8 Steps to Document Controls for Sarbanes-Oxley Compliance

  • by Bryan Wilson, President, Acumen Control ERP, Inc.
  • October 1, 2003
As an operational specialist, you might not have as much experience documenting internal controls as your counterparts in finance. The author of this article provides a step-by-step approach for the operational side of the business and explains the differences among the different types of controls.

Public companies registered with the Securities and Exchange Commission (SEC) and their external auditors are developing action plans to comply with pending regulations brought on by the Sarbanes-Oxley Act (SOA) of 2002. However, the SOA's long-term effects rest upon recent and future regulations issued by the SEC and the newly created Public Company Accounting Oversight Board (PCAOB).

Complying with provisions associated with Section 404 of the SOA will probably be the most costly to implement. Section 404 requires management to create, maintain, and report on a system of internal controls, which will include operational as well as financial processes. (If you aren't familiar with internal controls, read the sidebar, “What Is a Control?”)

These controls help provide reasonable assurance that the financial statements filed with the SEC are reliable and comply with Generally Accepted Accounting Principles (GAAP). Furthermore, your external auditor must attest to the validity of management's assertion.

A critical dimension of SOA compliance activity is documenting, identifying, and testing the relevant controls found in financially critical business cycles. For example, one key business cycle that affects financial statement line items (e.g., liabilities, cash, fixed assets, or expenses) is requisition-to-pay (R2P).

I have helped a number of companies and external auditors document, identify, and test SAP-enabled internal controls over financial reporting. I will use this experience to outline a general process for documenting internal controls over financial reporting.

Bryan Wilson

Bryan Wilson is president of Acumen Control ERP, which specializes in SAP risk, advisory, and forensic audit services. With more than 20 years of experience in IT risk management, he has managed SAP R/3-enabled controls design and assessment teams for both KPMG LLP and Deloitte & Touche LLP. Bryan has advised audit committees, executive teams, and audit partners at several multi-national companies of the residual risks in their SAP R/3-supported business cycles. He also helped several multi-national clients re-engineer their SAP R/3 security architecture and re-architect business processes after internal control failures or fraud were identified. He currently helps clients assess their SAP control environments using his forensic audit queries, which clients can use to enhance their own off-the-shelf audit query tools. Bryan has a B.S. degree in computer science and is a Certified Public Accountant (CPA), Certified Information System Auditor (CISA), and an active member of the Association of Certified Fraud Examiners.
