The Fog Clears on SOX Compliance

Do accountants have the right technology for a solid financial accounting system?

By Rick Telberg
[From Hewlett Packard]

Two of the top ten most important issues facing public accountants this year seem closely related. "Assurance and compliance applications" and "IT governance" are now among the top ten issues facing accountants, according to the American Institute of Certified Public Accountants, and both are new to the agenda this year.

IT governance, of course, has been an issue for years, ever since it became obvious that the IT function was the foundation for most of a company's business intelligence. The financial accounting system is an important component of the IT function in most firms.

The focus on assurance and compliance applications comes, in large part, from the Sarbanes-Oxley Act of 2002 (known affectionately as SOX), especially Section 404 on internal controls. Even though the act is already four years old, many of the publicly held companies that fall under its requirements are still getting their act together.

And while private companies are not officially subject to the compliance requirements of SOX, some are adopting the standards in order to remain competitive, to satisfy vendors or suppliers, or to gain and maintain access to capital.

It has meant new investments in technology and in training, but it seems to be paying off.

In fact, a survey reported in CIO Insight found that 54 percent of CIOs see SOX-driven benefits – up from 43 percent in 2005. What's more, twice as many CIOs say their companies surpassed compliance requirements to gain additional business benefits: 14 percent in 2006 compared to 7 percent in 2005.

Clearly IT systems are at the heart of SOX compliance. That has meant that accountants, auditors, and finance managers have needed to join with counterparts in the IT department to develop new processes and procedures, and to learn how to bullet-proof them. IT security and financial controls have become one and the same.

When SOX was first passed, a wide variety of vendors claimed to have compliance applications. This is still true, but to a large extent the confusion over what constitutes SOX compliance software has been whittled down to applications that address three prime areas of control:

• Access control,
• Change control, and
• Documentation control.

Business process management and risk analysis are two additional areas that many of the more popular SOX compliance applications target.

Access control is the ability of the financial system, IT system, or ancillary SOX compliance application to detect and deter unauthorized personnel from entering or editing a transaction. Change control is concerned with assuring that only authorized users can edit financial or IT data, and that these users are limited to only the specific data and areas for which they are authorized.

The last category, documentation control, is a bit wider in scope. In addition to the document management features that capture all e-mails, memos, and correspondence for future audit use, documentation control addresses the need, per Section 302, to document the effectiveness of internal controls. In some cases this requires test plans and results, action plans and results, and roll-up surveys in which all responsible managers attest to the ongoing effectiveness of the internal controls under their control.

In looking at their IT systems, accountants are considering:

• Change management: how to manage organizational change while providing the services and support processes, automating and reinforcing the change process, and yet providing complete control over auditing.

• Controlling and monitoring employee access to financial processes and applications: new security services are needed to allow only the right employees to access only the data for which they are authorized, while maintaining an audit trail and privacy.

• Operations management: how to maintain the availability and performance of the network and applications that support the financial systems.

• Data protection, continuity and record retention: making sure that data integrity and audit trails are not wiped away in an outage.
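The access-control and change-control model described above (rights to enter and edit transactions limited to specific areas, plus an audit trail that records both permitted and denied attempts) sketched as an added example in Python. This is not code from the article or from any vendor's product; the roles, financial areas and transaction ids are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed grants (assumed names): role -> {area: actions}; unlisted = denied.
GRANTS = {
    "ap_clerk": {"accounts_payable": {"enter"}},
    "ap_manager": {"accounts_payable": {"enter", "edit"}},
    "gl_accountant": {"general_ledger": {"enter", "edit"}},
    "auditor": {},  # may read the trail, may not enter or edit anything
}


@dataclass
class Ledger:
    entries: dict = field(default_factory=dict)    # txn_id -> [area, amount]
    audit_log: list = field(default_factory=list)  # append-only trail

    def _record(self, user, role, action, area, txn_id, allowed, detail):
        # Every attempt is logged, permitted or not; denials are the detection signal.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(), "user": user,
            "role": role, "action": action, "area": area, "txn_id": txn_id,
            "allowed": allowed, "detail": detail,
        })

    def authorized(self, role, action, area):
        return action in GRANTS.get(role, {}).get(area, set())

    def enter(self, user, role, area, txn_id, amount):
        # Post a new transaction; fail closed, and never overwrite via enter.
        if not self.authorized(role, "enter", area):
            self._record(user, role, "enter", area, txn_id, False, "not authorized")
            return False
        if txn_id in self.entries:
            self._record(user, role, "enter", area, txn_id, False, "duplicate id")
            return False
        self.entries[txn_id] = [area, amount]
        self._record(user, role, "enter", area, txn_id, True, f"amount={amount}")
        return True

    def edit(self, user, role, txn_id, amount):
        # The area comes from the stored record, so a user cannot widen
        # their scope by naming a different area on the request.
        area = self.entries[txn_id][0] if txn_id in self.entries else None
        if area is None or not self.authorized(role, "edit", area):
            self._record(user, role, "edit", area, txn_id, False, "not authorized")
            return False
        old = self.entries[txn_id][1]
        self.entries[txn_id][1] = amount
        self._record(user, role, "edit", area, txn_id, True, f"{old}->{amount}")
        return True
```

Filtering `audit_log` for entries with `allowed == False` gives the list of attempts a reviewer would want to see, and the before/after values on permitted edits are the change-control record.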

The focus on the control aspects of SOX compliance applications is no coincidence. SOX itself was passed because a gross lack of proper controls allowed improper transactions to pass unchallenged in some of the largest corporations in the U.S.

Obviously, the need for internal controls in business systems is nothing new. SOX and other new pronouncements just refocus your attention on the importance of controls – both technological and financial.