not all corporate artifacts and actions need to be documented. IT managers and CITPs can use these tips to keep Sarbanes-Oxley documentation simple.

Technically the CEO and CFO have ultimate responsibility for financial reports, but they will want to know who provided the information. Create a list of major functional areas related to Sarbanes-Oxley and identify who is accountable. Be clear and concise. If the CEO has a question, he or she should be able to pick up your accountability list and call the responsible person directly. Break the list down by business unit, division or whatever segmentation makes sense in your organization. Keep it electronic and easy to update.
Define the business processes for managing financial information clearly. Only business processes that are critical and material to the production of financial statements and disclosures need to be documented. Have documentation for each step showing:
The person who performs or oversees
The systems involved in the activity.
The information required to complete
The information resulting from the
The business rules that govern the
When and how often the activity is
Define all the computer systems that handle the data. It’s not sufficient to say you use an enterprise resource planning application to perform your financial analysis. Document the underlying database and the reporting tools, including the software version and patch levels. Also include detailed information about the operating environment, such as the version of Windows used and any add-ins.
Write a code of conduct. All employees should sign a code of conduct that encourages people to be honest, diligent and willing to follow the rules.
Conduct a risk assessment and develop mitigation measures. Risks vary from company to company. It’s essential to show that a good-faith effort was made to identify and evaluate areas of financial reporting where errors might occur. An IT team’s efforts combined with the development of internal controls to mitigate those risks will provide reassurance to auditors. Here are a few examples of the risks companies might face with IT:
Major upgrades or replacements of financial reporting systems.
Major changes to manufacturing or inventory tracking systems.
Substantial increases or reductions
Security breakdowns and system
Significant amounts of human intervention in processing results.
System failures, particularly those requiring restoration of data.
the IT department documents these risks and others that are unique to your organization. Then document steps taken to mitigate each one and why you believe the final reported results won’t be
Test your risk mitigation measures. Create a test plan that specifies what is being tested, how and by whom. Define the test cases by describing adverse scenarios followed by the steps to be taken in correcting them. Run through the scenarios and document the results to provide evidence of this testing to
Source: Vin D’Amico, Writing Assistance Inc., Plymouth, Minn., www.writingassist.com, 2006.