SOX Audit Readiness -
Responsibilities & Opportunities
The Sarbanes-Oxley Act of 2002 assumes the risk of fraud in any public company, and makes it the responsibility of all signing officers to establish and maintain internal controls over financial reporting. In most cases, the successful establishment and maintenance of these internal controls is assessed by an external, independent auditor.
It is in the interest of the enterprise that risk assessment with regard to internal controls be as complete and transparent as possible. An external auditor will use the work done by your internal auditor, provided the external auditor is satisfied with that internal auditor's competence to perform the tasks in question, and with their relative objectivity. It is therefore essential that your internal audit team have the means and tools at their disposal to determine the effectiveness of internal controls such as the change management process. The responsibility to mitigate risk is also an opportunity to create value by fostering transparency.
Business Intelligence & Change Management
For signing officers within public companies, the enterprise reporting environment must figure heavily in the assessment of risks. While the assessment of risk is necessarily a top-down process, it has to satisfy the detail-oriented thought processes of an auditor, and thus must be capable of drilling down to the field level in all data sources that are material to the financial statements.
What effect could a report's inclusion or exclusion of a single field from a particular table within a particular data source have on the accuracy of a public company's financial statements? It could have next to no effect, or the effect could be significant if an auditor finds it to be an indicator of potential misstatement.
Because the devil is in the details, there is no internal control more essential to risk mitigation than change management. A rigorous change management process will record when a report began or ceased to include a particular field, table, and/or data source.
Your top-down approach needs to be able to get to the bottom of things — from the financial statement level, to entity level controls, to significant accounts and disclosures, and down to the most granular aspects of change management — to discover the potential for material misstatement.
Audit requirements for the financial reporting change management process typically involve baselining reports on a quarterly basis. If you have ever performed a manual baselining operation on a reporting environment of any size, you know that it is an extremely labor-intensive operation that ties up your BI and IT resources for a significant amount of time.
However, there is an alternative to this manual, labor-intensive process.
Learn About APOS Insight's Advanced Audit Capabilities for SAP BusinessObjects...