Academic journal article Journal of Accountancy

Choose the Right Tools for Internal Control Reporting: Pick Internal Control Software for Changing Business Conditions

Academic journal article Journal of Accountancy

Choose the Right Tools for Internal Control Reporting: Pick Internal Control Software for Changing Business Conditions

Article excerpt

Time is running out for many businesses to begin the complex process of complying with section 404 of the Sarbanes-Oxley Act of 2002, which tightened internal control and financial reporting requirements. (See "Impact of Section 404," page 36.)

This article is intended for readers in both industry and public accounting who seek, or need to offer, advice on selecting software--based on the extent to which a company already has compliance systems in place--for meeting section 404's requirements. Although it is not a detailed buyer's guide, it describes the features of specific software categories and thus can serve as a practical guide to what's available in the market and what to look for when examining software for employers and clients and discussing products with vendors.

CPAs can play a valuable role in helping companies choose software tools whose functions include supporting compliance and also enhancing communication with investors, employees and regulators, making financial statements clear and easier to analyze and increasing efficiency by, for example, eliminating redundant or obsolete controls and improving workflow. Acting as a technical adviser on financial internal controls design, financial processes and transaction flows, the CPA can help a client or employer answer three difficult but important questions:

* Is it better to design a compliance program for the short term (one year or less) or a more sustainable one for the long term?

* Which software tools are most capable of fostering complete, effective and sustainable compliance in a given business situation?

* What other investments (new policies and procedures, training and ethics programs, for example) are necessary to achieve section 404 compliance and also to take full advantage of the software chosen?

Companies are eager to contain the already spiraling costs of complying with Sarbanes-Oxley. Some are overhauling their business processes and integrating them into enterprise-wide systems. They also are installing software that produces always-up-to-date business process documentation in terms managers, investors and lenders can understand. This software enables companies to refine their financial controls, improve both their timing and public communication of key company events and provide more detailed evaluations of business results.


CPAs can save clients or employers time and money by strongly recommending the selection of software be based on the criteria listed below in order of importance.

* The software tool's most important functions, not its minor features.

* The vendor's viability as a going concern.

* The vendor's support plans and the software's position in its product line.

* The product's ongoing compatibility with the company's operating systems and its scalability.

* Whether the tool has a Web-based interface and employees can access it online without installing software on their individual PCs.

* Whether customization of the product is available or required.

* The availability of suitable vendor-supplied implementation services.

* The level of training the vendor provides.

* The extent of integration with other tools--for example, how proprietary is the database, and can users easily link it to other programs?

* Price.

* Maintenance, support and upgrade costs (direct and indirect--for example, hardware and staff).

* Availability of information on any infrastructure and operating system changes or updates that could become necessary.


The extent to which a company has progressed in building a strong control environment will dictate what tools it needs to buy and when. CPAs can use an internal controls maturity framework to help companies determine whether their existing or proposed controls for a given activity or process are rigorous enough to manage related risks and that they are sufficiently documented for review by auditors who must assess section 404 compliance. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.