Avoid the Documentation Nightmare
Under Sarbanes-Oxley not all
corporate artifacts and actions need to be
documented. IT managers and CITPs can use these
tips to keep Sarbanes-Oxley documentation simple.
Specify
accountability. Technically,
the CEO and CFO have ultimate responsibility for
financial reports, but they will want to know who
provided the information. Create a list of major
functional areas related to Sarbanes-Oxley and
identify who is accountable for each one.
Be clear
and concise. If
the CEO has a question, he or she should be able
to pick up your accountability list and call the
responsible person directly. Break the list down
by business unit, division or whatever
segmentation makes sense in your organization.
Keep it electronic and easy to update.
Define the
business processes for managing financial
information clearly. Only business processes that are
critical and material to the production of
financial statements and disclosures need to be
documented.
Have documentation for
each step showing
The person who performs or oversees the activity.
The systems involved in the activity.
The information required to complete
the activity.
The information resulting from the
activity.
The business rules that govern the
activity.
When and how often the activity is
performed.
Define all
the computer systems that handle the data. It's not sufficient to say
you use an enterprise resource planning
application to perform your financial analysis.
Document the underlying database and the
reporting tools, including the software version
and patch levels. Also include detailed
information about the operating environment, such
as the version of Windows used and any add-ins.
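The accountability list, the per-step process documentation and the system inventory described above reference one another, so gaps show up as dangling references: a step that names a person who is on nobody's accountability list, a system that the inventory has never recorded, or an inventory entry with no patch level. The following Python script is an added example, not code from the original article or its author. Every record in it (people, functional areas, system names, versions) is constructed for illustration, and it assumes one rule the article does not state outright: that anyone named as a step owner also appears on the accountability list.

```python
"""Consistency check across Sarbanes-Oxley process documentation.

Added example, not code from the original article. It cross-checks the three
artifacts the tips above call for: the accountability list, the per-step
process documentation, and the system inventory. All data below is
constructed for illustration; people, areas and system names are hypothetical.
"""

# The six details the article requires for every documented process step.
REQUIRED_STEP_FIELDS = ("owner", "systems", "inputs", "outputs", "rules", "frequency")

# Details the inventory must record for every system: software version,
# patch level and operating environment.
REQUIRED_SYSTEM_DETAILS = ("version", "patch_level", "os")

# Constructed accountability list: functional area -> accountable person.
ACCOUNTABILITY = {
    "revenue recognition": "A. Lee",
    "inventory valuation": "R. Patel",
    "fixed assets": "M. Chen",
}

# Constructed system inventory. GL-DB deliberately lacks a patch level.
INVENTORY = {
    "ERP-FIN": {"version": "11.2", "patch_level": "SP3", "os": "Windows Server 2003 SP1"},
    "GL-DB": {"version": "10.2.0.3", "patch_level": "", "os": "Windows Server 2003 SP1"},
}

# Constructed process steps. The second step has several documentation gaps.
STEPS = [
    {
        "name": "Post month-end revenue journal",
        "area": "revenue recognition",
        "owner": "A. Lee",
        "systems": ["ERP-FIN", "GL-DB"],
        "inputs": "invoices approved in the ERP workflow",
        "outputs": "posted general-ledger journal entries",
        "rules": "only approved invoices dated in the period may be posted",
        "frequency": "monthly, business day 2",
    },
    {
        "name": "Build inventory valuation report",
        "area": "inventory valuation",
        "owner": "J. Doe",                  # not on the accountability list
        "systems": ["RPT-TOOL", "GL-DB"],   # RPT-TOOL is not in the inventory
        "inputs": "perpetual inventory counts",
        "outputs": "valuation schedule for the 10-Q",
        "rules": "",                        # business rules never written down
        "frequency": "quarterly",
    },
]


def check_step(step, accountability, inventory):
    """Return a list of findings for one documented process step."""
    findings = []
    name = step.get("name", "<unnamed step>")
    for field in REQUIRED_STEP_FIELDS:
        if not step.get(field):
            findings.append(f"{name}: missing field '{field}'")
    # Assumption (stricter than the article): step owners must be on the list.
    owner = step.get("owner")
    if owner and owner not in accountability.values():
        findings.append(f"{name}: owner '{owner}' is not on the accountability list")
    area = step.get("area")
    if area and area not in accountability:
        findings.append(f"{name}: area '{area}' is not on the accountability list")
    for system in step.get("systems", []):
        entry = inventory.get(system)
        if entry is None:
            findings.append(f"{name}: system '{system}' is not in the system inventory")
            continue
        for detail in REQUIRED_SYSTEM_DETAILS:
            if not entry.get(detail):
                findings.append(f"inventory: system '{system}' has no '{detail}' recorded")
    return findings


def check_documentation(steps, accountability, inventory):
    """Cross-check every step, then confirm each accountable area has steps."""
    findings = []
    for step in steps:
        findings.extend(check_step(step, accountability, inventory))
    documented_areas = {step.get("area") for step in steps}
    for area in accountability:
        if area not in documented_areas:
            findings.append(f"accountability: area '{area}' has no documented process steps")
    # Inventory findings repeat when two steps share a system; report each once.
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for finding in check_documentation(STEPS, ACCOUNTABILITY, INVENTORY):
        print(finding)
```

Run against the constructed records the script reports five findings: the missing GL-DB patch level, the second step's empty business rules, its owner and one of its systems being unknown to the other two artifacts, and the "fixed assets" area that has an accountable person but no documented steps. Keeping the three artifacts in a form a script can read (a spreadsheet export or a small database, as the "keep it electronic" tip suggests) is what makes this kind of check cheap to repeat before each audit.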
Write a
code of conduct. All employees should sign a code
of conduct that encourages people to be honest,
diligent and willing to follow the rules.
Conduct a
risk assessment and develop mitigation measures. Risks vary from company to
company. It's essential to show that a
good-faith effort was made to identify and
evaluate areas of financial reporting where
errors might occur. An IT team's efforts,
combined with the development of internal
controls to mitigate those risks, will provide
reassurance to auditors.
Here are a few examples
of the risks companies might face with IT:
Major upgrades or replacements of financial
reporting systems.
Major changes to manufacturing or
inventory tracking systems.
Substantial increases or reductions
in workforce.
Security breakdowns and system
intrusions.
Significant amounts of human
intervention in processing results.
System failures, particularly those
requiring restoration of data.
Make sure the IT
department documents these risks and others that
are unique to your organization. Then document
the steps taken to mitigate each one and why you
believe the final reported results won't be
affected.
Test your
risk mitigation measures. Create a test plan that specifies
what is being tested, how and by whom. Define the
test cases by describing adverse scenarios
followed by the steps to be taken in correcting
them. Run through the scenarios and document the
results to provide evidence of this testing to
external auditors.
Source: Vin
D'Amico, Writing Assistance Inc., Plymouth,
Minn., www.writingassist.com, 2006.