8 Steps to Document Controls for Sarbanes-Oxley Compliance
- by Bryan Wilson, President, Acumen Control ERP, Inc.
- October 1, 2003
As an operational specialist, you might not have as much experience documenting internal controls as your counterparts in finance. The author of this article provides a step-by-step approach for the operational side of the business and explains the differences among the different types of controls.
Public companies registered with the Securities and Exchange Commission
(SEC) and their external auditors are developing action plans to
comply with pending regulations brought on by the Sarbanes-Oxley
Act (SOA) of 2002. However, the SOA's long-term effects rest
upon recent and future regulations issued by the SEC and the newly
created Public Company Accounting Oversight Board (PCAOB).
Complying with provisions associated with Section 404 of the SOA
will probably be the most costly to implement. Section 404 requires
management to create, maintain, and report on a system of internal
controls, which will include operational as well as financial processes.
(If you aren't familiar with internal controls, read the sidebar,
“What Is a Control?”)
These controls help provide reasonable assurance that the financial
statements filed with the SEC are reliable and comply with Generally
Accepted Accounting Principles (GAAP). Furthermore, your external
auditor must attest to the validity of management's assertion.
A critical dimension of SOA compliance activity is documenting,
identifying, and testing relevant controls found in financially
critical business cycles. For example, one key business cycle that
affects financial statements (e.g., liabilities, cash, fixed assets
or expense) is requisition-to-pay (R2P).
I have helped a number of companies and external auditors document,
identify, and test SAP-enabled internal controls over financial
reporting. I will use this experience to outline a general process
for documenting internal controls over financial reporting.
Would you like to see this full item?