Centive, a vendor of on-demand strategic sales compensation management solutions, today announced that Salary.com, Inc. (NASDAQ:SLRY) has selected Centive Compel(R) to automate sales compensation management for its worldwide salesforce. Salary.com will deploy Centive's AppExchange-certified solution within salesforce.com, providing its sales representatives and managers with a single, integrated view of actual earnings and attainment performance as well as potential earnings based on forecast opportunities.
"After a comprehensive evaluation of sales compensation solutions on the market, Centive Compel emerged as the best fit for our requirements," said Ken Goldman, senior vice president and chief financial officer, Salary.com. "As a publicly traded company, our financial applications have to support our Sarbanes-Oxley compliance initiatives, and Centive proved most capable in that area. In addition, their integration with salesforce.com will enable us to derive additional value from our CRM system investments."
Centive Compel, an on-demand sales compensation management solution, automates the entire sales compensation process in one secure, centralized system. Compel allows customers to model and forecast commission expense, optimize plan effectiveness, and drive sales performance and top-line revenue growth.
"Salary.com understands the power of compensation in driving performance; it's part of their corporate DNA," said Mike Torto, president and CEO, Centive. "We are pleased that a leader in on-demand compensation solutions recognizes Centive Compel as the best solution for on-demand sales compensation management."
Friday, 30 March 2007
Feldman Mall Delays Form 10-K.
Feldman Mall Properties, Inc. (NYSE:FMP) announced today that it requires additional time to file its Annual Report on Form 10-K for the year ended December 31, 2006, in order to complete the Company's normally required year-end reporting requirements and assessment of the effectiveness of its internal controls over financial reporting as required by Section 404 of the Sarbanes-Oxley Act. The Company is in the final stages of completing the financial reporting process and expects to file the requisite reports shortly.
Wednesday, 28 March 2007
Sarbanes-Oxley Article Listing
A listing of articles on Sarbanes-Oxley from our sister site at http://www.software-risk.co.uk.
Investment Bank and OpenPages for SOX
Investment bank Thomas Weisel Partners has selected OpenPages FCM for its Sarbanes-Oxley compliance activities. The bank focuses on growth aspects of the economy.
The stated reasons for the choice are the flexibility and configurability of the solution. Thomas Weisel Partners is to automate the ongoing test and review of its controls documentation to reduce the time, cost and complexity associated with Sarbanes-Oxley Sections 404 and 302.
"As a company operating in the investment banking market, regulatory compliance is of the utmost importance," said David Baylor, Chief Financial Officer and Chief Operating Officer at Thomas Weisel Partners. "Our investment in OpenPages FCM gives our organization the confidence needed to ensure that we are not only appropriately complying with our financial reporting responsibilities, but are also helping to reduce the time and resource costs associated with sustaining compliance."
Tuesday, 27 March 2007
Internal Controls Glossary
Activity Level
One of two levels at which internal controls can operate. The control is applied at the point of an activity. An example is a bank reconciliation to control cash movements.
ALM
Application Lifecycle Management
More on Internal Controls
Xactly On-Demand SAS 70 Type I
On-demand sales compensation vendor Xactly has passed its Type 1 SAS audit. The certification applies to the company's flagship product Xactly Incent. The company claims that Incent is the first SAS 70 on-demand sales compensation management application to be hosted in a SAS 70 certified facility.
The audit and examination is the first of two levels of SAS certification. The onus on internal controls means that it is often seen as good preparation for complying with Section 404.
Labels: audit, sales compensation, SAS 70 Type 1, Xactly, Xactly Incent
Verizon Business Completes SAS 70 Type II
Verizon Business has completed the SAS 70 Type II examination for its Internet Colocation and Managed Hosting data center.
SAS 70 Type II is often a preparatory step for compliance with the Sarbanes-Oxley Act and in particular the infamous Section 404.
Monday, 26 March 2007
J-SOX Win for OpenPages
CAC Corporation, a Japanese software development company, has chosen OpenPages FCM for its J-SOX corporate governance activities.
OpenPages FCM allows CAC to automate the ongoing test and review of its controls documentation so that it may reduce the time and resource costs associated with financial reporting compliance and to help organizations better implement internal audit and enterprise risk management solutions.
A leading IT services company, CAC Corporation delivers an integrated suite of services, ranging from IT strategy formulation and consulting to system construction, operation and management. And since its foundation in 1966 as Japan's earliest independent software developer, CAC has been serving its customers in a wide range of areas including the financial, pharmaceutical, and consumer packaged goods industries. In April 2006, CAC partnered with OpenPages to jointly distribute solutions for financial controls management and operational risk management in Japan. CAC is headquartered in Tokyo, Japan with operations in New York, London and Shanghai.
"Given CAC's global presence, we were in need of a solution that would not only optimize compliance initiatives but would also reduce the costs associated with complying with the numerous financial regulations that our organization must meet annually," said Susumu Fukushima, General Manager, Internal Control Promotion Dept. at CAC. "Recognizing the value that our own customers found by using OpenPages' solutions for financial controls management, we look forward to implementing OpenPages FCM in-house to both effectively manage information and to automate key workflow processes."
OpenPages FCM is an enterprise financial controls management solution that reduces the time and resource costs associated with ongoing compliance with financial reporting regulations.
The choice of OpenPages to help with J-SOX compliance is apposite. A number of countries around the world are implementing their own regulatory versions of the US Sarbanes-Oxley Act. At the same time the SEC and Congress are looking to alleviate the cost and impact of the infamous Section 404.
Sunday, 25 March 2007
USi Completes SAS 70 Type II For Seventh Year
USi (http://www.usi.com/), an AT&T company and a leading Application Service Provider (ASP), today announced that it has successfully completed an American Institute of Certified Public Accountants (AICPA) SAS 70 Type II examination for the seventh consecutive year.
Regulatory changes in recent years, such as the Sarbanes-Oxley Act, require companies to obtain assurance on the integrity of their data. SAS 70 Type II examinations can help confirm that access to information is limited by physical and logical controls and that this access is internally regulated. The examination includes design assessments and operating effectiveness tests of USi's infrastructure, physical and network security, maintenance procedures, infrastructure change management, environmental safeguards, problem management, and reporting control procedures.
"SAS 70 Type II reports assure our clients that our operational processes and controls meet high standards for the security and reliability of the systems we manage for our clients," said Josie Ollinger, USi's Director for Audits and Compliance. "Because clients can take advantage of USi's controls, they often have to implement fewer controls and procedures within their own accounting and IT infrastructure. Plus, our SAS 70 examinations eliminate the need for each of our clients to audit USi individually, which saves them time and money," she added.
USi has a long history of comprehensive auditing and compliance. In addition to its semi-annual SAS 70 Type II examinations, USi has also completed various regulatory audits for specific clients, including compliance with HIPAA requirements for healthcare data privacy and protection and compliance with the public company financial reporting internal control aspects of the Sarbanes-Oxley Act. As a member of the BITS' Financial Institution Shared Assessments Program's steering committee, USi works with the committee to develop criteria for new assessments that will be shared across financial institutions, all of whom will themselves conform to these strict security criteria.
Tuesday, 6 March 2007
Sarbanes-Oxley and Automation
Sarbanes-Oxley has passed into the corporate consciousness. Companies now know that compliance does not come cheap. One of the ways management and auditors are looking to reduce costs but still maintain quality is through automation.
Is there a silver bullet somewhere that will magically remove the pain of Sarbanes-Oxley, whilst at the same time producing the benefits that were promised from it?
Of course not, is the simple answer. No more than it is possible for traditional load or automated testing.
There are significant up-front costs, training and the possibility that it may become redundant if Sarbanes-Oxley is repealed or made radically insubstantial.
How then to proceed? In my humble opinion there are three stages in any automation programme. They apply whether we are load testing, preparing for Basel II or the infamous Section 404 on internal controls.
* Hire good people.
* Have those good people do good things.
* Automate the good things done by the good people.
How does this map on to compliance with Sarbanes-Oxley? In the first instance the people are already there in the shape of management and auditors. Whether they are any good is a different matter.
The company/audit firm can hire in of course, but that can be expensive. The right skills though are worth the price.
Should the existing personnel not be up to scratch, then they will not be able to perform the second stage, and it will degenerate either into chaos or become a box-ticking exercise. Either way, any attempt to automate will only compound the problems.
The second stage is more problematic. Guidance from the auditing bodies and the SEC was initially sketchy on what to report and concentrate on. Consequently, auditors have had a tendency to go overboard and examine every single internal control, no matter how trivial.
Management was also on a steep learning curve. Many have complained that they are not running a fraudulent company, so why should they be treated as if they are an Enron waiting to happen.
The passage of time, companies having been through the process and guidance from the SEC/PCAOB mean that we have a much clearer picture of how to comply. Throughout the coming year, I predict a far wider range of companies taking on automation projects for Sarbanes-Oxley compliance.
Oracle Expands GRC Offering
An expanded governance, risk and compliance (GRC) suite has been launched by Oracle.
The stated aim of the expansion is to allow companies to manage multiple GRC initiatives across the enterprise with the introduction of a new application suite that manages compliance initiatives in heterogeneous environments, provides increased security through automated, pre-defined ERP controls and intends to provide greater visibility through expanded GRC intelligence.
The compliance and management capabilities displayed in the suite came with the acquisition of Stellent. Oracle added its own expertise in application controls.
Oracle has provided compliance capabilities for each of its enterprise application lines and recognized that broad GRC requirements extend across multiple business units, geographies, mandates and enterprise applications. The suite includes support for international financial regulations including OMB A-123 in the U.S., Multilateral Instrument 52-109 in Canada, JSOX in Japan, KSOX in Korea or the Turnbull Report in the U.K.
"We've experienced clear process improvements and increased efficiencies from our implementation of the Sarbanes-Oxley solution from Stellent," said Danny Waxenberg, Assistant Vice President, Internal Controls at Unum, the largest provider of individual and group income protection insurance in the US and the UK. "We are pleased that Oracle is protecting our investment in the application and look forward to leveraging the latest capabilities from Oracle Governance Risk and Compliance Manager."
Labels: compliance, governance automation, GRC, JSOX, KSOX, Oracle, risk, Sarbanes-Oxley and GRC, Stellent
Sunday, 4 March 2007
AXS-One Q4 Results
AXS-One has reported Q4 2006 financial results. Central is the discontinuation of the Enterprise Financials product line. The company's figures reflect solely its Records Compliance Management solutions.
License revenues for the fourth quarter decreased 46.3 percent to $0.7 million from $1.3 million in the fourth quarter of 2005, and increased 48.0 percent sequentially when compared with the $0.5 million for the third quarter of 2006. Total revenues for the fourth quarter were $2.5 million, a decrease of $0.5 million from the fourth quarter 2005 revenues of $3.0 million. Total operating expenses for the quarter were $7.7 million, an increase of 33.0 percent compared to the fourth quarter of 2005.
Net income was $13.6m or $0.39 per diluted share compared to $0.05 for the same period last year.
During the quarter, a new version of the flagship AXS-One Compliance Platform was announced. New features included risk management and cost containment.
Friday, 2 March 2007
Approva's CTO
Approva has appointed Steve Elliott to the post of Chief Technology Officer. He will be responsible for driving product strategy and innovation. The company is a vendor of governance, risk and compliance solutions.
"Steve's experience developing software to automate IT auditing is nearly unparalleled in the industry," said Prashanth (PV) Boccasam, Approva's chairman and chief executive officer. "With his leadership and track record of defining groundbreaking new technologies, Approva is positioned to deliver cutting edge products that our customers and partners have come to expect from us."
Elliott has also led Approva's Open Controls Framework(TM) (OCF) effort, the industry's first standards-based approach for companies and their auditors to simplify the way they design and analyze controls, report exceptions and audit key application and operational controls. As part of this effort, Elliott helped define two new XML control definition formats, the control reporting language (XCRL) and the control definition language (XCDL), which Approva is promoting to standards organizations for adoption.
"Approva is the standard which other companies in the continuous controls monitoring and audit market measure themselves against when it comes to innovation and quality," said Elliott. "I am thrilled to have the opportunity to guide our technology strategy and to help our customers respond to new regulatory guidance while realizing their goals of turning compliance from a cost to an asset."
Internal Controls and Business Processes
The COSO framework distinguishes internal controls by scale, into entity level and activity level controls.
Internal controls are currently important because of Section 404 of the Sarbanes-Oxley Act. Public companies and their auditors have to attest to the effectiveness of their internal controls in relation to financial reporting.
Entity level controls are those that have an effect in the control environment. They have a pervasive effect on the way that controls are implemented. (The control environment is one of 5 elements that make up internal controls and essentially consists of management "setting the tone" and has a heavy slant towards ethics.)
An example is a commitment to competence, so that every member of the organisation has the required skill set and knowledge to do his job.
Activity level controls are control procedures that are enacted at the activity level.
To continue the commitment to competence example, an activity level control would be asking job candidates for financial roles to take a skills test.
However, COSO does make clear that significant controls are found at both levels. Indeed, any thorough evaluation of internal controls must investigate all significant controls, no matter what level.
The approach COSO takes to evaluating activity controls may differ from current auditing practice, which traditionally focused on the financial statement approach. For a more up-to-date US approach see the Public Company Accounting Oversight Board.
In particular, COSO chose to follow the Value-Chain analysis approach. This seeks to identify business process activities that add value to the offering to the customer. For more on the approach see here.
Value-Chain splits activities within firms and organisations into two, primary and support.
Primary activities are those involved directly in creating the product and ensuring selling and delivery to the customer.
* Inbound Logistics: Activities for handling inputs to the product. An example is warehousing of raw materials.
* Operations: Activities to transform inputs into a finished product.
* Outbound Logistics: Storing the finished product and delivering it to the customer. A financial reporting related activity is ensuring the customer actually receives it.
* Market and Sales: Enabling the customer to purchase the product. An example is pricing. The control could be to ensure the advertised price is the correct one.
* Service: Activities to maintain the product in the hands of the buyer.
Support activities help the primary activities and each other by providing purchased inputs, technology and entity-wide activities like management accounting.
* Firm Infrastructure: General management activities.
* Human Resource Management: Activities dealing with hiring, training, development and compensation.
* Procurement: Activities involved in the purchase of inputs. As procurement is so pervasive throughout the organisation, it is sometimes overlooked. A typical control is to make sure that stocks of materials match up with those purchased.
* Technology Development: Activities to improve products and services. An example might be developing new IT systems.
Lastly, it has to be noted that every entity, no matter how small or large, simple or complex, has an individual value chain. As a consequence, each entity has to be viewed individually.
Thursday, 1 March 2007
OpenPages for Moss Adams
Moss Adams LLP, the 12th largest accounting and consulting firm in the U.S., has selected OpenPages FCM for its Sarbanes-Oxley compliance initiatives.
OpenPages was chosen because it is consistent with the way Moss Adams performs control assessments. The suite should enable Moss Adams to automate its test and review of its controls documentation, reducing costs associated with Sarbanes-Oxley Section 404. The company intends to use the software as part of consulting with its clients.
"Leadership in our profession is directly related to the quality of the people, processes and systems efficiency and effectiveness in helping our clients navigate through an ever-changing business environment to achieve their compliance, operational and reliable financial reporting goals," said Curtis Matthews, Partner at Moss Adams. "We are looking for our investment in OpenPages FCM as a means to automate and streamline compliance processes to lower our client costs and enhance our ability to achieve greater value-added client results."
Control Documentation Tool Requirements
Using a tool to document the internal controls of an organisation is an increasingly popular option for company management.
Choosing a tool for Sarbanes-Oxley is no different from any other automation effort.
The functionality looked for in the tool should be based on the requirements of the company, test or audit organisation, not the blurb from a tool vendor's catalogue.
The ultimate goal is the accurate description of the company's control policies and procedures.
Maintaining information about internal controls, or "warehousing", is one of the three main functions of an automated tool in terms of SOX. The other two are the automation of testing internal controls and automation of the controls themselves.
This article focuses on using the tool for Sarbanes-Oxley (SOX) review purposes. However, the information can quite easily be extrapolated to any other regime which mandates effectiveness of internal control, such as Basel II, HIPAA and IT audits.
As has been noted elsewhere on this site, the more an organisation, and in particular the IT department, can prepare, the easier any review becomes. Indeed, if done properly, costs of complying with SOX can come down dramatically. (But then that is the holy grail with all automation projects. How many fail?)
There are three main methods for collating internal control documentation. Most tools will offer one or a combination of these.
Links to Existing Documentation
Documentation on internal controls will already exist for many organisations. The tool merely provides a reference to this material, to allow the material to be reviewed.
One particular problem with this method arises if the linked document changes: is the change recorded and the overall control framework updated? This method has the cheapest upfront cost, but could be expensive in the long term.
Menu Driven
In this scenario the documentation is created via the tool itself. The user is prompted with items from a menu. To describe a control objective, the user might be offered "ensure proper authorization of transactions" or "verify accuracy".
Again this reduces the upfront cost, as users are prompted with stock phrases. The temptation might be to put less qualified people on the task.
The downside is that the control objective descriptions will only ever be as good as the person who sets the menu items.
A number of IT management tools have inbuilt classifications from the COBIT framework. In the future, it is likely the COSO framework will be built into tools.
Free Responses
The user is given free rein to enter her own descriptions. This requires a large amount of support or knowledge from the user, as the information and knowledge of controls has to come from them.
No matter how good the tool, the features it has or its cost, it is only ever as good as the person using it. To make sure we optimize the effect of automation, users need the following attributes.
Knowledge of Company Controls
In organisations with existing clear descriptions and a knowledgeable workforce this will not pose too much of a problem.
Internal Control Concepts
These relate to a framework like COSO, which is mandated by the SOX legislation. The area of IT related controls is covered by Control Objectives for Information and related Technologies (COBIT). This subject can be quite theoretical. A number of tools have the COBIT framework built into them as parameters, and can therefore be turned into a menu-dropdown.
Financial Reporting Process
The whole point of Sarbanes-Oxley is to ensure the accuracy of financial reporting. All users of the tool must have an idea of what financial reporting involves. After all, how will they know it has gone wrong?
Assertions in the Financial Statements
These are the representations of management built into the entity's financial statement. Examples of assertions from auditing are the existence of assets or liabilities, valuation or measurement of amounts, or completeness of the financial statements.
The design of a control and its associated documentation is only part of the story. The control has to go on and be effective.
Indeed, the operational effectiveness is more important. Documentation, however, makes this easier to prove.
As noted above, testing the effectiveness of internal controls is of paramount importance. The descriptions of the controls therefore have to be readily available to a wide range of people, through their respective perspectives.
By Control Objective
The user should be able to review, for each control objective, the control policies and procedures meant to achieve it. All significant control objectives should be covered.
Business Process
The user can start evaluating activity-level controls from here.
General Ledger Account
This perspective provides a link between financial statements and internal control. Particularly good for activity-level controls.
Maintaining information integrity ensures that the documentation held by the tool is an accurate representation of the real world within the entity and its internal controls. The ease with which controls can be updated is an important element. However, the documentation is an important element in a process with potential implications for controls over billions of dollars.
Logical Access Controls
Tool administrators should be able to restrict access by users to the portion of documentation pertaining to their level and area of responsibility.
Standardized Updating Procedures
Changes to the documentation have to leave behind a paper trail. Also, everything else which is impacted by internal control has to be updated. This includes the general ledger, business processes and the affected control objectives.
Management have to monitor the internal controls of their company. Any material changes to internal control have to be reported. In some cases where significant deficiencies or material weaknesses have been reported and subsequently remediated, this also has to be reported. Once the tool is being used effectively and efficiently this can be accomplished with relative ease.
Monitoring is one of five elements of the internal control framework as laid down by COSO.
In support of this element, changes to documentation should mirror changes to the actual controls. The tool should be able to identify any changes to the controls over a given time period.
The goal is for the management to have assurance that the documentation and the internal controls are indeed in alignment.
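The change tracking described above, sketched as an added example (not from the original article or any vendor's tool): a hypothetical `ControlRegister` keeps an append-only, hash-chained paper trail of documentation changes, reports which controls changed in a period, and flags linked documents that no longer match the copy last reviewed. The control IDs, users and document contents are constructed sample data.

```python
import hashlib
import json
from datetime import date

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ControlRegister:
    """Hypothetical register of control descriptions with a hash-chained change log."""

    def __init__(self):
        self.log = []    # append-only paper trail, one entry per documentation change
        self.links = {}  # control id -> digest of the linked document as last reviewed

    def record(self, day, user, control_id, description, linked_doc=None):
        entry = {"date": day.isoformat(), "user": user, "control": control_id,
                 "description": description,
                 "prev": self.log[-1]["hash"] if self.log else "0" * 64}
        if linked_doc is not None:
            entry["doc_sha256"] = self.links[control_id] = digest(linked_doc)
        # The entry hash covers every field, including the previous entry's hash.
        entry["hash"] = digest(json.dumps(entry, sort_keys=True).encode())
        self.log.append(entry)

    def changes_between(self, start, end):
        """Controls whose documentation changed in [start, end], for monitoring."""
        return sorted({e["control"] for e in self.log
                       if start.isoformat() <= e["date"] <= end.isoformat()})

    def stale_links(self, current_docs):
        """Linked documents that now differ from the copy recorded at last review."""
        return sorted(c for c, d in self.links.items()
                      if digest(current_docs.get(c, b"")) != d)

    def trail_intact(self):
        """Recompute the chain; an edited or removed entry breaks it."""
        prev = "0" * 64
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            recomputed = digest(json.dumps(body, sort_keys=True).encode())
            if e["prev"] != prev or recomputed != e["hash"]:
                return False
            prev = e["hash"]
        return True

def demo():
    """Constructed sample data: two controls, one with a linked policy document."""
    reg = ControlRegister()
    reg.record(date(2007, 1, 10), "alice", "AP-01", "Invoices matched to purchase orders", b"policy v1")
    reg.record(date(2007, 2, 5), "bob", "GL-07", "Journal entries approved by controller")
    reg.record(date(2007, 3, 1), "alice", "AP-01", "Three-way match before payment", b"policy v2")
    current = {"AP-01": b"policy v3"}  # the linked file was edited outside the tool
    return reg, current
```
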
In the software testing area, automated tools have a high propensity to become "shelfware". The reasons for this occurring are many. The primary reason, though, is that they become irrelevant to most people or the amount of updating generates prohibitive costs.
A similar fate may await the newly purchased SOX tool. A combination of the above features and the user attributes is essential if the automation process is to be successful.
Peerless Mfg
Peerless Mfg. Co. is engaged in the business of designing, engineering, manufacturing and selling highly specialized products used for the abatement of air pollution and products for the separation and filtration of contaminants from gases and liquids. The Company, headquartered in Dallas, Texas, markets its products worldwide.