Using Process / Workflow Automation to Meet Internal Control Requirements

The Sarbanes-Oxley Act prescribes various accounting, reporting and control requirements that companies must meet in order to support the intent of ensuring that financial statements are accurate and trustworthy. Using process automation tools is a cost-effective way to support fulfillment of these requirements.

Specifically, Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.” [1]

Furthermore, under Section 404 of the Act, management is required to produce an “internal control report” as part of each annual Exchange Act report. See 15 U.S.C. § 7262. The report must affirm “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” 15 U.S.C. § 7262(a). The report must also “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” To do this, managers are generally adopting an internal control framework such as that described in COSO. [2]

Process automation tools, in conjunction with a solid process design, support the execution of many of the following internal control activities:

  1. Existence (Validity): Only valid or authorized transactions are processed (i.e., no invalid transactions).
  2. Occurrence (Cutoff): Transactions occurred during the correct period or were processed timely.
  3. Completeness: All transactions are processed that should be (i.e., no omissions).
  4. Valuation: Transactions are calculated using an appropriate methodology or are computationally accurate.
  5. Rights & Obligations: Assets represent the rights of the company, and liabilities its obligations, as of a given date.
  6. Presentation & Disclosure (Classification): Components of financial statements (or other reporting) are properly classified (by type or account) and described. [3]

Control activities may also be explained by the type or nature of activity. These include (but are not limited to):

  7. Segregation of duties – separating authorization, custody, and record keeping roles to prevent fraud or error by one person.
  8. Authorization of transactions – review of particular transactions by an appropriate person.
  9. Retention of records – maintaining documentation to substantiate transactions.
  10. Supervision or monitoring of operations – observation or review of ongoing operational activity.
  11. Physical safeguards – usage of cameras, locks, physical barriers, etc. to protect property, such as merchandise inventory.
  12. Top-level reviews – analysis of actual results versus organizational goals or plans, periodic and regular operational reviews, metrics, and other key performance indicators (KPIs).
  13. IT Security – usage of passwords, access logs, etc. to ensure access is restricted to authorized personnel.
  14. Top-level reviews – management review of reports comparing actual performance versus plans, goals, and established objectives.
  15. Controls over information processing – a variety of control activities are used in information processing. Examples include edit checks of data entered, accounting for transactions in numerical sequences, comparing file totals with control accounts, and controlling access to data, files and programs. [4]

Process automation tools also support the vast majority of these control objectives and activities, through the use of sound process design in conjunction with an automated, rule-based workflow control and monitoring engine that oversees the execution of all processes. The workflow control engine ensures that all processes are activated and controlled based on time schedules and user-defined (no programmers needed) triggers and routing conditions. The engine captures a perfect and unalterable audit trail of the company’s compliance with required processes, identifiable at the specific user level of responsibility. This audit trail is connected to a “business intelligence” reporting engine that cost-effectively documents such compliance (or lack thereof).

Process automation environments have dropped in price tremendously due to the declining cost of technology. LeanVista has years of experience in putting these kinds of environments to work to meet internal control reporting requirements. Contact us to get our perspective on how process automation can help your company meet Sarbanes-Oxley internal control requirements in a risk-managed and cost-effective way.

