Using a tool to document the internal controls of an organisation is an increasingly popular option for company management. Choosing a tool for Sarbanes-Oxley is no different from any other automation effort. The functionality looked for in the tool should be based on the requirements of the company, test or audit organisation, not the blurb from a tool vendor's catalogue. The ultimate goal is an accurate description of the company's control policies and procedures.

Maintaining information about internal controls, or "warehousing", is one of three main functions of an automated tool in terms of SOX. The other two are the automation of testing internal controls and the automation of the controls themselves. This article focuses on using the tool for Sarbanes-Oxley (SOX) review purposes. However, the information can quite easily be extrapolated to any other regime which mandates the effectiveness of internal control, such as Basel II, HIPAA and IT audits.

As has been noted elsewhere on this site, the more an organisation, and in particular the IT department, can prepare, the easier any review becomes. Indeed, if done properly, the costs of complying with SOX can come down dramatically. (But then that is the holy grail with all automation projects. How many fail?)

There are three main methods for collating internal control documentation. Most tools will offer one or a combination of these.

Links to Existing Documentation

Documentation on internal controls will already exist for many organisations. The tool merely provides a reference to this material, to allow the material to be reviewed. One particular problem with this method is what happens if the document linked to changes: is this change recorded and the overall control framework updated? This is the cheapest upfront, but could be expensive in the long term.

Menu Driven

In this scenario the documentation is created via the tool itself. The user is prompted with items from a menu. To describe a control objective, the user might be offered "ensure proper authorization of transactions" or "verify accuracy". Again this reduces the upfront cost, as users are prompted with stock phrases. The temptation might be to put less qualified people on the task. The downside is that the control objective descriptions will only ever be as good as the person who sets the menu items. A number of IT management tools have inbuilt classifications from the COBIT framework. In the future, it is likely the COSO framework will be built into tools.

Free Responses

The user is given free rein to enter her own descriptions. This requires a large amount of support or knowledge from the user, as the information and knowledge of controls has to come from them.

No matter how good the tool, the features it has or its cost, it is only ever as good as the person using it. To make sure we optimize the effect of automation, users need the following attributes.

Knowledge of company controls

In organisations with existing clear descriptions and a knowledgeable workforce this will not pose too much of a problem.

Internal control concepts

These relate to a framework like COSO, which is mandated by the SOX legislation. The area of IT related controls is covered by Control Objectives for Information and related Technologies (COBIT). This subject can be quite theoretical. A number of tools have the COBIT framework built into them as parameters, and it can therefore be turned into a menu drop-down.

Financial reporting process

The whole point of Sarbanes-Oxley is to ensure the accuracy of financial reporting. All users of the tool must have an idea of what financial reporting involves. After all, how else will they know it has gone wrong?

Assertions in the Financial Statements

These are the representations of management built into the entity's financial statements. Examples of assertions from auditing are the existence of assets or liabilities, the valuation or measurement of amounts, or the completeness of the financial statements.

The design of a control and its associated documentation is only part of the story. The control has to go on and be effective. Indeed, the operational effectiveness is more important. Documentation, however, makes this easier to prove. As noted above, testing the effectiveness of internal controls is of paramount importance. The descriptions of the controls therefore have to be readily available to a wide range of people, from their respective perspectives.

By Control Objective

The user should be able to review, for each control objective, the control policies and procedures meant to achieve it. All significant control objectives should be covered.

By Business Process

The user can start evaluating activity-level controls from here.

By General Ledger Account

This perspective provides a link between the financial statements and internal control. It is particularly good for activity-level controls.

Maintaining information integrity ensures that the documentation held by the tool is an accurate representation of the real world within the entity and its internal controls. The ease with which controls can be updated is an important element. At the same time, the documentation is an important element in a process with potential implications for controls over billions of dollars.

Logical access controls

Tool administrators should be able to restrict access by users to the portion of documentation pertaining to their level and area of responsibility.

Standardized updating procedures

Changes to the documentation have to leave behind a paper trail. Everything else which is impacted by the internal control also has to be updated. These include the general ledger, business processes and the affected control objectives.

Management have to monitor the internal controls of their company. Any material changes to internal control have to be reported. In some cases where significant deficiencies or material weaknesses have been reported and subsequently remediated, this also has to be reported. Once the tool is being used effectively and efficiently, this can be accomplished with relative ease.

Monitoring is one of the five elements of the internal control framework as laid down by COSO. In support of this element, changes to documentation should mirror changes to the actual controls. The tool should be able to identify any changes to the controls over a given time period. The goal is for management to have assurance that the documentation and the internal controls are indeed in alignment.

In the software testing area, automated tools have a high propensity to become "shelfware". The reasons for this occurring are many. The primary reason, though, is that they become irrelevant to most people, or the amount of updating generates prohibitive costs. A similar fate may await the newly purchased SOX tool. A combination of the above features and the user attributes is essential if the automation process is to be successful.