With initial documentation and first audits out of the way, much of the heavy lifting is over for SarbOx. In year two, focus efforts on maintaining a compliant environment by automating internal controls and reporting.
What Is SarbOx Automation?
Automation is an umbrella term for technology solutions that automate manual controls under a sustainable and repeatable compliance framework. These controls may include documentation, testing, monitoring, and enforcement processes. Because these internal controls are scrutinized by auditors, enterprises must prove control effectiveness for annual SarbOx audits. The big question is how to do this in the most effective manner.
Throughout the next fiscal year, enterprises will shift their attention to acquiring technology solutions for SarbOx compliance. A recent study by CFO Research Services and PricewaterhouseCoopers found that automation of control environments is a priority for 76% of survey respondents. Similarly, 51% stated they are seeking to leverage automated controls within ERP systems as opposed to streamlining manual controls.
Why Automate?
Automation brings numerous benefits to the enterprise. First, automated controls are more easily documented and enforced, which is something auditors want to see. Second, if implemented correctly, automation will improve business process efficiency, which brings with it reduced costs, time, and labor.
Action Plan
1. Identify controls that can, and should, be automated. IT must speak with the owners of business processes to uncover which manual controls are being used and why. Where possible, eliminate the use of spreadsheets (e.g. for sensitive data in an ERP system) and filter out redundant processes. The CFO Research Services/PricewaterhouseCoopers study found that companies plan to automate processes such as:
- Information retention.
- Application control testing.
- Dashboard reporting/compliance management.
- Documentation of control activities.
- Duty segregation testing.
- Security or access controls.
2. Investigate an automation solution. Most of the pure-play SarbOx solutions on the market integrate with the IT infrastructure to provide secure documentation of internal controls for financial reporting across the enterprise. For a detailed purchasing plan and vendor grid, see McLean Report's "Selecting a Pure-Play SarbOx Tool." Once the solution is installed, conduct periodic diagnostic checks to ensure the system is working as it should.
3. Focus on automating ongoing documentation. Most enterprises have found that the majority of controls center around documentation, as opposed to financials or access controls. In this case, content management-based SarbOx software is more suitable. Companies laden with enterprise-level solutions (e.g. ERP, CRM, SCM), however, are more concerned with extracting data from transactional systems and making it available for analysis and reporting. Here, business intelligence-based SarbOx software is desirable.
- "SarbOx Tools: Business Intelligence vs. Content Management," from McLean Report, provides selection criteria for deciding on either approach.
4. Shift controls into "preventive" mode. Detective controls are at best inefficient and at worst ineffective. The goal here is to transform these dinosaur controls into automated, preventive controls. Once this has been accomplished, business process efficiency will improve, thereby creating value and ROI from the automation solution. For further information on control types, read "Just What Is an 'IT Control'?" from McLean Report.
Bottom Line
Automated control environments are the "next big thing" for SarbOx compliance. Enterprises investigating this strategy must start the selection process now.