The task seems simple enough on the surface, but the requirements are extensive. Controls must be monitored and tested on a regular basis to ensure that they are performing adequately. The documentation must be updated and maintained. Management must be able to support their assertions that the financial data in their reports is accurate. Material weaknesses must be identified and reported in a timely manner. Resolution of issues must be tracked and reported. The control environment must be evaluated. A cultural change may be needed to encourage managers to identify problems without the fear of retribution. By understanding that this is an enterprise-wide task and not, as many are reported as believing, an IT issue, fear becomes redundant. The best IT head in the world is highly unlikely to be a compliance professional or, for that matter, an internal auditor or finance professional. To see this new era as a mostly IT issue is to assume that IT can be tasked with fully understanding all the additional needs of these other departments in a real-time and changing environment. It is much better to allow compliance, audit and finance teams direct access to the existing data, using their accumulated knowledge and data mining skills to monitor and control these vital processes.
Organisations that find a technology solution which allows them to efficiently meet these requirements, with a minimum of manual effort, will reap rewards. What they need, however, is not more expensive technology, just timely solutions. These solutions will ultimately provide more than just compliance with Sarbanes-Oxley. The same solutions can be applied across the enterprise to document, evaluate and monitor processes and controls in all areas. They do not need to be limited to financial reporting. The methods and procedures that are applied to achieve compliance with Sarbanes-Oxley can also provide the foundation for an enterprise risk management program. Better corporate governance is the certain prize awaiting those enterprises which adopt a can-do, positive approach to twenty-first-century compliance.
The objective of Sarbanes-Oxley is to provide shareholders, markets and regulators with greater transparency into the financial reporting process. The goal of enterprise risk management is to provide executive management with greater understanding of and transparency into their enterprise, enabling them to make better management decisions. IT auditing can apply a system of measurement to the organisation's internal processes, providing management with an understanding of the strengths and weaknesses of their organisation's system. It allows resources to be assigned to the appropriate areas to address weaknesses or to exploit areas with competitive advantages. Better business process is a long-term goal for many organisations. The first and most pressing need is to find the solution which can efficiently and effectively help them maintain compliance with the many requirements of the Sarbanes-Oxley Act. Technology can and will help in that imperative, but enterprises should be wary of "technology at any cost" pitches; they should concentrate on the solution and import no more new technology than is necessary to enhance the existing process. Business as usual wins over technology at any price.