures will help the company increase its return on the investment it makes in the software.

How does the software track changes? For long-term use, CPAs should look not only for access to prior versions of all controls but also for the software to have an audit trail that date- and time-stamps each user’s actions. Changes should also be communicated automatically to users who need to see them.

Does the seller provide software upgrades and how often? Purchasers should understand a vendor’s long-term plans for the software before buying. Some vendors may be reluctant to commit to future upgrades or have a history of infrequent product updates. With Sarbanes-Oxley implementation still evolving, it’s important for a vendor to have a strong commitment to future upgrades.

Source: Rocco Tarasi, national director, Resources Audit Solutions, Pittsburgh, .

